From b255586117bba130ef69e84f465d269c030d5d71 Mon Sep 17 00:00:00 2001
From: Nate Guagenti
Date: Mon, 23 Aug 2021 14:59:06 -0400
Subject: [PATCH] condition fix and add fields

should be `operation` not `endpoint` for the detection logic. added various fields useful for investigation
---
 ...zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
index c50ceb512..52cae5548 100644
--- a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
+++ b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
@@ -20,10 +20,18 @@ logsource:
 service: dce_rpc
 detection:
 efs_operation:
- endpoint|startswith:
+ operation|startswith:
 - 'Efs'
 - 'efs'
 condition: efs_operation
 falsepositives:
 - Uncommon but legitimate windows administrator or software tasks that make use of the Encrypting File System RPC Calls. Verify if this is common activity (see description).
 level: medium
+fields:
+ - id.orig_h
+ - id.resp_h
+ - id.resp_p
+ - operation
+ - endpoint
+ - named_pipe
+ - uid
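Review bot: The new `operation|startswith:` selector keeps both `'Efs'` and `'efs'`, but Sigma string matching is case-insensitive by default, so on most backends the second value is redundant, while on a backend that matches case-sensitively a value with different casing would still be missed; either reduce to one value or add a comment at the selector stating which backend behaviour the two spellings are meant to cover. The rule now places no constraint on `endpoint` or `named_pipe` at all and keys only on the `operation` prefix, so every EFSRPC method on any pipe will fire; if that breadth is intended, a one-line comment such as `# any EFSRPC method, regardless of endpoint/pipe — see falsepositives` at `efs_operation:` would make the scope explicit for a reader who now sees `endpoint` only in the new `fields` list. The `fields` addition is useful for triage as is. The rule's `title`, `description` and the rest of `logsource` lie outside the hunk, so whether the description explains the expected baseline activity cannot be checked here.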