Merge branch 'develop' into auto-ta-update-271

Author: patel-bhavin

detections/network/cisco_secure_firewall___intrusion_events_by_threat_activity.yml

@@ -24,7 +24,7 @@ search: |
   | bin _time span=1d
   | stats count AS Total_Alerts, dc(signature_id) AS sig_count, values(signature_id) AS signature_id, values(category) AS category, values(message) AS message, values(snort_rule_groups) AS snort_rule_groups, values(connection_id) AS connection_id, values(rule) AS rule, values(dest_port) AS dest_port, values(transport) AS transport, values(app) AS app, values(signature) AS signature, values(src_ip) AS src_ip BY _time dest_ip threat
   | lookup threat_snort_count threat OUTPUT description, distinct_count_snort_ids
-  | table _time, dest_ip, threat, category, message, description, signature_id, signature, snort_rule_groups, sig_count, distinct_count_snort_ids, connection_id, rule, dest_port, transport, app
+  | table _time, dest_ip, src_ip, threat, category, message, description, signature_id, signature, snort_rule_groups, sig_count, distinct_count_snort_ids, connection_id, rule, dest_port, transport, app
   | where sig_count >= distinct_count_snort_ids
   | `cisco_secure_firewall___intrusion_events_by_threat_activity_filter`
 how_to_implement: |
@@ -53,7 +53,7 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: Potential $threat$ activity detected from $src_ip$ to $dest_ip$.
+  message: Potential $threat$ activity detected on $dest_ip$ originating from $src_ip$.
   risk_objects:
     - field: dest_ip
       type: system