
Validate Source IP "LOCAL" or "Unknown" in Windows Security Logs #34252

Closed

Conversation

MakoWish
Contributor

@MakoWish MakoWish commented Jan 12, 2023

What does this PR do?

Some security events contain a source IP address of "LOCAL" or "Unknown" which are not valid IP addresses. This PR will correct the processing of events containing one of those values.

Why is it important?

This bug causes mapping exceptions and prevents these events from being ingested.

Checklist

  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Related issues

  • fixes #19627
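The validation the PR describes, as an added example in Go (not the PR's or the Beats project's own code): a placeholder such as "LOCAL" or "Unknown" never reaches the `ip`-typed `source.ip` field, which is what triggers the mapping exception, while the raw value is preserved for investigation. The flattened `Event` type and the `winlog.event_data.IpAddress` key layout are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Event is a constructed, flattened stand-in for a Beats event (assumption:
// dotted keys instead of nested maps, to keep the example short).
type Event map[string]string

// Placeholders Windows writes into IpAddress when no network address applies:
// the PR names "LOCAL" and "Unknown"; "-" is the generic empty-field marker.
var nonIPPlaceholders = map[string]bool{
	"local": true, "unknown": true, "-": true, "": true,
}

// normalizeSourceIP returns a canonical address and true when raw is a real
// IP, and ("", false) when it is a placeholder or otherwise unparsable.
func normalizeSourceIP(raw string) (string, bool) {
	s := strings.TrimSpace(raw)
	if nonIPPlaceholders[strings.ToLower(s)] {
		return "", false
	}
	ip := net.ParseIP(s)
	if ip == nil {
		return "", false
	}
	// String() collapses IPv4-mapped IPv6 ("::ffff:10.0.0.5") to "10.0.0.5".
	return ip.String(), true
}

// mapSourceIP sets source.ip only when the value will pass an ip field
// mapping; the raw IpAddress value is always kept so an analyst still sees it.
func mapSourceIP(evt Event) Event {
	out := make(Event, len(evt)+1)
	for k, v := range evt {
		out[k] = v
	}
	if ip, ok := normalizeSourceIP(evt["winlog.event_data.IpAddress"]); ok {
		out["source.ip"] = ip
	}
	return out
}

func main() {
	// Constructed sample values, not captured from a real host.
	for _, raw := range []string{"LOCAL", "Unknown", "-", "::1", "::ffff:10.0.0.5", "192.168.1.10"} {
		out := mapSourceIP(Event{"winlog.event_data.IpAddress": raw})
		fmt.Printf("%-18q -> source.ip=%q\n", raw, out["source.ip"])
	}
}
```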

@MakoWish MakoWish requested a review from a team as a code owner January 12, 2023 23:37
@cla-checker-service

cla-checker-service bot commented Jan 12, 2023

💚 CLA has been signed

@botelastic botelastic bot added the needs_team label Jan 12, 2023
@mergify
Contributor

mergify bot commented Jan 12, 2023

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @MakoWish? 🙏.
For such, you'll need to label your PR with:

  • The upcoming major version of the Elastic Stack
  • The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-v8./d.0 is the label to automatically backport to the 8./d branch. /d is the digit

@elasticmachine
Collaborator

elasticmachine commented Jan 12, 2023

❕ Build Aborted

The PR is not allowed to run in the CI yet


Build stats

  • Start Time: 2023-01-13T22:26:45.158+0000

  • Duration: 5 min 51 sec

Steps errors 2


Load a resource file from a library
  • Took 0 min 0 sec
  • Description: approval-list/elastic/beats.yml
Error signal
  • Took 0 min 0 sec
  • Description: githubApiCall: The REST API call https://api.github.com/orgs/elastic/members/MakoWish return the message : java.lang.Exception: httpRequest: Failure connecting to the service https://api.github.com/orgs/elastic/members/MakoWish : httpRequest: Failure connecting to the service https://api.github.com/orgs/elastic/members/MakoWish : Code: 404Error: {"message":"User does not exist or is not a member of the organization","documentation_url":"https://docs.github.com/rest/reference/orgs#check-organization-membership-for-a-user"}

🤖 GitHub comments


To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

  • /package : Generate the packages and run the E2E tests.

  • /beats-tester : Run the installation tests with beats-tester.

  • run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

@MakoWish MakoWish changed the title Fixes to source IP "LOCAL" or "Unknown" Validate Source IP "LOCAL" or "Unknown" in Windows Security Logs Jan 13, 2023
@elasticmachine
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@botelastic botelastic bot removed the needs_team label Jan 13, 2023
@MakoWish
Contributor Author

Can we backport this as a bug fix?

@efd6
Contributor

efd6 commented Jan 15, 2023

@MakoWish Please sign the CLA so that we can take a look at this.

@MakoWish
Contributor Author

> @MakoWish Please sign the CLA so that we can take a look at this.

Hi @efd6 , I have already done that.

@efd6
Contributor

efd6 commented Jan 16, 2023

Your GitHub handle is recognised as having signed the CLA but this PR does not appear to be signed. Would you please check that the email address in the commits that you authored matches the email address that you used when you signed the CLA; there are two identities in these commits and I suspect that the second may not be a CLA-known identity.

@MakoWish
Contributor Author

I signed the CLA with my personal email, but I would prefer not to use that on commits. The commits should be configured with the GH "no reply" account. Is there a way to add the "no reply" account "26614684+MakoWish@users.noreply.github.com" to the CLA?

@efd6
Contributor

efd6 commented Jan 16, 2023

Can you try resigning with that email address?

@MakoWish MakoWish requested review from a team as code owners January 16, 2023 22:31
@MakoWish MakoWish requested review from cmacknz, fearful-symmetry, tetianakravchenko and constanca-m and removed request for a team January 16, 2023 22:31
@mergify
Contributor

mergify bot commented Jan 16, 2023

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b main upstream/main
git merge upstream/main
git push upstream main

@MakoWish
Contributor Author

Having a hard time changing this one. Have any tips on how to do that?

@efd6
Contributor

efd6 commented Jan 16, 2023

Thanks for fixing the CLA signing. This has brought in many changes that are unrelated to the fix here; are you able to reduce it down to just the changes that you are needing to make please.

@MakoWish
Contributor Author

Wasn't sure how to remove the changes I inadvertently added, and accidentally removed everything. I will open a new PR with just the changes for the source IP issue.

Successfully merging this pull request may close these issues.

Winlogbeat Could not index event - "source.ip: 'LOCAL'" Not an IP String Literal