diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index b5d8d8b4cf7..498693840f4 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -357,6 +357,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 *Winlogbeat*
 - Change `event.code` and `winlog.event_id` from int to keyword. {pull}25176[25176]
+- Fix related.ip field in renameCommonAuthFields {pull}24892[24892]
 *Functionbeat*
diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js
index e624a819beb..181e2612b46 100644
--- a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js
+++ b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js
@@ -1850,7 +1850,6 @@ var security = (function () {
 {from: "winlog.event_data.AccountName", to: "user.name"},
 {from: "winlog.event_data.AccountDomain", to: "user.domain"},
 {from: "winlog.event_data.ClientAddress", to: "source.ip", type: "ip"},
- {from: "winlog.event_data.ClientAddress", to: "related.ip", type: "ip"},
 {from: "winlog.event_data.ClientName", to: "source.domain"},
 {from: "winlog.event_data.LogonID", to: "winlog.logon.id"},
 ],
@@ -1861,6 +1860,12 @@ var security = (function () {
 var user = evt.Get("winlog.event_data.AccountName");
 evt.AppendTo('related.user', user);
 })
+ .Add(function(evt) {
+ var ip = evt.Get("source.ip");
+ if (ip) {
+ evt.Put('related.ip', ip);
+ }
+ })
 .Build();
 var addServiceFields = new processor.Chain()
@@ -2028,7 +2033,6 @@ var security = (function () {
 {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"},
 {from: "winlog.event_data.ProcessName", to: "process.executable"},
 {from: "winlog.event_data.IpAddress", to: "source.ip", type: "ip"},
- {from: "winlog.event_data.ClientAddress", to: "related.ip", type: "ip"},
 {from: "winlog.event_data.IpPort", to: "source.port", type: "long"},
 {from: "winlog.event_data.WorkstationName", to: "source.domain"},
 ],
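Review bot: The step added in the `@@ -1861` hunk stores the address with `evt.Put('related.ip', ip)`, which replaces any value already held in `related.ip`, whereas the step directly above it uses `evt.AppendTo` for `related.user`. `related.ip` is the field analysts pivot on to find every address tied to an event, so an overwrite here could silently drop an address if another processor populates the field first (none is visible in these hunks, so this is a precaution rather than a confirmed loss). I would write `evt.AppendTo('related.ip', ip);` instead; the same applies to the identical step added in the `@@ -2047` hunk. Both chains begin outside the hunks shown, and since the two added functions are identical, a single named helper passed to both `.Add(...)` calls would keep them from drifting apart.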
@@ -2047,6 +2051,12 @@ var security = (function () {
 }
 evt.Put("process.name", path.basename(exe));
 })
+ .Add(function(evt) {
+ var ip = evt.Get("source.ip");
+ if (ip) {
+ evt.Put('related.ip', ip);
+ }
+ })
 .Build();
 var renameNewProcessFields = new processor.Chain()
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4768.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4768.evtx.golden.json
index e2c20d00775..819570bff67 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4768.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4768.evtx.golden.json
@@ -22,6 +22,7 @@
 "level": "information"
 },
 "related": {
+ "ip": "::1",
 "user": "at_adm"
 },
 "source": {
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4769.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4769.evtx.golden.json
index d9035b80116..064cbd79ae3 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4769.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4769.evtx.golden.json
@@ -22,6 +22,7 @@
 "level": "information"
 },
 "related": {
+ "ip": "::1",
 "user": "at_adm"
 },
 "source": {
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4770.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4770.evtx.golden.json
index c5d65a65deb..49db848f27a 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4770.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4770.evtx.golden.json
@@ -22,6 +22,7 @@
 "level": "information"
 },
 "related": {
+ "ip": "::1",
 "user": "DC_TEST2K12$"
 },
 "source": {
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.evtx.golden.json
index 745498c40d1..cc4d8079f0b 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.evtx.golden.json
@@ -195,6 +195,7 @@
 "pid": 448
 },
 "related": {
+ "ip": "127.0.0.1",
 "user": [
 "vagrant",
 "VAGRANT-2012-R2$"
@@ -858,6 +859,7 @@
 "pid": 2812
 },
 "related": {
+ "ip": "10.0.2.2",
 "user": [
 "vagrant",
 "VAGRANT-2012-R2$"
@@ -1449,6 +1451,7 @@
 "pid": 836
 },
 "related": {
+ "ip": "::1",
 "user": "bosch"
 },
 "source": {