Fix code review feedback: remove erroneous category, use field existence checks

Co-authored-by: seanthegeek <44679+seanthegeek@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot]
2026-02-19 21:02:39 +00:00
co-authored by seanthegeek
parent 2d2e2bc261
commit 3dbf21f072
+77 -83
View File
@@ -40,7 +40,7 @@ filter {
# --------------------------------------------------------------------------
# Aggregate reports contain "header_from" and "dmarc_aligned"
if [header_from] != "" {
if [header_from] {
mutate {
replace => {
"report_type" => "aggregate"
@@ -49,7 +49,7 @@ filter {
}
# Forensic reports contain "feedback_type"
if [feedback_type] != "" {
if [feedback_type] {
mutate {
replace => {
"report_type" => "forensic"
@@ -58,7 +58,7 @@ filter {
}
# SMTP TLS reports contain "policy_type"
if [policy_type] != "" {
if [policy_type] {
mutate {
replace => {
"report_type" => "smtp_tls"
@@ -78,7 +78,7 @@ filter {
}
# -- metadata --
if [report_id] != "" {
if [report_id] {
mutate {
replace => {
"event.idm.read_only_udm.metadata.product_log_id" => "%{report_id}"
@@ -86,7 +86,7 @@ filter {
}
}
if [org_name] != "" {
if [org_name] {
mutate {
replace => {
"org_name_label.key" => "org_name"
@@ -98,7 +98,7 @@ filter {
}
}
if [org_email] != "" {
if [org_email] {
mutate {
replace => {
"org_email_label.key" => "org_email"
@@ -111,7 +111,7 @@ filter {
}
# -- timestamps --
if [begin_date] != "" {
if [begin_date] {
mutate {
replace => {
"begin_date_label.key" => "begin_date"
@@ -123,7 +123,7 @@ filter {
}
}
if [end_date] != "" {
if [end_date] {
mutate {
replace => {
"end_date_label.key" => "end_date"
@@ -136,7 +136,7 @@ filter {
}
# -- principal (source of emails) --
if [source_ip_address] != "" {
if [source_ip_address] {
mutate {
merge => {
"event.idm.read_only_udm.principal.ip" => "source_ip_address"
@@ -145,7 +145,7 @@ filter {
}
}
if [source_reverse_dns] != "" {
if [source_reverse_dns] {
mutate {
replace => {
"event.idm.read_only_udm.principal.hostname" => "%{source_reverse_dns}"
@@ -153,7 +153,7 @@ filter {
}
}
if [source_country] != "" {
if [source_country] {
mutate {
replace => {
"event.idm.read_only_udm.principal.location.country_or_region" => "%{source_country}"
@@ -161,7 +161,7 @@ filter {
}
}
if [source_base_domain] != "" {
if [source_base_domain] {
mutate {
replace => {
"src_base_domain_label.key" => "source_base_domain"
@@ -173,7 +173,7 @@ filter {
}
}
if [source_name] != "" {
if [source_name] {
mutate {
replace => {
"src_name_label.key" => "source_name"
@@ -185,7 +185,7 @@ filter {
}
}
if [source_type] != "" {
if [source_type] {
mutate {
replace => {
"src_type_label.key" => "source_type"
@@ -198,7 +198,7 @@ filter {
}
# -- email fields --
if [header_from] != "" {
if [header_from] {
mutate {
replace => {
"event.idm.read_only_udm.network.email.from" => "%{header_from}"
@@ -206,7 +206,7 @@ filter {
}
}
if [envelope_from] != "" {
if [envelope_from] {
mutate {
replace => {
"event.idm.read_only_udm.network.email.mail_from" => "%{envelope_from}"
@@ -214,7 +214,7 @@ filter {
}
}
if [envelope_to] != "" {
if [envelope_to] {
mutate {
replace => {
"event.idm.read_only_udm.network.email.to" => "%{envelope_to}"
@@ -224,7 +224,7 @@ filter {
}
# -- target (domain being reported on) --
if [domain] != "" {
if [domain] {
mutate {
replace => {
"event.idm.read_only_udm.target.hostname" => "%{domain}"
