refactor: field IpAddress in ID 4624/4625 refactoring

rules-unsupported/win_dumping_ntdsdit_via_dcsync.yml

@@ -3,7 +3,7 @@ id: 51238c62-2b29-4539-ad75-e94575368a12
 description: ntds.dit retrieving using synchronisation with legitimate domain controller using Directory Replication Service Remote Protocol
 author: Teymur Kheirkhabarov, oscd.community
 date: 2019/10/24
-modified: 2019/11/13
+modified: 2022/04/27
 references:
     - https://twitter.com/gentilkiwi/status/1003236624925413376
     - https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
@@ -19,7 +19,7 @@ detection:
         EventID: 4624
         ComputerName: '%DomainControllersNamesList%'
     selection2:
-        IpAddress: '%DomainControllersIpsList%'
+        SourceNetworkAddress: '%DomainControllersIpsList%'
     selection3:
         EventID: 4662
         ComputerName: '%DomainControllersNamesList%'

rules-unsupported/win_dumping_ntdsdit_via_netsync.yml

@@ -3,6 +3,7 @@ id: 757b2a11-73e7-411a-bd46-141d906e0167
 description: ntds.dit retrieving (only computer accounts) using synchronisation with legit domain controller using Netlogon Remote Protocol
 author: Teymur Kheirkhabarov, oscd.community
 date: 2019/11/01
+modified: 2022/04/27
 references:
     - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 tags:
@@ -16,7 +17,7 @@ detection:
         EventID: 4624
         ComputerName: '%DomainControllersNamesList%'
     selection2:
-        IpAddress: '%DomainControllersIpsList%'
+        SourceNetworkAddress: '%DomainControllersIpsList%'
     selection3:
         EventID: 5145
         ComputerName: '%DomainControllersNamesList%'

rules/windows/builtin/security/win_petitpotam_susp_tgt_request.yml

@@ -10,7 +10,7 @@ description: Detect suspicious Kerberos TGT requests. Once an attacer obtains a
 status: experimental
 author: Mauricio Velazco, Michael Haag
 date: 2021/09/02
-modified: 2021/09/07
+modified: 2022/04/27
 references:
     - https://github.com/topotam/PetitPotam
     - https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/
@@ -28,7 +28,7 @@ detection:
         TargetUserName|endswith: '$'
         CertThumbprint: '*'
     filter_local:
-        IpAddress: '::1'
+        ClientAddress: '::1'
     filter_thumbprint:
         CertThumbprint: ''
     condition: selection and not 1 of filter_*

rules/windows/builtin/security/win_rdp_localhost_login.yml

@@ -4,7 +4,7 @@ description: RDP login with localhost source address may be a tunnelled login
 references:
     - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
 date: 2019/01/28
-modified: 2021/07/07
+modified: 2022/04/27
 tags:
     - attack.lateral_movement
     - car.2013-07-002
@@ -18,7 +18,7 @@ detection:
     selection:
         EventID: 4624
         LogonType: 10
-        IpAddress:
+        SourceNetworkAddress:
             - '::1'
             - '127.0.0.1'
     condition: selection

rules/windows/builtin/security/win_remote_registry_management_using_reg_utility.yml

@@ -6,7 +6,7 @@ author: Teymur Kheirkhabarov, oscd.community
 references:
   - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 date: 2019/10/22
-modified: 2021/11/27
+modified: 2022/04/27
 logsource:
   product: windows
   service: security
@@ -15,7 +15,7 @@ detection:
     EventID: 5145
     RelativeTargetName|contains: '\winreg'
   filter:
-    IpAddress: '%Admins_Workstations%'
+    SourceAddress: '%Admins_Workstations%'
   condition: selection_1 and not filter
 falsepositives:
   - Legitimate usage of remote registry management by administrator

rules/windows/builtin/security/win_susp_failed_logon_source.yml

@@ -4,7 +4,7 @@ status: test
 description: A login from a public IP can indicate a misconfigured firewall or network boundary.
 author: NVISO
 date: 2020/05/06
-modified: 2021/11/27
+modified: 2022/04/27
 logsource:
   product: windows
   service: security
@@ -12,9 +12,9 @@ detection:
   selection:
     EventID: 4625
   ip_unknown:
-    IpAddress|contains: '-'
+    SourceNetworkAddress|contains: '-'
   ip_privatev4:
-    IpAddress|startswith:
+    SourceNetworkAddress|startswith:
       - '10.'       #10.0.0.0/8
       - '192.168.'       #192.168.0.0/16
       - '172.16.'       #172.16.0.0/12
@@ -36,8 +36,8 @@ detection:
       - '127.'       #127.0.0.0/8
       - '169.254.'       #169.254.0.0/16
   ip_privatev6:
-    - IpAddress: '::1'     #loopback 
-    - IpAddress|startswith:
+    - SourceNetworkAddress: '::1'     #loopback 
+    - SourceNetworkAddress|startswith:
       - 'fe80::'       #link-local
       - 'fc00::'       #unique local
   condition: selection and not 1 of ip_*

