Azure-Sentinel/Solutions/Workplace from Facebook/Parsers/Workplace_Facebook.yaml

id: 77fb2f63-7160-426b-8842-67520c4eddfd
Function:
  Title: Parser for Workplace_Facebook
  Version: '1.0.0'
  LastUpdated: '2023-08-23'
Category: Microsoft Sentinel Parser
FunctionName: Workplace_Facebook
FunctionAlias: Workplace_Facebook
FunctionQuery: |
    let Workplace_Facebook_view = view () {
        Workplace_Facebook_CL 
    | extend tmp = parse_json(entry_s) 
    | mv-expand tmp 
        | extend   
                    EventUid = tmp["id"],
                    EventEndTime = unixtime_seconds_todatetime(tolong(tmp["time"])),
                    Changes = tmp["changes"],
                    EventType = object_s,
                    EventVendor = "Facebook",
                    EventProduct = "Workplace"
        | project-away tmp, entry_s, object_s
    };
    Workplace_Facebook_view