What Changed

Fixed field name parsing errors in the Slack Audit parser affecting the SlackAuditV2_CL table. Updated field references from dot notation to underscore notation to match the actual JSON structure.

Parser Impact

The parser was attempting to access nested JSON fields using dot notation (entity.channel.is.shared, context.ip.address) when the actual field names use underscores (entity.channel.is_shared, context.ip_address). Because the dotted path resolves to nested keys that do not exist in the event, the affected fields returned null for every row.

Security Impact (Visibility & Fidelity)

Queries referencing these fields against the Slack Audit parser returned null for all rows. This was a data fidelity gap affecting:

  • EntityChannelIsShared/EntityChannelIsOrgShared: Channel sharing status visibility was completely lost, preventing detection of data exfiltration via shared channels
  • ContextIpAddress/SrcIpAddr: Source IP address tracking was broken, eliminating geolocation-based anomaly detection and threat correlation
  • ContextSessionId: Session tracking was impaired, reducing ability to correlate related user activities

This was not a cosmetic fix: security teams using Slack audit data for insider threat detection, data loss prevention, or geographic access monitoring had critical blind spots.
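The mismatch described under Parser Impact and the resulting null columns listed above, shown side by side in KQL. This is an added example, not the solution's own parser code: it assumes the raw Slack audit entry is available as a JSON string (RawEvent) and uses a constructed two-row sample; the key names is_shared, is_org_shared, ip_address and session_id follow the Slack Audit Logs API schema.

```kusto
// Constructed sample of Slack audit log entries (not real data); RawEvent is an
// assumed column holding the unmodified JSON body of each entry.
let SampleEvents = datatable(TimeGenerated:datetime, RawEvent:string) [
    datetime(2024-01-01T10:00:00Z),
    '{"id":"evt-1","action":"shared_channel_invite_accepted",'
    '"context":{"ip_address":"203.0.113.10","session_id":"sess-1"},'
    '"entity":{"type":"channel","channel":{"id":"C123","name":"partner-shared","is_shared":true,"is_org_shared":false}}}',
    datetime(2024-01-01T10:05:00Z),
    '{"id":"evt-2","action":"file_downloaded",'
    '"context":{"ip_address":"198.51.100.7","session_id":"sess-2"},'
    '"entity":{"type":"channel","channel":{"id":"C456","name":"internal","is_shared":false,"is_org_shared":true}}}'
];
let Parsed = SampleEvents
| extend d = parse_json(RawEvent)
// Before the fix: "is.shared" is read as nested keys "is" -> "shared", which do not
// exist, so the extracted value is null (tostring of a missing path yields an empty string).
| extend EntityChannelIsShared_Before = tobool(d.entity.channel.is.shared),
         ContextIpAddress_Before      = tostring(d.context.ip.address)
// After the fix: the JSON keys contain literal underscores.
| extend EntityChannelIsShared    = tobool(d.entity.channel.is_shared),
         EntityChannelIsOrgShared = tobool(d.entity.channel.is_org_shared),
         ContextIpAddress         = tostring(d.context.ip_address),
         ContextSessionId         = tostring(d.context.session_id)
| extend SrcIpAddr = ContextIpAddress;
// Fidelity check: count how many rows actually carry a value under each mapping.
// Before the fix every "populated" count is 0; after the fix it equals the row count.
Parsed
| summarize Rows = count(),
            SharedPopulated_Before = countif(isnotnull(EntityChannelIsShared_Before)),
            IpPopulated_Before     = countif(isnotempty(ContextIpAddress_Before)),
            SharedPopulated_After  = countif(isnotnull(EntityChannelIsShared)),
            OrgSharedPopulated     = countif(isnotnull(EntityChannelIsOrgShared)),
            IpPopulated_After      = countif(isnotempty(ContextIpAddress)),
            SessionPopulated       = countif(isnotempty(ContextSessionId))
```

The same summarize run against the live parser output is a cheap regression check: any field whose populated count stays at 0 across a window of real events is a candidate for the same kind of path mismatch.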

Affected Files

Solutions/SlackAudit/Parsers/SlackAudit.yaml
(packaging artefacts: mainTemplate.json, Solution_SlackAudit.json, 3.0.5.zip, ReleaseNotes.md)