m365_defender,microsoft_defender_endpoint: gracefully handle empty nested IP values

It seems that the endpoint will send IP values that are an empty string.
To work around the absence of a condition on processors in a foreach
processors, just remove all empty strings under the affected fields.

Author: efd6

packages/m365_defender/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "3.14.2"
+  changes:
+    - description: Fix handling of empty string IP values.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/
 - version: "3.14.1"
   changes:
     - description: Fix agent handling of empty and error results in vulnerability data stream.

packages/m365_defender/data_stream/alert/_dev/test/pipeline/test-alert.log

@@ -63,6 +63,25 @@ processors:
       tag: fingerprint_processor
       target_field: _id
       ignore_missing: true
+  - script:
+      lang: painless
+      description: Drops empty string values recursively.
+      tag: painless_remove_empty_from_evidence
+      if: ctx.json?.evidence != null
+      source: |-
+        boolean drop(Object object) {
+          if (object == '') {
+            return true;
+          } else if (object instanceof Map) {
+            ((Map) object).values().removeIf(v -> drop(v));
+            return (((Map) object).size() == 0);
+          } else if (object instanceof List) {
+            ((List) object).removeIf(v -> drop(v));
+            return (((List) object).length == 0);
+          }
+          return false;
+        }
+        drop(ctx.json.evidence);
   - script:
       description: Dynamically map event.category and event.type field from evidence.
       tag: script_to_set_event_category_and_type

packages/m365_defender/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json

@@ -301,6 +301,25 @@ processors:
       field: json.alerts.determination
       target_field: m365_defender.incident.alert.determination
       ignore_missing: true
+  - script:
+      lang: painless
+      description: Drops empty string values recursively.
+      tag: painless_remove_empty_from_evidence
+      if: ctx.json?.alerts?.evidence != null
+      source: |-
+        boolean drop(Object object) {
+          if (object == '') {
+            return true;
+          } else if (object instanceof Map) {
+            ((Map) object).values().removeIf(v -> drop(v));
+            return (((Map) object).size() == 0);
+          } else if (object instanceof List) {
+            ((List) object).removeIf(v -> drop(v));
+            return (((List) object).length == 0);
+          }
+          return false;
+        }
+        drop(ctx.json.alerts.evidence);
   - foreach:
       field: json.alerts.evidence
       if: ctx.json?.alerts?.evidence instanceof List

packages/m365_defender/data_stream/alert/elasticsearch/ingest_pipeline/default.yml

