elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

[Mimecast] Mapping and illegal value issues mapping #4909

Open oliver-creed opened 1 year ago

oliver-creed commented 1 year ago

https://github.com/elastic/integrations/blob/f4cf25363df4f9f56cc55387ba7a17a633cb56f9/packages/mimecast/data_stream/siem_logs/fields/field.yml#L14 looks like this field should be an object.

Filebeat logs: {"type":"mapper_parsing_exception","reason":"failed to parse field [mimecast.SpamProcessingDetail] of type [keyword] in document with id 'fQJcXYUBhpIjhj4DILrT'. Preview of field's value: '{spf={allow=true, info=allow}}'","caused_by":{"type":"illegal_state_exception","reason":"Can't get text on a START_OBJECT at 1:1563"}}, dropping event!

Documentation reference: https://integrations.mimecast.com/documentation/tutorials/understanding-siem-logs/#:~:text=SpamProcessingDetail%3D%7B%22spf%22%3A%7B%22info%22%3A%22SPF_FAIL%22%2C%22allow%22%3Atrue%7D%2C%22dkim%22%3A%7B%22info%22%3A%22DKIM_UNKNOWN%22%2C%22allow%22%3Atrue%7D%7D

elasticmachine commented 1 year ago

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

oliver-creed commented 1 year ago

Found another one: failed to parse field [mimecast.credentialTheft] of type [keyword] in document with id 'doc_id'. Preview of field's value: '{CredentialTheftEvidence=[The website uses a valid certificate], CredentialTheftTags=[REDIRECTION, REMOTE_JAVASCRIPT, REMOTE_RESOURCES, VALID_CERTIFICATE]}'","caused_by":{"type":"illegal_state_exception","reason":"Can't get text on a START_OBJECT at 1:1573"}}, dropping event!
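Both of the `START_OBJECT` errors above (SpamProcessingDetail and credentialTheft) have the same cause: the package's fields.yml declares the field as `keyword`, so Elasticsearch rejects the document when the value is a JSON object, and Filebeat then drops the whole event. The fragment below is an added example, not the package's own fields.yml. The "before" document is the mapping that produces the error; the "after" document declares the structure shown in the Mimecast documentation link and in the two error previews, so every leaf gets a scalar type. The `dkim` subfields are assumed to mirror `spf`, and the types for `allow` (boolean) and `info` (keyword) are assumptions based on the documented values.

```yaml
# Added example (not the elastic/integrations package's fields.yml).
# Before: an object value such as {spf={allow=true, info=allow}} cannot be
# indexed into a keyword field, so the event is rejected and dropped.
- name: mimecast
  type: group
  fields:
    - name: SpamProcessingDetail
      type: keyword
    - name: credentialTheft
      type: keyword
---
# After: declare the nested structure so each leaf has a scalar type.
# Subfield names come from the documentation quoted in the issue;
# 'dkim' is assumed to have the same shape as 'spf'.
- name: mimecast
  type: group
  fields:
    - name: SpamProcessingDetail
      type: group
      fields:
        - name: spf
          type: group
          fields:
            - name: allow
              type: boolean   # assumed: documented value is true/false
            - name: info
              type: keyword   # assumed: values like SPF_FAIL, allow
        - name: dkim
          type: group
          fields:
            - name: allow
              type: boolean
            - name: info
              type: keyword
    - name: credentialTheft
      type: group
      fields:
        # Both members are arrays of strings in the error preview;
        # a keyword field accepts arrays without any extra declaration.
        - name: CredentialTheftEvidence
          type: keyword
        - name: CredentialTheftTags
          type: keyword
```

If the full set of subkeys Mimecast may emit is not known, `type: flattened` on `SpamProcessingDetail` is the defensive alternative: the whole object is stored and remains searchable by leaf value, and a new subkey in a future log format does not cause a mapping explosion or another parse failure. Either way, the mapping change only takes effect for new indices, so the data stream has to roll over after the package is upgraded.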

oliver-creed commented 1 year ago

for TTP logs "httpjson-mimecast.ttp_url_logs"

reason":"failed to parse field [source.ip] of type [ip] in document with id 'doc_id'. Preview of field's value: 'Mimecast IP'","caused_by":{"type":"illegal_argument_exception","reason":"'Mimecast IP' is not an IP string literal."}}, dropping event!
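The `source.ip` failure is a different class of problem from the two above: the mapping (`ip`) is correct, but Mimecast writes the literal string `Mimecast IP` when the connection comes from its own infrastructure, and an `ip` field cannot hold that. Because the rejection happens at index time, Filebeat drops the entire event rather than just the one field. The ingest pipeline fragment below is an added example, not the package's own pipeline. It assumes the raw Mimecast value has already been decoded into a field named `json.sourceIp` (an assumed name; the real package may place it elsewhere) and shows how to promote only genuine addresses into ECS `source.ip`, keep the placeholder in `source.address` so it is still searchable, and turn any other non-IP value into an `error.message` instead of a dropped event.

```yaml
# Added example (not the elastic/integrations package's pipeline).
# Assumes the raw value is in json.sourceIp (assumed field name).
description: Promote only real IP literals into ECS source.ip
processors:
  # Only rename when the raw value is present and is not the placeholder
  # 'Mimecast IP' that appears in the error quoted in the issue.
  - rename:
      field: json.sourceIp
      target_field: source.ip
      ignore_missing: true
      if: ctx.json?.sourceIp != null && ctx.json.sourceIp != 'Mimecast IP'
  # Keep the placeholder as a plain string so analysts can still filter on it.
  - set:
      field: source.address
      copy_from: json.sourceIp
      if: ctx.json?.sourceIp == 'Mimecast IP'
  # Any other non-IP string: fail inside the pipeline, where on_failure can
  # record the bad value and remove the field, instead of at index time
  # where the whole event would be rejected.
  - convert:
      field: source.ip
      type: ip
      ignore_missing: true
      on_failure:
        - append:
            field: error.message
            value: 'source.ip was not an IP literal: {{{source.ip}}}'
        - remove:
            field: source.ip
  - remove:
      field: json.sourceIp
      ignore_missing: true
```

The ordering inside `on_failure` matters: the `append` reads `source.ip` for the message, so it has to run before the `remove`. Events processed this way can be found afterwards with a query on `error.message`, which is a cheaper signal for "the vendor changed a value format" than silent drops in the Filebeat log.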

kcreddy commented 1 year ago

Hey @oliver-creed , for each of the above parsing issues, could you please share the log/event associated so that we can reproduce the error and work on the fix?

botelastic[bot] commented 5 months ago

Hi! We just realized that we haven't looked into this issue in a while. We're sorry! We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1:. Thank you for your contribution!