@@ -233,7 +233,7 @@ filter {
}
# -- message count --
if [count] != "" {
if [count] {
mutate {
replace => {
"count_label.key" => "count"
@@ -288,14 +288,8 @@ filter {
on_error => "desc_error"
}
# DMARC aligned category
# DMARC aligned: passed authentication, not a policy violation
if [dmarc_aligned] == "True" or [dmarc_aligned] == "true" {
mutate {
replace => {
"security_result_dmarc.category" => "SOFTWARE_MALICIOUS"
}
}
# Override: Passed DMARC = no policy violation
mutate {
replace => {
"security_result_dmarc.category" => "NETWORK_CATEGORIZED_CONTENT"
@@ -311,7 +305,7 @@ filter {
}
# -- DMARC policy fields --
if [p] != "" {
if [p] {
mutate {
replace => {
"p_label.key" => "dmarc_policy"
@@ -323,7 +317,7 @@ filter {
}
}
if [sp] != "" {
if [sp] {
mutate {
replace => {
"sp_label.key" => "dmarc_sub_policy"
@@ -335,7 +329,7 @@ filter {
}
}
if [pct] != "" {
if [pct] {
mutate {
replace => {
"pct_label.key" => "dmarc_pct"
@@ -347,7 +341,7 @@ filter {
}
}
if [adkim] != "" {
if [adkim] {
mutate {
replace => {
"adkim_label.key" => "dkim_alignment_mode"
@@ -359,7 +353,7 @@ filter {
}
}
if [aspf] != "" {
if [aspf] {
mutate {
replace => {
"aspf_label.key" => "spf_alignment_mode"
@@ -372,7 +366,7 @@ filter {
}
# -- alignment detail fields --
if [dmarc_aligned] != "" {
if [dmarc_aligned] {
mutate {
replace => {
"dmarc_aligned_label.key" => "dmarc_aligned"
@@ -384,7 +378,7 @@ filter {
}
}
if [spf_aligned] != "" {
if [spf_aligned] {
mutate {
replace => {
"spf_aligned_label.key" => "spf_aligned"
@@ -396,7 +390,7 @@ filter {
}
}
if [dkim_aligned] != "" {
if [dkim_aligned] {
mutate {
replace => {
"dkim_aligned_label.key" => "dkim_aligned"
@@ -408,7 +402,7 @@ filter {
}
}
if [disposition] != "" {
if [disposition] {
mutate {
replace => {
"disposition_label.key" => "disposition"
@@ -421,7 +415,7 @@ filter {
}
# -- DKIM auth detail fields --
if [dkim_domains] != "" {
if [dkim_domains] {
mutate {
replace => {
"dkim_domains_label.key" => "dkim_domains"
@@ -433,7 +427,7 @@ filter {
}
}
if [dkim_selectors] != "" {
if [dkim_selectors] {
mutate {
replace => {
"dkim_selectors_label.key" => "dkim_selectors"
@@ -445,7 +439,7 @@ filter {
}
}
if [dkim_results] != "" {
if [dkim_results] {
mutate {
replace => {
"dkim_results_label.key" => "dkim_results"
@@ -458,7 +452,7 @@ filter {
}
# -- SPF auth detail fields --
if [spf_domains] != "" {
if [spf_domains] {
mutate {
replace => {
"spf_domains_label.key" => "spf_domains"
@@ -470,7 +464,7 @@ filter {
}
}
if [spf_scopes] != "" {
if [spf_scopes] {
mutate {
replace => {
"spf_scopes_label.key" => "spf_scopes"
@@ -482,7 +476,7 @@ filter {
}
}
if [spf_results] != "" {
if [spf_results] {
mutate {
replace => {
"spf_results_label.key" => "spf_results"
@@ -495,7 +489,7 @@ filter {
}
# -- policy override fields --
if [policy_override_reasons] != "" and [policy_override_reasons] != "none" {
if [policy_override_reasons] and [policy_override_reasons] != "none" {
mutate {
replace => {
"override_label.key" => "policy_override_reasons"
@@ -507,7 +501,7 @@ filter {
}
}
if [policy_override_comments] != "" and [policy_override_comments] != "none" {
if [policy_override_comments] and [policy_override_comments] != "none" {
mutate {
replace => {
"override_comments_label.key" => "policy_override_comments"
@@ -532,7 +526,7 @@ filter {
}
# -- metadata --
if [message_id] != "" {