@@ -2,3 +2,4 @@
 {"affectedMachine":{"aadDeviceId":"79dc383d-1ba1-4ac9-9dca-792e881a5034","agentVersion":"10.8760.19045.5011","computerDnsName":"c-lab-14","cveId":"CVE-2025-24062","deviceValue":"Normal","exclusionReason":null,"exposureLevel":"High","firstSeen":"2024-11-05T11:55:28.5899758Z","fixingKbId":"5055518","healthStatus":"Active","id":"fd43e5b3ba69b8ecffb165017d9c8687f24e246a-_-CVE-2025-24062-_-microsoft-_-windows_10-_-10.0.19045.5011-_-5055518","ipAddresses":[{"ipAddress":"1.128.0.0","macAddress":"00505683B889","operationalStatus":"Up","type":"Ethernet"},{"ipAddress":"2a02:cf40::","macAddress":"00505683B889","operationalStatus":"Up","type":"Ethernet"},{"ipAddress":"81.2.69.192","macAddress":null,"operationalStatus":"Up","type":"SoftwareLoopback"}],"isAadJoined":true,"isExcluded":false,"isPotentialDuplication":false,"lastExternalIpAddress":"89.160.20.112","lastIpAddress":"175.16.199.0","lastSeen":"2025-04-21T08:24:41.3833512Z","machineId":"fd43e5b3ba69b8ecffb165017d9c8687f24e246a","machineTags":[],"managedBy":"Intune","managedByStatus":"Unknown","mergedIntoMachineId":null,"onboardingStatus":"Onboarded","osArchitecture":"64-bit","osBuild":19045,"osPlatform":"Windows10","osProcessor":"x64","osVersion":null,"productName":"windows_10","productVendor":"microsoft","productVersion":"10.0.19045.5011","rbacGroupId":0,"rbacGroupName":null,"riskScore":"None","severity":"High","version":"22H2","vmMetadata":null},"cveSupportability":"Supported","cvssV3":7.8,"cvssVector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C","description":"Summary: An improper input validation vulnerability exists in the Windows DWM Core Library, which could allow an authorized attacker to locally elevate their privileges. Impact: Successful exploitation of this vulnerability could result in unauthorized privilege escalation, potentially compromising system integrity. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]","epss":0.00073,"exploitInKit":false,"exploitTypes":["PrivilegeEscalation"],"exploitUris":[],"exploitVerified":false,"exposedMachines":7,"firstDetected":"2025-04-08T18:00:48Z","id":"CVE-2025-24062","name":"CVE-2025-24062","patchFirstAvailable":null,"publicExploit":false,"publishedOn":"2025-04-08T07:00:00Z","severity":"High","tags":["test"],"updatedOn":"2025-04-09T20:03:01.577Z"}
 {"affectedMachine":null,"id":"CVE-2025-47828","name":"CVE-2025-47828","description":"Summary: The Lumi H5P-Nodejs-library versions prior to 2025-04-05 are vulnerable to cross-site scripting (XSS) due to the omission of a sanitizeHtml call for plain text strings. This flaw allows remote attackers to execute arbitrary scripts in a victims browser by leveraging specially crafted URLs. Impact: Exploitation of this vulnerability could lead to unauthorized access to sensitive information, such as cookie-based authentication credentials, and compromise the security context of the hosting website. AdditionalInformation: Ensure awareness of the affected versions and the nature of the vulnerability for proper risk assessment. Remediation: Upgrade to @Lumieducation/H5p-Server @Lumieducation/H5p-Server version later than 2024-04-05. [Generated by AI]","severity":"Medium","cvssV3":6.4,"cvssVector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C","exposedMachines":0,"publishedOn":"2025-05-11T00:00:00Z","updatedOn":"2025-05-12T20:50:07Z","firstDetected":null,"patchFirstAvailable":null,"publicExploit":false,"exploitVerified":false,"exploitInKit":false,"exploitTypes":[],"exploitUris":[],"cveSupportability":"NotSupported","tags":[],"epss":0.00029}
 {"affectedMachine":{"aadDeviceId":"d78dc223-8dc8-4210-9700-019b3b03505b","agentVersion":"10.8792.19045.5737","computerDnsName":"c-lab-08","cveId":"TVM-2020-0002","deviceValue":"Normal","exclusionReason":null,"exposureLevel":"Low","firstSeen":"2024-11-05T11:54:59.5717001Z","fixingKbId":null,"healthStatus":"Active","id":"0e23b8b23f6dc0e9d84846f877b45d19c04a522d-_-TVM-2020-0002-_-vmware-_-tools-_-12.0.6.0-_-","ipAddresses":[{"ipAddress":"216.160.83.56","macAddress":"00505683B880","operationalStatus":"Up","type":"Ethernet"}],"isAadJoined":true,"isExcluded":false,"isPotentialDuplication":false,"lastExternalIpAddress":"67.43.156.0","lastIpAddress":"89.160.20.128","lastSeen":"2025-04-22T05:48:04.7550736Z","machineId":"0e23b8b23f6dc0e9d84846f877b45d19c04a522d","machineTags":["test tag 1"],"managedBy":"Intune","managedByStatus":"Unknown","mergedIntoMachineId":null,"onboardingStatus":"Onboarded","osArchitecture":"64-bit","osBuild":19045,"osPlatform":"Windows10","osProcessor":"x64","osVersion":null,"productName":"tools","productVendor":"vmware","productVersion":"12.0.6.0","rbacGroupId":0,"rbacGroupName":null,"riskScore":"None","severity":"High","version":"22H2","vmMetadata":null},"cveSupportability":"Supported","cvssV3":7,"cvssVector":"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C","description":"Summary: VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]","epss":0.00053,"exploitInKit":false,"exploitTypes":["PrivilegeEscalation"],"exploitUris":[],"exploitVerified":false,"exposedMachines":12,"firstDetected":"2025-01-01T08:22:58Z","id":"TVM-2020-0002","name":"TVM-2020-0002","patchFirstAvailable":null,"publicExploit":false,"publishedOn":"2022-08-23T00:00:00Z","severity":"High","tags":[],"updatedOn":"2024-12-10T00:00:00Z"}
+{"affectedMachine":{"aadDeviceId":"d78dc223-8dc8-4210-9700-019b3b03505b","agentVersion":"10.8792.19045.5737","computerDnsName":"c-lab-08","cveId":"TVM-2020-0002","deviceValue":"Normal","exclusionReason":null,"exposureLevel":"Low","firstSeen":"2024-11-05T11:54:59.5717001Z","fixingKbId":null,"healthStatus":"Active","id":"0e23b8b23f6dc0e9d84846f877b45d19c04a522d-_-TVM-2020-0002-_-vmware-_-tools-_-12.0.6.0-_-","ipAddresses":[{"ipAddress":"","macAddress":"00505683B880","operationalStatus":"Up","type":"Ethernet"}],"isAadJoined":true,"isExcluded":false,"isPotentialDuplication":false,"lastExternalIpAddress":"67.43.156.0","lastIpAddress":"89.160.20.128","lastSeen":"2025-04-22T05:48:04.7550736Z","machineId":"0e23b8b23f6dc0e9d84846f877b45d19c04a522d","machineTags":["test tag 1"],"managedBy":"Intune","managedByStatus":"Unknown","mergedIntoMachineId":null,"onboardingStatus":"Onboarded","osArchitecture":"64-bit","osBuild":19045,"osPlatform":"Windows10","osProcessor":"x64","osVersion":null,"productName":"tools","productVendor":"vmware","productVersion":"12.0.6.0","rbacGroupId":0,"rbacGroupName":null,"riskScore":"None","severity":"High","version":"22H2","vmMetadata":null},"cveSupportability":"Supported","cvssV3":7,"cvssVector":"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C","description":"Summary: VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]","epss":0.00053,"exploitInKit":false,"exploitTypes":["PrivilegeEscalation"],"exploitUris":[],"exploitVerified":false,"exposedMachines":12,"firstDetected":"2025-01-01T08:22:58Z","id":"TVM-2020-0002","name":"TVM-2020-0002","patchFirstAvailable":null,"publicExploit":false,"publishedOn":"2022-08-23T00:00:00Z","severity":"High","tags":[],"updatedOn":"2024-12-10T00:00:00Z"}