diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 2e4ef175643..d189637976d 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -186,6 +186,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d *Winlogbeat* +- Fix invalid IP addresses in DNS query results from Sysmon data. {issue}18432[18432] {pull}18436{18436} *Functionbeat* diff --git a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js index d9d454ec1fe..8eea4b8a558 100644 --- a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js +++ b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js @@ -16,6 +16,7 @@ var sysmon = (function () { var path = require("path"); var processor = require("processor"); var winlogbeat = require("winlogbeat"); + var net = require("net"); // Windows error codes for DNS. This list was generated using // 'go run gen_dns_error_codes.go'. @@ -432,17 +433,19 @@ var sysmon = (function () { } else { // Convert V4MAPPED addresses. answer = answer.replace("::ffff:", ""); - ips.push(answer); + if (net.isIP(answer)) { + ips.push(answer); - // Synthesize record type based on IP address type. - var type = "A"; - if (answer.indexOf(":") !== -1) { - type = "AAAA"; + // Synthesize record type based on IP address type. + var type = "A"; + if (answer.indexOf(":") !== -1) { + type = "AAAA"; + } + answers.push({ + type: type, + data: answer, + }); } - answers.push({ - type: type, - data: answer, - }); } } diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-10.2-dns.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-10.2-dns.evtx.golden.json index 52fc0fe7f22..ecf9e1b7987 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-10.2-dns.evtx.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-10.2-dns.evtx.golden.json 
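Review bot: In the new `else` branch of the second winlogbeat-sysmon.js hunk, `answer.replace("::ffff:", "")` is not anchored to the start of the string, so once the new `net.isIP(answer)` guard is in place a valid non-mapped IPv6 answer that merely contains `::ffff:` further in (an IPv4-embedded form such as `64:ff9b::ffff:1.2.3.4`) is mangled by the replace and then silently dropped instead of being recorded as an AAAA; only a leading `::ffff:` marks a V4MAPPED address, so strip it as a prefix: `if (answer.indexOf("::ffff:") === 0) { answer = answer.substring(7); }`. Because the guard now discards anything `net.isIP` rejects without leaving a trace, the comment should say so, e.g. `// Sysmon may truncate QueryResults (e.g. "192.5"); skip fragments that are not valid IPs.`, and if the raw QueryResults field is not already kept elsewhere on the event it is worth deciding whether the dropped fragment should be surfaced rather than lost. If this `net` module mirrors Node's `net.isIP` and returns 4 or 6, the synthesized record type can be taken from that return value instead of re-scanning the string with `indexOf(":")`. The enclosing function and the loop this `else` belongs to begin before the hunk.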
@@ -13341,10 +13341,6 @@ { "data": "2001:502:7094::30", "type": "AAAA" - }, - { - "data": "192.5", - "type": "A" } ], "question": { @@ -13403,8 +13399,7 @@ "192.43.172.30", "2001:503:39c1::30", "192.48.79.30", - "2001:502:7094::30", - "192.5" + "2001:502:7094::30" ] }, "event": {