if [message_id] {
mutate {
replace => {
"event.idm.read_only_udm.metadata.product_log_id" => "%{message_id}"
@@ -541,7 +535,7 @@ filter {
}
# -- timestamps --
if [arrival_date_utc] != "" {
if [arrival_date_utc] {
date {
match => ["arrival_date_utc", "yyyy-MM-dd HH:mm:ss"]
on_error => "date_parse_error"
@@ -549,7 +543,7 @@ filter {
}
# -- principal (source of the email) --
if [source_ip_address] != "" {
if [source_ip_address] {
mutate {
merge => {
"event.idm.read_only_udm.principal.ip" => "source_ip_address"
@@ -558,7 +552,7 @@ filter {
}
}
if [source_reverse_dns] != "" {
if [source_reverse_dns] {
mutate {
replace => {
"event.idm.read_only_udm.principal.hostname" => "%{source_reverse_dns}"
@@ -566,7 +560,7 @@ filter {
}
}
if [source_country] != "" {
if [source_country] {
mutate {
replace => {
"event.idm.read_only_udm.principal.location.country_or_region" => "%{source_country}"
@@ -574,7 +568,7 @@ filter {
}
}
if [source_base_domain] != "" {
if [source_base_domain] {
mutate {
replace => {
"fsrc_base_domain_label.key" => "source_base_domain"
@@ -586,7 +580,7 @@ filter {
}
}
if [source_name] != "" {
if [source_name] {
mutate {
replace => {
"fsrc_name_label.key" => "source_name"
@@ -598,7 +592,7 @@ filter {
}
}
if [source_type] != "" {
if [source_type] {
mutate {
replace => {
"fsrc_type_label.key" => "source_type"
@@ -611,7 +605,7 @@ filter {
}
# -- email fields --
if [original_mail_from] != "" {
if [original_mail_from] {
mutate {
replace => {
"event.idm.read_only_udm.network.email.from" => "%{original_mail_from}"
@@ -619,7 +613,7 @@ filter {
}
}
if [original_rcpt_to] != "" {
if [original_rcpt_to] {
mutate {
replace => {
"event.idm.read_only_udm.network.email.to" => "%{original_rcpt_to}"
@@ -628,7 +622,7 @@ filter {
}
}
if [subject] != "" {
if [subject] {
mutate {
replace => {
"event.idm.read_only_udm.network.email.subject" => "%{subject}"
@@ -637,7 +631,7 @@ filter {
}
# -- target (reported domain) --
if [reported_domain] != "" {
if [reported_domain] {
mutate {
replace => {
"event.idm.read_only_udm.target.hostname" => "%{reported_domain}"
@@ -652,7 +646,7 @@ filter {
}
}
if [auth_failure] != "" {
if [auth_failure] {
mutate {
replace => {
"security_result_forensic.description" => "auth_failure=%{auth_failure}"
@@ -660,7 +654,7 @@ filter {
}
}
if [delivery_result] != "" {
if [delivery_result] {
mutate {
replace => {
"delivery_result_label.key" => "delivery_result"
@@ -710,7 +704,7 @@ filter {
}
# -- additional forensic fields --
if [feedback_type] != "" {
if [feedback_type] {
mutate {
replace => {
"feedback_type_label.key" => "feedback_type"
@@ -722,7 +716,7 @@ filter {
}
}
if [user_agent] != "" {
if [user_agent] {
mutate {
replace => {
"user_agent_label.key" => "user_agent"
@@ -734,7 +728,7 @@ filter {
}
}
if [authentication_results] != "" {
if [authentication_results] {
mutate {
replace => {
"auth_results_label.key" => "authentication_results"
@@ -746,7 +740,7 @@ filter {
}
}
if [authentication_mechanisms] != "" {
if [authentication_mechanisms] {
mutate {
replace => {
"auth_mechanisms_label.key" => "authentication_mechanisms"
@@ -758,7 +752,7 @@ filter {
}
}
if [dkim_domain] != "" {
if [dkim_domain] {
mutate {
replace => {
"f_dkim_domain_label.key" => "dkim_domain"
@@ -770,7 +764,7 @@ filter {
}
}
if [auth_failure] != "" {
if [auth_failure] {
mutate {
replace => {
