Replace TimeGenerated with EventEndTime in KQL queries for Box workbook

[v-sabiraj]

Required items, please complete

Change(s):

• This change is done as we are doing project-rename for "TimeGenerated" to "EventEndTime"

Reason for Change(s):

• See guidance below

Version Updated:

• Yes

Testing Completed:

• yes

Checked that the validations are passing and have addressed any issues that are present:

• See guidance below

Guidance <- remove section before submitting

---

Before submitting this PR please ensure that you have read the following sections and filled out the changes, reason for change and testing complete sections:

Thank you for your contribution to the Microsoft Sentinel Github repo.

Details of the code changes in your submitted PR. Providing descriptions for pull requests ensures there is context to changes being made and greatly enhances the code review process. Providing associated Issues that this resolves also easily connects the reason.

Change(s):

• Updated syntax for XYZ.yaml

Reason for Change(s):

• New schema used for XYZ.yaml
• Resolves ISSUE Add Logstash required version to Readme file #1234

Version updated:

• Yes
• Detections/Analytic Rule templates are required to have the version updated

The code should have been tested in a Microsoft Sentinel environment that does not have any custom parsers, functions or tables, so that you validate no incorrect syntax and execution functions properly. If your submission requires a custom parser or function, it must be submitted with the PR.

Testing Completed:

• Yes/No/Need Help

Note: If updating a detection, you must update the version field.

Before the submission has been made, please look at running the KQL and Yaml Validation Checks locally.
https://github.com/Azure/Azure-Sentinel#run-kql-validation-locally

Checked that the validations are passing and have addressed any issues that are present:

• Yes/No/Need Help

Note: Let us know if you have tried fixing the validation error and need help.

References:

• Guidance for Detection checks
• General contribution guidance
• PR validation troubleshooting

---

[Copilot]

Pull Request Overview

This PR updates the Box solution workbook to use EventEndTime instead of TimeGenerated for time-based filtering in KQL queries, aligning with the standardized time field from the CCP (Codeless Connector Platform) data connector. The changes also include version bumps and metadata updates to reflect this modification.

• Updated all KQL queries in the Box workbook to filter and aggregate on EventEndTime instead of TimeGenerated
• Incremented solution version from 3.1.1 to 3.1.2
• Updated workbook version from 1.0.0 to 1.0.1
• Modified data connector dependency from BoxDataConnector to BoxEventsCCPDefinition

Reviewed Changes

Copilot reviewed 6 out of 7 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
Workbooks/WorkbooksMetadata.json	Updated workbook version, data type dependency from BoxEvents_CL to BoxEvents, and connector dependency
Solutions/Box/Workbooks/Box.json	Replaced all TimeGenerated references with EventEndTime in KQL queries throughout the workbook
Solutions/Box/ReleaseNotes.md	Added entry documenting the KQL query updates for version 3.1.2
Solutions/Box/Package/mainTemplate.json	Updated solution version, workbook version, descriptions, and CCP data connector template parameters
Solutions/Box/Package/createUiDefinition.json	Updated data connector text to reference "Box Events (CCP)"
Solutions/Box/Package/3.1.2.zip	Added packaged solution file for new version
Solutions/Box/Data/Solution_Box.json	Incremented solution version to 3.1.2

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Inconsistent parameter reference syntax. This uses mustache-style {{boxEnterpriseId}} while the rest of the ARM template uses bracket notation [[parameters('boxEnterpriseId')]. ARM templates should consistently use bracket notation for parameter references, not mustache syntax.

Suggested change

	"box_subject_id": "{{boxEnterpriseId}}"
	"box_subject_id": "[parameters('boxEnterpriseId')]"

[v-sudkharat]

Rule creation fail for :
Box - Abmormal user activity
Box - Inactive user login
Box - Many items deleted by user
Box - User logged in as admin
Box - User role changed to owner
Getting error: 'where' operator: Failed to resolve scalar expression named 'TimeGenerated

[v-sudkharat]

@v-sabiraj, Getting similar error for Hunting query as well. Seems like, have to update the Time generated column with updated one

[contentautomationbot]

Hello how are you I am GitHub bot
😀😀
I see that you changed templates under the detections/analytic rules folder. Did you remember to update the version of the templates you changed?
If not, and if you want customers to be aware that a new version of this template is available, please update the version property of the template you changed.

[v-sabiraj]

Rule creation fail for : Box - Abmormal user activity Box - Inactive user login Box - Many items deleted by user Box - User logged in as admin Box - User role changed to owner Getting error: 'where' operator: Failed to resolve scalar expression named 'TimeGenerated

Thanks @v-sudkharat , fixed both Analytic rules and Hunting queries. Thanks.

[v-sudkharat]

Updated changes looks Good