Update eventchannel fields

rules/0220-msauth_rules.xml

@@ -1925,23 +1925,23 @@
   <!-- Composite rules -->
   <rule id="20085" level="10" frequency="$MS_FREQ" timeframe="240">
     <if_matched_sid>20008</if_matched_sid>
-    <same_field>EventChannel.EventData.TargetUserName</same_field>
+    <same_field>win.eventdata.targetUserName</same_field>
     <description>Windows: Multiple failed attempts to perform a privileged operation by the same user</description>
     <options>no_full_log</options>
     <group>pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
   </rule>
 
   <rule id="20086" level="10" frequency="$MS_FREQ" timeframe="240">
     <if_matched_group>win_authentication_failed</if_matched_group>
-    <same_field>EventChannel.EventData.IpAddress</same_field>
+    <same_field>win.eventdata.ipAddress</same_field>
     <description>Multiple Windows Logon Failures</description>
     <options>no_full_log</options>
     <group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
   </rule>
 
   <rule id="20087" level="10" frequency="$MS_FREQ" timeframe="240">
     <if_matched_sid>20005</if_matched_sid>
-    <same_field>EventChannel.EventData.IpAddress</same_field>
+    <same_field>win.eventdata.ipAddress</same_field>
     <description>Multiple Windows audit failure events</description>
     <options>no_full_log</options>
     <group>pci_dss_10.6.1,gdpr_IV_35.7.d,</group>