Hello, is there any way for the ip address to be copied over to the top... The condition is whenever the root's command doesn't have an ip and is followed by a standard user command's , which is bash with an ip, that ip should be root's too
SPL
index=* (source="/var/log/secure" (TERM(sudo) AND (TERM(adduser) OR TERM(chown) OR TERM(userdel) OR TERM(chmod) OR TERM(usermod) OR TERM(useradd)))
OR (TERM(sudo:) OR TERM(su:) AND("session opened for user root" OR COMMAND=/bin/bash))
OR (TERM(sshd) AND "Accepted password"
[search index=* (source="/var/log/secure" (TERM(sudo) AND (TERM(adduser) OR TERM(chown) OR TERM(userdel) OR TERM(chmod) OR TERM(usermod) OR TERM(useradd))))
OR (source="/root/.bash_history" AND (TERM(adduser) OR TERM(chown) OR TERM(userdel) OR TERM(chmod) OR TERM(usermod) OR TERM(useradd)))
| regex _raw!= ".*user NOT in sudoers.*"
| stats earliest(_time) as E latest(_time) as latest
| eval earliest = relative_time(E, "-24h@s")
| fields earliest latest]))
OR (source="/root/.bash_history" AND (TERM(adduser) OR TERM(chown) OR TERM(userdel) OR TERM(chmod) OR TERM(usermod) OR TERM(useradd)))
| eval Date = strftime(_time, "%Y-%d-%m")
| eval Time = if(source=="/root/.bash_history",strftime(_time, "%Y-%d-%m %H:%M:%S"),
if(match(_raw,"(?<=sudo:)\s*[[:alnum:]]\S*[[:alnum:]]\s*(?=\:).*(?<=COMMAND\=)*") ,strftime(_time, "%Y-%d-%m %H:%M:%S"),null()))
| regex _raw!= ".*user NOT in sudoers.*"
| eval Users = "root"
| eval command = if(source=="/root/.bash_history",_raw,null())
| rex field=_raw "(?<=sudo:)\s*(?P<Users>[[:alnum:]]\S*[[:alnum:]])\s*(?=\:).*(?<=COMMAND\=)(?P<command>.*)"
| rex field=_raw "(?<=for)\s*(?P<Users>[[:alnum:]]\S*[[:alnum:]])\s*(?=from).*(?<=from)\s*(?P<ip>[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+)"
| eval "Command/Events" = replace(command,"^(\/bin\/|\/sbin\/)","")
| eval time_command = mvzip(Time,'Command/Events')
| stats values(time_command) as Time_Command latest(ip) as "IP Address" by Date Users index host
| mvexpand Time_Command
| makemv Time_Command delim=","
| eval Time=mvindex(Time_Command , 0)
| eval "Command/Events"=mvindex(Time_Command , 1)
| table Time Command/Events host Users "IP Address"
