diff --git a/google_secops_parser/parsedmarc.conf b/google_secops_parser/parsedmarc.conf index 4ef1a17..5e6e4e2 100644 --- a/google_secops_parser/parsedmarc.conf +++ b/google_secops_parser/parsedmarc.conf @@ -40,7 +40,7 @@ filter { # -------------------------------------------------------------------------- # Aggregate reports contain "header_from" and "dmarc_aligned" - if [header_from] != "" { + if [header_from] { mutate { replace => { "report_type" => "aggregate" @@ -49,7 +49,7 @@ filter { } # Forensic reports contain "feedback_type" - if [feedback_type] != "" { + if [feedback_type] { mutate { replace => { "report_type" => "forensic" @@ -58,7 +58,7 @@ filter { } # SMTP TLS reports contain "policy_type" - if [policy_type] != "" { + if [policy_type] { mutate { replace => { "report_type" => "smtp_tls" @@ -78,7 +78,7 @@ filter { } # -- metadata -- - if [report_id] != "" { + if [report_id] { mutate { replace => { "event.idm.read_only_udm.metadata.product_log_id" => "%{report_id}" @@ -86,7 +86,7 @@ filter { } } - if [org_name] != "" { + if [org_name] { mutate { replace => { "org_name_label.key" => "org_name" @@ -98,7 +98,7 @@ filter { } } - if [org_email] != "" { + if [org_email] { mutate { replace => { "org_email_label.key" => "org_email" @@ -111,7 +111,7 @@ filter { } # -- timestamps -- - if [begin_date] != "" { + if [begin_date] { mutate { replace => { "begin_date_label.key" => "begin_date" @@ -123,7 +123,7 @@ filter { } } - if [end_date] != "" { + if [end_date] { mutate { replace => { "end_date_label.key" => "end_date" @@ -136,7 +136,7 @@ filter { } # -- principal (source of emails) -- - if [source_ip_address] != "" { + if [source_ip_address] { mutate { merge => { "event.idm.read_only_udm.principal.ip" => "source_ip_address" @@ -145,7 +145,7 @@ filter { } } - if [source_reverse_dns] != "" { + if [source_reverse_dns] { mutate { replace => { "event.idm.read_only_udm.principal.hostname" => "%{source_reverse_dns}" @@ -153,7 +153,7 @@ filter { } } - if [source_country] != "" { + if [source_country] { mutate { replace => { "event.idm.read_only_udm.principal.location.country_or_region" => "%{source_country}" @@ -161,7 +161,7 @@ filter { } } - if [source_base_domain] != "" { + if [source_base_domain] { mutate { replace => { "src_base_domain_label.key" => "source_base_domain" @@ -173,7 +173,7 @@ filter { } } - if [source_name] != "" { + if [source_name] { mutate { replace => { "src_name_label.key" => "source_name" @@ -185,7 +185,7 @@ filter { } } - if [source_type] != "" { + if [source_type] { mutate { replace => { "src_type_label.key" => "source_type" @@ -198,7 +198,7 @@ filter { } # -- email fields -- - if [header_from] != "" { + if [header_from] { mutate { replace => { "event.idm.read_only_udm.network.email.from" => "%{header_from}" @@ -206,7 +206,7 @@ filter { } } - if [envelope_from] != "" { + if [envelope_from] { mutate { replace => { "event.idm.read_only_udm.network.email.mail_from" => "%{envelope_from}" @@ -214,7 +214,7 @@ filter { } } - if [envelope_to] != "" { + if [envelope_to] { mutate { replace => { "event.idm.read_only_udm.network.email.to" => "%{envelope_to}" @@ -224,7 +224,7 @@ filter { } # -- target (domain being reported on) -- - if [domain] != "" { + if [domain] { mutate { replace => { "event.idm.read_only_udm.target.hostname" => "%{domain}" @@ -233,7 +233,7 @@ filter { } # -- message count -- - if [count] != "" { + if [count] { mutate { replace => { "count_label.key" => "count" @@ -288,14 +288,8 @@ filter { on_error => "desc_error" } - # DMARC aligned category + # DMARC aligned: passed authentication, not a policy violation if [dmarc_aligned] == "True" or [dmarc_aligned] == "true" { - mutate { - replace => { - "security_result_dmarc.category" => "SOFTWARE_MALICIOUS" - } - } - # Override: Passed DMARC = no policy violation mutate { replace => { "security_result_dmarc.category" => "NETWORK_CATEGORIZED_CONTENT" @@ -311,7 +305,7 @@ filter { } # -- DMARC policy fields -- - if [p] != "" { + if [p] { mutate { replace => { "p_label.key" => "dmarc_policy" @@ -323,7 +317,7 @@ filter { } } - if [sp] != "" { + if [sp] { mutate { replace => { "sp_label.key" => "dmarc_sub_policy" @@ -335,7 +329,7 @@ filter { } } - if [pct] != "" { + if [pct] { mutate { replace => { "pct_label.key" => "dmarc_pct" @@ -347,7 +341,7 @@ filter { } } - if [adkim] != "" { + if [adkim] { mutate { replace => { "adkim_label.key" => "dkim_alignment_mode" @@ -359,7 +353,7 @@ filter { } } - if [aspf] != "" { + if [aspf] { mutate { replace => { "aspf_label.key" => "spf_alignment_mode" @@ -372,7 +366,7 @@ filter { } # -- alignment detail fields -- - if [dmarc_aligned] != "" { + if [dmarc_aligned] { mutate { replace => { "dmarc_aligned_label.key" => "dmarc_aligned" @@ -384,7 +378,7 @@ filter { } } - if [spf_aligned] != "" { + if [spf_aligned] { mutate { replace => { "spf_aligned_label.key" => "spf_aligned" @@ -396,7 +390,7 @@ filter { } } - if [dkim_aligned] != "" { + if [dkim_aligned] { mutate { replace => { "dkim_aligned_label.key" => "dkim_aligned" @@ -408,7 +402,7 @@ filter { } } - if [disposition] != "" { + if [disposition] { mutate { replace => { "disposition_label.key" => "disposition" @@ -421,7 +415,7 @@ filter { } # -- DKIM auth detail fields -- - if [dkim_domains] != "" { + if [dkim_domains] { mutate { replace => { "dkim_domains_label.key" => "dkim_domains" @@ -433,7 +427,7 @@ filter { } } - if [dkim_selectors] != "" { + if [dkim_selectors] { mutate { replace => { "dkim_selectors_label.key" => "dkim_selectors" @@ -445,7 +439,7 @@ filter { } } - if [dkim_results] != "" { + if [dkim_results] { mutate { replace => { "dkim_results_label.key" => "dkim_results" @@ -458,7 +452,7 @@ filter { } # -- SPF auth detail fields -- - if [spf_domains] != "" { + if [spf_domains] { mutate { replace => { "spf_domains_label.key" => "spf_domains" @@ -470,7 +464,7 @@ filter { } } - if [spf_scopes] != "" { + if [spf_scopes] { mutate { replace => { "spf_scopes_label.key" => "spf_scopes" @@ -482,7 +476,7 @@ filter { } } - if [spf_results] != "" { + if [spf_results] { mutate { replace => { "spf_results_label.key" => "spf_results" @@ -495,7 +489,7 @@ filter { } # -- policy override fields -- - if [policy_override_reasons] != "" and [policy_override_reasons] != "none" { + if [policy_override_reasons] and [policy_override_reasons] != "none" { mutate { replace => { "override_label.key" => "policy_override_reasons" @@ -507,7 +501,7 @@ filter { } } - if [policy_override_comments] != "" and [policy_override_comments] != "none" { + if [policy_override_comments] and [policy_override_comments] != "none" { mutate { replace => { "override_comments_label.key" => "policy_override_comments" @@ -532,7 +526,7 @@ filter { } # -- metadata -- - if [message_id] != "" { + if [message_id] { mutate { replace => { "event.idm.read_only_udm.metadata.product_log_id" => "%{message_id}" @@ -541,7 +535,7 @@ filter { } # -- timestamps -- - if [arrival_date_utc] != "" { + if [arrival_date_utc] { date { match => ["arrival_date_utc", "yyyy-MM-dd HH:mm:ss"] on_error => "date_parse_error" @@ -549,7 +543,7 @@ filter { } # -- principal (source of the email) -- - if [source_ip_address] != "" { + if [source_ip_address] { mutate { merge => { "event.idm.read_only_udm.principal.ip" => "source_ip_address" @@ -558,7 +552,7 @@ filter { } } - if [source_reverse_dns] != "" { + if [source_reverse_dns] { mutate { replace => { "event.idm.read_only_udm.principal.hostname" => "%{source_reverse_dns}" @@ -566,7 +560,7 @@ filter { } } - if [source_country] != "" { + if [source_country] { mutate { replace => { "event.idm.read_only_udm.principal.location.country_or_region" => "%{source_country}" @@ -574,7 +568,7 @@ filter { } } - if [source_base_domain] != "" { + if [source_base_domain] { mutate { replace => { "fsrc_base_domain_label.key" => "source_base_domain" @@ -586,7 +580,7 @@ filter { } } - if [source_name] != "" { + if [source_name] { mutate { replace => { "fsrc_name_label.key" => "source_name" @@ -598,7 +592,7 @@ filter { } } - if [source_type] != "" { + if [source_type] { mutate { replace => { "fsrc_type_label.key" => "source_type" @@ -611,7 +605,7 @@ filter { } # -- email fields -- - if [original_mail_from] != "" { + if [original_mail_from] { mutate { replace => { "event.idm.read_only_udm.network.email.from" => "%{original_mail_from}" @@ -619,7 +613,7 @@ filter { } } - if [original_rcpt_to] != "" { + if [original_rcpt_to] { mutate { replace => { "event.idm.read_only_udm.network.email.to" => "%{original_rcpt_to}" @@ -628,7 +622,7 @@ filter { } } - if [subject] != "" { + if [subject] { mutate { replace => { "event.idm.read_only_udm.network.email.subject" => "%{subject}" @@ -637,7 +631,7 @@ filter { } # -- target (reported domain) -- - if [reported_domain] != "" { + if [reported_domain] { mutate { replace => { "event.idm.read_only_udm.target.hostname" => "%{reported_domain}" @@ -652,7 +646,7 @@ filter { } } - if [auth_failure] != "" { + if [auth_failure] { mutate { replace => { "security_result_forensic.description" => "auth_failure=%{auth_failure}" @@ -660,7 +654,7 @@ filter { } } - if [delivery_result] != "" { + if [delivery_result] { mutate { replace => { "delivery_result_label.key" => "delivery_result" @@ -710,7 +704,7 @@ filter { } # -- additional forensic fields -- - if [feedback_type] != "" { + if [feedback_type] { mutate { replace => { "feedback_type_label.key" => "feedback_type" @@ -722,7 +716,7 @@ filter { } } - if [user_agent] != "" { + if [user_agent] { mutate { replace => { "user_agent_label.key" => "user_agent" @@ -734,7 +728,7 @@ filter { } } - if [authentication_results] != "" { + if [authentication_results] { mutate { replace => { "auth_results_label.key" => "authentication_results" @@ -746,7 +740,7 @@ filter { } } - if [authentication_mechanisms] != "" { + if [authentication_mechanisms] { mutate { replace => { "auth_mechanisms_label.key" => "authentication_mechanisms" @@ -758,7 +752,7 @@ filter { } } - if [dkim_domain] != "" { + if [dkim_domain] { mutate { replace => { "f_dkim_domain_label.key" => "dkim_domain" @@ -770,7 +764,7 @@ filter { } } - if [auth_failure] != "" { + if [auth_failure] { mutate { replace => { "auth_failure_label.key" => "auth_failure" @@ -782,7 +776,7 @@ filter { } } - if [arrival_date] != "" { + if [arrival_date] { mutate { replace => { "arrival_date_label.key" => "arrival_date" @@ -807,7 +801,7 @@ filter { } # -- metadata -- - if [report_id] != "" { + if [report_id] { mutate { replace => { "event.idm.read_only_udm.metadata.product_log_id" => "%{report_id}" @@ -815,7 +809,7 @@ filter { } } - if [organization_name] != "" { + if [organization_name] { mutate { replace => { "tls_org_label.key" => "organization_name" @@ -828,7 +822,7 @@ filter { } # -- timestamps -- - if [begin_date] != "" { + if [begin_date] { mutate { replace => { "tls_begin_label.key" => "begin_date" @@ -840,7 +834,7 @@ filter { } } - if [end_date] != "" { + if [end_date] { mutate { replace => { "tls_end_label.key" => "end_date" @@ -853,7 +847,7 @@ filter { } # -- principal (sending MTA) -- - if [sending_mta_ip] != "" { + if [sending_mta_ip] { mutate { merge => { "event.idm.read_only_udm.principal.ip" => "sending_mta_ip" @@ -863,7 +857,7 @@ filter { } # -- target (receiving MTA) -- - if [receiving_ip] != "" { + if [receiving_ip] { mutate { merge => { "event.idm.read_only_udm.target.ip" => "receiving_ip" @@ -872,7 +866,7 @@ filter { } } - if [receiving_mx_hostname] != "" { + if [receiving_mx_hostname] { mutate { replace => { "event.idm.read_only_udm.target.hostname" => "%{receiving_mx_hostname}" @@ -881,7 +875,7 @@ filter { } # -- policy fields -- - if [policy_domain] != "" { + if [policy_domain] { mutate { replace => { "policy_domain_label.key" => "policy_domain" @@ -893,7 +887,7 @@ filter { } } - if [policy_type] != "" { + if [policy_type] { mutate { replace => { "policy_type_label.key" => "policy_type" @@ -905,7 +899,7 @@ filter { } } - if [policy_strings] != "" { + if [policy_strings] { mutate { replace => { "policy_strings_label.key" => "policy_strings" @@ -917,7 +911,7 @@ filter { } } - if [mx_host_patterns] != "" { + if [mx_host_patterns] { mutate { replace => { "mx_patterns_label.key" => "mx_host_patterns" @@ -930,7 +924,7 @@ filter { } # -- session counts -- - if [successful_session_count] != "" { + if [successful_session_count] { mutate { replace => { "success_count_label.key" => "successful_session_count" @@ -942,7 +936,7 @@ filter { } } - if [failed_session_count] != "" { + if [failed_session_count] { mutate { replace => { "failed_count_label.key" => "failed_session_count" @@ -955,7 +949,7 @@ filter { } # -- failure details -- - if [result_type] != "" { + if [result_type] { mutate { replace => { "result_type_label.key" => "result_type" @@ -967,7 +961,7 @@ filter { } } - if [receiving_mx_helo] != "" { + if [receiving_mx_helo] { mutate { replace => { "mx_helo_label.key" => "receiving_mx_helo" @@ -979,7 +973,7 @@ filter { } } - if [additional_info_uri] != "" { + if [additional_info_uri] { mutate { replace => { "info_uri_label.key" => "additional_info_uri" @@ -991,7 +985,7 @@ filter { } } - if [failure_reason_code] != "" { + if [failure_reason_code] { mutate { replace => { "failure_code_label.key" => "failure_reason_code" @@ -1010,7 +1004,7 @@ filter { } } - if [result_type] != "" { + if [result_type] { mutate { replace => { "security_result_tls.description" => "result_type=%{result_type}" @@ -1037,7 +1031,7 @@ filter { } } - if [report_type] != "" { + if [report_type] { mutate { replace => { "event.idm.read_only_udm.metadata.product_event_type" => "%{report_type}"