Fix IPv6 cleanup (#10801)

* Fix IPv6 cleanup * Add tests examples * Improve regexp * Fix changelog quotes * Revert "Improve regexp" This reverts commit 9f3a015.
elastic · Sep 9, 2024 · 01b8c6d · 01b8c6d
1 parent 25d3188
commit 01b8c6d
Show file tree

Hide file tree

Showing 20 changed files with 108 additions and 19 deletions.
diff --git a/packages/sentinel_one_cloud_funnel/changelog.yml b/packages/sentinel_one_cloud_funnel/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.3.1"
+  changes:
+    - description: Fix IPv6 cleanup step.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/10801
 - version: "1.3.0"
   changes:
     - description: Allow users to split event categories into separate data streams.

diff --git a/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-dns.log b/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-dns.log
diff --git a/...sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-dns.log-expected.json b/...sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-dns.log-expected.json
@@ -693,7 +693,7 @@
                 ],
                 "id": "01GEF7MT4CB2DBKG1NGZ8XA7E0_105",
                 "kind": "event",
-                "original": "{\"timestamp\":\"18:32:29.495\",\"src.process.parent.isStorylineRoot\":true,\"event.category\":\"dns\",\"src.process.parent.image.sha1\":\"f9bc4c756eab5121ace7ec1cf6a394be0439dec0\",\"site.id\":\"123456789123456789\",\"osSrc.process.isRedirectCmdProcessor\":false,\"src.process.image.binaryIsExecutable\":true,\"src.process.parent.displayName\":\"VIERO-RMSLaunchBar\",\"osSrc.process.image.md5\":\"f905359ab27db1dda964d77442735cb8\",\"osSrc.process.crossProcessOpenProcessCount\":0,\"osSrc.process.publisher\":\"MICROSOFTWINDOWSPUBLISHER\",\"osSrc.process.crossProcessDupThreadHandleCount\":0,\"src.process.user\":\"asdf\\\\SYSTEM\",\"osSrc.process.indicatorPersistenceCount\":0,\"src.process.parent.subsystem\":\"SYS_WIN32\",\"src.process.indicatorRansomwareCount\":0,\"src.process.crossProcessDupRemoteProcessHandleCount\":0,\"osSrc.process.crossProcessOutOfStorylineCount\":0,\"osSrc.process.image.sha1\":\"bfacfa096a56e3d149634e15e1b6470ff5a03957\",\"src.process.tgtFileCreationCount\":6,\"osSrc.process.childProcCount\":0,\"src.process.indicatorInjectionCount\":0,\"osSrc.process.indicatorReconnaissanceCount\":0,\"src.process.moduleCount\":251,\"src.process.parent.name\":\"VIERO.exe\",\"i.version\":\"preprocess-lib-1.0\",\"osSrc.process.signedStatus\":\"signed\",\"sca:atlantisIngestTime\":1664811166298,\"src.process.image.md5\":\"421f6d5ec86f6b930646321fc6ed2c46\",\"src.process.indicatorReconnaissanceCount\":0,\"src.process.storyline.id\":\"8DD23004051AA366\",\"src.process.childProcCount\":1,\"mgmt.url\":\"asdf-123.sentinelone.org\",\"src.process.crossProcessOpenProcessCount\":0,\"osSrc.process.crossProcessThreadCreateCount\":0,\"osSrc.process.moduleCount\":472,\"osSrc.process.indicatorPostExploitationCount\":0,\"osSrc.process.indicatorInfostealerCount\":0,\"src.process.subsystem\":\"SYS_WIN32\",\"meta.event.name\":\"DNS\",\"src.process.parent.integrityLevel\":\"HIGH\",\"osSrc.process.user\":\"NTAUTHORITY\\\\NETWORKSERVICE\",\"osSrc.process.image.binaryIsExecutable\":true,\"osSrc.process.tgtFileModificationCount\":0,\"src.process.indicatorExploitationCount\":0,\"osSrc.process.registryChangeCount\":0,\"src.process.parent.storyline.id\":\"8DD23004051AA366\",\"osSrc.process.netConnInCount\":0,\"i.scheme\":\"edr\",\"src.process.integrityLevel\":\"HIGH\",\"osSrc.process.indicatorInjectionCount\":0,\"osSrc.process.pid\":1340,\"site.name\":\"ASDF\",\"src.process.netConnInCount\":0,\"event.time\":1664811149495,\"account.id\":\"123456789123456789\",\"dataSource.name\":\"SentinelOne\",\"osSrc.process.crossProcessCount\":0,\"endpoint.name\":\"asdf1\",\"src.process.image.sha1\":\"d8b12c9072fdcf68ec152