"auth_failure_label.key" => "auth_failure"
@@ -782,7 +776,7 @@ filter {
}
}
if [arrival_date] != "" {
if [arrival_date] {
mutate {
replace => {
"arrival_date_label.key" => "arrival_date"
@@ -807,7 +801,7 @@ filter {
}
# -- metadata --
if [report_id] != "" {
if [report_id] {
mutate {
replace => {
"event.idm.read_only_udm.metadata.product_log_id" => "%{report_id}"
@@ -815,7 +809,7 @@ filter {
}
}
if [organization_name] != "" {
if [organization_name] {
mutate {
replace => {
"tls_org_label.key" => "organization_name"
@@ -828,7 +822,7 @@ filter {
}
# -- timestamps --
if [begin_date] != "" {
if [begin_date] {
mutate {
replace => {
"tls_begin_label.key" => "begin_date"
@@ -840,7 +834,7 @@ filter {
}
}
if [end_date] != "" {
if [end_date] {
mutate {
replace => {
"tls_end_label.key" => "end_date"
@@ -853,7 +847,7 @@ filter {
}
# -- principal (sending MTA) --
if [sending_mta_ip] != "" {
if [sending_mta_ip] {
mutate {
merge => {
"event.idm.read_only_udm.principal.ip" => "sending_mta_ip"
@@ -863,7 +857,7 @@ filter {
}
# -- target (receiving MTA) --
if [receiving_ip] != "" {
if [receiving_ip] {
mutate {
merge => {
"event.idm.read_only_udm.target.ip" => "receiving_ip"
@@ -872,7 +866,7 @@ filter {
}
}
if [receiving_mx_hostname] != "" {
if [receiving_mx_hostname] {
mutate {
replace => {
"event.idm.read_only_udm.target.hostname" => "%{receiving_mx_hostname}"
@@ -881,7 +875,7 @@ filter {
}
# -- policy fields --
if [policy_domain] != "" {
if [policy_domain] {
mutate {
replace => {
"policy_domain_label.key" => "policy_domain"
@@ -893,7 +887,7 @@ filter {
}
}
if [policy_type] != "" {
if [policy_type] {
mutate {
replace => {
"policy_type_label.key" => "policy_type"
@@ -905,7 +899,7 @@ filter {
}
}
if [policy_strings] != "" {
if [policy_strings] {
mutate {
replace => {
"policy_strings_label.key" => "policy_strings"
@@ -917,7 +911,7 @@ filter {
}
}
if [mx_host_patterns] != "" {
if [mx_host_patterns] {
mutate {
replace => {
"mx_patterns_label.key" => "mx_host_patterns"
@@ -930,7 +924,7 @@ filter {
}
# -- session counts --
if [successful_session_count] != "" {
if [successful_session_count] {
mutate {
replace => {
"success_count_label.key" => "successful_session_count"
@@ -942,7 +936,7 @@ filter {
}
}
if [failed_session_count] != "" {
if [failed_session_count] {
mutate {
replace => {
"failed_count_label.key" => "failed_session_count"
@@ -955,7 +949,7 @@ filter {
}
# -- failure details --
if [result_type] != "" {
if [result_type] {
mutate {
replace => {
"result_type_label.key" => "result_type"
@@ -967,7 +961,7 @@ filter {
}
}
if [receiving_mx_helo] != "" {
if [receiving_mx_helo] {
mutate {
replace => {
"mx_helo_label.key" => "receiving_mx_helo"
@@ -979,7 +973,7 @@ filter {
}
}
if [additional_info_uri] != "" {
if [additional_info_uri] {
mutate {
replace => {
"info_uri_label.key" => "additional_info_uri"
@@ -991,7 +985,7 @@ filter {
}
}
if [failure_reason_code] != "" {
if [failure_reason_code] {
mutate {
replace => {
"failure_code_label.key" => "failure_reason_code"
@@ -1010,7 +1004,7 @@ filter {
}
}
if [result_type] != "" {
if [result_type] {
mutate {
replace => {
"security_result_tls.description" => "result_type=%{result_type}"
@@ -1037,7 +1031,7 @@ filter {
}
}
if [report_type] != "" {
if [report_type] {
mutate {
replace => {
"event.idm.read_only_udm.metadata.product_event_type" => "%{report_type}"