From e6e9369b1d1882c9ff93178e40dff9e4fe1f84b4 Mon Sep 17 00:00:00 2001
From: Sean Whalen <44679+seanthegeek@users.noreply.github.com>
Date: Thu, 4 Jun 2026 12:15:05 -0400
Subject: [PATCH] Tag drop{} statements per content-hub convention
Google's content-hub parsers tag dropped logs (drop { tag => "TAG_..." }) so they surface correctly in the unparsed-log views, rather than bare drop{}. Use TAG_MALFORMED_ENCODING for the two JSON-extraction/parse failures (matches content-hub) and TAG_UNSUPPORTED for valid JSON that matches no parsedmarc report shape.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 google_secops_parser/parsedmarc.conf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/google_secops_parser/parsedmarc.conf b/google_secops_parser/parsedmarc.conf
index ca5c13b..74624f7 100644
--- a/google_secops_parser/parsedmarc.conf
+++ b/google_secops_parser/parsedmarc.conf
@@ -177,7 +177,7 @@ filter {
 on_error => "no_json_payload"
 }
 if [no_json_payload] {
- drop {}
+ drop { tag => "TAG_MALFORMED_ENCODING" }
 }
 json {
@@ -185,7 +185,7 @@ filter {
 on_error => "not_json"
 }
 if [not_json] {
- drop {}
+ drop { tag => "TAG_MALFORMED_ENCODING" }
 }
 # ---------------------------------------------------------------------------
@@ -232,7 +232,7 @@ filter {
 # Not a parsedmarc record we recognize: drop rather than emit an invalid event.
 if [report_type] == "" {
- drop {}
+ drop { tag => "TAG_UNSUPPORTED" }
 }
 # ===========================================================================
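Review bot: The drops in the hunks at lines 177 and 185 now carry the same TAG_MALFORMED_ENCODING, so a line with no JSON payload and a payload that fails JSON parsing look identical in the unparsed-log views. If that is deliberate for content-hub parity, neither branch has a comment saying so. I would add `# No JSON payload found in the raw line; drop is tagged so it stays visible in unparsed-log views` above `if [no_json_payload]`, and `# Payload was extracted but is not valid JSON` above `if [not_json]`. The statements that set both error flags start outside these hunks, so what each `on_error` guards is inferred from the flag names.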
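Review bot: In the hunk at line 232, the comment above `if [report_type] == ""` still says only "drop rather than emit an invalid event" and does not mention the tag the drop now carries. This branch is where a new or renamed parsedmarc report shape would silently stop producing events. I would reword the comment to `# Valid JSON but no known parsedmarc report shape: drop with TAG_UNSUPPORTED so it shows up in unparsed-log views.` The check presumably depends on `report_type` being initialised to an empty string earlier in the filter, which is outside this hunk, so that is worth confirming.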