IP Address (Origin)

The IP address of the origin system. Often referred to as Source IP (in NetMon, Rule Builder and other parts of the system). 

Data Type

  • IP

  • IPv4 in octets

  • IPv6 (no support for CIDR or IPv6e)

Aliases

  Use                        Alias
  Client Console Full Name   Host (Origin)
  Client Console Short Name  Not applicable
  Web Console Tab/Name       IP Address (Origin)
  Elasticsearch Field Name   originIp
  Rule Builder Column Name   SIP
  Regex Pattern              <sip>
  NetMon Name                SrcIP

Field Relationships

  • SIPv4
  • SIPv6
  • SIPv6E
  • Origin Hostname
  • Origin Hostname or IP
  • Origin NAT IP
  • DIP
  • DIPv4
  • DIPv6
  • DIPv6E
  • Impacted Hostname
  • Impacted Hostname or IP
  • Impacted NAT IP
  • Origin Port
  • Origin NAT Port
  • Impacted Port
  • Impacted NAT Port
  • Origin MAC Address
  • Impacted MAC Address
  • Origin Interface
  • Impacted Interface
  • Origin Domain
  • Impacted Domain
  • Origin Login
  • Impacted Account
  • IANA Protocol Number
  • IANA Protocol Name

Common Applications

Everything that communicates through a network.

Use Case

Indicates the host's relationship to the log message: for example, whether it is the origin of a threat, the host impacted by a threat, the client, or the server.

MPE/Data Masking Manipulations

Polyfield – Origin Host

Usage Standards

  • Do not override or overload the tag: use <sip>, not (?<sip>.*?).

  • Origin is Client (In Client-Server Model).

  • Origin is Attacker (In Attacker-Target Model).

  • Use for an origin IPv4 or IPv6 address, unless it is an IPv4 address mapped into IPv6, in which case use <sipv6e>.

Examples

  • Office 365

TS=2016-10-20T20:22:23 SESSID=8b157afd-eb80-45e4-926f-222222222 COMMAND=AnonymousLinkUsed USERTYPE=Regular USERKEY=anonymous WORKLOAD=SharePoint RESULTCODE= OBJECT= https://www.recordflow.biz /Shared Documents/abuse_ch_copy.txt USER=anonymous SIP=1.1.1.1 ITEMTYPE=File EVENTSOURCE=SharePoint USERAGENT=Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36 DOMAIN= FILENAME= DESTINATION= DESTINATIONFILENAME= USERSHAREDWITH= SHARINGTYPE= MODIFIEDPROPERTIES=

Here SIP (an IPv4 address) is the Origin (source) connecting to the O365 cloud service; in this context the client and server map to Origin and Impacted respectively.

  • LogBinder

Jun 11 14:53:48 1.1.1.1 25000 LOGbinder EX|2.0|success|2014-06-11T14:53:48.0000000-05:00|Undocumented Exchange mailbox operation|name="occurred" label="Occurred" value="6/11/2014 2:53:48 PM"|name="operation" label="Operation" value=""|name="result" label="Result" value="Succeeded"|name="originatingserver" label="Originating Server" value=" USABLDRRECFLOW01 (14.02.0341.000)"|name="mailboxguid" label="Mailbox GUID" value="9db94f90-2222-2222-b6c8-48200020026f"|name="mailboxowner" label="Mailbox Owner" value="n/a"|name="mailboxownerupn" label="Mailbox Owner UPN" value="pete.store@recordflow.biz"|name="mailboxownersid" label="Mailbox Owner SID" value="S-1-5-21-2141518605-3280587107-2299868870-500"|name="folderid" label="Folder ID" value="n/a"|name="foldername" label="Folder Name" value="\\Inbox"|name="performedusername" label="Performed User Name" value="Administrator"|name="performedusersid" label="Performed User SID" value="S-1-5-21-222222222222-3280587107-2299868870-500"|name="performedlogontype" label="Performed Logon Type" value="Owner"|name="clientinfo" label="Client Info" value="Client\=OWA"|name="clientipaddress" label="Client IP Address" value="fe80::b000:00c0:e000:f00e%00"|name="clientprocessname" label="Client Process Name" value="n/a"|name="clientversion" label="Client Version" value="n/a"|name="additionalinfo" label="Additional Information" value="Owner\= [Administrator]; LastAccessed\= [2013-03-06T04:41:48.0670508-05:00];"

Here the client address (clientipaddress) is IPv6; in this context the client and server map to Origin and Impacted respectively.
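As an added example (not part of this page and not LogRhythm's own code), the following Python script applies the Usage Standards above to shortened copies of the two sample log lines. The IPV4/IPV6 patterns standing in for the expansion of the <sip> tag are hypothetical constructions, since the vendor's real tag patterns are not shown on the page; the script extracts the origin address from each source, routes an IPv4 address mapped into IPv6 to sipv6e as the standard requires, and shows what the discouraged (?<sip>.*?) capture yields on a malformed line instead.

```python
import ipaddress
import re

# Constructed, shortened copies of the two sample log lines shown on the page
# (the addresses are the page's own placeholder values, not real hosts).
O365_LINE = (
    "TS=2016-10-20T20:22:23 SESSID=8b157afd-eb80-45e4-926f-222222222 "
    "COMMAND=AnonymousLinkUsed USER=anonymous SIP=1.1.1.1 ITEMTYPE=File "
    "EVENTSOURCE=SharePoint"
)
LOGBINDER_LINE = (
    "Jun 11 14:53:48 1.1.1.1 25000 LOGbinder EX|2.0|success|"
    'name="clientinfo" label="Client Info" value="Client\\=OWA"|'
    'name="clientipaddress" label="Client IP Address" '
    'value="fe80::b000:00c0:e000:f00e%00"|'
    'name="clientprocessname" label="Client Process Name" value="n/a"'
)

# Hypothetical stand-ins for what the <sip> tag expands to. The vendor's real
# tag patterns are not on the page; these only need to be strict enough that
# the captured value must at least look like an IP address.
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
IPV6 = r"[0-9A-Fa-f:]*:[0-9A-Fa-f:.]+(?:%\w+)?"  # loose; ipaddress validates
IP_ANY = rf"(?:{IPV4}|{IPV6})"

# Per-source patterns that point the sip capture at the origin address field.
PATTERNS = {
    "o365": re.compile(rf"\bSIP=(?P<sip>{IP_ANY})(?=\s|$)"),
    "logbinder": re.compile(
        rf'name="clientipaddress"[^|]*value="(?P<sip>{IP_ANY})"'
    ),
}

# The overloaded form the usage standard warns against: the capture is named
# sip but accepts anything, so the field no longer carries a validated IP.
OVERLOADED = re.compile(r"\bSIP=(?P<sip>.*?)(?=\s|$)")


def classify_origin_ip(raw):
    """Apply the page's tagging rule to one address string.

    Returns (tag, canonical, zone): tag is 'sip' for a plain IPv4 or IPv6
    address and 'sipv6e' for an IPv4 address embedded in IPv6; zone is the
    IPv6 zone index ('00' from '...%00') or None.
    """
    addr_text, _, zone = raw.partition("%")
    addr = ipaddress.ip_address(addr_text)  # ValueError if not an IP at all
    if addr.version == 6 and addr.ipv4_mapped is not None:
        # ::ffff:a.b.c.d -> record the embedded IPv4 under the sipv6e tag
        return "sipv6e", str(addr.ipv4_mapped), zone or None
    return "sip", str(addr), zone or None


def extract_origin_ip(source, line):
    """Parse one log line for the given source.

    Returns None when nothing IP-shaped sits at the origin-address position:
    the strict pattern fails to match rather than capturing garbage.
    """
    m = PATTERNS[source].search(line)
    if not m:
        return None
    tag, canonical, zone = classify_origin_ip(m.group("sip"))
    return {"raw": m.group("sip"), "tag": tag, "ip": canonical,
            "version": ipaddress.ip_address(canonical).version, "zone": zone}


def overloaded_capture(line):
    """What the discouraged (?<sip>.*?) form yields for the same line."""
    m = OVERLOADED.search(line)
    return m.group("sip") if m else None


if __name__ == "__main__":
    for src, line in (("o365", O365_LINE), ("logbinder", LOGBINDER_LINE)):
        print(src, extract_origin_ip(src, line))
    bad = O365_LINE.replace("SIP=1.1.1.1", "SIP=not-an-ip")
    print("strict:", extract_origin_ip("o365", bad),
          "overloaded:", overloaded_capture(bad))
```

The LogBinder sample carries a zone index (%00) on the link-local address; the script keeps it separately rather than discarding it, because ipaddress will not accept it as part of the address on older Python releases and it is not part of the host identity that SIP represents.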