diff --git a/salt/soc/files/soc/sigma_so_pipeline.yaml b/salt/soc/files/soc/sigma_so_pipeline.yaml
index 8121a6f13..533823e6f 100644
--- a/salt/soc/files/soc/sigma_so_pipeline.yaml
+++ b/salt/soc/files/soc/sigma_so_pipeline.yaml
@@ -12,7 +12,7 @@ transformations:
         sid: rule.uuid
         answer: answers
         query: dns.query.name
-        src_ip: destination.ip.keyword
+        src_ip: source.ip.keyword
         src_port: source.port
         dst_ip: destination.ip.keyword
         dst_port: destination.port