From 7e99b78acca4d5ef4abcd24536e8d9b36f1f9713 Mon Sep 17 00:00:00 2001
From: Mahir Chavda <mahir.chavda13@gmail.com>
Date: Wed, 28 Jun 2023 21:52:14 +0530
Subject: [PATCH] Add changes field in the main alert

---
 cyences_app_for_splunk/default/savedsearches.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cyences_app_for_splunk/default/savedsearches.conf b/cyences_app_for_splunk/default/savedsearches.conf
index 9b216e83..3b6d1d30 100644
--- a/cyences_app_for_splunk/default/savedsearches.conf
+++ b/cyences_app_for_splunk/default/savedsearches.conf
@@ -4075,7 +4075,7 @@ request.ui_dispatch_app = cyences_app_for_splunk
 request.ui_dispatch_view = search
 search = | inputlookup cs_linux_users \
 | addinfo | where _time>=info_min_time and _time <info_max_time \
-| table host UID _time USERNAME COMMAND_SHELL HOME_DIR SUDOACCESS USER_INFO GID status \
+| table host UID _time USERNAME COMMAND_SHELL HOME_DIR SUDOACCESS USER_INFO GID status changes \
 | eval cyences_severity = case(UID=0, "high",1=1, "medium") \
 | `cs_change_in_user_linux_filter`
 action.cyences_notable_event_action = 1
@@ -4109,7 +4109,7 @@ request.ui_dispatch_app = cyences_app_for_splunk
 request.ui_dispatch_view = search
 search = | inputlookup cs_linux_groups \
 | addinfo | where _time>=info_min_time and _time <info_max_time \
-| table _time host group_name users status \
+| table _time host group_name users status changes \
 | eval cyences_severity = case(group_name="root", "high",1=1, "medium") \
 | `cs_change_in_group_of_linux_filter`
 action.cyences_notable_event_action = 1