elastic · andrewkroh · May 12, 2020 · May 11, 2020
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -184,6 +184,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 
 *Winlogbeat*
 
+- Fix invalid IP addresses in DNS query results from Sysmon data. {issue}18432[18432] {pull}18436{18436}
 
 *Functionbeat*
 

@@ -16,6 +16,7 @@ var sysmon = (function () {
  var path = require("path");
  var processor = require("processor");
  var winlogbeat = require("winlogbeat");
+ var net = require("net");
 
  // Windows error codes for DNS. This list was generated using
  // 'go run gen_dns_error_codes.go'.
@@ -432,17 +433,19 @@ var sysmon = (function () {
  } else {
  // Convert V4MAPPED addresses.
  answer = answer.replace("::ffff:", "");
- ips.push(answer);
+ if (net.isIP(answer)) {
+ ips.push(answer);
 
- // Synthesize record type based on IP address type.
- var type = "A";
- if (answer.indexOf(":") !== -1) {
- type = "AAAA";
+ // Synthesize record type based on IP address type.
+ var type = "A";
+ if (answer.indexOf(":") !== -1) {
+ type = "AAAA";
+ }
+ answers.push({
+ type: type,
+ data: answer,
+ });
  }
- answers.push({
- type: type,
- data: answer,
- });
  }
  }
 

@@ -13341,10 +13341,6 @@
  {
  "data": "2001:502:7094::30",
  "type": "AAAA"
- },
- {
- "data": "192.5",
- "type": "A"
  }
  ],
  "question": {
@@ -13403,8 +13399,7 @@
  "192.43.172.30",
  "2001:503:39c1::30",
  "192.48.79.30",
- "2001:502:7094::30",
- "192.5"
+ "2001:502:7094::30"
  ]
  },
  "event": {