amorfo77/parsedmarc
1
0
Fork 0
mirror of https://github.com/domainaware/parsedmarc.git synced 2026-06-06 18:59:45 +00:00
Code Issues Projects Releases Wiki Activity
Files
ca274287130cf306f3f112dc83c98de799dd2b3f
parsedmarc/google_secops_parser/parsedmarc.conf
T
Sean Whalen ca27428713 Add Google SecOps (Chronicle) UDM parser for syslog output 
A SecOps-side custom parser (CBN) that maps parsedmarc's [syslog] JSON
events to the Unified Data Model. No library changes: parsedmarc already
emits structured JSON, so the DMARC->UDM mapping lives in the parser and a
downstream UDM schema change is a parser edit, not a parsedmarc release.

Covers all three report types:
- aggregate -> EMAIL_TRANSACTION
- failure   -> EMAIL_TRANSACTION
- smtp_tls  -> GENERIC_EVENT (noun from policy_domain, present on every row)

Built strictly against the official UDM and parser-syntax docs (cited
inline). Sets metadata.event_timestamp from the report window via date{},
maps disposition / auth-failure to security_result with valid action and
category enums (AUTH_VIOLATION on DMARC fail), uses real network.email
field names, and strips syslog framing before JSON parsing. Ships real
sample events generated from the project's sample reports for validation.

Not yet validated against a live SecOps tenant; caveats are documented in
the README.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-04 09:24:20 -04:00

774 lines
28 KiB
Plaintext
Raw Blame History

