Added ECS mappings for SMTP/Email data #534

Closed
wants to merge 3 commits into from
Conversation

mbudge
Contributor

@mbudge mbudge commented Aug 28, 2019

Adding email ECS mappings for review.

This is after adding fields from an email service provider and finding no common mappings in ECS.

Common fields can be found in the Mimecast logs.
https://www.mimecast.com/tech-connect/documentation/tutorials/understanding-siem-logs/

Added extra fields for users who manually parse logs or do TCP re-assembly of SMTP packet captures to get the email data, which they can use to check email headers and detect spoofing and SPF errors.

File and hash metadata from attachments and URLs can store data in existing ECS fields.
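As an added illustration of the header checks the description mentions (this is example code written for this page, not code from the PR, from ECS, or from Mimecast), the following Python flattens a constructed raw message into an ECS-style document and runs a few spoofing checks over it. The `email.*` key names are hypothetical placeholders chosen here, since ECS defined no email fields when this PR was open; `source.ip` is the real ECS field. The sample message, its addresses and the IP are constructed. It reads an already-captured message, so any TCP re-assembly of an SMTP session is assumed to have happened before this step.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import getaddresses

# Constructed sample message for this example; not taken from the PR,
# from Mimecast logs, or from any real mailbox.
SAMPLE_RAW = b"""Received: from mail.example.org (mail.example.org [203.0.113.10])
\tby mx.example.com with ESMTPS id 4XyZ for <alice@example.com>;
\tWed, 28 Aug 2019 10:00:00 +0000
Return-Path: <bounce@example.org>
Authentication-Results: mx.example.com;
\tspf=fail smtp.mailfrom=example.org;
\tdkim=none;
\tdmarc=fail header.from=example.com
From: "Finance Team" <finance@example.com>
Reply-To: <payments@example.org>
To: Alice <alice@example.com>, bob@example.com
Subject: Overdue invoice
Message-ID: <20190828100000.1234@example.org>
Content-Type: text/plain; charset=us-ascii

Please see the attached invoice.
"""

# Results the receiving MTA publishes in Authentication-Results (RFC 8601).
AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)
# Bracketed IPv4 literal in a Received header: "(host [203.0.113.10])".
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _addresses(msg, header):
    """Return the bare addresses from every occurrence of `header`, lower-cased."""
    raw = [str(v) for v in msg.get_all(header, [])]
    return [addr.lower() for _, addr in getaddresses(raw) if addr]


def _domain(address):
    return address.rpartition("@")[2]


def to_ecs_like(raw_message):
    """Flatten a raw RFC 5322 message into a dict of ECS-style keys.

    `email.*` keys are hypothetical placeholders (ECS had no email fields
    when this PR was open); `source.ip` is the real ECS field.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    doc = {
        "email.from.address": _addresses(msg, "From"),
        "email.to.address": _addresses(msg, "To"),
        "email.reply_to.address": _addresses(msg, "Reply-To"),
        "email.return_path.address": _addresses(msg, "Return-Path"),
        "email.subject": str(msg["Subject"] or ""),
        "email.message_id": str(msg["Message-ID"] or "").strip("<>"),
    }
    for header in msg.get_all("Authentication-Results", []):
        for method, result in AUTH_RESULT_RE.findall(str(header)):
            # e.g. "email.spf.result": "fail"
            doc[f"email.{method.lower()}.result"] = result.lower()
    received = msg.get_all("Received", [])
    if received:
        # The first Received header is the hop closest to the receiving MTA.
        m = RECEIVED_IP_RE.search(str(received[0]))
        if m:
            doc["source.ip"] = m.group(1)
    return doc


def spoofing_indicators(doc):
    """Detection checks a defender can run over the flattened document."""
    flags = []
    if doc.get("email.spf.result") == "fail":
        flags.append("spf_fail")
    if doc.get("email.dmarc.result") == "fail":
        flags.append("dmarc_fail")
    from_domains = {_domain(a) for a in doc.get("email.from.address", [])}
    if any(_domain(a) not in from_domains for a in doc.get("email.reply_to.address", [])):
        flags.append("reply_to_domain_mismatch")
    if any(_domain(a) not in from_domains for a in doc.get("email.return_path.address", [])):
        flags.append("return_path_domain_mismatch")
    return flags


if __name__ == "__main__":
    document = to_ecs_like(SAMPLE_RAW)
    for key, value in sorted(document.items()):
        print(f"{key}: {value}")
    print("indicators:", spoofing_indicators(document))
```

Addresses are kept as lists because ECS stores multi-valued fields as arrays; the domain-mismatch checks compare only against the header From domain, which is what DMARC alignment is also anchored on, so a Reply-To or Return-Path pointing elsewhere is a signal worth surfacing alongside the SPF and DMARC results rather than a verdict on its own.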

@webmat
Contributor

webmat commented Sep 3, 2019

Thanks for submitting this! It's very detailed and I happen to have some knowledge in building an email monitoring pipeline (mine was based on SendGrid's event webhook).

I won't be able to review this in depth just yet. More likely at the end of this month, or next month.

But I agree support for email would be good to have in ECS.

In the meantime, if you're able to provide sample logs (stripped of private information, of course), that would help get right into the meat of the subject, when the time comes :-)

@webmat
Contributor

webmat commented Sep 3, 2019

Note to self: also check out elastic/beats#13466, in particular packetbeat/protos/smtp/_meta/fields.yml

@webmat
Contributor

webmat commented Aug 18, 2020

Thanks again for opening this, @mbudge!

This won't get in as is. However I've just opened a meta-issue #939 to discuss email support in ECS. So I'm closing in favor of the meta issue.

Everything's linked together, and we'll make sure to review this PR when we plan this 🙂 ❤️

@webmat webmat closed this Aug 18, 2020
2 participants