condition fix and add fields

should be `operation` not `endpoint` for the detection logic.
added various fields useful for investigation

rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml

@@ -20,10 +20,18 @@ logsource:
     service: dce_rpc
 detection:
     efs_operation:
-        endpoint|startswith:
+        operation|startswith:
             - 'Efs'
             - 'efs'
     condition: efs_operation
 falsepositives:
     - Uncommon but legitimate windows administrator or software tasks that make use of the Encrypting File System RPC Calls. Verify if this is common activity (see description).
 level: medium
+fields:
+    - id.orig_h
+    - id.resp_h
+    - id.resp_p
+    - operation
+    - endpoint
+    - named_pipe
+    - uid