filter {
# ===========================================================================
# parsedmarc -> Google Security Operations (Chronicle) UDM parser
#
# Consumes the single-line JSON events that parsedmarc emits through its
# built-in [syslog] output and maps them to the Unified Data Model (UDM).
# No changes to parsedmarc are required: this is a SecOps-side custom parser
# (configuration-based normalizer / CBN).
#
# parsedmarc emits three flat JSON shapes, one object per syslog line, via the
# CSV-row serializers (parsed_aggregate/failure/smtp_tls_reports_to_csv_rows):
# * DMARC aggregate report record -> detected by "adkim"
# * DMARC failure report record -> detected by "feedback_type"
# * SMTP TLS report record -> detected by "policy_type"
#
# ---------------------------------------------------------------------------
# UDM facts this parser relies on (all from official Google documentation):
#
# * Output object & finalize: build fields under
# event.idm.read_only_udm.* and emit with
# mutate { merge => { "@output" => "event" } }
# https://cloud.google.com/chronicle/docs/event-processing/parser-syntax
# * Every event MUST set metadata.event_type (predefined enum) and
# metadata.event_timestamp; parsing fails if a required field is missing.
# A date{} filter with no target sets metadata.event_timestamp; if no
# date{} runs, event_timestamp defaults to ingest time.
# https://cloud.google.com/chronicle/docs/event-processing/parsing-overview
# * Every event MUST contain at least one noun
# (principal/target/src/intermediary/observer). principal must carry a
# machine or user detail and must NOT carry email.
# https://cloud.google.com/chronicle/docs/event-processing/udm-overview
# * EMAIL_TRANSACTION and GENERIC_EVENT are valid metadata.event_type values.
# GENERIC_EVENT only surfaces in raw-log / UDM search, not curated views.
# https://cloud.google.com/chronicle/docs/investigation/udm-search
# * security_result.action enum: UNKNOWN_ACTION, ALLOW, BLOCK,
# ALLOW_WITH_MODIFICATION, QUARANTINE, FAIL, CHALLENGE.
# security_result.category enum includes AUTH_VIOLATION
# ("Authentication failed"), POLICY_VIOLATION, MAIL_SPOOFING. There is no
# "passed" category, so we set a category only on failures.
# https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/SecurityResult
# * network.email fields: from, reply_to, to, cc, bcc, mail_id, subject.
# (There is no network.email.mail_from.)
# https://cloud.google.com/chronicle/docs/reference/udm-field-list
#
# ---------------------------------------------------------------------------
# Caveats (read before trusting output):
#
# 1. UNVALIDATED. This parser was written to the docs above but has not been
# run through the SecOps parser-validation tool against a live tenant.
# Validate with the sample events in README.md before production use.
# 2. BOOLEAN COERCION. parsedmarc emits *_aligned / testing /
# normalized_timespan / sample_headers_only as JSON booleans. This parser
# assumes the json{} filter exposes them as the strings "true"/"false"
# (the CBN convention) and compares them as such. Confirm in the
# validation tool that DMARC-fail records (dmarc_aligned=false) receive
# security_result.category = AUTH_VIOLATION.
# 3. AGGREGATE COUNT. A DMARC aggregate record summarizes "count" messages
# from one source IP, not a single message. Each becomes one
# EMAIL_TRANSACTION with "count" carried in additional.fields; there is no
# first-class per-message expansion (fanning out would be wrong).
# 4. ADDRESS FORMAT. Aggregate header_from is a bare domain (DMARC only
# reports the From domain). It is still mapped to network.email.from as
# the best-available sender identity; downstream consumers should expect a
# domain there for aggregate events, an address for failure events.
# ===========================================================================
# ---------------------------------------------------------------------------
# 1. Extract the JSON object from the (possibly syslog-framed) raw line.
# Python's SysLogHandler prepends a "<PRI>" priority (and a forwarder may
# add a timestamp/host/tag), so the JSON is not necessarily at column 0.
# Grab everything from the first "{" to the last "}".
# ---------------------------------------------------------------------------
mutate {
replace => {
"report_type" => ""
"event_type" => ""
}
}
grok {
match => {
"message" => ["^.*?(?P<payload>\\{.*\\})\\s*$"]
}
on_error => "no_json_payload"
}
if [no_json_payload] {
drop {}
}
json {
source => "payload"
on_error => "not_json"
}
if [not_json] {
drop {}
}
# ---------------------------------------------------------------------------
# 2. Detect the report type from a field unique to each shape.
# feedback_type / policy_type / adkim are always present and non-empty for
# their respective report types, so existence checks are reliable.
# ---------------------------------------------------------------------------
if [feedback_type] {
mutate { replace => { "report_type" => "failure" } }
} else if [policy_type] {
mutate { replace => { "report_type" => "smtp_tls" } }
} else if [adkim] {
mutate { replace => { "report_type" => "aggregate" } }
}
# Not a parsedmarc record we recognize: drop rather than emit an invalid event.
if [report_type] == "" {
drop {}
}
# ===========================================================================
# DMARC AGGREGATE -> EMAIL_TRANSACTION
# ===========================================================================
if [report_type] == "aggregate" {
mutate { replace => { "event_type" => "EMAIL_TRANSACTION" } }
if [report_id] {
mutate {
replace => {
"event.idm.read_only_udm.metadata.product_log_id" => "%{report_id}"
}
}
}
# -- event timestamp: start of the record's reporting interval (UTC). --
if [begin_date] {
date {
match => ["begin_date", "yyyy-MM-dd HH:mm:ss"]
timezone => "UTC"
on_error => "agg_date_error"
}
}
# -- principal: the sending source (machine details only). --
if [source_ip_address] {
mutate {
merge => { "event.idm.read_only_udm.principal.ip" => "source_ip_address" }
on_error => "agg_src_ip_error"
}
}
if [source_reverse_dns] {
mutate {
replace => {
"event.idm.read_only_udm.principal.hostname" => "%{source_reverse_dns}"
}
}
}
if [source_country] {
mutate {
replace => {
"event.idm.read_only_udm.principal.location.country_or_region" => "%{source_country}"
}
}
}
# -- target: the domain the report is about. --
if [domain] {
mutate {
replace => {
"event.idm.read_only_udm.target.hostname" => "%{domain}"
}
}
}
# -- email: aggregate only carries the From domain (see caveat 4). --
if [header_from] {
mutate {
replace => {
"event.idm.read_only_udm.network.email.from" => "%{header_from}"
