SIEM detections false positive

Hi, yes, you can remove the network.direction test when using these on endpoint data. This field is more useful when it has been populated by a Suricata, Snort or Zeek network list. It is not a super reliable layer three context in endpoint pipelines because these typically have no network lists or maps. The rule needs more branching logic to confine evaluation of the network.direction field to appropriate event types.

Such a modified version of the search for endpoint events would look like this:

network.transport: tcp and destination.port: (139 or 445) and source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
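The modified query above, re-implemented as a small Python filter so its logic can be checked offline against constructed ECS-style endpoint events. This is an added example, not code from the post, from Elastic or from any rule set; the sample events are constructed, and the event shape (nested or dotted ECS keys) and the `event.id` field used to label results are assumptions.

```python
import ipaddress
from typing import Any, Dict, List, Optional

# Values taken from the query in the post: SMB/NetBIOS ports and the RFC 1918 ranges.
SMB_PORTS = {139, 445}
PRIVATE_NETS = [
    ipaddress.ip_network(cidr)
    for cidr in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def get_field(event: Dict[str, Any], dotted: str) -> Optional[Any]:
    """Read an ECS field whether the event uses flattened ("source.ip")
    or nested ({"source": {"ip": ...}}) keys. Returns None when absent."""
    if dotted in event:
        return event[dotted]
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def is_private(ip_str: Optional[str]) -> bool:
    """True when the value parses as an IP address inside an RFC 1918 range."""
    if not ip_str:
        return False
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in PRIVATE_NETS)


def matches_outbound_smb(event: Dict[str, Any]) -> bool:
    """Mirror of the KQL predicate from the post, with network.direction dropped:
    tcp AND destination.port in (139, 445) AND private source.ip
    AND NOT private destination.ip."""
    if get_field(event, "network.transport") != "tcp":
        return False
    try:
        port = int(get_field(event, "destination.port"))
    except (TypeError, ValueError):
        return False
    if port not in SMB_PORTS:
        return False
    if not is_private(get_field(event, "source.ip")):
        return False
    # KQL `not destination.ip: (...)` is also satisfied when the field is
    # missing, so this mirrors that; require the field explicitly if you
    # would rather skip events that carry no destination address at all.
    return not is_private(get_field(event, "destination.ip"))


def find_alerts(events: List[Dict[str, Any]]) -> List[str]:
    """Return the event.id of every event the predicate fires on."""
    return [str(get_field(e, "event.id")) for e in events if matches_outbound_smb(e)]


# Constructed sample endpoint events (not real telemetry). None of them carries a
# trustworthy network.direction, which is the situation the post describes.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"event": {"id": "e1"}, "network": {"transport": "tcp"},
     "source": {"ip": "192.168.1.10"}, "destination": {"ip": "203.0.113.5", "port": 445}},
    {"event.id": "e2", "network.transport": "tcp", "source.ip": "10.1.2.3",
     "destination.ip": "10.1.2.4", "destination.port": 445},          # internal SMB: no alert
    {"event.id": "e3", "network.transport": "udp", "source.ip": "10.1.2.3",
     "destination.ip": "203.0.113.5", "destination.port": 445},      # wrong transport
    {"event.id": "e4", "network.transport": "tcp", "network.direction": "ingress",
     "source.ip": "172.20.0.5", "destination.ip": "198.51.100.7",
     "destination.port": "139"},                                     # stale direction is ignored
    {"event.id": "e5", "network.transport": "tcp", "source.ip": "192.168.1.10",
     "destination.ip": "203.0.113.5", "destination.port": 443},      # not an SMB port
    {"event.id": "e6", "network.transport": "tcp", "source.ip": "198.51.100.2",
     "destination.ip": "203.0.113.9", "destination.port": 445},      # source not private
]

if __name__ == "__main__":
    print(find_alerts(SAMPLE_EVENTS))  # ['e1', 'e4']
```

Event e4 is the one to look at: its `network.direction` says `ingress`, which on endpoint data is exactly the kind of value the post calls unreliable, and because the rewritten predicate never consults that field the event is still flagged on the strength of its private source and public destination.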