A SecOps-side custom parser (CBN) that maps parsedmarc's [syslog] JSON
events to the Unified Data Model. No library changes: parsedmarc already
emits structured JSON, so the DMARC->UDM mapping lives in the parser and a
downstream UDM schema change is a parser edit, not a parsedmarc release.
Covers all three report types:
- aggregate -> EMAIL_TRANSACTION
- failure -> EMAIL_TRANSACTION
- smtp_tls -> GENERIC_EVENT (noun from policy_domain, present on every row)
Built strictly against the official UDM and parser-syntax docs (cited
inline). Sets metadata.event_timestamp from the report window via date{},
maps disposition / auth-failure to security_result with valid action and
category enums (AUTH_VIOLATION on DMARC fail), uses real network.email
field names, and strips syslog framing before JSON parsing. Ships real
sample events generated from the project's sample reports for validation.
Not yet validated against a live SecOps tenant; caveats are documented in
the README.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
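As an added, stand-alone illustration of the mapping this commit describes (it is not the CBN parser itself and not parsedmarc's own code), the Python below models the same decisions: strip the syslog framing before JSON parsing, classify the row, set `metadata.event_timestamp` from the report window, and map disposition / auth-failure to a `security_result` with `ALLOW`/`QUARANTINE`/`BLOCK` actions and `AUTH_VIOLATION` on DMARC failure. The three sample lines are constructed. The parsedmarc key names (`begin_date`, `source_ip_address`, `disposition`, `dmarc_aligned`, `feedback_type`, `arrival_date_utc`, `policy_domain`, `policy_type`, session counts) follow parsedmarc's CSV-row dicts as recalled here and are assumptions to verify against the library; the UDM field and enum names are likewise assumptions to check against the UDM reference.

```python
"""Map parsedmarc [syslog] JSON events to a UDM-shaped dict (added example,
not the project's CBN parser). Key names are assumptions, see lead-in."""
import json
from datetime import datetime, timezone

# Constructed sample lines. The first carries a full syslog PRI/header/tag[pid]
# prefix and a trailing NUL (as Python's SysLogHandler appends); the others
# carry only the PRI, which is what a bare SysLogHandler emits.
SAMPLES = {
    "aggregate": (
        '<14>Mar  3 12:00:00 mx1 parsedmarc[4242]: {"report_id": "r1", '
        '"org_name": "example.net", "begin_date": "2024-03-01 00:00:00", '
        '"end_date": "2024-03-02 00:00:00", "source_ip_address": "203.0.113.5", '
        '"count": 3, "disposition": "quarantine", "spf_aligned": false, '
        '"dkim_aligned": false, "dmarc_aligned": false, '
        '"header_from": "example.com", "envelope_from": "example.com"}\x00'
    ),
    "failure": (
        '<14>{"feedback_type": "auth-failure", '
        '"arrival_date_utc": "2024-03-01 08:15:00", '
        '"source_ip_address": "198.51.100.7", '
        '"original_mail_from": "ceo@example.com", '
        '"original_rcpt_to": "cfo@example.com", "subject": "Urgent wire", '
        '"message_id": "<m1@mail.invalid>", "delivery_result": "reject", '
        '"auth_failure": ["dmarc"], "reported_domain": "example.com"}'
    ),
    "smtp_tls": (
        '<14>{"organization_name": "Example Inc.", '
        '"begin_date": "2024-03-01 00:00:00", "end_date": "2024-03-02 00:00:00", '
        '"report_id": "t1", "policy_domain": "example.com", "policy_type": "sts", '
        '"successful_session_count": 120, "failed_session_count": 2}'
    ),
}

# Assumed UDM SecurityResult.action enum values.
DISPOSITION_TO_ACTION = {"none": "ALLOW", "quarantine": "QUARANTINE", "reject": "BLOCK"}
DELIVERY_TO_ACTION = {"delivered": "ALLOW", "spam": "QUARANTINE", "reject": "BLOCK"}


def strip_syslog_framing(line: str) -> dict:
    """Discard everything before the first '{' (PRI, timestamp, host, tag[pid]:)
    and let raw_decode stop at the end of the object, so a trailing NUL or
    newline cannot break the parse."""
    start = line.find("{")
    if start < 0:
        raise ValueError("no JSON object in syslog line")
    obj, _ = json.JSONDecoder().raw_decode(line[start:])
    return obj


def detect_report_type(event: dict) -> str:
    """Assumed discriminators: aggregate rows carry a DMARC disposition,
    failure (forensic) rows a feedback_type, smtp_tls rows a policy_domain."""
    for key, kind in (("disposition", "aggregate"), ("feedback_type", "failure"),
                      ("policy_domain", "smtp_tls")):
        if key in event:
            return kind
    raise ValueError("unrecognised parsedmarc event")


def to_rfc3339(ts: str) -> str:
    """parsedmarc writes naive 'YYYY-MM-DD HH:MM:SS' strings; UTC is assumed."""
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return dt.isoformat().replace("+00:00", "Z")


def to_udm(line: str) -> dict:
    ev = strip_syslog_framing(line)
    kind = detect_report_type(ev)
    udm = {"metadata": {"product_name": "parsedmarc", "product_event_type": kind},
           "principal": {}, "target": {}, "network": {"email": {}},
           "security_result": [], "additional": {"fields": {}}}
    meta, fields = udm["metadata"], udm["additional"]["fields"]
    if kind == "aggregate":
        meta["event_type"] = "EMAIL_TRANSACTION"
        meta["event_timestamp"] = to_rfc3339(ev["begin_date"])
        udm["principal"]["ip"] = [ev["source_ip_address"]]
        # header_from is a domain: aggregate reports never carry addresses.
        udm["network"]["email"]["from"] = ev["header_from"]
        result = {"action": [DISPOSITION_TO_ACTION.get(ev["disposition"], "UNKNOWN_ACTION")],
                  "summary": f"DMARC disposition={ev['disposition']} count={ev['count']}"}
        if not ev.get("dmarc_aligned", True):
            result["category"] = ["AUTH_VIOLATION"]
        fields.update(report_id=ev["report_id"], org_name=ev["org_name"],
                      message_count=ev["count"], end_date=to_rfc3339(ev["end_date"]))
    elif kind == "failure":
        meta["event_type"] = "EMAIL_TRANSACTION"
        meta["event_timestamp"] = to_rfc3339(ev["arrival_date_utc"])
        udm["principal"]["ip"] = [ev["source_ip_address"]]
        udm["network"]["email"].update(
            {"from": ev["original_mail_from"], "to": [ev["original_rcpt_to"]],
             "subject": [ev["subject"]], "mail_id": ev["message_id"]})
        failed = ev.get("auth_failure", [])
        result = {"action": [DELIVERY_TO_ACTION.get(ev.get("delivery_result"), "UNKNOWN_ACTION")],
                  "summary": "DMARC failure report: " + ",".join(failed)}
        if "dmarc" in failed:
            result["category"] = ["AUTH_VIOLATION"]
    else:  # smtp_tls: no DMARC verdict, so GENERIC_EVENT with policy_domain as the noun
        meta["event_type"] = "GENERIC_EVENT"
        meta["event_timestamp"] = to_rfc3339(ev["begin_date"])
        udm["target"]["hostname"] = ev["policy_domain"]
        result = {"summary": f"SMTP TLS report policy={ev['policy_type']} "
                             f"ok={ev['successful_session_count']} "
                             f"failed={ev['failed_session_count']}"}
        fields.update(report_id=ev["report_id"], org_name=ev["organization_name"],
                      successful_session_count=ev["successful_session_count"],
                      failed_session_count=ev["failed_session_count"])
    udm["security_result"].append(result)
    return udm


if __name__ == "__main__":
    for sample in SAMPLES.values():
        print(json.dumps(to_udm(sample), indent=1))
```

The syslog strip is deliberately tolerant: whether the collector forwards a bare `<PRI>{...}` or a full RFC 3164 header, the parser finds the object by its first brace and stops at its last, which is the same robustness the CBN parser needs before its JSON filter runs.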