}
}
}
# -- security_result: disposition -> action; failed alignment -> category. --
mutate { replace => { "sr.summary" => "DMARC aggregate report" } }
if [disposition] == "reject" {
mutate { replace => { "sr.action" => "BLOCK" } }
} else if [disposition] == "quarantine" {
mutate { replace => { "sr.action" => "QUARANTINE" } }
} else if [disposition] == "none" {
mutate { replace => { "sr.action" => "ALLOW" } }
} else {
mutate { replace => { "sr.action" => "UNKNOWN_ACTION" } }
}
# DMARC failed authentication alignment -> AUTH_VIOLATION (see caveat 2).
if [dmarc_aligned] == "false" {
mutate { replace => { "sr.category" => "AUTH_VIOLATION" } }
}
mutate {
replace => {
"sr.description" => "dmarc_aligned=%{dmarc_aligned} spf_aligned=%{spf_aligned} dkim_aligned=%{dkim_aligned} disposition=%{disposition}"
}
on_error => "agg_sr_desc_error"
}
mutate {
merge => { "event.idm.read_only_udm.security_result" => "sr" }
}
# -- additional.fields: DMARC dimensions a dashboard would filter on. --
if [org_name] {
mutate {
replace => { "f_org_name.key" => "org_name" "f_org_name.value.string_value" => "%{org_name}" }
merge => { "event.idm.read_only_udm.additional.fields" => "f_org_name" }
}
}
if [org_email] {
mutate {
replace => { "f_org_email.key" => "org_email" "f_org_email.value.string_value" => "%{org_email}" }
merge => { "event.idm.read_only_udm.additional.fields" => "f_org_email" }
}
}
if [begin_date] {
mutate {
replace => { "f_begin.key" => "begin_date" "f_begin.value.string_value" => "%{begin_date}" }
merge => { "event.idm.read_only_udm.additional.fields" => "f_begin" }
}
}
if [end_date] {
mutate {
replace => { "f_end.key" => "end_date" "f_end.value.string_value" => "%{end_date}" }
merge => { "event.idm.read_only_udm.additional.fields" => "f_end" }
}
}
if [count] {
mutate {
replace => { "f_count.key" => "count" "f_count.value.string_value" => "%{count}" }
merge => { "event.idm.read_only_udm.additional.fields" => "f_count" }
}
}
if [p] {
mutate {
replace => { "f_p.key" => "dmarc_policy" "f_p.value.string_value" => "%{p}" }
merge => { "event.idm.read_only_udm.additional.fields" => "f_p" }
}
}
if [sp] {
mutate {
replace => { "f_sp.key" => "dmarc_subdomain_policy" "f_sp.value.string_value" => "%{sp}" }
merge => { "event.idm.read_only_udm.additional.fields" => "f_sp" }
}
}
if [np] {
mutate {
replace => { "f_np.key" => "dmarc_np_policy" "f_np.value.string_value" => "%{np}" }
merge => { "event.idm.read_only_udm.additional.fields" => "f_np" }
}
}
if [pct] {
mutate {
replace => { "f_pct.key" => "dmarc_pct" "f_pct.value.string_value" => "%{pct}" }
merge => { "event.idm.read_only_udm.additional.fields" => "f_pct" }
}
}
if [fo] {
mutate {
replace => { "f_fo.key" => "dmarc_fo" "f_fo.value.string_value" => "%{fo}" }
merge => { "event.idm.read_only_udm.additional.fields" => "f_fo" }
}
}
if [adkim] {
mutate {
replace => { "f_adkim.key" => "dkim_alignment_mode" "f_adkim.value.string_value" => "%{adkim}" }
merge => { "event.idm.read_only_udm.additional.fields" => "f_adkim" }
}
}
if [aspf] {
mutate {
replace => { "f_aspf.key" => "spf_alignment_mode" "f_aspf.value.string_value" => "%{aspf}" }
merge => { "event.idm.read_only_udm.additional.fields" => "f_aspf" }
}
}
if [testing] == "true" or [testing] == "false" {
mutate {
replace => { "f_testing.key" => "dmarc_testing" "f_testing.value.string_value" => "%{testing}" }
merge => { "event.idm.read_only_udm.additional.fields" => "f_testing" }
}
}
if [discovery_method] {
mutate {
replace => { "f_disc.key" => "discovery_method" "f_disc.value.string_value" => "%{discovery_method}" }
merge => { "event.idm.read_only_udm.additional.fields" => "f_disc" }
}
}
if [normalized_timespan] == "true" or [normalized_timespan] == "false" {
mutate {
replace => { "f_norm.key" => "normalized_timespan" "f_norm.value.string_value" => "%{normalized_timespan}" }
