diff --git a/schemas/related.yml b/schemas/related.yml
index b052fa3c0..956a9a4a4 100644
--- a/schemas/related.yml
+++ b/schemas/related.yml
@@ -70,3 +70,25 @@
 identifiers include FQDNs, domain names, workstation names, or aliases.
 normalize:
 - array
+
+ - name: mac
+ level: extended
+ type: keyword
+ short: All the mac addresses seen on your event.
+ description: >
+ All the mac addresses seen on your event. The mac addresses should be standardized
+ before they populate this array. For this, The notation format from RFC 7042 is suggested:
+ Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving
+ the value of the octet as an unsigned integer. Successive octets are separated by a
+ hyphen.
+ normalize:
+ - array
+
+ - name: port
+ level: extended
+ type: long
+ short: All the port numbers seen on your event.
+ description: >
+ All the port numbers seen on your event, as specified by RFC 6335
+ normalize:
+ - array
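Review bot: The new `port` entry's description states no valid range, so a producer cannot tell what a well-formed value is, and with `type: long` an out-of-range number would be indexed silently; RFC 6335, which the description already cites, fixes the range, so I would extend the line to `All the port numbers seen on your event, as specified by RFC 6335 (valid values are 0-65535).` The `mac` description says addresses "should be standardized" yet only "suggests" the RFC 7042 notation, and since this array exists for correlation, mixed case or separators would defeat lookups across events; either make the notation mandatory or add a concrete example from the RFC's documentation range, such as `00-00-5E-00-53-23`. The `port` description also lacks the terminal period the `mac` one has, and `For this, The notation format` carries a stray capital. The hunk opens inside the description of the preceding field, whose definition starts before the hunk.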