Origin NAT IP

The Network Address Translated IP from which activity originated (for example, attacker or client).

Data Type

IP

Aliases

Use	Alias
Client Console Full Name	NAT IP Address (Origin)
Client Console Short Name	Not applicable
Web Console Tab/Name	NAT IP Address (Origin)
Elasticsearch Field Name	originNatIp
Rule Builder Column Name	SNATIP
Regex Pattern	<snatip>
NetMon Name	Not applicable

Field Relationships

SIP
SIPv4
SIPv6
SIPv6E
Origin Hostname
Origin Hostname or IP
DIP
DIPv4
DIPv6
DIPv6E
Impacted Hostname
Impacted Hostname or IP
Impacted NAT IP
Origin Port

Origin NAT Port
Impacted Port
Impacted NAT Port
Origin MAC Address
Impacted MAC Address
Origin Interface
Impacted Interface
Origin Domain
Impacted Domain
Origin Login
Impacted Account
IANA Protocol Number
IANA Protocol Name

Common Applications

Network equipment

Use Case

Internal host context

MPE/Data Masking Manipulations

Polyfield – Origin Host

Usage Standards

Do not override/overload, use <snatip> not (?<snatip>.*?).
NAT Origin is Client (In Client-Server Model).
NAT Origin is Attacker (In Attacker-Target Model).
Use when you see an Origin IP address IPv4 or IPv6.

Examples

Cisco Netflow

02 19 2014 06:40:29 NetFlow V9 CONN_ID=- Src=1.1.1.1 SPort=62173 InIfc=4 Dst=1.1.1.1 DPort=8080 OutIfc=3 Prot=6 ICMP_IPV4_TYPE=- ICMP_IPV4_CODE=- XLATE_SRC_ADDR_IPV4=- XLATE_DST_ADDR_IPV4=- XLATE_SRC_PORT=- XLATE_DST_PORT=- FW_EVENT=- FW_EXT_EVENT=- EVENT_TIME_MSEC=- IN_PERMANENT_BYTES=- DETAILS=CONN_ID=1632431052 ICMP_IPV4_TYPE=0 ICMP_IPV4_CODE=0 XLATE_SRC_ADDR_IPV4=1.1.1.1 XLATE_DST_ADDR_IPV4=1.1.1.1 XLATE_SRC_PORT=61695 XLATE_DST_PORT=8080 FW_EVENT=2 FW_EXT_EVENT=2015 EVENT_TIME_MSEC=1392835229440 IN_PERMANENT_BYTES=8807 DefaultDevice TemplateID=263

XLATE-SRC-ADDR indicates an origin IP (source in a network context) utilizing Network Address Translation (NAT). SIP and DIP (Origin and Impacted) are indicated here with src= and dst=.