I am finding that a majority of the critical IPS events that I should be retrieving require me to manually edit signatures to change aggregation to Attacker Victim and port. There are tens of thousands of signatures, and I have no idea what Cisco does to release these.
Is it possible to remove this requirement for the SDEE connector? IPS 7.3, connector 7.0.7.
This seems like either a bug or an oversight.