SIGMA Rule On an IP Address Field

[oneCrazyAdmin]

I wrote a Sigma rule looking for failed Administrator logins. Because of our environment, I wanted to filter out failed logins from a particular network segment.

However, the Sigma to EQL converts the source.ip address to be source.ip:"192.168.1.0/24" which causes EQL to throw and error.

Is there a way in the SIGMA rule to make sure that it uses == instead of : ?

`title: Failed Login Attempt by Administrator or Administrater
id: 995678-1234-1234-2025-123456789012
description: Detects failed login attempts by users with the username "administrator" or "administrater".
status: experimental
author: Stephen Meier
logsource:
category: authentication
product: windows
detection:
selection:
EventID: 4771
TargetUserName|contains:
- administrator
- administrater
exclusion:
source.ip: 192.168.1.0/24
condition: selection and not exclusion
fields:

• TargetUserName
• EventID
• IpAddress
• source.ip
  falsepositives:
• Legitimate failed login attempts by administrators
  level: critical`

Converts to
any where (event.code:"4771" and (winlog.event_data.TargetUserName like~ ("*administrator*", "*administrater*"))) and (not source.ip:"172.20.8.0/24")

And gets me the error

{ "error": { "root_cause": [ { "type": "verification_exception", "reason": """Found 1 problem line 2:125: first argument of [:] must be [string], found value [source.ip] type [ip]; consider using [==] instead""" } ], "type": "verification_exception", "reason": """Found 1 problem line 2:125: first argument of [:] must be [string], found value [source.ip] type [ip]; consider using [==] instead""" }, "status": 400 }

[cm-ops]

Did you do this in Detections? Have you tried setting sofilter? https://docs.securityonion.net/en/2.4/sigma.html#managing-existing-sigma-rules

[oneCrazyAdmin]

I was reading through that documentation and didn't really understand what that really was.

I did go back and take a better look at it, and that does work. Once again the problem was between the chair and the keyboard.

Thank you!