merge => { "event.idm.read_only_udm.additional.fields" => "f_norm" }
}
}
# Alignment outcomes (security-relevant; emit for both true and false).
if [dmarc_aligned] == "true" or [dmarc_aligned] == "false" {
mutate {
replace => { "f_dmarc.key" => "dmarc_aligned" "f_dmarc.value.string_value" => "%{dmarc_aligned}" }
merge => { "event.idm.read_only_udm.additional.fields" => "f_dmarc" }
}
}
if [spf_aligned] == "true" or [spf_aligned] == "false" {
mutate {
replace => { "f_spfa.key" => "spf_aligned" "f_spfa.value.string_value" => "%{spf_aligned}" }
merge => { "event.idm.read_only_udm.additional.fields" => "f_spfa" }
}
}
if [dkim_aligned] == "true" or [dkim_aligned] == "false" {
mutate {
replace => { "f_dkima.key" => "dkim_aligned" "f_dkima.value.string_value" => "%{dkim_aligned}" }
merge => { "event.idm.read_only_udm.additional.fields" => "f_dkima" }
}
}
if [disposition] {
mutate {
replace => { "f_disp.key" => "disposition" "f_disp.value.string_value" => "%{disposition}" }
merge => { "event.idm.read_only_udm.additional.fields" => "f_disp" }
}
}
# DKIM / SPF auth detail (comma-joined by parsedmarc).
if [dkim_domains] {
mutate {
replace => { "f_dkd.key" => "dkim_domains" "f_dkd.value.string_value" => "%{dkim_domains}" }
merge => { "event.idm.read_only_udm.additional.fields" => "f_dkd" }
}
}
if [dkim_selectors] {
mutate {
replace => { "f_dks.key" => "dkim_selectors" "f_dks.value.string_value" => "%{dkim_selectors}" }
merge => { "event.idm.read_only_udm.additional.fields" => "f_dks" }
}
}
if [dkim_results] {
mutate {
replace => { "f_dkr.key" => "dkim_results" "f_dkr.value.string_value" => "%{dkim_results}" }
merge => { "event.idm.read_only_udm.additional.fields" => "f_dkr" }
}
}
if [spf_domains] {
mutate {
replace => { "f_spd.key" => "spf_domains" "f_spd.value.string_value" => "%{spf_domains}" }
merge => { "event.idm.read_only_udm.additional.fields" => "f_spd" }
}
}
if [spf_scopes] {
mutate {
replace => { "f_sps.key" => "spf_scopes" "f_sps.value.string_value" => "%{spf_scopes}" }
merge => { "event.idm.read_only_udm.additional.fields" => "f_sps" }
}
}
if [spf_results] {
mutate {
replace => { "f_spr.key" => "spf_results" "f_spr.value.string_value" => "%{spf_results}" }
merge => { "event.idm.read_only_udm.additional.fields" => "f_spr" }
}
}
# Policy overrides (parsedmarc writes the literal "none" when there are none).
if [policy_override_reasons] and [policy_override_reasons] != "none" {
mutate {
replace => { "f_por.key" => "policy_override_reasons" "f_por.value.string_value" => "%{policy_override_reasons}" }
merge => { "event.idm.read_only_udm.additional.fields" => "f_por" }
}
}
if [policy_override_comments] and [policy_override_comments] != "none" {
mutate {
replace => { "f_poc.key" => "policy_override_comments" "f_poc.value.string_value" => "%{policy_override_comments}" }
