
Commit

Merge pull request #335 from CrossRealms/linux-user-changes
Add changes field in the main alert
mahirchavda authored Jun 28, 2023
2 parents 4251957 + 7e99b78 commit 9530d0b
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions cyences_app_for_splunk/default/savedsearches.conf
Expand Up @@ -4164,7 +4164,7 @@ request.ui_dispatch_app = cyences_app_for_splunk
request.ui_dispatch_view = search
search = | inputlookup cs_linux_users \
| addinfo | where _time>=info_min_time and _time <info_max_time \
| table host UID _time USERNAME COMMAND_SHELL HOME_DIR SUDOACCESS USER_INFO GID status \
| table host UID _time USERNAME COMMAND_SHELL HOME_DIR SUDOACCESS USER_INFO GID status changes \
| eval cyences_severity = case(UID=0, "high",1=1, "medium") \
| `cs_change_in_user_linux_filter`
action.cyences_notable_event_action = 1
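Review bot: the only change in this hunk is appending `changes` to the `table` command, but nothing in the diff shows the `cs_linux_users` lookup actually being populated with a `changes` field; please confirm the search or script that writes that lookup emits it, otherwise the new column will render empty in every notable. Since the field is now available, consider letting it influence severity as well: the current `case(UID=0, "high", 1=1, "medium")` only elevates root, while a recorded change to `SUDOACCESS` or `COMMAND_SHELL` on a non-root account is arguably just as notable. Minor style point on the context line `where _time>=info_min_time and _time <info_max_time`: the spacing around the operators is inconsistent.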
Expand Down Expand Up @@ -4198,7 +4198,7 @@ request.ui_dispatch_app = cyences_app_for_splunk
request.ui_dispatch_view = search
search = | inputlookup cs_linux_groups \
| addinfo | where _time>=info_min_time and _time <info_max_time \
| table _time host group_name users status \
| table _time host group_name users status changes \
| eval cyences_severity = case(group_name="root", "high",1=1, "medium") \
| `cs_change_in_group_of_linux_filter`
action.cyences_notable_event_action = 1
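Review bot: same concern as the user search above: `changes` is added to the output table here, but the diff does not show where the `cs_linux_groups` lookup gets that field, so verify the lookup generator writes it. The severity logic also only treats `root` as high; membership changes to other privileged groups are at least as relevant for detection, so a reviewer would expect something like `case(group_name="root" OR group_name="sudo" OR group_name="wheel", "high", 1=1, "medium")`, with the exact group list matched to the distributions being monitored.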