rules/windows/builtin/security/win_susp_failed_remote_logons_single_source.yml

@@ -6,7 +6,7 @@ author: Mauricio Velazco
 references:
     - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
 date: 2021/06/01
-modified: 2021/07/09
+modified: 2022/04/27
 tags:
     - attack.t1110.003
     - attack.initial_access
@@ -19,7 +19,7 @@ detection:
         EventID: 4625
         LogonType: 3
     filter:
-        IpAddress: '-'
+        SourceNetworkAddress: '-'
     timeframe: 24h
     condition:
         - selection1 and not filter | count(TargetUserName) by IpAddress > 10

rules/windows/builtin/security/win_susp_rottenpotato.yml

@@ -6,7 +6,7 @@ references:
     - https://twitter.com/SBousseaden/status/1195284233729777665
 author: '@SBousseaden, Florian Roth'
 date: 2019/11/15
-modified: 2021/07/07
+modified: 2022/04/27
 tags:
     - attack.privilege_escalation
     - attack.credential_access
@@ -20,7 +20,7 @@ detection:
         LogonType: 3
         TargetUserName: 'ANONYMOUS_LOGON'
         WorkstationName: '-'
-        IpAddress: '127.0.0.1'
+        SourceNetworkAddress: '127.0.0.1'
     condition: selection
 falsepositives:
     - Unknown

tools/config/ala.yml

@@ -88,6 +88,7 @@ fieldmappings:
   event_data.Signature: Signature
   event_data.Source: Source
   event_data.SourceImage: SourceImage
+  event_data.SourceNetworkAddress: IpAddress
   event_data.StartModule: StartModule
   event_data.Status: Status
   event_data.SubjectUserName: SubjectUserName

tools/config/ecs-ms365_defender.yml

@@ -15,4 +15,5 @@ fieldmappings:
   registryKey: microsoft.m365_defender.alerts.entities.registryKey
   registryValueType: microsoft.m365_defender.alerts.entities.registryValueType
   ipAddress: microsoft.m365_defender.alerts.entities.ipAddress
+  SourceNetworkAddress: microsoft.m365_defender.alerts.entities.ipAddress
   

tools/config/fireeye-helix.yml

@@ -182,6 +182,7 @@ fieldmappings:
     SourceImage: process
     SourceIp: ~srcipv4
     SourcePort: srcport
+    SourceNetworkAddress: ~srcipv4
     src: ~srcipv4
     src_ip: ~srcipv4
     src_port: srcport

tools/config/hawk.yml

@@ -519,6 +519,7 @@ fieldmappings:
   DeviceClassName: object_name
   CallTrace: calltrace
   IpAddress: ip_src
+  SourceNetworkAddress: ip_src
   WorkstationName: hostname_src
   Workstation: hostname_src
   DestinationIp: ip_dst

tools/config/helk.yml

@@ -145,6 +145,7 @@ fieldmappings:
     SourceHostname: src_host_name
     SourceImage: process_path
     SourceIp: src_ip_addr
+    SourceNetworkAddress: src_ip_addr
     SourcePort: src_port
     SourcePortName: src_port_name
     StartAddress: thread_start_address

tools/config/humio.yml

@@ -427,6 +427,7 @@ fieldmappings:
   Source: winlog.event_data.Source
   SourceImage: winlog.event_data.SourceImage
   SourceIp: winlog.event_data.SourceIp
+  SourceNetworkAddress: winlog.event_data.IpAddress
   StartModule: winlog.event_data.StartModule
   Status: winlog.event_data.Status
   SubjectUserName: winlog.event_data.SubjectUserName

tools/config/logrhythm_winevent.yml

@@ -32,6 +32,9 @@ fieldmappings:
   IpAddress:
     - originIp
     - impactedIp
+  SourceNetworkAddress:
+    - originIp
+    - impactedIp
   ErrorCode: responseCode
   Task: vendorInfo
   PrivilegeList: subject

tools/config/winlogbeat-modules-enabled.yml

@@ -471,6 +471,7 @@ fieldmappings:
     SidHistory: winlog.event_data.SidHistory
     SidList: winlog.event_data.SidList
     SourceAddress: source.ip
+    SourceNetworkAddress: source.ip
     Status: winlog.event_data.Status
     StartType: winlog.event_data.StartType
     SubcategoryGuid: winlog.event_data.SubcategoryGuid

tools/config/winlogbeat-old.yml

@@ -152,6 +152,7 @@ fieldmappings:
   Signature: event_data.Signature
   Source: event_data.Source
   SourceImage: event_data.SourceImage
+  SourceNetworkAddress: event_data.IpAddress
   StartModule: event_data.StartModule
   Status: event_data.Status
   SubjectUserName: event_data.SubjectUserName

tools/config/winlogbeat.yml

@@ -179,6 +179,7 @@ fieldmappings:
     Source: winlog.event_data.Source
     SourceImage: winlog.event_data.SourceImage
     SourceIp: winlog.event_data.SourceIp
+    SourceNetworkAddress: winlog.event_data.SourceIp
     src_ip: winlog.event_data.SourceIp
     SourcePort: winlog.event_data.SourcePort
     src_port: winlog.event_data.SourcePort