From 122ef41e1afa4802884fc9fd040ad139181c5d4e Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 27 Jan 2022 09:24:55 -0300
Subject: [PATCH] Update source.ip condition (#1712)

(cherry picked from commit 4ac824192fea65c1d20f70919c704e3fc00eb711)
---
 rules/windows/persistence_remote_password_reset.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/persistence_remote_password_reset.toml b/rules/windows/persistence_remote_password_reset.toml
index 4fde46837..10da4f41e 100644
--- a/rules/windows/persistence_remote_password_reset.toml
+++ b/rules/windows/persistence_remote_password_reset.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/10/18"
 maturity = "production"
-updated_date = "2021/10/18"
+updated_date = "2022/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ sequence by host.id with maxspan=5m
 [authentication where event.action == "logged-in" and
 /* event 4624 need to be logged */
 winlog.logon.type : "Network" and event.outcome == "success" and source.ip != null and
- not source.ip in ("127.0.0.1", "::1")] by winlog.event_data.TargetLogonId
+ source.ip != "127.0.0.1" and source.ip != "::1"] by winlog.event_data.TargetLogonId
 /* event 4724 need to be logged */
 [iam where event.action == "reset-password"] by winlog.event_data.SubjectLogonId
 '''
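Review bot: The rewritten exclusion on the `+` line of the second hunk still matches only the two exact literals `127.0.0.1` and `::1`, so a 4624 whose reported address is another loopback form (anything else in 127.0.0.0/8, or an IPv4-mapped `::ffff:127.0.0.1`) would still satisfy the first sequence step and could produce a false positive for a purely local logon; whether agents ever emit such values is not something the hunk shows. If the deployed stack supports it, a range-based exclusion such as `not cidrMatch(source.ip, "127.0.0.0/8", "::1/128")` covers the whole loopback space in one clause. The commit message gives no reason for abandoning the `in (...)` form, so a short comment on that line, e.g. `/* explicit != comparisons rather than in(): see #1712 */`, would stop a later cleanup from reverting it. The `query = '''` block this hunk edits opens before the hunk; only its closing `'''` is visible here.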