merge => { "event.idm.read_only_udm.additional.fields" => "f_poc" }
}
}
# Source enrichment from parsedmarc's reverse-DNS / MMDB maps.
if [source_base_domain] {
mutate {
replace => { "f_sbd.key" => "source_base_domain" "f_sbd.value.string_value" => "%{source_base_domain}" }
merge => { "event.idm.read_only_udm.additional.fields" => "f_sbd" }
}
}
if [source_name] {
mutate {
replace => { "f_sn.key" => "source_name" "f_sn.value.string_value" => "%{source_name}" }
merge => { "event.idm.read_only_udm.additional.fields" => "f_sn" }
}
}
if [source_type] {
mutate {
replace => { "f_st.key" => "source_type" "f_st.value.string_value" => "%{source_type}" }
merge => { "event.idm.read_only_udm.additional.fields" => "f_st" }
}
}
if [source_asn] {
mutate {
replace => { "f_asn.key" => "source_asn" "f_asn.value.string_value" => "%{source_asn}" }
merge => { "event.idm.read_only_udm.additional.fields" => "f_asn" }
}
}
if [source_as_name] {
mutate {
replace => { "f_asnm.key" => "source_as_name" "f_asnm.value.string_value" => "%{source_as_name}" }
merge => { "event.idm.read_only_udm.additional.fields" => "f_asnm" }
}
}
if [source_as_domain] {
mutate {
replace => { "f_asd.key" => "source_as_domain" "f_asd.value.string_value" => "%{source_as_domain}" }
merge => { "event.idm.read_only_udm.additional.fields" => "f_asd" }
}
}
# Envelope identifiers (usually empty in aggregate reports).
if [envelope_from] {
mutate {
replace => { "f_ef.key" => "envelope_from" "f_ef.value.string_value" => "%{envelope_from}" }
merge => { "event.idm.read_only_udm.additional.fields" => "f_ef" }
}
}
if [envelope_to] {
mutate {
replace => { "f_et.key" => "envelope_to" "f_et.value.string_value" => "%{envelope_to}" }
merge => { "event.idm.read_only_udm.additional.fields" => "f_et" }
}
}
}
# ===========================================================================
# DMARC FAILURE -> EMAIL_TRANSACTION
# ===========================================================================
if [report_type] == "failure" {
mutate { replace => { "event_type" => "EMAIL_TRANSACTION" } }
if [message_id] {
mutate {
replace => {
"event.idm.read_only_udm.metadata.product_log_id" => "%{message_id}"
}
}
}
# -- event timestamp: message arrival time (UTC). --
if [arrival_date_utc] {
date {
match => ["arrival_date_utc", "yyyy-MM-dd HH:mm:ss"]
timezone => "UTC"
on_error => "fail_date_error"
}
}
# -- principal: the sending source. --
if [source_ip_address] {
mutate {
merge => { "event.idm.read_only_udm.principal.ip" => "source_ip_address" }
on_error => "fail_src_ip_error"
}
}
if [source_reverse_dns] {
mutate {
replace => {
"event.idm.read_only_udm.principal.hostname" => "%{source_reverse_dns}"
}
}
}
if [source_country] {
mutate {
replace => {
"event.idm.read_only_udm.principal.location.country_or_region" => "%{source_country}"
}
}
}
# -- target: the reported (claimed) domain. --
if [reported_domain] {
mutate {
replace => {
"event.idm.read_only_udm.target.hostname" => "%{reported_domain}"
}
}
}
# -- email: failure reports carry full addresses + subject. --
if [original_mail_from] {
mutate {
replace => {
"event.idm.read_only_udm.network.email.from" => "%{original_mail_from}"
}
}
}
if [original_rcpt_to] {
mutate {
replace => {
"event.idm.read_only_udm.network.email.to" => "%{original_rcpt_to}"
}
on_error => "fail_rcpt_error"
}
}
if [subject] {
mutate {
replace => {
"event.idm.read_only_udm.network.email.subject" => "%{subject}"
}
}
}
if [message_id] {
mutate {
replace => {
"event.idm.read_only_udm.network.email.mail_id" => "%{message_id}"
}
}
}
# -- security_result: a failure report is an authentication failure. --
mutate {