befb004add14b5c25b8\",\"src.process.isStorylineRoot\":false,\"src.process.parent.image.path\":\"C:\\\\Users\\\\asdf\\\\AppData\\\\Local\\\\stuff\\\\stuff\\\\Application\\\\stuff\\\\stuff.exe\",\"osSrc.process.isNative64Bit\":false,\"src.process.pid\":3924,\"osSrc.process.uid\":\"73833004051AA366\",\"tgt.file.isSigned\":\"unsigned\",\"sca:ingestTime\":1664811166,\"dataSource.category\":\"security\",\"src.process.cmdline\":\"C:\\\\ProgramFiles(x86)\\\\Microsoft\\\\important_stuff\\\\stuff.EXE\\\\\",\"src.process.crossProcessThreadCreateCount\":0,\"src.process.parent.isNative64Bit\":true,\"osSrc.process.isStorylineRoot\":true,\"src.process.parent.isRedirectCmdProcessor\":false,\"osSrc.process.integrityLevel\":\"SYSTEM\",\"src.process.signedStatus\":\"unsigned\",\"src.process.crossProcessCount\":0,\"osSrc.process.subsystem\":\"SYS_WIN32\",\"event.id\":\"01GEF7MT4CB2DBKG1NGZ8XA7E0_105\",\"osSrc.process.crossProcessDupRemoteProcessHandleCount\":0,\"osSrc.process.tgtFileCreationCount\":0,\"src.process.parent.cmdline\":\"\\\"C:\\\\Users\\\\asdf\\\\AppData\\\\Local\\\\LANInternational\\\\VIERO\\\\Application\\\\7.22.1.105\\\\VIERO.exe\\\"\",\"src.process.image.path\":\"C:\\\\Users\\\\asdf\\\\AppData\\\\Local\\\\LANInternational\\\\VIERO\\\\Application\\\\7.22.1.105\\\\CC.Falcon.OrderModule.exe\",\"src.process.tgtFileModificationCount\":4,\"osSrc.process.name\":\"svchost.exe\",\"src.process.indicatorEvasionCount\":26,\"src.process.netConnOutCount\":26,\"osSrc.process.startTime\":1664800506863,\"src.process.crossProcessDupThreadHandleCount\":0,\"endpoint.os\":\"windows\",\"osSrc.process.netConnOutCount\":53,\"osSrc.process.image.sha256\":\"e3d84df77b279ea288cc726cbf68867dc6ae00d24e0e24985141a2ee4753682a\",\"src.process.tgtFileDeletionCount\":6,\"src.process.startTime\":1664803358244,\"mgmt.id\":\"1337\",\"osSrc.process.indicatorRansomwareCount\":0,\"osSrc.process.netConnCount\":53,\"os.name\":\"Windows8.1Pro\",\"osSrc.process.indicatorGeneral.count\":7,\"src.process.displayName\":\"OrderEntryApplication(Client)\",\"osSrc.process.dnsCount\":6126,\"event.dns.request\":\"blog.example.com\",\"event.dns.response\":\"infra-cdn.example.com;216.160.83.57\",\"src.process.isNative64Bit\":true,\"src.process.parent.sessionId\":1,\"osSrc.process.sessionId\":0,\"src.process.uid\":\"AFD43004051AA366\",\"src.process.parent.image.md5\":\"1f3d8a05852ee60fb475e86a0ae74e27\",\"osSrc.process.verifiedStatus\":\"verified\",\"osSrc.process.cmdline\":\"C:\\\\WINDOWS\\\\system32\\\\svchost.exe-kNetworkService\",\"src.process.indicatorInfostealerCount\":0,\"src.process.indicatorBootConfigurationUpdateCount\":0,\"process.unique.key\":\"AFD43004051AA366\",\"src.process.parent.uid\":\"8CD23004051AA366\",\"agent.version\":\"22.1.2.217\",\"src.process.parent.image.sha256\":\"d2213413a6a558981670676ff0575e31542067ef69ee7e061c0308c4f0c0888d\",\"src.process.sessionId\":1,\"src.process.netConnCount\":26,\"mgmt.osRevision\":\"9600\",\"osSrc.process.image.path\":\"C:\\\\WINDOWS\\\\System32\\\\svchost.exe\",\"group.id\":\"asdf\",\"osSrc.process.indicatorBootConfigurationUpdateCount\":0,\"src.process.isRedirectCmdProcessor\":false,\"src.process.parent.startTime\":1664802966680,\"osSrc.process.indicatorExploitationCount\":0,\"src.process.dnsCount\":26,\"osSrc.process.tgtFileDeletionCount\":0,\"endpoint.type\":\"laptop\",\"osSrc.process.indicatorEvasionCount\":6,\"trace.id\":\"01GEF7MT4CB2DBKG1NGZ8XA7E0\",\"src.process.name\":\"CC.Falcon.OrderModule.exe\",\"agent.uuid\":\"asdf356783457dfds4456d65\",\"osSrc.process.displayName\":\"HostProcessforWindowsServices\",\"src.process.image.sha256\":\"ca261f1061485488d08e4c4618b18b42d559f4288dbad3a5c758523347ab3e7c\",\"src.process.indicatorGeneralCount\":6,\"src.process.crossProcessOutOfStorylineCount\":0,\"src.process.registryChangeCount\":0,\"packet.id\":\"1A1DF4D521014F9C90F4CF31E5446B91\",\"src.process.indicatorPersistenceCount\":0,\"src.process.parent.signedStatus\":\"unsigned\",\"src.process.parent.user\":\"asdf\\\\SYSTEM\",\"osSrc.process.storyline.id\":\"74833004051AA366\",\"event.type\":\"DNS Resolved\",\"src.process.indicatorPostExploitationCount\":0,\"src.process.parent.pid\":2728}",
