Validate Source IP "LOCAL" or "Unknown" in Windows Security Logs

[MakoWish]

What does this PR do?

Some security events contain a source IP address of "LOCAL" or "Unknown" which are not valid IP addresses. This PR will correct the processing of events containing one of those values.

Why is it important?

This bug causes mapping exceptions and prevents these events from being ingested.

Checklist

• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Related issues

-fixes #34263

[mergify]

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @MakoWish? 🙏.
For such, you'll need to label your PR with:

• The upcoming major version of the Elastic Stack
• The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-v8./d.0 is the label to automatically backport to the 8./d branch. /d is the digit

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2023-01-19T00:54:51.954+0000

• Duration: 39 min 51 sec

Test stats 🧪

Test	Results
Failed	0
Passed	336
Skipped	0
Total	336

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[efd6]

/test

[efd6]

Thanks.

Are you able to provide events to exercise this in tests?

[MakoWish]

I unfortunately cannot provide EVTX files for this one, as the only record of this happening so far is from servers, and I do not have access to log into those servers. Since I have already made the changes to our Ingest Pipeline, I could provide the JSON of some of these documents in Elasticsearch for these events.

[MakoWish]

Scratch that. I was able to find a client with some of these. As with the other PR, these events do contain sensitive information. Please let me know how/where I can send them to you, and I will do that.

[MakoWish]

Attaching five scrubbed events of each where the source IP is either "LOCAL" or "Unknown".
source_ip_invalid.zip

[MakoWish]

Can we back-port this?

[efd6]

I've added the tests temporarily in the collection testdata. I want to flesh this out with a way to just drop XML files into inputs, but this is a bigger change, so I will do that separately.

[efd6]

/test

[efd6]

/test

[efd6]

Thanks