diff --git a/Solutions/SlackAudit/Package/3.0.5.zip b/Solutions/SlackAudit/Package/3.0.5.zip
new file mode 100644
index 00000000000..0621746ba6c
Binary files /dev/null and b/Solutions/SlackAudit/Package/3.0.5.zip differ
diff --git a/Solutions/SlackAudit/Package/mainTemplate.json b/Solutions/SlackAudit/Package/mainTemplate.json
index 85eef479a8e..8b94c429d5b 100644
--- a/Solutions/SlackAudit/Package/mainTemplate.json
+++ b/Solutions/SlackAudit/Package/mainTemplate.json
@@ -55,7 +55,7 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "SlackAudit",
- "_solutionVersion": "3.0.4",
+ "_solutionVersion": "3.0.5",
 "solutionId": "azuresentinel.azure-sentinel-solution-slackaudit",
 "_solutionId": "[variables('solutionId')]",
 "workbookVersion1": "1.0.0",
@@ -139,7 +139,7 @@
 "_parserName1": "[concat(parameters('workspace'),'/','SlackAudit Data Parser')]",
 "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'SlackAudit Data Parser')]",
 "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('SlackAudit-Parser')))]",
- "parserVersion1": "1.0.0",
+ "parserVersion1": "1.0.1",
 "parserContentId1": "SlackAudit-Parser"
 },
 "huntingQueryObject1": {
@@ -204,7 +204,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SlackAudit Workbook with template version 3.0.4",
+ "description": "SlackAudit Workbook with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
@@ -292,7 +292,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SlackAuditEmptyUA_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "SlackAuditEmptyUA_AnalyticalRules Analytics Rule with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -320,10 +320,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "SlackAuditAPI",
 "dataTypes": [
 "SlackAudit_CL"
- ]
+ ],
+ "connectorId": "SlackAuditAPI"
 }
 ],
 "tactics": [
@@ -336,8 +336,8 @@
 {
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "FullName"
 }
 ],
 "entityType": "Account"
@@ -396,7 +396,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SlackAuditMultipleArchivedFilesUploadedInShortTimePeriod_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "SlackAuditMultipleArchivedFilesUploadedInShortTimePeriod_AnalyticalRules Analytics Rule with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -424,10 +424,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "SlackAuditAPI",
 "dataTypes": [
 "SlackAudit_CL"
- ]
+ ],
+ "connectorId": "SlackAuditAPI"
 }
 ],
 "tactics": [
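Review bot: The `requiredDataConnectors` entry in the `@@ -320,10` hunk (and the identical hunks for the other eight rules) still lists only `"connectorId": "SlackAuditAPI"` with `"SlackAudit_CL"`, while the `SlackAudit` parser query on the new side of this diff also defines views over `SlackAuditNativePoller_CL` and `SlackAuditV2_CL`. If these rules query through that parser, a workspace that ingests Slack audit events only into the newer tables could show the rule templates as lacking their data source, and the detections may be left disabled. Consider adding a `requiredDataConnectors` entry for each connector that populates those tables; their ids are not visible in this diff. The hunk itself only reorders keys, and if mainTemplate.json is produced by a packaging step the change belongs in the per-rule source definitions.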
@@ -440,8 +440,8 @@
 {
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "FullName"
 }
 ],
 "entityType": "Account"
@@ -500,7 +500,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SlackAuditMultipleFailedLoginsForUser_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "SlackAuditMultipleFailedLoginsForUser_AnalyticalRules Analytics Rule with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@@ -528,10 +528,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "SlackAuditAPI",
 "dataTypes": [
 "SlackAudit_CL"
- ]
+ ],
+ "connectorId": "SlackAuditAPI"
 }
 ],
 "tactics": [
@@ -544,8 +544,8 @@
 {
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "FullName"
 }
 ],
 "entityType": "Account"
@@ -604,7 +604,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SlackAuditSensitiveFile_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "SlackAuditSensitiveFile_AnalyticalRules Analytics Rule with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
@@ -632,10 +632,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "SlackAuditAPI",
 "dataTypes": [
 "SlackAudit_CL"
- ]
+ ],
+ "connectorId": "SlackAuditAPI"
 }
 ],
 "tactics": [
@@ -648,8 +648,8 @@
 {
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "FullName"
 }
 ],
 "entityType": "Account"
@@ -657,8 +657,8 @@
 {
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
 }
 ],
 "entityType": "IP"
@@ -717,7 +717,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SlackAuditSuspiciousFileDownloaded_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "SlackAuditSuspiciousFileDownloaded_AnalyticalRules Analytics Rule with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
@@ -745,10 +745,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "SlackAuditAPI",
 "dataTypes": [
 "SlackAudit_CL"
- ]
+ ],
+ "connectorId": "SlackAuditAPI"
 }
 ],
 "tactics": [
@@ -761,8 +761,8 @@
 {
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "FullName"
 }
 ],
 "entityType": "Account"
@@ -770,8 +770,8 @@
 {
 "fieldMappings": [
 {
- "identifier": "Name",
- "columnName": "FileCustomEntity"
+ "columnName": "FileCustomEntity",
+ "identifier": "Name"
 }
 ],
 "entityType": "File"
@@ -830,7 +830,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SlackAuditUnknownUA_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "SlackAuditUnknownUA_AnalyticalRules Analytics Rule with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
@@ -858,10 +858,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "SlackAuditAPI",
 "dataTypes": [
 "SlackAudit_CL"
- ]
+ ],
+ "connectorId": "SlackAuditAPI"
 }
 ],
 "tactics": [
@@ -874,8 +874,8 @@
 {
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "FullName"
 }
 ],
 "entityType": "Account"
@@ -934,7 +934,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SlackAuditUserChangedToAdminOrOwner_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "SlackAuditUserChangedToAdminOrOwner_AnalyticalRules Analytics Rule with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
@@ -962,10 +962,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "SlackAuditAPI",
 "dataTypes": [
 "SlackAudit_CL"
- ]
+ ],
+ "connectorId": "SlackAuditAPI"
 }
 ],
 "tactics": [
@@ -980,8 +980,8 @@
 {
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "FullName"
 }
 ],
 "entityType": "Account"
@@ -1040,7 +1040,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SlackAuditUserEmailChanged_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "SlackAuditUserEmailChanged_AnalyticalRules Analytics Rule with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]",
@@ -1068,10 +1068,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "SlackAuditAPI",
 "dataTypes": [
 "SlackAudit_CL"
- ]
+ ],
+ "connectorId": "SlackAuditAPI"
 }
 ],
 "tactics": [
@@ -1084,8 +1084,8 @@
 {
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "FullName"
 }
 ],
 "entityType": "Account"
@@ -1093,8 +1093,8 @@
 {
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
 }
 ],
 "entityType": "IP"
@@ -1153,7 +1153,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SlackAuditUserLoginAfterDeactivated_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "SlackAuditUserLoginAfterDeactivated_AnalyticalRules Analytics Rule with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]",
@@ -1181,10 +1181,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "SlackAuditAPI",
 "dataTypes": [
 "SlackAudit_CL"
- ]
+ ],
+ "connectorId": "SlackAuditAPI"
 }
 ],
 "tactics": [
@@ -1199,8 +1199,8 @@
 {
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "FullName"
 }
 ],
 "entityType": "Account"
@@ -1901,7 +1901,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SlackAudit Data Parser with template version 3.0.4",
+ "description": "SlackAudit Data Parser with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -1918,7 +1918,7 @@ "displayName": "SlackAudit Data Parser", "category": "Microsoft Sentinel Parser", "functionAlias": "SlackAudit", - "query": "let SlackAudit_view = view () {\nSlackAudit_CL\n| extend\n DetailsMobileOnly=column_ifexists('details_mobile_only_b', ''),\n \t\tDetailsWebOnly=column_ifexists('details_web_only_b', ''),\n \t\tDetailsKickerId=column_ifexists('details_kicker_id_s', ''),\n \t\tDetailsKickerName=column_ifexists('details_kicker_name_s', ''),\n \t\tDetailsKickerEmail=column_ifexists('details_kicker_email_s', ''),\n \t\tDetailsKickerTeam=column_ifexists('details_kicker_team_s', ''),\n \t\tDetailsAppOwnerId=column_ifexists('details_app_owner_id_s', ''),\n \t\tDetailsGranularBotToken=column_ifexists('details_granular_bot_token_b', ''),\n \t\tDetailsNewScopes=column_ifexists('details_new_scopes_s', ''),\n \t\tDetailsPreviousScopes=column_ifexists('details_previous_scopes_s', ''),\n \t\tEntityUsergroupId=column_ifexists('entity_usergroup_id_s', ''),\n \t\tEntityUsergroupName=column_ifexists('entity_usergroup_name_s', ''),\n \t\tDetailsKickerType=column_ifexists('details_kicker_type_s', ''),\n \t\tDetailsKickerUserId=column_ifexists('details_kicker_user_id_s', ''),\n \t\tDetailsKickerUserName=column_ifexists('details_kicker_user_name_s', ''),\n \t\tDetailsKickerUserEmail=column_ifexists('details_kicker_user_email_s', ''),\n \t\tDetailsKickerUserTeam=column_ifexists('details_kicker_user_team_s', ''),\n \t\tDetailsInviterId=column_ifexists('details_inviter_id_s', ''),\n \t\tDetailsInviterName=column_ifexists('details_inviter_name_s', ''),\n \t\tDetailsInviterEmail=column_ifexists('details_inviter_email_s', ''),\n \t\tDetailsInviterTeam=column_ifexists('details_inviter_team_s', ''),\n \t\tDetailsInviterType=column_ifexists('details_inviter_type_s', ''),\n \t\tDetailsInviterUserId=column_ifexists('details_inviter_user_id_s', ''),\n \t\tDetailsInviterUserName=column_ifexists('details_inviter_user_name_s', ''),\n 
\t\tDetailsInviterUserEmail=column_ifexists('details_inviter_user_email_s', ''),\n \t\tDetailsInviterUserTeam=column_ifexists('details_inviter_user_team_s', ''),\n \t\tDetailsIsWorkflow=column_ifexists('details_is_workflow_b', ''),\n \t\tEntityAppId=column_ifexists('entity_app_id_s', ''),\n \t\tEntityAppName=column_ifexists('entity_app_name_s', ''),\n \t\tEntityAppIsDistributed=column_ifexists('entity_app_is_distributed_b', ''),\n \t\tEntityAppIsDirectoryApproved=column_ifexists('entity_app_is_directory_approved_b', ''),\n \t\tEntityAppIsWorkflowApp=column_ifexists('entity_app_is_workflow_app_b', ''),\n \t\tEntityAppScopes=column_ifexists('entity_app_scopes_s', ''),\n \t\tDetailsIsInternalIntegration=column_ifexists('details_is_internal_integration_b', ''),\n \t\tDetailsBotScopes=column_ifexists('details_bot_scopes_s', ''),\n \t\tEntityChannelId=column_ifexists('entity_channel_id_s', ''),\n \t\tEntityChannelPrivacy=column_ifexists('entity_channel_privacy_s', ''),\n \t\tEntityChannelName=column_ifexists('entity_channel_name_s', ''),\n \t\tEntityChannelIsShared=column_ifexists('entity_channel_is_shared_b', ''),\n \t\tEntityChannelIsOrgShared=column_ifexists('entity_channel_is_org_shared_b', ''),\n \t\tDetailsType=column_ifexists('details_type_s', ''),\n \t\tEntityUserId=column_ifexists('entity_user_id_s', ''),\n \t\tEntityUserName=column_ifexists('entity_user_name_s', ''),\n \t\tEntityUserEmail=column_ifexists('entity_user_email_s', ''),\n \t\tEntityUserTeam=column_ifexists('entity_user_team_s', ''),\n \t\tId=column_ifexists('id_g', ''),\n \t\tDateCreate=column_ifexists('date_create_d', ''),\n \t\tAction=column_ifexists('action_s', ''),\n \t\tActorType=column_ifexists('actor_type_s', ''),\n \t\tActorUserId=column_ifexists('actor_user_id_s', ''),\n \t\tActorUserName=column_ifexists('actor_user_name_s', ''),\n \t\tActorUserEmail=column_ifexists('actor_user_email_s', ''),\n \t\tActorUserTeam=column_ifexists('actor_user_team_s', ''),\n 
\t\tEntityType=column_ifexists('entity_type_s', ''),\n \t\tEntityFileId=column_ifexists('entity_file_id_s', ''),\n \t\tEntityFileName=column_ifexists('entity_file_name_s', ''),\n \t\tEntityFileFiletype=column_ifexists('entity_file_filetype_s', ''),\n \t\tEntityFileTitle=column_ifexists('entity_file_title_s', ''),\n \t\tContextLocationType=column_ifexists('context_location_type_s', ''),\n \t\tContextLocationId=column_ifexists('context_location_id_s', ''),\n \t\tContextLocationName=column_ifexists('context_location_name_s', ''),\n \t\tContextLocationDomain=column_ifexists('context_location_domain_s', ''),\n \t\tContextUA=column_ifexists('context_ua_s', ''),\n \t\tContextIpAddress=column_ifexists('context_ip_address_s', ''),\n \t\tContextSessionId=column_ifexists('context_session_id_d', ''),\n \t\tActionDescription=column_ifexists('action_description_s', '')\n};\nlet SlackAuditV1_view = view () {\nSlackAuditNativePoller_CL\n| extend\n DetailsMobileOnly=column_ifexists('details_mobile_only_b', ''), \n \t\tDetailsWebOnly=column_ifexists('details_web_only_b', ''),\n \t\tDetailsKickerId=column_ifexists('details_kicker_id_s', ''),\n \t\tDetailsKickerName=column_ifexists('details_kicker_name_s', ''),\n \t\tDetailsKickerEmail=column_ifexists('details_kicker_email_s', ''),\n \t\tDetailsKickerTeam=column_ifexists('details_kicker_team_s', ''),\n \t\tDetailsAppOwnerId=column_ifexists('details_app_owner_id_s', ''),\n \t\tDetailsGranularBotToken=column_ifexists('details_granular_bot_token_b', ''),\n \t\tDetailsNewScopes=column_ifexists('details_new_scopes_s', ''),\n \t\tDetailsPreviousScopes=column_ifexists('details_previous_scopes_s', ''),\n \t\tEntityUsergroupId=column_ifexists('entity_usergroup_id_s', ''),\n \t\tEntityUsergroupName=column_ifexists('entity_usergroup_name_s', ''),\n \t\tDetailsKickerType=column_ifexists('details_kicker_type_s', ''),\n \t\tDetailsKickerUserId=column_ifexists('details_kicker_user_id_s', ''),\n 
\t\tDetailsKickerUserName=column_ifexists('details_kicker_user_name_s', ''),\n \t\tDetailsKickerUserEmail=column_ifexists('details_kicker_user_email_s', ''),\n \t\tDetailsKickerUserTeam=column_ifexists('details_kicker_user_team_s', ''),\n \t\tDetailsInviterId=column_ifexists('details_inviter_id_s', ''),\n \t\tDetailsInviterName=column_ifexists('details_inviter_name_s', ''),\n \t\tDetailsInviterEmail=column_ifexists('details_inviter_email_s', ''),\n \t\tDetailsInviterTeam=column_ifexists('details_inviter_team_s', ''),\n \t\tDetailsInviterType=column_ifexists('details_inviter_type_s', ''),\n \t\tDetailsInviterUserId=column_ifexists('details_inviter_user_id_s', ''),\n \t\tDetailsInviterUserName=column_ifexists('details_inviter_user_name_s', ''),\n \t\tDetailsInviterUserEmail=column_ifexists('details_inviter_user_email_s', ''),\n \t\tDetailsInviterUserTeam=column_ifexists('details_inviter_user_team_s', ''),\n \t\tDetailsIsWorkflow=column_ifexists('details_is_workflow_b', ''),\n \t\tEntityAppId=column_ifexists('entity_app_id_s', ''),\n \t\tEntityAppName=column_ifexists('entity_app_name_s', ''),\n \t\tEntityAppIsDistributed=column_ifexists('entity_app_is_distributed_b', ''),\n \t\tEntityAppIsDirectoryApproved=column_ifexists('entity_app_is_directory_approved_b', ''),\n \t\tEntityAppIsWorkflowApp=column_ifexists('entity_app_is_workflow_app_b', ''),\n \t\tEntityAppScopes=column_ifexists('entity_app_scopes_s', ''),\n \t\tDetailsIsInternalIntegration=column_ifexists('details_is_internal_integration_b', ''),\n \t\tDetailsBotScopes=column_ifexists('details_bot_scopes_s', ''),\n \t\tEntityChannelId=column_ifexists('entity_channel_id_s', ''),\n \t\tEntityChannelPrivacy=column_ifexists('entity_channel_privacy_s', ''),\n \t\tEntityChannelName=column_ifexists('entity_channel_name_s', ''),\n \t\tEntityChannelIsShared=column_ifexists('entity_channel_is_shared_b', ''),\n \t\tEntityChannelIsOrgShared=column_ifexists('entity_channel_is_org_shared_b', ''),\n 
\t\tDetailsType=column_ifexists('details_type_s', ''),\n \t\tEntityUserId=column_ifexists('entity_user_id_s', ''),\n \t\tEntityUserName=column_ifexists('entity_user_name_s', ''),\n \t\tEntityUserEmail=column_ifexists('entity_user_email_s', ''),\n \t\tEntityUserTeam=column_ifexists('entity_user_team_s', ''),\n \t\tId=column_ifexists('id_g', ''),\n \t\tDateCreate=column_ifexists('date_create_d', ''),\n \t\tAction=column_ifexists('action_s', ''),\n \t\tActorType=column_ifexists('actor_type_s', ''),\n \t\tActorUserId=column_ifexists('actor_user_id_s', ''),\n \t\tActorUserName=column_ifexists('actor_user_name_s', ''),\n \t\tActorUserEmail=column_ifexists('actor_user_email_s', ''),\n \t\tActorUserTeam=column_ifexists('actor_user_team_s', ''),\n \t\tEntityType=column_ifexists('entity_type_s', ''),\n \t\tEntityFileId=column_ifexists('entity_file_id_s', ''),\n \t\tEntityFileName=column_ifexists('entity_file_name_s', ''),\n \t\tEntityFileFiletype=column_ifexists('entity_file_filetype_s', ''),\n \t\tEntityFileTitle=column_ifexists('entity_file_title_s', ''),\n \t\tContextLocationType=column_ifexists('context_location_type_s', ''),\n \t\tContextLocationId=column_ifexists('context_location_id_s', ''),\n \t\tContextLocationName=column_ifexists('context_location_name_s', ''),\n \t\tContextLocationDomain=column_ifexists('context_location_domain_s', ''),\n \t\tContextUA=column_ifexists('context_ua_s', ''),\n \t\tContextIpAddress=column_ifexists('context_ip_address_s', ''),\n \t ContextSessionId=column_ifexists('context_session_id_d', ''),\n \t\tActionDescription=column_ifexists('action_description_s', ''),\n EventId=column_ifexists('id_g', ''),\n EventEndTime=column_ifexists('date_create_d', ''),\n DvcAction=column_ifexists('action_s', ''),\n SrcUserIdentity=column_ifexists('actor_user_id_s', ''),\n SrcUserName=column_ifexists('actor_user_name_s', ''),\n SrcUserEmail=column_ifexists('actor_user_email_s', ''),\n UserAgentOriginal=column_ifexists('context_ua_s', ''),\n 
SrcIpAddr=column_ifexists('context_ip_address_s', ''),\n DvcActionDesc=column_ifexists('action_description_s', '')\n};\nlet SlackAuditV2_view = view () {\nSlackAuditV2_CL\n| extend actor = todynamic(Actor)\n| extend entity = todynamic(Entity)\n| extend context = todynamic(Context)\n| extend details = todynamic(Details)\n| extend\n Id=column_ifexists('Id', ''),\n DateCreate=column_ifexists('DateCreate', ''),\n Action=column_ifexists('Action', ''),\n DetailsMobileOnly=tobool(details.mobile.only),\n DetailsWebOnly=tobool(details.web.only),\n DetailsKickerId=tostring(details.kicker.id),\n DetailsKickerName=tostring(details.kicker.name),\n DetailsKickerEmail=tostring(details.kicker.email),\n DetailsKickerTeam=tostring(details.kicker.team),\n DetailsAppOwnerId=tostring(details.app.owner.id),\n DetailsGranularBotToken=tobool(details.granular.bot.token),\n DetailsNewScopes=tostring(details.new.scopes),\n DetailsPreviousScopes=tostring(details.previous.scopes),\n EntityUsergroupId=tostring(entity.usergroup.id),\n EntityUsergroupName=tostring(entity.usergroup.name),\n DetailsKickerType=tostring(details.kicker.type),\n DetailsKickerUserId=tostring(details.kicker.user.id),\n DetailsKickerUserName=tostring(details.kicker.user.name),\n DetailsKickerUserEmail=tostring(details.kicker.user.email),\n DetailsKickerUserTeam=tostring(details.kicker.user.team),\n DetailsInviterId=tostring(details.inviter.id),\n DetailsInviterName=tostring(details.inviter.name),\n DetailsInviterEmail=tostring(details.inviter.email),\n DetailsInviterTeam=tostring(details.inviter.team),\n DetailsInviterType=tostring(details.inviter.type),\n DetailsInviterUserId=tostring(details.inviter.user.id),\n DetailsInviterUserName=tostring(details.inviter.user.name),\n DetailsInviterUserEmail=tostring(details.inviter.user.email),\n DetailsInviterUserTeam=tostring(details.inviter.user.team),\n DetailsIsWorkflow=tobool(details.is.workflow),\n EntityAppId=tostring(entity.app.id),\n 
EntityAppName=tostring(entity.app.name),\n EntityAppIsDistributed=tobool(entity.app.is.distributed),\n EntityAppIsDirectoryApproved=tobool(entity.app.is.directory.approved),\n EntityAppIsWorkflowApp=tobool(entity.app.is.workflow.app),\n EntityAppScopes=tostring(entity.app.scopes),\n DetailsIsInternalIntegration=tobool(details.is.internal.integration),\n DetailsBotScopes=tostring(details.bot.scopes),\n EntityChannelId=tostring(entity.channel.id),\n EntityChannelPrivacy=tostring(entity.channel.privacy),\n EntityChannelName=tostring(entity.channel.name),\n EntityChannelIsShared=tobool(entity.channel.is.shared),\n EntityChannelIsOrgShared=tobool(entity.channel.is.org.shared),\n DetailsType=tostring(details.type),\n EntityUserId=tostring(entity.user.id),\n EntityUserName=tostring(entity.user.name),\n EntityUserEmail=tostring(entity.user.email),\n EntityUserTeam=tostring(entity.user.team),\n ActorType=tostring(actor.type),\n ActorUserId=tostring(actor.user.id),\n ActorUserName=tostring(actor.user.name),\n ActorUserEmail=tostring(actor.user.email),\n ActorUserTeam=tostring(actor.user.team),\n EntityType=tostring(entity.type),\n EntityFileId=tostring(entity.file.id),\n EntityFileName=tostring(entity.file.name),\n EntityFileFiletype=tostring(entity.file.filetype),\n EntityFileTitle=tostring(entity['file']['title']),\n ContextLocationType=tostring(context.location.type),\n ContextLocationId=tostring(context.location.id),\n ContextLocationName=tostring(context.location.name),\n ContextLocationDomain=tostring(context.location.domain),\n ContextUA=tostring(context.ua),\n ContextIpAddress=tostring(context.ip.address),\n ContextSessionId=todouble(context.session.id),\n ActionDescription=column_ifexists('ActionDescription', ''),\n EventId=column_ifexists('Id', ''),\n EventEndTime=column_ifexists('DateCreate', ''),\n DvcAction=column_ifexists('Action', ''),\n SrcUserIdentity=tostring(actor.user.id),\n SrcUserName=tostring(actor.user.name),\n 
SrcUserEmail=tostring(actor.user.email),\n UserAgentOriginal=tostring(context.ua),\n SrcIpAddr=tostring(context.ip.address),\n DvcActionDesc=column_ifexists('ActionDescription', '')\n};\nunion isfuzzy=true\n(SlackAudit_view),\n(SlackAuditV1_view),\n(SlackAuditV2_view) \n| project TimeGenerated, DetailsMobileOnly,DetailsWebOnly, DetailsKickerId, DetailsKickerName, DetailsKickerEmail, DetailsKickerTeam,DetailsAppOwnerId, DetailsGranularBotToken, DetailsNewScopes, DetailsPreviousScopes, EntityUsergroupId, EntityUsergroupName, DetailsKickerType, DetailsKickerUserId, DetailsKickerUserName, DetailsKickerUserEmail, DetailsKickerUserTeam, DetailsInviterId, DetailsInviterName, DetailsInviterEmail, DetailsInviterTeam, DetailsInviterType, DetailsInviterUserId, DetailsInviterUserName, DetailsInviterUserEmail, DetailsInviterUserTeam, DetailsIsWorkflow, EntityAppId, EntityAppName, EntityAppIsDistributed, EntityAppIsDirectoryApproved, EntityAppIsWorkflowApp, EntityAppScopes, DetailsIsInternalIntegration, DetailsBotScopes, EntityChannelId, EntityChannelPrivacy, EntityChannelName, EntityChannelIsShared, EntityChannelIsOrgShared, DetailsType, EntityUserId, EntityUserName, EntityUserEmail, EntityUserTeam, Id, DateCreate, Action, ActorType, ActorUserId, ActorUserName, ActorUserEmail, ActorUserTeam, EntityType, EntityFileId, EntityFileName, EntityFileFiletype, EntityFileTitle, ContextLocationType, ContextLocationId, ContextLocationName, ContextLocationDomain, ContextUA, ContextIpAddress, ContextSessionId, ActionDescription, EventId, EventEndTime, DvcAction, SrcUserIdentity, SrcUserName, SrcUserEmail, UserAgentOriginal, SrcIpAddr, DvcActionDesc\n", + "query": "let SlackAudit_view = view () {\nSlackAudit_CL\n| extend\n DetailsMobileOnly=column_ifexists('details_mobile_only_b', ''),\n \t\tDetailsWebOnly=column_ifexists('details_web_only_b', ''),\n \t\tDetailsKickerId=column_ifexists('details_kicker_id_s', ''),\n \t\tDetailsKickerName=column_ifexists('details_kicker_name_s', ''),\n 
\t\tDetailsKickerEmail=column_ifexists('details_kicker_email_s', ''),\n \t\tDetailsKickerTeam=column_ifexists('details_kicker_team_s', ''),\n \t\tDetailsAppOwnerId=column_ifexists('details_app_owner_id_s', ''),\n \t\tDetailsGranularBotToken=column_ifexists('details_granular_bot_token_b', ''),\n \t\tDetailsNewScopes=column_ifexists('details_new_scopes_s', ''),\n \t\tDetailsPreviousScopes=column_ifexists('details_previous_scopes_s', ''),\n \t\tEntityUsergroupId=column_ifexists('entity_usergroup_id_s', ''),\n \t\tEntityUsergroupName=column_ifexists('entity_usergroup_name_s', ''),\n \t\tDetailsKickerType=column_ifexists('details_kicker_type_s', ''),\n \t\tDetailsKickerUserId=column_ifexists('details_kicker_user_id_s', ''),\n \t\tDetailsKickerUserName=column_ifexists('details_kicker_user_name_s', ''),\n \t\tDetailsKickerUserEmail=column_ifexists('details_kicker_user_email_s', ''),\n \t\tDetailsKickerUserTeam=column_ifexists('details_kicker_user_team_s', ''),\n \t\tDetailsInviterId=column_ifexists('details_inviter_id_s', ''),\n \t\tDetailsInviterName=column_ifexists('details_inviter_name_s', ''),\n \t\tDetailsInviterEmail=column_ifexists('details_inviter_email_s', ''),\n \t\tDetailsInviterTeam=column_ifexists('details_inviter_team_s', ''),\n \t\tDetailsInviterType=column_ifexists('details_inviter_type_s', ''),\n \t\tDetailsInviterUserId=column_ifexists('details_inviter_user_id_s', ''),\n \t\tDetailsInviterUserName=column_ifexists('details_inviter_user_name_s', ''),\n \t\tDetailsInviterUserEmail=column_ifexists('details_inviter_user_email_s', ''),\n \t\tDetailsInviterUserTeam=column_ifexists('details_inviter_user_team_s', ''),\n \t\tDetailsIsWorkflow=column_ifexists('details_is_workflow_b', ''),\n \t\tEntityAppId=column_ifexists('entity_app_id_s', ''),\n \t\tEntityAppName=column_ifexists('entity_app_name_s', ''),\n \t\tEntityAppIsDistributed=column_ifexists('entity_app_is_distributed_b', ''),\n 
\t\tEntityAppIsDirectoryApproved=column_ifexists('entity_app_is_directory_approved_b', ''),\n \t\tEntityAppIsWorkflowApp=column_ifexists('entity_app_is_workflow_app_b', ''),\n \t\tEntityAppScopes=column_ifexists('entity_app_scopes_s', ''),\n \t\tDetailsIsInternalIntegration=column_ifexists('details_is_internal_integration_b', ''),\n \t\tDetailsBotScopes=column_ifexists('details_bot_scopes_s', ''),\n \t\tEntityChannelId=column_ifexists('entity_channel_id_s', ''),\n \t\tEntityChannelPrivacy=column_ifexists('entity_channel_privacy_s', ''),\n \t\tEntityChannelName=column_ifexists('entity_channel_name_s', ''),\n \t\tEntityChannelIsShared=column_ifexists('entity_channel_is_shared_b', ''),\n \t\tEntityChannelIsOrgShared=column_ifexists('entity_channel_is_org_shared_b', ''),\n \t\tDetailsType=column_ifexists('details_type_s', ''),\n \t\tEntityUserId=column_ifexists('entity_user_id_s', ''),\n \t\tEntityUserName=column_ifexists('entity_user_name_s', ''),\n \t\tEntityUserEmail=column_ifexists('entity_user_email_s', ''),\n \t\tEntityUserTeam=column_ifexists('entity_user_team_s', ''),\n \t\tId=column_ifexists('id_g', ''),\n \t\tDateCreate=column_ifexists('date_create_d', ''),\n \t\tAction=column_ifexists('action_s', ''),\n \t\tActorType=column_ifexists('actor_type_s', ''),\n \t\tActorUserId=column_ifexists('actor_user_id_s', ''),\n \t\tActorUserName=column_ifexists('actor_user_name_s', ''),\n \t\tActorUserEmail=column_ifexists('actor_user_email_s', ''),\n \t\tActorUserTeam=column_ifexists('actor_user_team_s', ''),\n \t\tEntityType=column_ifexists('entity_type_s', ''),\n \t\tEntityFileId=column_ifexists('entity_file_id_s', ''),\n \t\tEntityFileName=column_ifexists('entity_file_name_s', ''),\n \t\tEntityFileFiletype=column_ifexists('entity_file_filetype_s', ''),\n \t\tEntityFileTitle=column_ifexists('entity_file_title_s', ''),\n \t\tContextLocationType=column_ifexists('context_location_type_s', ''),\n \t\tContextLocationId=column_ifexists('context_location_id_s', ''),\n 
\t\tContextLocationName=column_ifexists('context_location_name_s', ''),\n \t\tContextLocationDomain=column_ifexists('context_location_domain_s', ''),\n \t\tContextUA=column_ifexists('context_ua_s', ''),\n \t\tContextIpAddress=column_ifexists('context_ip_address_s', ''),\n \t\tContextSessionId=column_ifexists('context_session_id_d', ''),\n \t\tActionDescription=column_ifexists('action_description_s', '')\n};\nlet SlackAuditV1_view = view () {\nSlackAuditNativePoller_CL\n| extend\n DetailsMobileOnly=column_ifexists('details_mobile_only_b', ''), \n \t\tDetailsWebOnly=column_ifexists('details_web_only_b', ''),\n \t\tDetailsKickerId=column_ifexists('details_kicker_id_s', ''),\n \t\tDetailsKickerName=column_ifexists('details_kicker_name_s', ''),\n \t\tDetailsKickerEmail=column_ifexists('details_kicker_email_s', ''),\n \t\tDetailsKickerTeam=column_ifexists('details_kicker_team_s', ''),\n \t\tDetailsAppOwnerId=column_ifexists('details_app_owner_id_s', ''),\n \t\tDetailsGranularBotToken=column_ifexists('details_granular_bot_token_b', ''),\n \t\tDetailsNewScopes=column_ifexists('details_new_scopes_s', ''),\n \t\tDetailsPreviousScopes=column_ifexists('details_previous_scopes_s', ''),\n \t\tEntityUsergroupId=column_ifexists('entity_usergroup_id_s', ''),\n \t\tEntityUsergroupName=column_ifexists('entity_usergroup_name_s', ''),\n \t\tDetailsKickerType=column_ifexists('details_kicker_type_s', ''),\n \t\tDetailsKickerUserId=column_ifexists('details_kicker_user_id_s', ''),\n \t\tDetailsKickerUserName=column_ifexists('details_kicker_user_name_s', ''),\n \t\tDetailsKickerUserEmail=column_ifexists('details_kicker_user_email_s', ''),\n \t\tDetailsKickerUserTeam=column_ifexists('details_kicker_user_team_s', ''),\n \t\tDetailsInviterId=column_ifexists('details_inviter_id_s', ''),\n \t\tDetailsInviterName=column_ifexists('details_inviter_name_s', ''),\n \t\tDetailsInviterEmail=column_ifexists('details_inviter_email_s', ''),\n 
\t\tDetailsInviterTeam=column_ifexists('details_inviter_team_s', ''),\n \t\tDetailsInviterType=column_ifexists('details_inviter_type_s', ''),\n \t\tDetailsInviterUserId=column_ifexists('details_inviter_user_id_s', ''),\n \t\tDetailsInviterUserName=column_ifexists('details_inviter_user_name_s', ''),\n \t\tDetailsInviterUserEmail=column_ifexists('details_inviter_user_email_s', ''),\n \t\tDetailsInviterUserTeam=column_ifexists('details_inviter_user_team_s', ''),\n \t\tDetailsIsWorkflow=column_ifexists('details_is_workflow_b', ''),\n \t\tEntityAppId=column_ifexists('entity_app_id_s', ''),\n \t\tEntityAppName=column_ifexists('entity_app_name_s', ''),\n \t\tEntityAppIsDistributed=column_ifexists('entity_app_is_distributed_b', ''),\n \t\tEntityAppIsDirectoryApproved=column_ifexists('entity_app_is_directory_approved_b', ''),\n \t\tEntityAppIsWorkflowApp=column_ifexists('entity_app_is_workflow_app_b', ''),\n \t\tEntityAppScopes=column_ifexists('entity_app_scopes_s', ''),\n \t\tDetailsIsInternalIntegration=column_ifexists('details_is_internal_integration_b', ''),\n \t\tDetailsBotScopes=column_ifexists('details_bot_scopes_s', ''),\n \t\tEntityChannelId=column_ifexists('entity_channel_id_s', ''),\n \t\tEntityChannelPrivacy=column_ifexists('entity_channel_privacy_s', ''),\n \t\tEntityChannelName=column_ifexists('entity_channel_name_s', ''),\n \t\tEntityChannelIsShared=column_ifexists('entity_channel_is_shared_b', ''),\n \t\tEntityChannelIsOrgShared=column_ifexists('entity_channel_is_org_shared_b', ''),\n \t\tDetailsType=column_ifexists('details_type_s', ''),\n \t\tEntityUserId=column_ifexists('entity_user_id_s', ''),\n \t\tEntityUserName=column_ifexists('entity_user_name_s', ''),\n \t\tEntityUserEmail=column_ifexists('entity_user_email_s', ''),\n \t\tEntityUserTeam=column_ifexists('entity_user_team_s', ''),\n \t\tId=column_ifexists('id_g', ''),\n \t\tDateCreate=column_ifexists('date_create_d', ''),\n \t\tAction=column_ifexists('action_s', ''),\n 
\t\tActorType=column_ifexists('actor_type_s', ''),\n \t\tActorUserId=column_ifexists('actor_user_id_s', ''),\n \t\tActorUserName=column_ifexists('actor_user_name_s', ''),\n \t\tActorUserEmail=column_ifexists('actor_user_email_s', ''),\n \t\tActorUserTeam=column_ifexists('actor_user_team_s', ''),\n \t\tEntityType=column_ifexists('entity_type_s', ''),\n \t\tEntityFileId=column_ifexists('entity_file_id_s', ''),\n \t\tEntityFileName=column_ifexists('entity_file_name_s', ''),\n \t\tEntityFileFiletype=column_ifexists('entity_file_filetype_s', ''),\n \t\tEntityFileTitle=column_ifexists('entity_file_title_s', ''),\n \t\tContextLocationType=column_ifexists('context_location_type_s', ''),\n \t\tContextLocationId=column_ifexists('context_location_id_s', ''),\n \t\tContextLocationName=column_ifexists('context_location_name_s', ''),\n \t\tContextLocationDomain=column_ifexists('context_location_domain_s', ''),\n \t\tContextUA=column_ifexists('context_ua_s', ''),\n \t\tContextIpAddress=column_ifexists('context_ip_address_s', ''),\n \t ContextSessionId=column_ifexists('context_session_id_d', ''),\n \t\tActionDescription=column_ifexists('action_description_s', ''),\n EventId=column_ifexists('id_g', ''),\n EventEndTime=column_ifexists('date_create_d', ''),\n DvcAction=column_ifexists('action_s', ''),\n SrcUserIdentity=column_ifexists('actor_user_id_s', ''),\n SrcUserName=column_ifexists('actor_user_name_s', ''),\n SrcUserEmail=column_ifexists('actor_user_email_s', ''),\n UserAgentOriginal=column_ifexists('context_ua_s', ''),\n SrcIpAddr=column_ifexists('context_ip_address_s', ''),\n DvcActionDesc=column_ifexists('action_description_s', '')\n};\nlet SlackAuditV2_view = view () {\nSlackAuditV2_CL\n| extend actor = todynamic(Actor)\n| extend entity = todynamic(Entity)\n| extend context = todynamic(Context)\n| extend details = todynamic(Details)\n| extend\n Id=column_ifexists('Id', ''),\n DateCreate=column_ifexists('DateCreate', ''),\n Action=column_ifexists('Action', ''),\n 
DetailsMobileOnly=tobool(details.mobile.only),\n DetailsWebOnly=tobool(details.web.only),\n DetailsKickerId=tostring(details.kicker.id),\n DetailsKickerName=tostring(details.kicker.name),\n DetailsKickerEmail=tostring(details.kicker.email),\n DetailsKickerTeam=tostring(details.kicker.team),\n DetailsAppOwnerId=tostring(details.app.owner.id),\n DetailsGranularBotToken=tobool(details.granular.bot.token),\n DetailsNewScopes=tostring(details.new.scopes),\n DetailsPreviousScopes=tostring(details.previous.scopes),\n EntityUsergroupId=tostring(entity.usergroup.id),\n EntityUsergroupName=tostring(entity.usergroup.name),\n DetailsKickerType=tostring(details.kicker.type),\n DetailsKickerUserId=tostring(details.kicker.user.id),\n DetailsKickerUserName=tostring(details.kicker.user.name),\n DetailsKickerUserEmail=tostring(details.kicker.user.email),\n DetailsKickerUserTeam=tostring(details.kicker.user.team),\n DetailsInviterId=tostring(details.inviter.id),\n DetailsInviterName=tostring(details.inviter.name),\n DetailsInviterEmail=tostring(details.inviter.email),\n DetailsInviterTeam=tostring(details.inviter.team),\n DetailsInviterType=tostring(details.inviter.type),\n DetailsInviterUserId=tostring(details.inviter.user.id),\n DetailsInviterUserName=tostring(details.inviter.user.name),\n DetailsInviterUserEmail=tostring(details.inviter.user.email),\n DetailsInviterUserTeam=tostring(details.inviter.user.team),\n DetailsIsWorkflow=tobool(details.is.workflow),\n EntityAppId=tostring(entity.app.id),\n EntityAppName=tostring(entity.app.name),\n EntityAppIsDistributed=tobool(entity.app.is.distributed),\n EntityAppIsDirectoryApproved=tobool(entity.app.is.directory.approved),\n EntityAppIsWorkflowApp=tobool(entity.app.is.workflow.app),\n EntityAppScopes=tostring(entity.app.scopes),\n DetailsIsInternalIntegration=tobool(details.is.internal.integration),\n DetailsBotScopes=tostring(details.bot.scopes),\n EntityChannelId=tostring(entity.channel.id),\n 
EntityChannelPrivacy=tostring(entity.channel.privacy),\n EntityChannelName=tostring(entity.channel.name),\n EntityChannelIsShared=tobool(entity.channel.is_shared),\n EntityChannelIsOrgShared=tobool(entity.channel.is_org_shared),\n DetailsType=tostring(details.type),\n EntityUserId=tostring(entity.user.id),\n EntityUserName=tostring(entity.user.name),\n EntityUserEmail=tostring(entity.user.email),\n EntityUserTeam=tostring(entity.user.team),\n ActorType=tostring(actor.type),\n ActorUserId=tostring(actor.user.id),\n ActorUserName=tostring(actor.user.name),\n ActorUserEmail=tostring(actor.user.email),\n ActorUserTeam=tostring(actor.user.team),\n EntityType=tostring(entity.type),\n EntityFileId=tostring(entity.file.id),\n EntityFileName=tostring(entity.file.name),\n EntityFileFiletype=tostring(entity.file.filetype),\n EntityFileTitle=tostring(entity['file']['title']),\n ContextLocationType=tostring(context.location.type),\n ContextLocationId=tostring(context.location.id),\n ContextLocationName=tostring(context.location.name),\n ContextLocationDomain=tostring(context.location.domain),\n ContextUA=tostring(context.ua),\n ContextIpAddress=tostring(context.ip_address),\n ContextSessionId=todouble(context.session_id),\n ActionDescription=column_ifexists('ActionDescription', ''),\n EventId=column_ifexists('Id', ''),\n EventEndTime=column_ifexists('DateCreate', ''),\n DvcAction=column_ifexists('Action', ''),\n SrcUserIdentity=tostring(actor.user.id),\n SrcUserName=tostring(actor.user.name),\n SrcUserEmail=tostring(actor.user.email),\n UserAgentOriginal=tostring(context.ua),\n SrcIpAddr=tostring(context.ip_address),\n DvcActionDesc=column_ifexists('ActionDescription', '')\n};\nunion isfuzzy=true\n(SlackAudit_view),\n(SlackAuditV1_view),\n(SlackAuditV2_view) \n| project TimeGenerated, DetailsMobileOnly,DetailsWebOnly, DetailsKickerId, DetailsKickerName, DetailsKickerEmail, DetailsKickerTeam,DetailsAppOwnerId, DetailsGranularBotToken, DetailsNewScopes, DetailsPreviousScopes, 
EntityUsergroupId, EntityUsergroupName, DetailsKickerType, DetailsKickerUserId, DetailsKickerUserName, DetailsKickerUserEmail, DetailsKickerUserTeam, DetailsInviterId, DetailsInviterName, DetailsInviterEmail, DetailsInviterTeam, DetailsInviterType, DetailsInviterUserId, DetailsInviterUserName, DetailsInviterUserEmail, DetailsInviterUserTeam, DetailsIsWorkflow, EntityAppId, EntityAppName, EntityAppIsDistributed, EntityAppIsDirectoryApproved, EntityAppIsWorkflowApp, EntityAppScopes, DetailsIsInternalIntegration, DetailsBotScopes, EntityChannelId, EntityChannelPrivacy, EntityChannelName, EntityChannelIsShared, EntityChannelIsOrgShared, DetailsType, EntityUserId, EntityUserName, EntityUserEmail, EntityUserTeam, Id, DateCreate, Action, ActorType, ActorUserId, ActorUserName, ActorUserEmail, ActorUserTeam, EntityType, EntityFileId, EntityFileName, EntityFileFiletype, EntityFileTitle, ContextLocationType, ContextLocationId, ContextLocationName, ContextLocationDomain, ContextUA, ContextIpAddress, ContextSessionId, ActionDescription, EventId, EventEndTime, DvcAction, SrcUserIdentity, SrcUserName, SrcUserEmail, UserAgentOriginal, SrcIpAddr, DvcActionDesc\n", "functionParameters": "", "version": 2, "tags": [ 
@@ -1968,8 +1968,8 @@
 "contentId": "[variables('parserObject1').parserContentId1]",
 "contentKind": "Parser",
 "displayName": "SlackAudit Data Parser",
- "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
- "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.1')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.1')))]",
 "version": "[variables('parserObject1').parserVersion1]"
 }
 },
@@ -1983,7 +1983,7 @@ "displayName": "SlackAudit Data Parser", "category": "Microsoft Sentinel Parser", "functionAlias": "SlackAudit", - "query": "let SlackAudit_view = view () {\nSlackAudit_CL\n| extend\n DetailsMobileOnly=column_ifexists('details_mobile_only_b', ''),\n \t\tDetailsWebOnly=column_ifexists('details_web_only_b', ''),\n \t\tDetailsKickerId=column_ifexists('details_kicker_id_s', ''),\n \t\tDetailsKickerName=column_ifexists('details_kicker_name_s', ''),\n \t\tDetailsKickerEmail=column_ifexists('details_kicker_email_s', ''),\n \t\tDetailsKickerTeam=column_ifexists('details_kicker_team_s', ''),\n \t\tDetailsAppOwnerId=column_ifexists('details_app_owner_id_s', ''),\n \t\tDetailsGranularBotToken=column_ifexists('details_granular_bot_token_b', ''),\n \t\tDetailsNewScopes=column_ifexists('details_new_scopes_s', ''),\n \t\tDetailsPreviousScopes=column_ifexists('details_previous_scopes_s', ''),\n \t\tEntityUsergroupId=column_ifexists('entity_usergroup_id_s', ''),\n \t\tEntityUsergroupName=column_ifexists('entity_usergroup_name_s', ''),\n \t\tDetailsKickerType=column_ifexists('details_kicker_type_s', ''),\n \t\tDetailsKickerUserId=column_ifexists('details_kicker_user_id_s', ''),\n \t\tDetailsKickerUserName=column_ifexists('details_kicker_user_name_s', ''),\n \t\tDetailsKickerUserEmail=column_ifexists('details_kicker_user_email_s', ''),\n \t\tDetailsKickerUserTeam=column_ifexists('details_kicker_user_team_s', ''),\n \t\tDetailsInviterId=column_ifexists('details_inviter_id_s', ''),\n \t\tDetailsInviterName=column_ifexists('details_inviter_name_s', ''),\n \t\tDetailsInviterEmail=column_ifexists('details_inviter_email_s', ''),\n \t\tDetailsInviterTeam=column_ifexists('details_inviter_team_s', ''),\n \t\tDetailsInviterType=column_ifexists('details_inviter_type_s', ''),\n \t\tDetailsInviterUserId=column_ifexists('details_inviter_user_id_s', ''),\n \t\tDetailsInviterUserName=column_ifexists('details_inviter_user_name_s', ''),\n 
\t\tDetailsInviterUserEmail=column_ifexists('details_inviter_user_email_s', ''),\n \t\tDetailsInviterUserTeam=column_ifexists('details_inviter_user_team_s', ''),\n \t\tDetailsIsWorkflow=column_ifexists('details_is_workflow_b', ''),\n \t\tEntityAppId=column_ifexists('entity_app_id_s', ''),\n \t\tEntityAppName=column_ifexists('entity_app_name_s', ''),\n \t\tEntityAppIsDistributed=column_ifexists('entity_app_is_distributed_b', ''),\n \t\tEntityAppIsDirectoryApproved=column_ifexists('entity_app_is_directory_approved_b', ''),\n \t\tEntityAppIsWorkflowApp=column_ifexists('entity_app_is_workflow_app_b', ''),\n \t\tEntityAppScopes=column_ifexists('entity_app_scopes_s', ''),\n \t\tDetailsIsInternalIntegration=column_ifexists('details_is_internal_integration_b', ''),\n \t\tDetailsBotScopes=column_ifexists('details_bot_scopes_s', ''),\n \t\tEntityChannelId=column_ifexists('entity_channel_id_s', ''),\n \t\tEntityChannelPrivacy=column_ifexists('entity_channel_privacy_s', ''),\n \t\tEntityChannelName=column_ifexists('entity_channel_name_s', ''),\n \t\tEntityChannelIsShared=column_ifexists('entity_channel_is_shared_b', ''),\n \t\tEntityChannelIsOrgShared=column_ifexists('entity_channel_is_org_shared_b', ''),\n \t\tDetailsType=column_ifexists('details_type_s', ''),\n \t\tEntityUserId=column_ifexists('entity_user_id_s', ''),\n \t\tEntityUserName=column_ifexists('entity_user_name_s', ''),\n \t\tEntityUserEmail=column_ifexists('entity_user_email_s', ''),\n \t\tEntityUserTeam=column_ifexists('entity_user_team_s', ''),\n \t\tId=column_ifexists('id_g', ''),\n \t\tDateCreate=column_ifexists('date_create_d', ''),\n \t\tAction=column_ifexists('action_s', ''),\n \t\tActorType=column_ifexists('actor_type_s', ''),\n \t\tActorUserId=column_ifexists('actor_user_id_s', ''),\n \t\tActorUserName=column_ifexists('actor_user_name_s', ''),\n \t\tActorUserEmail=column_ifexists('actor_user_email_s', ''),\n \t\tActorUserTeam=column_ifexists('actor_user_team_s', ''),\n 
\t\tEntityType=column_ifexists('entity_type_s', ''),\n \t\tEntityFileId=column_ifexists('entity_file_id_s', ''),\n \t\tEntityFileName=column_ifexists('entity_file_name_s', ''),\n \t\tEntityFileFiletype=column_ifexists('entity_file_filetype_s', ''),\n \t\tEntityFileTitle=column_ifexists('entity_file_title_s', ''),\n \t\tContextLocationType=column_ifexists('context_location_type_s', ''),\n \t\tContextLocationId=column_ifexists('context_location_id_s', ''),\n \t\tContextLocationName=column_ifexists('context_location_name_s', ''),\n \t\tContextLocationDomain=column_ifexists('context_location_domain_s', ''),\n \t\tContextUA=column_ifexists('context_ua_s', ''),\n \t\tContextIpAddress=column_ifexists('context_ip_address_s', ''),\n \t\tContextSessionId=column_ifexists('context_session_id_d', ''),\n \t\tActionDescription=column_ifexists('action_description_s', '')\n};\nlet SlackAuditV1_view = view () {\nSlackAuditNativePoller_CL\n| extend\n DetailsMobileOnly=column_ifexists('details_mobile_only_b', ''), \n \t\tDetailsWebOnly=column_ifexists('details_web_only_b', ''),\n \t\tDetailsKickerId=column_ifexists('details_kicker_id_s', ''),\n \t\tDetailsKickerName=column_ifexists('details_kicker_name_s', ''),\n \t\tDetailsKickerEmail=column_ifexists('details_kicker_email_s', ''),\n \t\tDetailsKickerTeam=column_ifexists('details_kicker_team_s', ''),\n \t\tDetailsAppOwnerId=column_ifexists('details_app_owner_id_s', ''),\n \t\tDetailsGranularBotToken=column_ifexists('details_granular_bot_token_b', ''),\n \t\tDetailsNewScopes=column_ifexists('details_new_scopes_s', ''),\n \t\tDetailsPreviousScopes=column_ifexists('details_previous_scopes_s', ''),\n \t\tEntityUsergroupId=column_ifexists('entity_usergroup_id_s', ''),\n \t\tEntityUsergroupName=column_ifexists('entity_usergroup_name_s', ''),\n \t\tDetailsKickerType=column_ifexists('details_kicker_type_s', ''),\n \t\tDetailsKickerUserId=column_ifexists('details_kicker_user_id_s', ''),\n 
\t\tDetailsKickerUserName=column_ifexists('details_kicker_user_name_s', ''),\n \t\tDetailsKickerUserEmail=column_ifexists('details_kicker_user_email_s', ''),\n \t\tDetailsKickerUserTeam=column_ifexists('details_kicker_user_team_s', ''),\n \t\tDetailsInviterId=column_ifexists('details_inviter_id_s', ''),\n \t\tDetailsInviterName=column_ifexists('details_inviter_name_s', ''),\n \t\tDetailsInviterEmail=column_ifexists('details_inviter_email_s', ''),\n \t\tDetailsInviterTeam=column_ifexists('details_inviter_team_s', ''),\n \t\tDetailsInviterType=column_ifexists('details_inviter_type_s', ''),\n \t\tDetailsInviterUserId=column_ifexists('details_inviter_user_id_s', ''),\n \t\tDetailsInviterUserName=column_ifexists('details_inviter_user_name_s', ''),\n \t\tDetailsInviterUserEmail=column_ifexists('details_inviter_user_email_s', ''),\n \t\tDetailsInviterUserTeam=column_ifexists('details_inviter_user_team_s', ''),\n \t\tDetailsIsWorkflow=column_ifexists('details_is_workflow_b', ''),\n \t\tEntityAppId=column_ifexists('entity_app_id_s', ''),\n \t\tEntityAppName=column_ifexists('entity_app_name_s', ''),\n \t\tEntityAppIsDistributed=column_ifexists('entity_app_is_distributed_b', ''),\n \t\tEntityAppIsDirectoryApproved=column_ifexists('entity_app_is_directory_approved_b', ''),\n \t\tEntityAppIsWorkflowApp=column_ifexists('entity_app_is_workflow_app_b', ''),\n \t\tEntityAppScopes=column_ifexists('entity_app_scopes_s', ''),\n \t\tDetailsIsInternalIntegration=column_ifexists('details_is_internal_integration_b', ''),\n \t\tDetailsBotScopes=column_ifexists('details_bot_scopes_s', ''),\n \t\tEntityChannelId=column_ifexists('entity_channel_id_s', ''),\n \t\tEntityChannelPrivacy=column_ifexists('entity_channel_privacy_s', ''),\n \t\tEntityChannelName=column_ifexists('entity_channel_name_s', ''),\n \t\tEntityChannelIsShared=column_ifexists('entity_channel_is_shared_b', ''),\n \t\tEntityChannelIsOrgShared=column_ifexists('entity_channel_is_org_shared_b', ''),\n 
\t\tDetailsType=column_ifexists('details_type_s', ''),\n \t\tEntityUserId=column_ifexists('entity_user_id_s', ''),\n \t\tEntityUserName=column_ifexists('entity_user_name_s', ''),\n \t\tEntityUserEmail=column_ifexists('entity_user_email_s', ''),\n \t\tEntityUserTeam=column_ifexists('entity_user_team_s', ''),\n \t\tId=column_ifexists('id_g', ''),\n \t\tDateCreate=column_ifexists('date_create_d', ''),\n \t\tAction=column_ifexists('action_s', ''),\n \t\tActorType=column_ifexists('actor_type_s', ''),\n \t\tActorUserId=column_ifexists('actor_user_id_s', ''),\n \t\tActorUserName=column_ifexists('actor_user_name_s', ''),\n \t\tActorUserEmail=column_ifexists('actor_user_email_s', ''),\n \t\tActorUserTeam=column_ifexists('actor_user_team_s', ''),\n \t\tEntityType=column_ifexists('entity_type_s', ''),\n \t\tEntityFileId=column_ifexists('entity_file_id_s', ''),\n \t\tEntityFileName=column_ifexists('entity_file_name_s', ''),\n \t\tEntityFileFiletype=column_ifexists('entity_file_filetype_s', ''),\n \t\tEntityFileTitle=column_ifexists('entity_file_title_s', ''),\n \t\tContextLocationType=column_ifexists('context_location_type_s', ''),\n \t\tContextLocationId=column_ifexists('context_location_id_s', ''),\n \t\tContextLocationName=column_ifexists('context_location_name_s', ''),\n \t\tContextLocationDomain=column_ifexists('context_location_domain_s', ''),\n \t\tContextUA=column_ifexists('context_ua_s', ''),\n \t\tContextIpAddress=column_ifexists('context_ip_address_s', ''),\n \t ContextSessionId=column_ifexists('context_session_id_d', ''),\n \t\tActionDescription=column_ifexists('action_description_s', ''),\n EventId=column_ifexists('id_g', ''),\n EventEndTime=column_ifexists('date_create_d', ''),\n DvcAction=column_ifexists('action_s', ''),\n SrcUserIdentity=column_ifexists('actor_user_id_s', ''),\n SrcUserName=column_ifexists('actor_user_name_s', ''),\n SrcUserEmail=column_ifexists('actor_user_email_s', ''),\n UserAgentOriginal=column_ifexists('context_ua_s', ''),\n 
SrcIpAddr=column_ifexists('context_ip_address_s', ''),\n DvcActionDesc=column_ifexists('action_description_s', '')\n};\nlet SlackAuditV2_view = view () {\nSlackAuditV2_CL\n| extend actor = todynamic(Actor)\n| extend entity = todynamic(Entity)\n| extend context = todynamic(Context)\n| extend details = todynamic(Details)\n| extend\n Id=column_ifexists('Id', ''),\n DateCreate=column_ifexists('DateCreate', ''),\n Action=column_ifexists('Action', ''),\n DetailsMobileOnly=tobool(details.mobile.only),\n DetailsWebOnly=tobool(details.web.only),\n DetailsKickerId=tostring(details.kicker.id),\n DetailsKickerName=tostring(details.kicker.name),\n DetailsKickerEmail=tostring(details.kicker.email),\n DetailsKickerTeam=tostring(details.kicker.team),\n DetailsAppOwnerId=tostring(details.app.owner.id),\n DetailsGranularBotToken=tobool(details.granular.bot.token),\n DetailsNewScopes=tostring(details.new.scopes),\n DetailsPreviousScopes=tostring(details.previous.scopes),\n EntityUsergroupId=tostring(entity.usergroup.id),\n EntityUsergroupName=tostring(entity.usergroup.name),\n DetailsKickerType=tostring(details.kicker.type),\n DetailsKickerUserId=tostring(details.kicker.user.id),\n DetailsKickerUserName=tostring(details.kicker.user.name),\n DetailsKickerUserEmail=tostring(details.kicker.user.email),\n DetailsKickerUserTeam=tostring(details.kicker.user.team),\n DetailsInviterId=tostring(details.inviter.id),\n DetailsInviterName=tostring(details.inviter.name),\n DetailsInviterEmail=tostring(details.inviter.email),\n DetailsInviterTeam=tostring(details.inviter.team),\n DetailsInviterType=tostring(details.inviter.type),\n DetailsInviterUserId=tostring(details.inviter.user.id),\n DetailsInviterUserName=tostring(details.inviter.user.name),\n DetailsInviterUserEmail=tostring(details.inviter.user.email),\n DetailsInviterUserTeam=tostring(details.inviter.user.team),\n DetailsIsWorkflow=tobool(details.is.workflow),\n EntityAppId=tostring(entity.app.id),\n 
EntityAppName=tostring(entity.app.name),\n EntityAppIsDistributed=tobool(entity.app.is.distributed),\n EntityAppIsDirectoryApproved=tobool(entity.app.is.directory.approved),\n EntityAppIsWorkflowApp=tobool(entity.app.is.workflow.app),\n EntityAppScopes=tostring(entity.app.scopes),\n DetailsIsInternalIntegration=tobool(details.is.internal.integration),\n DetailsBotScopes=tostring(details.bot.scopes),\n EntityChannelId=tostring(entity.channel.id),\n EntityChannelPrivacy=tostring(entity.channel.privacy),\n EntityChannelName=tostring(entity.channel.name),\n EntityChannelIsShared=tobool(entity.channel.is.shared),\n EntityChannelIsOrgShared=tobool(entity.channel.is.org.shared),\n DetailsType=tostring(details.type),\n EntityUserId=tostring(entity.user.id),\n EntityUserName=tostring(entity.user.name),\n EntityUserEmail=tostring(entity.user.email),\n EntityUserTeam=tostring(entity.user.team),\n ActorType=tostring(actor.type),\n ActorUserId=tostring(actor.user.id),\n ActorUserName=tostring(actor.user.name),\n ActorUserEmail=tostring(actor.user.email),\n ActorUserTeam=tostring(actor.user.team),\n EntityType=tostring(entity.type),\n EntityFileId=tostring(entity.file.id),\n EntityFileName=tostring(entity.file.name),\n EntityFileFiletype=tostring(entity.file.filetype),\n EntityFileTitle=tostring(entity['file']['title']),\n ContextLocationType=tostring(context.location.type),\n ContextLocationId=tostring(context.location.id),\n ContextLocationName=tostring(context.location.name),\n ContextLocationDomain=tostring(context.location.domain),\n ContextUA=tostring(context.ua),\n ContextIpAddress=tostring(context.ip.address),\n ContextSessionId=todouble(context.session.id),\n ActionDescription=column_ifexists('ActionDescription', ''),\n EventId=column_ifexists('Id', ''),\n EventEndTime=column_ifexists('DateCreate', ''),\n DvcAction=column_ifexists('Action', ''),\n SrcUserIdentity=tostring(actor.user.id),\n SrcUserName=tostring(actor.user.name),\n 
SrcUserEmail=tostring(actor.user.email),\n UserAgentOriginal=tostring(context.ua),\n SrcIpAddr=tostring(context.ip.address),\n DvcActionDesc=column_ifexists('ActionDescription', '')\n};\nunion isfuzzy=true\n(SlackAudit_view),\n(SlackAuditV1_view),\n(SlackAuditV2_view) \n| project TimeGenerated, DetailsMobileOnly,DetailsWebOnly, DetailsKickerId, DetailsKickerName, DetailsKickerEmail, DetailsKickerTeam,DetailsAppOwnerId, DetailsGranularBotToken, DetailsNewScopes, DetailsPreviousScopes, EntityUsergroupId, EntityUsergroupName, DetailsKickerType, DetailsKickerUserId, DetailsKickerUserName, DetailsKickerUserEmail, DetailsKickerUserTeam, DetailsInviterId, DetailsInviterName, DetailsInviterEmail, DetailsInviterTeam, DetailsInviterType, DetailsInviterUserId, DetailsInviterUserName, DetailsInviterUserEmail, DetailsInviterUserTeam, DetailsIsWorkflow, EntityAppId, EntityAppName, EntityAppIsDistributed, EntityAppIsDirectoryApproved, EntityAppIsWorkflowApp, EntityAppScopes, DetailsIsInternalIntegration, DetailsBotScopes, EntityChannelId, EntityChannelPrivacy, EntityChannelName, EntityChannelIsShared, EntityChannelIsOrgShared, DetailsType, EntityUserId, EntityUserName, EntityUserEmail, EntityUserTeam, Id, DateCreate, Action, ActorType, ActorUserId, ActorUserName, ActorUserEmail, ActorUserTeam, EntityType, EntityFileId, EntityFileName, EntityFileFiletype, EntityFileTitle, ContextLocationType, ContextLocationId, ContextLocationName, ContextLocationDomain, ContextUA, ContextIpAddress, ContextSessionId, ActionDescription, EventId, EventEndTime, DvcAction, SrcUserIdentity, SrcUserName, SrcUserEmail, UserAgentOriginal, SrcIpAddr, DvcActionDesc\n", + "query": "let SlackAudit_view = view () {\nSlackAudit_CL\n| extend\n DetailsMobileOnly=column_ifexists('details_mobile_only_b', ''),\n \t\tDetailsWebOnly=column_ifexists('details_web_only_b', ''),\n \t\tDetailsKickerId=column_ifexists('details_kicker_id_s', ''),\n \t\tDetailsKickerName=column_ifexists('details_kicker_name_s', ''),\n 
\t\tDetailsKickerEmail=column_ifexists('details_kicker_email_s', ''),\n \t\tDetailsKickerTeam=column_ifexists('details_kicker_team_s', ''),\n \t\tDetailsAppOwnerId=column_ifexists('details_app_owner_id_s', ''),\n \t\tDetailsGranularBotToken=column_ifexists('details_granular_bot_token_b', ''),\n \t\tDetailsNewScopes=column_ifexists('details_new_scopes_s', ''),\n \t\tDetailsPreviousScopes=column_ifexists('details_previous_scopes_s', ''),\n \t\tEntityUsergroupId=column_ifexists('entity_usergroup_id_s', ''),\n \t\tEntityUsergroupName=column_ifexists('entity_usergroup_name_s', ''),\n \t\tDetailsKickerType=column_ifexists('details_kicker_type_s', ''),\n \t\tDetailsKickerUserId=column_ifexists('details_kicker_user_id_s', ''),\n \t\tDetailsKickerUserName=column_ifexists('details_kicker_user_name_s', ''),\n \t\tDetailsKickerUserEmail=column_ifexists('details_kicker_user_email_s', ''),\n \t\tDetailsKickerUserTeam=column_ifexists('details_kicker_user_team_s', ''),\n \t\tDetailsInviterId=column_ifexists('details_inviter_id_s', ''),\n \t\tDetailsInviterName=column_ifexists('details_inviter_name_s', ''),\n \t\tDetailsInviterEmail=column_ifexists('details_inviter_email_s', ''),\n \t\tDetailsInviterTeam=column_ifexists('details_inviter_team_s', ''),\n \t\tDetailsInviterType=column_ifexists('details_inviter_type_s', ''),\n \t\tDetailsInviterUserId=column_ifexists('details_inviter_user_id_s', ''),\n \t\tDetailsInviterUserName=column_ifexists('details_inviter_user_name_s', ''),\n \t\tDetailsInviterUserEmail=column_ifexists('details_inviter_user_email_s', ''),\n \t\tDetailsInviterUserTeam=column_ifexists('details_inviter_user_team_s', ''),\n \t\tDetailsIsWorkflow=column_ifexists('details_is_workflow_b', ''),\n \t\tEntityAppId=column_ifexists('entity_app_id_s', ''),\n \t\tEntityAppName=column_ifexists('entity_app_name_s', ''),\n \t\tEntityAppIsDistributed=column_ifexists('entity_app_is_distributed_b', ''),\n 
\t\tEntityAppIsDirectoryApproved=column_ifexists('entity_app_is_directory_approved_b', ''),\n \t\tEntityAppIsWorkflowApp=column_ifexists('entity_app_is_workflow_app_b', ''),\n \t\tEntityAppScopes=column_ifexists('entity_app_scopes_s', ''),\n \t\tDetailsIsInternalIntegration=column_ifexists('details_is_internal_integration_b', ''),\n \t\tDetailsBotScopes=column_ifexists('details_bot_scopes_s', ''),\n \t\tEntityChannelId=column_ifexists('entity_channel_id_s', ''),\n \t\tEntityChannelPrivacy=column_ifexists('entity_channel_privacy_s', ''),\n \t\tEntityChannelName=column_ifexists('entity_channel_name_s', ''),\n \t\tEntityChannelIsShared=column_ifexists('entity_channel_is_shared_b', ''),\n \t\tEntityChannelIsOrgShared=column_ifexists('entity_channel_is_org_shared_b', ''),\n \t\tDetailsType=column_ifexists('details_type_s', ''),\n \t\tEntityUserId=column_ifexists('entity_user_id_s', ''),\n \t\tEntityUserName=column_ifexists('entity_user_name_s', ''),\n \t\tEntityUserEmail=column_ifexists('entity_user_email_s', ''),\n \t\tEntityUserTeam=column_ifexists('entity_user_team_s', ''),\n \t\tId=column_ifexists('id_g', ''),\n \t\tDateCreate=column_ifexists('date_create_d', ''),\n \t\tAction=column_ifexists('action_s', ''),\n \t\tActorType=column_ifexists('actor_type_s', ''),\n \t\tActorUserId=column_ifexists('actor_user_id_s', ''),\n \t\tActorUserName=column_ifexists('actor_user_name_s', ''),\n \t\tActorUserEmail=column_ifexists('actor_user_email_s', ''),\n \t\tActorUserTeam=column_ifexists('actor_user_team_s', ''),\n \t\tEntityType=column_ifexists('entity_type_s', ''),\n \t\tEntityFileId=column_ifexists('entity_file_id_s', ''),\n \t\tEntityFileName=column_ifexists('entity_file_name_s', ''),\n \t\tEntityFileFiletype=column_ifexists('entity_file_filetype_s', ''),\n \t\tEntityFileTitle=column_ifexists('entity_file_title_s', ''),\n \t\tContextLocationType=column_ifexists('context_location_type_s', ''),\n \t\tContextLocationId=column_ifexists('context_location_id_s', ''),\n 
\t\tContextLocationName=column_ifexists('context_location_name_s', ''),\n \t\tContextLocationDomain=column_ifexists('context_location_domain_s', ''),\n \t\tContextUA=column_ifexists('context_ua_s', ''),\n \t\tContextIpAddress=column_ifexists('context_ip_address_s', ''),\n \t\tContextSessionId=column_ifexists('context_session_id_d', ''),\n \t\tActionDescription=column_ifexists('action_description_s', '')\n};\nlet SlackAuditV1_view = view () {\nSlackAuditNativePoller_CL\n| extend\n DetailsMobileOnly=column_ifexists('details_mobile_only_b', ''), \n \t\tDetailsWebOnly=column_ifexists('details_web_only_b', ''),\n \t\tDetailsKickerId=column_ifexists('details_kicker_id_s', ''),\n \t\tDetailsKickerName=column_ifexists('details_kicker_name_s', ''),\n \t\tDetailsKickerEmail=column_ifexists('details_kicker_email_s', ''),\n \t\tDetailsKickerTeam=column_ifexists('details_kicker_team_s', ''),\n \t\tDetailsAppOwnerId=column_ifexists('details_app_owner_id_s', ''),\n \t\tDetailsGranularBotToken=column_ifexists('details_granular_bot_token_b', ''),\n \t\tDetailsNewScopes=column_ifexists('details_new_scopes_s', ''),\n \t\tDetailsPreviousScopes=column_ifexists('details_previous_scopes_s', ''),\n \t\tEntityUsergroupId=column_ifexists('entity_usergroup_id_s', ''),\n \t\tEntityUsergroupName=column_ifexists('entity_usergroup_name_s', ''),\n \t\tDetailsKickerType=column_ifexists('details_kicker_type_s', ''),\n \t\tDetailsKickerUserId=column_ifexists('details_kicker_user_id_s', ''),\n \t\tDetailsKickerUserName=column_ifexists('details_kicker_user_name_s', ''),\n \t\tDetailsKickerUserEmail=column_ifexists('details_kicker_user_email_s', ''),\n \t\tDetailsKickerUserTeam=column_ifexists('details_kicker_user_team_s', ''),\n \t\tDetailsInviterId=column_ifexists('details_inviter_id_s', ''),\n \t\tDetailsInviterName=column_ifexists('details_inviter_name_s', ''),\n \t\tDetailsInviterEmail=column_ifexists('details_inviter_email_s', ''),\n 
\t\tDetailsInviterTeam=column_ifexists('details_inviter_team_s', ''),\n \t\tDetailsInviterType=column_ifexists('details_inviter_type_s', ''),\n \t\tDetailsInviterUserId=column_ifexists('details_inviter_user_id_s', ''),\n \t\tDetailsInviterUserName=column_ifexists('details_inviter_user_name_s', ''),\n \t\tDetailsInviterUserEmail=column_ifexists('details_inviter_user_email_s', ''),\n \t\tDetailsInviterUserTeam=column_ifexists('details_inviter_user_team_s', ''),\n \t\tDetailsIsWorkflow=column_ifexists('details_is_workflow_b', ''),\n \t\tEntityAppId=column_ifexists('entity_app_id_s', ''),\n \t\tEntityAppName=column_ifexists('entity_app_name_s', ''),\n \t\tEntityAppIsDistributed=column_ifexists('entity_app_is_distributed_b', ''),\n \t\tEntityAppIsDirectoryApproved=column_ifexists('entity_app_is_directory_approved_b', ''),\n \t\tEntityAppIsWorkflowApp=column_ifexists('entity_app_is_workflow_app_b', ''),\n \t\tEntityAppScopes=column_ifexists('entity_app_scopes_s', ''),\n \t\tDetailsIsInternalIntegration=column_ifexists('details_is_internal_integration_b', ''),\n \t\tDetailsBotScopes=column_ifexists('details_bot_scopes_s', ''),\n \t\tEntityChannelId=column_ifexists('entity_channel_id_s', ''),\n \t\tEntityChannelPrivacy=column_ifexists('entity_channel_privacy_s', ''),\n \t\tEntityChannelName=column_ifexists('entity_channel_name_s', ''),\n \t\tEntityChannelIsShared=column_ifexists('entity_channel_is_shared_b', ''),\n \t\tEntityChannelIsOrgShared=column_ifexists('entity_channel_is_org_shared_b', ''),\n \t\tDetailsType=column_ifexists('details_type_s', ''),\n \t\tEntityUserId=column_ifexists('entity_user_id_s', ''),\n \t\tEntityUserName=column_ifexists('entity_user_name_s', ''),\n \t\tEntityUserEmail=column_ifexists('entity_user_email_s', ''),\n \t\tEntityUserTeam=column_ifexists('entity_user_team_s', ''),\n \t\tId=column_ifexists('id_g', ''),\n \t\tDateCreate=column_ifexists('date_create_d', ''),\n \t\tAction=column_ifexists('action_s', ''),\n 
\t\tActorType=column_ifexists('actor_type_s', ''),\n \t\tActorUserId=column_ifexists('actor_user_id_s', ''),\n \t\tActorUserName=column_ifexists('actor_user_name_s', ''),\n \t\tActorUserEmail=column_ifexists('actor_user_email_s', ''),\n \t\tActorUserTeam=column_ifexists('actor_user_team_s', ''),\n \t\tEntityType=column_ifexists('entity_type_s', ''),\n \t\tEntityFileId=column_ifexists('entity_file_id_s', ''),\n \t\tEntityFileName=column_ifexists('entity_file_name_s', ''),\n \t\tEntityFileFiletype=column_ifexists('entity_file_filetype_s', ''),\n \t\tEntityFileTitle=column_ifexists('entity_file_title_s', ''),\n \t\tContextLocationType=column_ifexists('context_location_type_s', ''),\n \t\tContextLocationId=column_ifexists('context_location_id_s', ''),\n \t\tContextLocationName=column_ifexists('context_location_name_s', ''),\n \t\tContextLocationDomain=column_ifexists('context_location_domain_s', ''),\n \t\tContextUA=column_ifexists('context_ua_s', ''),\n \t\tContextIpAddress=column_ifexists('context_ip_address_s', ''),\n \t ContextSessionId=column_ifexists('context_session_id_d', ''),\n \t\tActionDescription=column_ifexists('action_description_s', ''),\n EventId=column_ifexists('id_g', ''),\n EventEndTime=column_ifexists('date_create_d', ''),\n DvcAction=column_ifexists('action_s', ''),\n SrcUserIdentity=column_ifexists('actor_user_id_s', ''),\n SrcUserName=column_ifexists('actor_user_name_s', ''),\n SrcUserEmail=column_ifexists('actor_user_email_s', ''),\n UserAgentOriginal=column_ifexists('context_ua_s', ''),\n SrcIpAddr=column_ifexists('context_ip_address_s', ''),\n DvcActionDesc=column_ifexists('action_description_s', '')\n};\nlet SlackAuditV2_view = view () {\nSlackAuditV2_CL\n| extend actor = todynamic(Actor)\n| extend entity = todynamic(Entity)\n| extend context = todynamic(Context)\n| extend details = todynamic(Details)\n| extend\n Id=column_ifexists('Id', ''),\n DateCreate=column_ifexists('DateCreate', ''),\n Action=column_ifexists('Action', ''),\n 
DetailsMobileOnly=tobool(details.mobile.only),\n DetailsWebOnly=tobool(details.web.only),\n DetailsKickerId=tostring(details.kicker.id),\n DetailsKickerName=tostring(details.kicker.name),\n DetailsKickerEmail=tostring(details.kicker.email),\n DetailsKickerTeam=tostring(details.kicker.team),\n DetailsAppOwnerId=tostring(details.app.owner.id),\n DetailsGranularBotToken=tobool(details.granular.bot.token),\n DetailsNewScopes=tostring(details.new.scopes),\n DetailsPreviousScopes=tostring(details.previous.scopes),\n EntityUsergroupId=tostring(entity.usergroup.id),\n EntityUsergroupName=tostring(entity.usergroup.name),\n DetailsKickerType=tostring(details.kicker.type),\n DetailsKickerUserId=tostring(details.kicker.user.id),\n DetailsKickerUserName=tostring(details.kicker.user.name),\n DetailsKickerUserEmail=tostring(details.kicker.user.email),\n DetailsKickerUserTeam=tostring(details.kicker.user.team),\n DetailsInviterId=tostring(details.inviter.id),\n DetailsInviterName=tostring(details.inviter.name),\n DetailsInviterEmail=tostring(details.inviter.email),\n DetailsInviterTeam=tostring(details.inviter.team),\n DetailsInviterType=tostring(details.inviter.type),\n DetailsInviterUserId=tostring(details.inviter.user.id),\n DetailsInviterUserName=tostring(details.inviter.user.name),\n DetailsInviterUserEmail=tostring(details.inviter.user.email),\n DetailsInviterUserTeam=tostring(details.inviter.user.team),\n DetailsIsWorkflow=tobool(details.is.workflow),\n EntityAppId=tostring(entity.app.id),\n EntityAppName=tostring(entity.app.name),\n EntityAppIsDistributed=tobool(entity.app.is.distributed),\n EntityAppIsDirectoryApproved=tobool(entity.app.is.directory.approved),\n EntityAppIsWorkflowApp=tobool(entity.app.is.workflow.app),\n EntityAppScopes=tostring(entity.app.scopes),\n DetailsIsInternalIntegration=tobool(details.is.internal.integration),\n DetailsBotScopes=tostring(details.bot.scopes),\n EntityChannelId=tostring(entity.channel.id),\n 
EntityChannelPrivacy=tostring(entity.channel.privacy),\n EntityChannelName=tostring(entity.channel.name),\n EntityChannelIsShared=tobool(entity.channel.is_shared),\n EntityChannelIsOrgShared=tobool(entity.channel.is_org_shared),\n DetailsType=tostring(details.type),\n EntityUserId=tostring(entity.user.id),\n EntityUserName=tostring(entity.user.name),\n EntityUserEmail=tostring(entity.user.email),\n EntityUserTeam=tostring(entity.user.team),\n ActorType=tostring(actor.type),\n ActorUserId=tostring(actor.user.id),\n ActorUserName=tostring(actor.user.name),\n ActorUserEmail=tostring(actor.user.email),\n ActorUserTeam=tostring(actor.user.team),\n EntityType=tostring(entity.type),\n EntityFileId=tostring(entity.file.id),\n EntityFileName=tostring(entity.file.name),\n EntityFileFiletype=tostring(entity.file.filetype),\n EntityFileTitle=tostring(entity['file']['title']),\n ContextLocationType=tostring(context.location.type),\n ContextLocationId=tostring(context.location.id),\n ContextLocationName=tostring(context.location.name),\n ContextLocationDomain=tostring(context.location.domain),\n ContextUA=tostring(context.ua),\n ContextIpAddress=tostring(context.ip_address),\n ContextSessionId=todouble(context.session_id),\n ActionDescription=column_ifexists('ActionDescription', ''),\n EventId=column_ifexists('Id', ''),\n EventEndTime=column_ifexists('DateCreate', ''),\n DvcAction=column_ifexists('Action', ''),\n SrcUserIdentity=tostring(actor.user.id),\n SrcUserName=tostring(actor.user.name),\n SrcUserEmail=tostring(actor.user.email),\n UserAgentOriginal=tostring(context.ua),\n SrcIpAddr=tostring(context.ip_address),\n DvcActionDesc=column_ifexists('ActionDescription', '')\n};\nunion isfuzzy=true\n(SlackAudit_view),\n(SlackAuditV1_view),\n(SlackAuditV2_view) \n| project TimeGenerated, DetailsMobileOnly,DetailsWebOnly, DetailsKickerId, DetailsKickerName, DetailsKickerEmail, DetailsKickerTeam,DetailsAppOwnerId, DetailsGranularBotToken, DetailsNewScopes, DetailsPreviousScopes, 
EntityUsergroupId, EntityUsergroupName, DetailsKickerType, DetailsKickerUserId, DetailsKickerUserName, DetailsKickerUserEmail, DetailsKickerUserTeam, DetailsInviterId, DetailsInviterName, DetailsInviterEmail, DetailsInviterTeam, DetailsInviterType, DetailsInviterUserId, DetailsInviterUserName, DetailsInviterUserEmail, DetailsInviterUserTeam, DetailsIsWorkflow, EntityAppId, EntityAppName, EntityAppIsDistributed, EntityAppIsDirectoryApproved, EntityAppIsWorkflowApp, EntityAppScopes, DetailsIsInternalIntegration, DetailsBotScopes, EntityChannelId, EntityChannelPrivacy, EntityChannelName, EntityChannelIsShared, EntityChannelIsOrgShared, DetailsType, EntityUserId, EntityUserName, EntityUserEmail, EntityUserTeam, Id, DateCreate, Action, ActorType, ActorUserId, ActorUserName, ActorUserEmail, ActorUserTeam, EntityType, EntityFileId, EntityFileName, EntityFileFiletype, EntityFileTitle, ContextLocationType, ContextLocationId, ContextLocationName, ContextLocationDomain, ContextUA, ContextIpAddress, ContextSessionId, ActionDescription, EventId, EventEndTime, DvcAction, SrcUserIdentity, SrcUserName, SrcUserEmail, UserAgentOriginal, SrcIpAddr, DvcActionDesc\n", "functionParameters": "", "version": 2, "tags": [ @@ -2033,7 +2033,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SlackAuditApplicationsInstalled_HuntingQueries Hunting Query with template version 3.0.4", + "description": "SlackAuditApplicationsInstalled_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", 
@@ -2118,7 +2118,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SlackAuditDeactivatedUsers_HuntingQueries Hunting Query with template version 3.0.4", + "description": "SlackAuditDeactivatedUsers_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", @@ -2203,7 +2203,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SlackAuditDownloadedFilesByUser_HuntingQueries Hunting Query with template version 3.0.4", + "description": "SlackAuditDownloadedFilesByUser_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", @@ -2288,7 +2288,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SlackAuditFailedLoginsUnknownUsername_HuntingQueries Hunting Query with template version 3.0.4", + "description": "SlackAuditFailedLoginsUnknownUsername_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", 
@@ -2373,7 +2373,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SlackAuditNewUsers_HuntingQueries Hunting Query with template version 3.0.4", + "description": "SlackAuditNewUsers_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", @@ -2458,7 +2458,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SlackAuditSuspiciousFilesDownloaded_HuntingQueries Hunting Query with template version 3.0.4", + "description": "SlackAuditSuspiciousFilesDownloaded_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", @@ -2543,7 +2543,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SlackAuditUploadedFilesByUser_HuntingQueries Hunting Query with template version 3.0.4", + "description": "SlackAuditUploadedFilesByUser_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", 
@@ -2628,7 +2628,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SlackAuditUserLoginsByIP_HuntingQueries Hunting Query with template version 3.0.4", + "description": "SlackAuditUserLoginsByIP_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", @@ -2713,7 +2713,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SlackAuditUserPermissionsChanged_HuntingQueries Hunting Query with template version 3.0.4", + "description": "SlackAuditUserPermissionsChanged_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]", @@ -2798,7 +2798,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SlackAuditUsersJoinedChannelsWithoutInvites_HuntingQueries Hunting Query with template version 3.0.4", + "description": "SlackAuditUsersJoinedChannelsWithoutInvites_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]", 
@@ -2879,7 +2879,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.4", + "version": "3.0.5", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "SlackAudit", diff --git a/Solutions/SlackAudit/Parsers/SlackAudit.yaml b/Solutions/SlackAudit/Parsers/SlackAudit.yaml index b5378113d9e..8bf8a1898b8 100644 --- a/Solutions/SlackAudit/Parsers/SlackAudit.yaml +++ b/Solutions/SlackAudit/Parsers/SlackAudit.yaml @@ -1,8 +1,8 @@ id: fb5aaeb6-14fa-45e8-bb4a-6d4c642a710e Function: Title: Parser for SlackAudit - Version: "1.0.0" - LastUpdated: "2023-08-23" + Version: "1.0.1" + LastUpdated: "2025-12-12" Category: Microsoft Sentinel Parser FunctionName: SlackAudit FunctionAlias: SlackAudit @@ -204,8 +204,8 @@ FunctionQuery: | EntityChannelId=tostring(entity.channel.id), EntityChannelPrivacy=tostring(entity.channel.privacy), EntityChannelName=tostring(entity.channel.name), - EntityChannelIsShared=tobool(entity.channel.is.shared), - EntityChannelIsOrgShared=tobool(entity.channel.is.org.shared), + EntityChannelIsShared=tobool(entity.channel.is_shared), + EntityChannelIsOrgShared=tobool(entity.channel.is_org_shared), DetailsType=tostring(details.type), EntityUserId=tostring(entity.user.id), EntityUserName=tostring(entity.user.name), @@ -226,8 +226,8 @@ FunctionQuery: | ContextLocationName=tostring(context.location.name), ContextLocationDomain=tostring(context.location.domain), ContextUA=tostring(context.ua), - ContextIpAddress=tostring(context.ip.address), - ContextSessionId=todouble(context.session.id), + ContextIpAddress=tostring(context.ip_address), + ContextSessionId=todouble(context.session_id), ActionDescription=column_ifexists('ActionDescription', ''), EventId=column_ifexists('Id', ''), EventEndTime=column_ifexists('DateCreate', ''), 
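Review bot: The underscore fix in the hunk at -204 (and in the ones at -226 and -236) covers only four paths, while SlackAuditV2_view still reads other fields through dotted paths that look like the same key-splitting mistake. The packaged copy of this query in mainTemplate.json has `tobool(entity.app.is.distributed)`, `tostring(details.new.scopes)`, `tostring(details.previous.scopes)`, `tostring(details.bot.scopes)` and `tobool(details.is.internal.integration)`, and the YAML presumably has the same lines outside these hunks. If the V2 table keeps Slack's underscore key names, as the corrected `is_shared` and `ip_address` suggest, these paths evaluate to null without raising an error, so analytics rules and hunting queries that look at app scopes or integration flags would silently see empty values. I would check every remaining path against a sample SlackAuditV2_CL record and rewrite the ones that are single keys, e.g. `DetailsNewScopes=tostring(details.new_scopes),`. The FunctionQuery body starts and ends outside these hunks.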
@@ -236,7 +236,7 @@ FunctionQuery: | SrcUserName=tostring(actor.user.name), SrcUserEmail=tostring(actor.user.email), UserAgentOriginal=tostring(context.ua), - SrcIpAddr=tostring(context.ip.address), + SrcIpAddr=tostring(context.ip_address), DvcActionDesc=column_ifexists('ActionDescription', '') }; union isfuzzy=true diff --git a/Solutions/SlackAudit/ReleaseNotes.md b/Solutions/SlackAudit/ReleaseNotes.md index 8956e89a7bf..fa4c857c887 100644 --- a/Solutions/SlackAudit/ReleaseNotes.md +++ b/Solutions/SlackAudit/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------| +| 3.0.5 | 12-12-2025 | Updated the **Parser** yaml file. | | 3.0.4 | 28-07-2025 | Removed Deprecated **Data Connector**. | | 3.0.3 | 30-06-2025 | Moving **CCF Data Connector** to GA. | | 3.0.2 | 30-05-2025 | Preview tag added to **CCF Data Connector**. | diff --git a/Solutions/SlackAudit/data/Solution_SlackAudit.json b/Solutions/SlackAudit/data/Solution_SlackAudit.json index 96c4699134b..abefa824237 100644 --- a/Solutions/SlackAudit/data/Solution_SlackAudit.json +++ b/Solutions/SlackAudit/data/Solution_SlackAudit.json @@ -38,7 +38,7 @@ ], "Metadata": "SolutionMetadata.json", "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\SlackAudit", - "Version": "3.0.0", + "Version": "3.0.5", "TemplateSpec": true, "Is1PConnector": false } \ No newline at end of file