+                "original": "{\"timestamp\":\"18:32:29.495\",\"src.process.parent.isStorylineRoot\":true,\"event.category\":\"dns\",\"src.process.parent.image.sha1\":\"f9bc4c756eab5121ace7ec1cf6a394be0439dec0\",\"site.id\":\"123456789123456789\",\"osSrc.process.isRedirectCmdProcessor\":false,\"src.process.image.binaryIsExecutable\":true,\"src.process.parent.displayName\":\"VIERO-RMSLaunchBar\",\"osSrc.process.image.md5\":\"f905359ab27db1dda964d77442735cb8\",\"osSrc.process.crossProcessOpenProcessCount\":0,\"osSrc.process.publisher\":\"MICROSOFTWINDOWSPUBLISHER\",\"osSrc.process.crossProcessDupThreadHandleCount\":0,\"src.process.user\":\"asdf\\\\SYSTEM\",\"osSrc.process.indicatorPersistenceCount\":0,\"src.process.parent.subsystem\":\"SYS_WIN32\",\"src.process.indicatorRansomwareCount\":0,\"src.process.crossProcessDupRemoteProcessHandleCount\":0,\"osSrc.process.crossProcessOutOfStorylineCount\":0,\"osSrc.process.image.sha1\":\"bfacfa096a56e3d149634e15e1b6470ff5a03957\",\"src.process.tgtFileCreationCount\":6,\"osSrc.process.childProcCount\":0,\"src.process.indicatorInjectionCount\":0,\"osSrc.process.indicatorReconnaissanceCount\":0,\"src.process.moduleCount\":251,\"src.process.parent.name\":\"VIERO.exe\",\"i.version\":\"preprocess-lib-1.0\",\"osSrc.process.signedStatus\":\"signed\",\"sca:atlantisIngestTime\":1664811166298,\"src.process.image.md5\":\"421f6d5ec86f6b930646321fc6ed2c46\",\"src.process.indicatorReconnaissanceCount\":0,\"src.process.storyline.id\":\"8DD23004051AA366\",\"src.process.childProcCount\":1,\"mgmt.url\":\"asdf-123.sentinelone.org\",\"src.process.crossProcessOpenProcessCount\":0,\"osSrc.process.crossProcessThreadCreateCount\":0,\"osSrc.process.moduleCount\":472,\"osSrc.process.indicatorPostExploitationCount\":0,\"osSrc.process.indicatorInfostealerCount\":0,\"src.process.subsystem\":\"SYS_WIN32\",\"meta.event.name\":\"DNS\",\"src.process.parent.integrityLevel\":\"HIGH\",\"osSrc.process.user\":\"NTAUTHORITY\\\\NETWORKSERVICE\",\"osSrc.process.image.binaryIsExecutable\":true,\"osSrc.process.tgtFileModificationCount\":0,\"src.process.indicatorExploitationCount\":0,\"osSrc.process.registryChangeCount\":0,\"src.process.parent.storyline.id\":\"8DD23004051AA366\",\"osSrc.process.netConnInCount\":0,\"i.scheme\":\"edr\",\"src.process.integrityLevel\":\"HIGH\",\"osSrc.process.indicatorInjectionCount\":0,\"osSrc.process.pid\":1340,\"site.name\":\"ASDF\",\"src.process.netConnInCount\":0,\"event.time\":1664811149495,\"account.id\":\"123456789123456789\",\"dataSource.name\":\"SentinelOne\",\"osSrc.process.crossProcessCount\":0,\"endpoint.name\":\"asdf1\",\"src.process.image.sha1\":\"d8b12c9072fdcf68ec152befb004add14b5c25b8\",\"src.process.isStorylineRoot\":false,\"src.process.parent.image.path\":\"C:\\\\Users\\\\asdf\\\\AppData\\\\Local\\\\stuff\\\\stuff\\\\Application\\\\stuff\\\\stuff.exe\",\"osSrc.process.isNative64Bit\":false,\"src.process.pid\":3924,\"osSrc.process.uid\":\"73833004051AA366\",\"tgt.file.isSigned\":\"unsigned\",\"sca:ingestTime\":1664811166,\"dataSource.category\":\"security\",\"src.process.cmdline\":\"C:\\\\ProgramFiles(x86)\\\\Microsoft\\\\important_stuff\\\\stuff.EXE\\\\\",\"src.process.crossProcessThreadCreateCount\":0,\"src.process.parent.isNative64Bit\":true,\"osSrc.process.isStorylineRoot\":true,\"src.process.parent.isRedirectCmdProcessor\":false,\"osSrc.process.integrityLevel\":\"SYSTEM\",\"src.process.signedStatus\":\"unsigned\",\"src.process.crossProcessCount\":0,\"osSrc.process.subsystem\":\"SYS_WIN32\",\"event.id\":\"01GEF7MT4CB2DBKG1NGZ8XA7E0_105\",\"osSrc.process.crossProcessDupRemoteProcessHandleCount\":0,\"osSrc.process.tgtFileCreationCount\":0,\"src.process.parent.cmdline\":\"\\\"C:\\\\Users\\\\asdf\\\\AppData\\\\Local\\\\LANInternational\\\\VIERO\\\\Application\\\\7.22.1.105\\\\VIERO.exe\\\"\",\"src.process.image.path\":\"C:\\\\Users\\\\asdf\\\\AppData\\\\Local\\\\LANInternational\\\\VIERO\\\\Application\\\\7.22.1.105\\\\CC.Falcon.OrderModule.exe\",\"src.process.tgtFileModificationCount\":4,\"osSrc.process.name\":\"svchost.exe\",\"src.process.indicatorEvasionCount\":26,\"src.process.netConnOutCount\":26,\"osSrc.process.startTime\":1664800506863,\"src.process.crossProcessDupThreadHandleCount\":0,\"endpoint.os\":\"windows\",\"osSrc.process.netConnOutCount\":53,\"osSrc.process.image.sha256\":\"e3d84df77b279ea288cc726cbf68867dc6ae00d24e0e24985141a2ee4753682a\",\"src.process.tgtFileDeletionCount\":6,\"src.process.startTime\":1664803358244,\"mgmt.id\":\"1337\",\"osSrc.process.indicatorRansomwareCount\":0,\"osSrc.process.netConnCount\":53,\"os.name\":\"Windows8.1Pro\",\"osSrc.process.indicatorGeneral.count\":7,\"src.process.displayName\":\"OrderEntryApplication(Client)\",\"osSrc.process.dnsCount\":6126,\"event.dns.request\":\"blog.example.com\",\"event.dns.response\":\"infra-cdn.example.com;::ffff:216.160.83.57\",\"src.process.isNative64Bit\":true,\"src.process.parent.sessionId\":1,\"osSrc.process.sessionId\":0,\"src.process.uid\":\"AFD43004051AA366\",\"src.process.parent.image.md5\":\"1f3d8a05852ee60fb475e86a0ae74e27\",\"osSrc.process.verifiedStatus\":\"verified\",\"osSrc.process.cmdline\":\"C:\\\\WINDOWS\\\\system32\\\\svchost.exe-kNetworkService\",\"src.process.indicatorInfostealerCount\":0,\"src.process.indicatorBootConfigurationUpdateCount\":0,\"process.unique.key\":\"AFD43004051AA366\",\"src.process.parent.uid\":\"8CD23004051AA366\",\"agent.version\":\"22.1.2.217\",\"src.process.parent.image.sha256\":\"d2213413a6a558981670676ff0575e31542067ef69ee7e061c0308c4f0c0888d\",\"src.process.sessionId\":1,\"src.process.netConnCount\":26,\"mgmt.osRevision\":\"9600\",\"osSrc.process.image.path\":\"C:\\\\WINDOWS\\\\System32\\\\svchost.exe\",\"group.id\":\"asdf\",\"osSrc.process.indicatorBootConfigurationUpdateCount\":0,\"src.process.isRedirectCmdProcessor\":false,\"src.process.parent.startTime\":1664802966680,\"osSrc.process.indicatorExploitationCount\":0,\"src.process.dnsCount\":26,\"osSrc.process.tgtFileDeletionCount\":0,\"endpoint.type\":\"laptop\",\"osSrc.process.indicatorEvasionCount\":6,\"trace.id\":\"01GEF7MT4CB2DBKG1NGZ8XA7E0\",\"src.process.name\":\"CC.Falcon.OrderModule.exe\",\"agent.uuid\":\"asdf356783457dfds4456d65\",\"osSrc.process.displayName\":\"HostProcessforWindowsServices\",\"src.process.image.sha256\":\"ca261f1061485488d08e4c4618b18b42d559f4288dbad3a5c758523347ab3e7c\",\"src.process.indicatorGeneralCount\":6,\"src.process.crossProcessOutOfStorylineCount\":0,\"src.process.registryChangeCount\":0,\"packet.id\":\"1A1DF4D521014F9C90F4CF31E5446B91\",\"src.process.indicatorPersistenceCount\":0,\"src.process.parent.signedStatus\":\"unsigned\",\"src.process.parent.user\":\"asdf\\\\SYSTEM\",\"osSrc.process.storyline.id\":\"74833004051AA366\",\"event.type\":\"DNS Resolved\",\"src.process.indicatorPostExploitationCount\":0,\"src.process.parent.pid\":2728}",
                 "type": [
                     "info",
                     "protocol"
@@ -792,7 +792,7 @@
                     },
                     "dns": {
                         "request": "blog.example.com",
-                        "response": "infra-cdn.example.com;216.160.83.57"
+                        "response": "infra-cdn.example.com;::ffff:216.160.83.57"
                     },
                     "endpoint": {
                         "name": "asdf1",

