To clarify - using DetectionIP will match for the machine where the logs are being generated.
Caveats:
- If you're monitoring domain controllers, you will see logons constantly from many different users and this rule may fire false positives.
- If you're monitoring servers and systems directly, this rule will work as described.
You may be able to accomplish what you want for both the DC and local login case using DestinationMachine instead.