SigmaHQ / sigma

Main Sigma Rule Repository

The "Data" field in "filter_main_local_ips" is mapped to "param3" with winlogbeat #5045

Closed zambomarcell closed 1 month ago

zambomarcell commented 1 month ago

Rule UUID

ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d

Example EventLog

event_code 18456
event_desc Login failed in Application Nixon
event_kind event
event_outcome failure
event_provider MSSQLSERVER
log_level information
message Login failed for user 'NixonAdmin'. Reason: Password did not match that for the login provided. [CLIENT: 10.1.10.170]
winlog_channel Application
winlog_event_data_Binary 184800000E0000000500000044004200300031000000070000006D00610073007400650072000000
winlog_event_data_param1 NixonAdmin
winlog_event_data_param2 Reason: Password did not match that for the login provided.
winlog_event_data_param3 [CLIENT: 10.1.10.170]
winlog_event_id 18456
winlog_keywords Audit Failure, Classic

Description

detection:
    selection:
        Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876
        EventID: 18456
    filter_main_local_ips:
        Data|contains:
            - 'CLIENT: 10.' # filter_range_IP: 10.0.0.0/8
            - 'CLIENT: 172.16.' # filter_range_IP: 172.16.0.0/12
            - 'CLIENT: 172.17.'
            - ...

The detection logic works with the Data field to filter out private logon attempts, but (with winlogbeat) this information is stored in the param3 field. Can you change the rule to use param3, or is this param3 field winlogbeat specific?

nasbench commented 1 month ago

Sigma doesn't care about the fields of backends. It's the job of the rule consumer to map it correctly.

The rule is using the Data raw field from the event log itself. This param3 is unrelated; it's just Elastic's way of mapping the Data field.

You should map your field using logstash/ingestion pipeline in order for the rule to work.

Nothing to be fixed in the rule.
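Added example (not code from the issue, winlogbeat or the Sigma project) showing the mapping step described in this thread: the numbered winlogbeat param* fields are gathered back into the Data list the rule expects, and the rule's selection plus filter_main_local_ips logic is evaluated against the event from the report. The event dictionary is constructed from the log lines above; the Sigma rule itself only lists string prefixes (CLIENT: 10., CLIENT: 172.16., ...) and elides the rest, so the filter here generalises that list to the 10.0.0.0/8 and 172.16.0.0/12 ranges named in the rule comments plus 192.168.0.0/16 and 127.0.0.0/8, which are an assumption. The field names Provider_Name, EventID and Data are the Sigma-side names; the mapping function and its helpers are hypothetical.

```python
import ipaddress
import re

# Constructed winlogbeat event, using the flattened field names shown in the issue.
SAMPLE_EVENT = {
    "winlog_channel": "Application",
    "winlog_event_id": 18456,
    "event_provider": "MSSQLSERVER",
    "winlog_event_data_param1": "NixonAdmin",
    "winlog_event_data_param2": "Reason: Password did not match that for the login provided.",
    "winlog_event_data_param3": "[CLIENT: 10.1.10.170]",
}

PARAM_RE = re.compile(r"^winlog_event_data_param(\d+)$")
CLIENT_RE = re.compile(r"CLIENT:\s*([0-9a-fA-F:.]+)")

# 10.0.0.0/8 and 172.16.0.0/12 are named in the rule's comments; the other two
# are an assumption standing in for the elided rest of the filter list.
LOCAL_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def map_winlogbeat_event(event):
    """Rebuild the fields the Sigma rule references from a winlogbeat event.

    winlogbeat splits the raw <Data> elements of the Windows event into
    param1, param2, ... ; this gathers them back, in order, into a Data list.
    This is the consumer-side mapping step, not part of the rule (hypothetical).
    """
    params = []
    for key, value in event.items():
        m = PARAM_RE.match(key)
        if m:
            params.append((int(m.group(1)), value))
    return {
        "Provider_Name": event.get("event_provider", ""),
        "EventID": event.get("winlog_event_id"),
        "Data": [value for _, value in sorted(params)],
    }


def client_is_private(data_values):
    """filter_main_local_ips: True when any Data element carries a CLIENT
    address inside one of LOCAL_RANGES. Non-IP client strings (e.g. a named
    pipe or local-machine marker) simply do not match the filter."""
    for value in data_values:
        m = CLIENT_RE.search(value)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # not an address; cannot be in a private range
        if any(addr in net for net in LOCAL_RANGES):
            return True
    return False


def rule_matches(mapped):
    """selection and not filter_main_local_ips, on already-mapped fields.
    With an empty Data list (i.e. no mapping applied) the filter can never
    fire, which is why the rule then alerts on private-range logons too."""
    selection = "MSSQL" in mapped["Provider_Name"] and mapped["EventID"] == 18456
    return selection and not client_is_private(mapped["Data"])


if __name__ == "__main__":
    mapped = map_winlogbeat_event(SAMPLE_EVENT)
    print("Data:", mapped["Data"])
    print("alert:", rule_matches(mapped))
```

Running it on the event from the report yields no alert, because the mapped Data list contains "[CLIENT: 10.1.10.170]" and the filter excludes it; the same event with Data left empty (no mapping) would alert, which matches the behaviour the reporter observed.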