diff --git a/...entinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/pipeline-dns.yml b/...entinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/pipeline-dns.yml
@@ -137,7 +137,6 @@ processors:
                 ]);
               }
             } else {
-              answer = answer.replace("::ffff:", "");
               ips.add(answer);
             }
           }
@@ -163,6 +162,24 @@ processors:
             field: error.message
             value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
             allow_duplicates: false
+  - foreach:
+      field: dns.answers
+      if: ctx.dns?.answers instanceof List
+      ignore_failure: true
+      processor:
+        gsub:
+          field: _ingest._value
+          pattern: '::ffff:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)' 
+          replacement: '$1'
+  - foreach:
+      field: dns.resolved_ip
+      if: ctx.dns?.resolved_ip instanceof List
+      ignore_failure: true
+      processor:
+        gsub:
+          field: _ingest._value
+          pattern: '::ffff:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)' 
+          replacement: '$1'
   - foreach:
       field: dns.resolved_ip
       if: ctx.dns?.resolved_ip instanceof List

diff --git a/packages/sentinel_one_cloud_funnel/manifest.yml b/packages/sentinel_one_cloud_funnel/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: sentinel_one_cloud_funnel
 title: SentinelOne Cloud Funnel
-version: "1.3.0"
+version: "1.3.1"
 description: Collect logs from SentinelOne Cloud Funnel with Elastic Agent.
 type: integration
 categories: ["security", "edr_xdr"]

