Mark IP Value with an external list

Translate allows you to perform a lookup against a dictionary based on the contents of a field, e.g. clientip, and populate a different field with the result, which could be SECURE or MALICIOUS as in your example. You could combine this with a conditional (the field containing the result of the lookup is not set) and use a mutate filter to then set it to MALICIOUS, which would be the default value. This should do what your Ruby filter does but avoid loading the file once for every event.
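
The approach described in this answer, written out as a Logstash pipeline fragment. This is an added example, not part of the original post: the target field name `ip_status`, the dictionary path and the sample dictionary entries are assumptions, while `clientip`, SECURE and MALICIOUS come from the thread.

```logstash
# Constructed sample dictionary, saved as /etc/logstash/ip_list.yml (hypothetical path).
# One entry per known-good address:
#
#   "192.0.2.10": "SECURE"
#   "198.51.100.7": "SECURE"
#
# translate matches the whole field value against the dictionary keys by default,
# so each address must be listed individually; CIDR ranges are not expanded.

filter {
  translate {
    # Field holding the IP to look up (older plugin versions name this option "field").
    source           => "clientip"
    # Field that receives the dictionary value (older versions: "destination").
    # "ip_status" is a hypothetical name chosen for this example.
    target           => "ip_status"
    dictionary_path  => "/etc/logstash/ip_list.yml"
    # The file is loaded by the plugin and re-read on this interval (seconds),
    # not once per event as with a Ruby filter that opens the file itself.
    refresh_interval => 300
  }

  # No dictionary hit: the target field was never set, so apply the default.
  if ![ip_status] {
    mutate {
      add_field => { "ip_status" => "MALICIOUS" }
    }
  }
}
```

The translate filter also has a `fallback` option that sets the target when no key matches, which can replace the conditional and mutate block. Events that have no `clientip` field at all also end up marked MALICIOUS with this layout, so wrap the block in `if [clientip] { ... }` if that is not what you want.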