[filebeat][threatintel] Ignore bad indicator IPs for MISP fileset

[brsolomon-deloitte]

Type of change:

• Bug

What does this PR do?

Sets ignore_failure when attempting to process the MISP threat.indicator.ip using grok.

Why is it important?

MISP may send an Event.Attribute.value IP as a CIDR such as 146.88.240.0/24, which is not a valid IP per the Elasticsearch IP data type.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Related issues

• Closes When using the threatintel module, and misp data the fields do not accept cidr notation #29949

[cla-checker-service]

💚 CLA has been signed

[mergify]

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @brsolomon-deloitte? 🙏.
For such, you'll need to label your PR with:

• The upcoming major version of the Elastic Stack
• The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-v8./d.0 is the label to automatically backport to the 8./d branch. /d is the digit

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2023-01-22T22:21:52.696+0000

• Duration: 76 min 6 sec

Test stats 🧪

Test	Results
Failed	0
Passed	2583
Skipped	168
Total	2751

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[brsolomon-deloitte]

@efd6

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[efd6]

Are you able to add a test case for this?

[brsolomon-deloitte]

Are you able to add a test case for this?

I am not, due to lack of experience developing against filebeat, but you can use this MISP record as a test input:

{
  "Event": {
    "Attribute": {
      "Galaxy": [],
      "ShadowAttribute": [],
      "category": "Network activity",
      "comment": "",
      "deleted": false,
      "disable_correlation": false,
      "distribution": "5",
      "event_id": "1528",
      "first_seen": null,
      "id": "4081012",
      "last_seen": null,
      "object_id": "0",
      "object_relation": null,
      "sharing_group_id": "0",
      "timestamp": "1670293864",
      "to_ids": true,
      "type": "ip-dst",
      "uuid": "4fa3610f-5412-41dd-9034-c8294fc3c7c2",
      "value": "146.88.240.0/24"
    },
    "CryptographicKey": [],
    "EventReport": [],
    "Galaxy": [],
    "Object": [],
    "Org": {
      "id": "1",
      "local": true,
      "name": "ORGNAME",
      "uuid": "121f5d02-2e2e-4180-9166-fcad7e01a20d"
    },
    "Orgc": {
      "id": "1",
      "local": true,
      "name": "ORGNAME",
      "uuid": "121f5d02-2e2e-4180-9166-fcad7e01a20d"
    },
    "RelatedEvent": [
      {
        "Event": {
          "Org": {
            "id": "1",
            "name": "ORGNAME",
            "uuid": "121f5d02-2e2e-4180-9166-fcad7e01a20d"
          },
          "Orgc": {
            "id": "3",
            "name": "CIRCL",
            "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
          },
          "analysis": "2",
          "date": "2018-03-26",
          "distribution": "3",
          "id": "896",
          "info": "OSINT - Forgot About Default Accounts? No Worries, GoScanSSH Didn’t",
          "org_id": "1",
          "orgc_id": "3",
          "published": true,
          "threat_level_id": "3",
          "timestamp": "1523865236",
          "uuid": "5acdb4d0-b534-4713-9612-4a1d950d210f"
        }
      }
    ],
    "ShadowAttribute": [],
    "Tag": [
      {
        "colour": "#004577",
        "exportable": true,
        "hide_tag": false,
        "id": "1",
        "is_custom_galaxy": false,
        "is_galaxy": false,
        "local": 0,
        "local_only": false,
        "name": "osint:source-type=\"block-or-filter-list\"",
        "numerical_value": null,
        "user_id": "0"
      }
    ],
    "analysis": "2",
    "attribute_count": "2053",
    "date": "2022-07-26",
    "disable_correlation": false,
    "distribution": "0",
    "event_creator_email": "admin@admin.test",
    "extends_uuid": "",
    "id": "1528",
    "info": "firehol_level1 feed",
    "locked": false,
    "org_id": "1",
    "orgc_id": "1",
    "proposal_email_lock": false,
    "protected": null,
    "publish_timestamp": "0",
    "published": false,
    "sharing_group_id": "0",
    "threat_level_id": "4",
    "timestamp": "1672885819",
    "uuid": "2ed041a1-33ea-4e54-bf26-bf1c7ce191b3"
  }
}

[efd6]

/test

[efd6]

Thanks