diff --git a/packages/sysmon_linux/changelog.yml b/packages/sysmon_linux/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.6.3"
+  changes:
+    - description: Fix IPv6 cleanup step.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/10801
 - version: "1.6.2"
   changes:
     - description: Changed owners

diff --git a/packages/sysmon_linux/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/sysmon_linux/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -802,7 +802,6 @@ processors:
             ]);
             relatedHosts.add(parts[2]);
           } else {
-            answer = answer.replace("::ffff:", "");
             ips.add(answer);
           }
         }
@@ -819,6 +818,24 @@ processors:
           }
           ctx.related.hosts = relatedHosts;
         }
+  - foreach:
+      field: dns.answers
+      if: ctx.dns?.answers instanceof List
+      ignore_failure: true
+      processor:
+        gsub:
+          field: _ingest._value
+          pattern: '::ffff:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)' 
+          replacement: '$1'
+  - foreach:
+      field: dns.resolved_ip
+      if: ctx.dns?.resolved_ip instanceof List
+      ignore_failure: true
+      processor:
+        gsub:
+          field: _ingest._value
+          pattern: '::ffff:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)' 
+          replacement: '$1'
   - foreach:
       field: dns.resolved_ip
       ignore_missing: true

diff --git a/packages/sysmon_linux/manifest.yml b/packages/sysmon_linux/manifest.yml
@@ -1,6 +1,6 @@
 name: sysmon_linux
 title: Sysmon for Linux
-version: "1.6.2"
+version: "1.6.3"
 description: Collect Sysmon Linux logs with Elastic Agent.
 type: integration
 categories:

diff --git a/packages/system/changelog.yml b/packages/system/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.60.4"
+  changes:
+    - description: Fix IPv6 cleanup step.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/10801
 - version: "1.60.3"
   changes:
     - description: Fix broken query on Users Renamed

diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-5152.json b/packages/system/data_stream/security/_dev/test/pipeline/test-5152.json
@@ -18,7 +18,7 @@
                 "channel": "Security",
                 "computer_name": "COMPUTER1.contoso.com",
                 "event_data": {
-                    "SourceAddress": "10.47.0.122",
+                    "SourceAddress": "::ffff:10.47.0.122",
                     "LayerRTID": "13",
                     "LayerName": "%%14597",
                     "DestPort": "1947",

diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-5152.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-5152.json-expected.json
@@ -39,6 +39,7 @@
             "related": {
                 "ip": [
                     "255.255.255.255",
+                    "::ffff:10.47.0.122",
                     "10.47.0.122"
                 ]
             },

diff --git a/packages/system/data_stream/security/elasticsearch/ingest_pipeline/default.yml b/packages/system/data_stream/security/elasticsearch/ingest_pipeline/default.yml
@@ -10,8 +10,8 @@ processors:
       if: 'ctx?.winlog?.provider_name != null && ["Microsoft-Windows-Eventlog", "Microsoft-Windows-Security-Auditing"].contains(ctx.winlog.provider_name)'
   - gsub:
       field: source.ip
-      pattern: "::ffff:"
-      replacement: ""
+      pattern: '::ffff:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)' 
+      replacement: '$1'
       ignore_missing: true
   - geoip:
       field: source.ip

diff --git a/packages/system/manifest.yml b/packages/system/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.0.2
 name: system
 title: System
-version: "1.60.3"
+version: "1.60.4"
 description: Collect system logs and metrics from your servers with Elastic Agent.
 type: integration
 categories:

diff --git a/packages/windows/changelog.yml b/packages/windows/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.0.1"
+  changes:
+    - description: Fix IPv6 cleanup step.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/10801
 - version: "2.0.0"
   changes:
     - description: |

diff --git a/...ages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4768.json b/...ages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4768.json
@@ -27,7 +27,7 @@
                     "PreAuthType": "2",
                     "TargetUserName": "at_adm",
                     "Status": "0x0",
-                    "IpAddress": "::1",
+                    "IpAddress": "::ffff:10.47.0.122",
                     "TicketOptions": "0x40810010",
                     "TargetDomainName": "TEST.SAAS",
                     "IpPort": "0",

diff --git a/...ata_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json b/...ata_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json
@@ -40,7 +40,7 @@
             },
             "related": {
                 "ip": [
-                    "::1"
+                    "10.47.0.122"
                 ],
                 "user": [
                     "at_adm"
@@ -50,7 +50,7 @@
                 "name": "krbtgt"
             },
             "source": {
-                "ip": "::1",
+                "ip": "10.47.0.122",
                 "port": 0
             },
             "user": {

diff --git a/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security.yml b/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security.yml
@@ -2905,8 +2905,8 @@ processors:
 
   - gsub:
       field: source.ip
-      pattern: "::ffff:"
-      replacement: ""
+      pattern: '::ffff:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)' 
+      replacement: '$1'
       ignore_missing: true
 
   - append: