IP Address (Origin)
The IP address of the origin system. Often referred to as Source IP (in NetMon, Rule Builder and other parts of the system).
Data Type
- IP
  - IPv4 in octets
  - IPv6 (no support for CIDR or IPv6e)
 
Aliases
| Use | Alias |
|---|---|
| Client Console Full Name | Host (Origin) |
| Client Console Short Name | Not applicable |
| Web Console Tab/Name | IP Address (Origin) |
| Elasticsearch Field Name | originIp |
| Rule Builder Column Name | SIP |
| Regex Pattern | <sip> |
| NetMon Name | SrcIP |
Field Relationships
- SIPv4
- SIPv6
- SIPv6E
- Origin Hostname
- Origin Hostname or IP
- Origin NAT IP
- DIP
- DIPv4
- DIPv6
- DIPv6E
- Impacted Hostname
- Impacted Hostname or IP
- Impacted NAT IP
- Origin Port
- Origin NAT Port
- Impacted Port
- Impacted NAT Port
- Origin MAC Address
- Impacted MAC Address
- Origin Interface
- Impacted Interface
- Origin Domain
- Impacted Domain
- Origin Login
- Impacted Account
- IANA Protocol Number
- IANA Protocol Name
 
Common Applications
Everything that communicates through a network.
Use Case
Indicates the host's relationship to the log message: for example, whether it is the origin of a threat, the host impacted by a threat, the client, or the server.
MPE/Data Masking Manipulations
Polyfield – Origin Host
Usage Standards
- Do not override or overload the tag: use <sip>, not (?<sip>.*?).
- Origin is the Client (in the Client-Server model).
- Origin is the Attacker (in the Attacker-Target model).
- Use when you see an Origin IP address, IPv4 or IPv6, unless it is an IPv4 address mapped to IPv6, in which case use <sipv6e>.
 
Examples
- Office 365
 
TS=2016-10-20T20:22:23 SESSID=8b157afd-eb80-45e4-926f-222222222 COMMAND=AnonymousLinkUsed USERTYPE=Regular USERKEY=anonymous WORKLOAD=SharePoint RESULTCODE= OBJECT= https://www.recordflow.biz /Shared Documents/abuse_ch_copy.txt USER=anonymous SIP=1.1.1.1 ITEMTYPE=File EVENTSOURCE=SharePoint USERAGENT=Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36 DOMAIN= FILENAME= DESTINATION= DESTINATIONFILENAME= USERSHAREDWITH= SHARINGTYPE= MODIFIEDPROPERTIES=
SIP (IPv4) in this case is the Origin (source) connecting to the O365 cloud service. Client and Server map to Origin and Impacted in this context.
- LOGbinder
 
Jun 11 14:53:48 1.1.1.1 25000 LOGbinder EX|2.0|success|2014-06-11T14:53:48.0000000-05:00|Undocumented Exchange mailbox operation|name="occurred" label="Occurred" value="6/11/2014 2:53:48 PM"|name="operation" label="Operation" value=""|name="result" label="Result" value="Succeeded"|name="originatingserver" label="Originating Server" value=" USABLDRRECFLOW01 (14.02.0341.000)"|name="mailboxguid" label="Mailbox GUID" value="9db94f90-2222-2222-b6c8-48200020026f"|name="mailboxowner" label="Mailbox Owner" value="n/a"|name="mailboxownerupn" label="Mailbox Owner UPN" value="pete.store@recordflow.biz"|name="mailboxownersid" label="Mailbox Owner SID" value="S-1-5-21-2141518605-3280587107-2299868870-500"|name="folderid" label="Folder ID" value="n/a"|name="foldername" label="Folder Name" value="\\Inbox"|name="performedusername" label="Performed User Name" value="Administrator"|name="performedusersid" label="Performed User SID" value="S-1-5-21-222222222222-3280587107-2299868870-500"|name="performedlogontype" label="Performed Logon Type" value="Owner"|name="clientinfo" label="Client Info" value="Client\=OWA"|name="clientipaddress" label="Client IP Address" value="fe80::b000:00c0:e000:f00e%00"|name="clientprocessname" label="Client Process Name" value="n/a"|name="clientversion" label="Client Version" value="n/a"|name="additionalinfo" label="Additional Information" value="Owner\= [Administrator]; LastAccessed\= [2013-03-06T04:41:48.0670508-05:00];"
The Client IP Address value is the IPv6 address of the client. Client and Server map to Origin and Impacted in this context.
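The usage standards and the two sample records above, worked through as an added Python example that is not LogRhythm's own code. The two regexes are stand-ins for the spots where the <sip> tag would sit in a rule (the page does not show what <sip> expands to), the sample lines are abbreviated copies of the page's Office 365 and LOGbinder records, and the names extract_origin_ip, classify_origin_ip and parse_line are chosen here. The classifier applies the Data Type and Usage Standards rules: plain IPv4 or IPv6 goes to sip, an IPv4 address mapped into IPv6 is routed to sipv6e, and CIDR notation is rejected. It also strips an IPv6 zone index such as the %00 in the LOGbinder record before parsing, a detail the page does not discuss but which the sample needs.

```python
"""Extract the origin IP from a log line and decide which field it belongs in.

Added example, not LogRhythm code. The patterns below are assumed stand-ins for
the places a rule would use the <sip> tag; the real tag expansion is not shown.
"""
import ipaddress
import re
from typing import Optional

# Constructed sample records, abbreviated from the two examples on the page.
O365_LINE = (
    "TS=2016-10-20T20:22:23 COMMAND=AnonymousLinkUsed WORKLOAD=SharePoint "
    "USER=anonymous SIP=1.1.1.1 ITEMTYPE=File EVENTSOURCE=SharePoint"
)
LOGBINDER_LINE = (
    'Jun 11 14:53:48 1.1.1.1 25000 LOGbinder EX|2.0|success|'
    'name="clientinfo" label="Client Info" value="Client\\=OWA"|'
    'name="clientipaddress" label="Client IP Address" value="fe80::b000:00c0:e000:f00e%00"|'
    'name="clientprocessname" label="Client Process Name" value="n/a"'
)

# Per-source patterns that locate the origin address token. In a real rule these
# are where <sip> would be placed; the tag is not overloaded with a custom group.
ORIGIN_IP_PATTERNS = [
    re.compile(r"\bSIP=(?P<sip>\S+)"),                                  # key=value layout (O365)
    re.compile(r'name="clientipaddress"[^|]*?value="(?P<sip>[^"]*)"'),  # LOGbinder name/label/value triplet
]


def extract_origin_ip(line: str) -> Optional[str]:
    """Return the raw origin-IP token from a log line, or None if no pattern matches."""
    for pattern in ORIGIN_IP_PATTERNS:
        match = pattern.search(line)
        if match:
            return match.group("sip")
    return None


def classify_origin_ip(raw: str) -> dict:
    """Apply the page's data-type and usage rules to a raw address token.

    field -> "sip" for plain IPv4 or IPv6, "sipv6e" for an IPv4 address mapped
             into IPv6 (::ffff:a.b.c.d), None when the token must not be stored as <sip>.
    """
    token = raw.strip()
    # A zone index (fe80::1%eth0, or %00 as in the sample) is not part of the address.
    address_part, _, zone = token.partition("%")
    if "/" in address_part:
        return {"field": None, "version": None, "normalized": None, "reason": "CIDR not supported"}
    try:
        addr = ipaddress.ip_address(address_part)
    except ValueError:
        return {"field": None, "version": None, "normalized": None, "reason": "not a valid IP address"}
    if addr.version == 6 and addr.ipv4_mapped is not None:
        # IPv4 mapped to IPv6 belongs in the sipv6e field, not sip.
        return {"field": "sipv6e", "version": 6, "normalized": str(addr),
                "reason": f"IPv4-mapped IPv6 ({addr.ipv4_mapped})"}
    return {"field": "sip", "version": addr.version, "normalized": str(addr),
            "reason": "zone index dropped" if zone else "ok"}


def parse_line(line: str) -> dict:
    """Extract then classify; field is None when no origin IP was found."""
    raw = extract_origin_ip(line)
    if raw is None:
        return {"field": None, "version": None, "normalized": None, "reason": "no origin IP found"}
    result = classify_origin_ip(raw)
    result["raw"] = raw
    return result


if __name__ == "__main__":
    for sample in (O365_LINE, LOGBINDER_LINE, "SIP=::ffff:192.0.2.1", "SIP=10.0.0.0/8"):
        print(parse_line(sample))
```

Running the module prints one classification per sample: the O365 record yields an IPv4 sip, the LOGbinder record an IPv6 sip with its zone index removed, the mapped address is diverted to sipv6e, and the CIDR token is refused rather than stored in an IP field.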