elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

M365 Defender Geo IP failing when IP is "-" #9047

Closed jvalente-salemstate closed 5 months ago

jvalente-salemstate commented 5 months ago

Changes to how the Geo IP plugin is used were made in #8891 and generally work well. However, when the value for the source IP is not set, M365 Defender is sometimes setting it to "-" rather than blank as in other fields.

This means any time these events are processed:

Within the document:

"ignored_field_values": { "source.ip": [ "-" ], "m365_defender.event.remote.ip": [ "-" ] }

This value is being captured directly from the event hub; a conditional check that validates it and does not set the field to invalid values is needed.

KQL showing that RemoteIP is not blank, but the string "-":

DeviceLogonEvents | where AccountName contains '...REDACTED...' | sort by Timestamp desc | project Timestamp, ActionType, RemoteIP | limit 5

Timestamp                      ActionType      RemoteIP
2024-02-02T16:19:24.7480265Z   LogonAttempted  -
2024-02-02T16:15:52.8838833Z   LogonAttempted  -
2024-02-02T16:08:23.4486447Z   LogonAttempted  -
2024-02-02T16:05:44.9170888Z   LogonAttempted  -
2024-02-02T16:01:24.8801198Z   LogonAttempted  -

Oddly, this isn't consistent within the table. The above is from an event initiated by Firefox, while lsass.exe is correctly returning no value.

I'm using Elastic Agent 8.12.0 with the M365 Defender Integration v2.6.2
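The check described in the report above, as an added example that is not part of the issue or of the integration's own pipeline: treat the "-" placeholder (and an empty string) as "unset", validate anything else as an IPv4/IPv6 address, and only then populate source.ip and m365_defender.event.remote.ip and allow the geo step to run. The sample rows, the field layout and the geo_lookup callable are constructed for the demo; only the "-" behaviour and the field names come from the issue.

```python
import ipaddress

# Values M365 Defender emits when RemoteIP is unset. "-" is the placeholder
# reported in this issue, "" is the genuinely empty case (lsass.exe events).
# Assumption: these are the only two placeholders seen so far; extend as needed.
UNSET_MARKERS = {"", "-"}


def normalize_ip(raw):
    """Return a canonical IP string, or None when the value is a placeholder
    or not a parseable IPv4/IPv6 address. This is the conditional check the
    pipeline needs before copying RemoteIP into an ip-typed field."""
    if raw is None:
        return None
    value = raw.strip()
    if value in UNSET_MARKERS:
        return None
    try:
        # ip_address() rejects anything that is not a well-formed address and
        # canonicalises the rest (e.g. "2001:DB8::1" -> "2001:db8::1").
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None


def to_ecs(row, geo_lookup=None):
    """Map one DeviceLogonEvents row to an ECS-style document. source.ip and
    m365_defender.event.remote.ip are set only when RemoteIP validates, and
    the geo step runs only when source.ip was set, so "-" never reaches an
    ip-typed field or the geo lookup. geo_lookup is a hypothetical callable
    standing in for the GeoIP processor; it returns a dict or None."""
    doc = {"@timestamp": row["Timestamp"], "event": {"action": row["ActionType"]}}
    ip = normalize_ip(row.get("RemoteIP"))
    if ip is None:
        return doc  # leave the ip fields absent instead of storing "-"
    doc["source"] = {"ip": ip}
    doc["m365_defender"] = {"event": {"remote": {"ip": ip}}}
    if geo_lookup is not None:
        geo = geo_lookup(ip)
        if geo:
            doc["source"]["geo"] = geo
    return doc


def process_rows(rows, geo_lookup=None):
    """Run every row through the mapping; returns one document per row."""
    return [to_ecs(row, geo_lookup) for row in rows]


def geoip_candidates(docs):
    """The source.ip values that would actually be handed to a GeoIP step."""
    return [doc["source"]["ip"] for doc in docs if "source" in doc]


# Constructed sample rows (not real tenant data) mirroring the two KQL outputs
# in the issue: "-" placeholders, an empty RemoteIP, and two real addresses.
SAMPLE_ROWS = [
    {"Timestamp": "2024-02-02T16:19:24.7480265Z", "ActionType": "LogonAttempted", "RemoteIP": "-"},
    {"Timestamp": "2024-02-02T16:15:52.8838833Z", "ActionType": "LogonAttempted", "RemoteIP": "-"},
    {"Timestamp": "2024-02-02T16:36:28.9574993Z", "ActionType": "LogonAttempted", "RemoteIP": ""},
    {"Timestamp": "2024-02-02T16:36:24.4051252Z", "ActionType": "LogonSuccess", "RemoteIP": "203.0.113.7"},
    {"Timestamp": "2024-02-02T16:36:22.2625214Z", "ActionType": "LogonSuccess", "RemoteIP": "2001:DB8::1"},
]

if __name__ == "__main__":
    for doc in process_rows(SAMPLE_ROWS):
        print(doc)
    print("geo candidates:", geoip_candidates(process_rows(SAMPLE_ROWS)))
```

In an ingest pipeline the same gate is a Painless `if` condition on the processor that copies RemoteIP (for example `ctx.m365_defender?.event?.remote?.ip != null && ctx.m365_defender.event.remote.ip != '-'`) and on the geoip processor (`ctx.source?.ip != null`); how the integration's pipeline is actually structured is not shown in this issue, so that wording is an assumption.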

jvalente-salemstate commented 5 months ago
Timestamp                      InitiatingProcessAccountName  RemoteIP
2024-02-02T16:36:28.9574993Z   system
2024-02-02T16:36:28.9574814Z   system
2024-02-02T16:36:24.4051252Z   system
2024-02-02T16:36:22.2625214Z   system
2024-02-02T16:36:19.6658261Z   system

Sample where RemoteIP isn't set, rather than set to "-".