Address PR review comments

Author: jwindley

detections/endpoint/linux_system_network_discovery.yml

@@ -15,6 +15,7 @@ description: The following analytic identifies potential enumeration of local ne
   movement within the environment.
 data_source:
 - Sysmon for Linux EventID 1
+- osquery
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime values(Processes.action) as action values(Processes.dest) as dest values(Processes.original_file_name)
   as original_file_name values(Processes.parent_process) as parent_process values(Processes.parent_process_exec)
@@ -85,3 +86,6 @@ tests:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/atomic_red_team/linux_net_discovery/sysmon_linux.log
     source: Syslog:Linux-Sysmon/Operational
     sourcetype: sysmon:linux
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/atomic_red_team/macos_net_discovery/macos_network_discovery.log
+    sourcetype: osquery:results
+    source: local_vm

detections/endpoint/macos_list_firewall_rules.yml

@@ -37,7 +37,7 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: MacOS firewall rules listed
+  message: MacOS firewall rules listed by $user$ on $dest$
   risk_objects:
   - field: dest
     type: system
@@ -61,6 +61,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/atomic_red_team/macos_net_discovery/macos_network_discovery.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/attack_techniques/T1016/atomic_red_team/macos_net_discovery/macos_list_firewall_rules.log
     sourcetype: osquery:results
     source: local_vm