replace => {
"srf.summary" => "DMARC failure report"
"srf.category" => "AUTH_VIOLATION"
}
}
if [delivery_result] == "reject" {
mutate { replace => { "srf.action" => "BLOCK" } }
} else if [delivery_result] == "quarantine" {
mutate { replace => { "srf.action" => "QUARANTINE" } }
} else if [delivery_result] == "delivered" {
mutate { replace => { "srf.action" => "ALLOW" } }
} else {
mutate { replace => { "srf.action" => "UNKNOWN_ACTION" } }
}
if [auth_failure] {
mutate {
replace => {
"srf.description" => "auth_failure=%{auth_failure} delivery_result=%{delivery_result}"
}
on_error => "fail_sr_desc_error"
}
}
mutate {
merge => { "event.idm.read_only_udm.security_result" => "srf" }
}
# -- additional.fields. --
if [feedback_type] {
mutate {
replace => { "g_fb.key" => "feedback_type" "g_fb.value.string_value" => "%{feedback_type}" }
merge => { "event.idm.read_only_udm.additional.fields" => "g_fb" }
}
}
if [auth_failure] {
mutate {
replace => { "g_af.key" => "auth_failure" "g_af.value.string_value" => "%{auth_failure}" }
merge => { "event.idm.read_only_udm.additional.fields" => "g_af" }
}
}
if [delivery_result] {
mutate {
replace => { "g_dr.key" => "delivery_result" "g_dr.value.string_value" => "%{delivery_result}" }
merge => { "event.idm.read_only_udm.additional.fields" => "g_dr" }
}
}
if [authentication_results] {
mutate {
replace => { "g_ar.key" => "authentication_results" "g_ar.value.string_value" => "%{authentication_results}" }
merge => { "event.idm.read_only_udm.additional.fields" => "g_ar" }
}
}
if [authentication_mechanisms] {
mutate {
replace => { "g_am.key" => "authentication_mechanisms" "g_am.value.string_value" => "%{authentication_mechanisms}" }
merge => { "event.idm.read_only_udm.additional.fields" => "g_am" }
}
}
if [user_agent] {
mutate {
replace => { "g_ua.key" => "user_agent" "g_ua.value.string_value" => "%{user_agent}" }
merge => { "event.idm.read_only_udm.additional.fields" => "g_ua" }
}
}
if [dkim_domain] {
mutate {
replace => { "g_dd.key" => "dkim_domain" "g_dd.value.string_value" => "%{dkim_domain}" }
merge => { "event.idm.read_only_udm.additional.fields" => "g_dd" }
}
}
if [arrival_date] {
mutate {
replace => { "g_ad.key" => "arrival_date" "g_ad.value.string_value" => "%{arrival_date}" }
merge => { "event.idm.read_only_udm.additional.fields" => "g_ad" }
}
}
}
# ===========================================================================
# SMTP TLS -> GENERIC_EVENT
# No per-message semantics; modeled as a generic event whose noun is the
# reported policy domain (target.hostname), which is always present. Per the
# docs, GENERIC_EVENT only appears in raw-log / UDM search, not curated views.
# ===========================================================================
if [report_type] == "smtp_tls" {
mutate { replace => { "event_type" => "GENERIC_EVENT" } }
if [report_id] {
mutate {
replace => {
"event.idm.read_only_udm.metadata.product_log_id" => "%{report_id}"
}
}
}
# -- event timestamp: start of the report window. SMTP TLS uses ISO 8601
# with a trailing Z (e.g. 2025-12-07T19:00:00Z), unlike the other types. --
if [begin_date] {
date {
match => ["begin_date", "yyyy-MM-dd'T'HH:mm:ss'Z'"]
timezone => "UTC"
on_error => "tls_date_error"
}
}
# -- target: the reported policy domain (always present -> the noun). --
if [policy_domain] {
mutate {
replace => {
"event.idm.read_only_udm.target.hostname" => "%{policy_domain}"
}
}
}
# receiving MTA IP, when a per-session failure row carries it.
if [receiving_ip] {
mutate {
merge => { "event.idm.read_only_udm.target.ip" => "receiving_ip" }
on_error => "tls_rcv_ip_error"
