Thanks, @ethical20. Great observation.
Unfortunately, Packetbeat doesn't have a protocol analyzer for Telnet.
I think the rule you're looking at is to identify Telnet Port Activity vs. Telnet authentication, because there isn't an analyzer.
As a workaround, you could use the rule to just look at your own IP ranges, to identify lateral movement vs. as an entry point from interfaces that are Internet-connected. You could do this using the Exception Framework in the Detection Engine.
This exception means the alert would only trigger when the source IP addresses are RFC1918 addresses. The wording is a bit confusing, a double-negative. The way I read it is if you used the "is" Operator, the rule would always trigger except when the IP addresses are RFC1918, so try the "is not" Operator. If that doesn't give you the expected response (only alert on internal Telnet), you can try it with the "is" Operator.