}
}
# sending MTA IP, when present, is the principal.
if [sending_mta_ip] {
mutate {
merge => { "event.idm.read_only_udm.principal.ip" => "sending_mta_ip" }
on_error => "tls_snd_ip_error"
}
}
# -- security_result only on failures (result_type present). --
if [result_type] {
mutate {
replace => {
"srt.summary" => "SMTP TLS report failure"
"srt.category" => "POLICY_VIOLATION"
"srt.action" => "FAIL"
"srt.description" => "result_type=%{result_type}"
}
on_error => "tls_sr_error"
}
mutate {
merge => { "event.idm.read_only_udm.security_result" => "srt" }
}
}
# -- additional.fields. --
if [organization_name] {
mutate {
replace => { "t_org.key" => "organization_name" "t_org.value.string_value" => "%{organization_name}" }
merge => { "event.idm.read_only_udm.additional.fields" => "t_org" }
}
}
if [begin_date] {
mutate {
replace => { "t_begin.key" => "begin_date" "t_begin.value.string_value" => "%{begin_date}" }
merge => { "event.idm.read_only_udm.additional.fields" => "t_begin" }
}
}
if [end_date] {
mutate {
replace => { "t_end.key" => "end_date" "t_end.value.string_value" => "%{end_date}" }
merge => { "event.idm.read_only_udm.additional.fields" => "t_end" }
}
}
if [policy_domain] {
mutate {
replace => { "t_pd.key" => "policy_domain" "t_pd.value.string_value" => "%{policy_domain}" }
merge => { "event.idm.read_only_udm.additional.fields" => "t_pd" }
}
}
if [policy_type] {
mutate {
replace => { "t_pt.key" => "policy_type" "t_pt.value.string_value" => "%{policy_type}" }
merge => { "event.idm.read_only_udm.additional.fields" => "t_pt" }
}
}
if [policy_strings] {
mutate {
replace => { "t_ps.key" => "policy_strings" "t_ps.value.string_value" => "%{policy_strings}" }
merge => { "event.idm.read_only_udm.additional.fields" => "t_ps" }
}
}
if [mx_host_patterns] {
mutate {
replace => { "t_mx.key" => "mx_host_patterns" "t_mx.value.string_value" => "%{mx_host_patterns}" }
merge => { "event.idm.read_only_udm.additional.fields" => "t_mx" }
}
}
if [successful_session_count] {
mutate {
replace => { "t_ssc.key" => "successful_session_count" "t_ssc.value.string_value" => "%{successful_session_count}" }
merge => { "event.idm.read_only_udm.additional.fields" => "t_ssc" }
}
}
if [failed_session_count] {
mutate {
replace => { "t_fsc.key" => "failed_session_count" "t_fsc.value.string_value" => "%{failed_session_count}" }
merge => { "event.idm.read_only_udm.additional.fields" => "t_fsc" }
}
}
if [result_type] {
mutate {
replace => { "t_rt.key" => "result_type" "t_rt.value.string_value" => "%{result_type}" }
merge => { "event.idm.read_only_udm.additional.fields" => "t_rt" }
}
}
if [failure_reason_code] {
mutate {
replace => { "t_frc.key" => "failure_reason_code" "t_frc.value.string_value" => "%{failure_reason_code}" }
merge => { "event.idm.read_only_udm.additional.fields" => "t_frc" }
}
}
if [receiving_mx_hostname] {
mutate {
replace => { "t_rmh.key" => "receiving_mx_hostname" "t_rmh.value.string_value" => "%{receiving_mx_hostname}" }
merge => { "event.idm.read_only_udm.additional.fields" => "t_rmh" }
}
}
if [receiving_mx_helo] {
mutate {
replace => { "t_rmhelo.key" => "receiving_mx_helo" "t_rmhelo.value.string_value" => "%{receiving_mx_helo}" }
merge => { "event.idm.read_only_udm.additional.fields" => "t_rmhelo" }
}
}
if [additional_info_uri] {
mutate {
replace => { "t_aiu.key" => "additional_info_uri" "t_aiu.value.string_value" => "%{additional_info_uri}" }
merge => { "event.idm.read_only_udm.additional.fields" => "t_aiu" }
}
}
}
# ===========================================================================
# 3. Common metadata + finalize.
# ===========================================================================
mutate {
replace => {
"event.idm.read_only_udm.metadata.event_type" => "%{event_type}"
"event.idm.read_only_udm.metadata.vendor_name" => "parsedmarc"
"event.idm.read_only_udm.metadata.product_name" => "parsedmarc"
}
}
if [report_type] {
mutate {
replace => {
"event.idm.read_only_udm.metadata.product_event_type" => "%{report_type}"
}
}
}
mutate {
merge => { "@output" => "event" }
}
}
Reference in New Issue View Git Blame Copy Permalink