Microsoft Sentinel Analytic Rules

SlackAudit - Unknown User Agent

Id: 3b11f06e-4afd-4ae6-8477-c61136619ac8
Rulename: SlackAudit - Unknown User Agent
Description: Detects Slack workspace activity from unknown user agents by comparing recent UserAgentOriginal values against a 14d baseline of known user agents.
Severity: Low
Tactics: CommandAndControl
Techniques: T1071, T1071.001
Required data connectors: SlackAuditAPI
Kind: Scheduled
Query frequency: 24h
Query period: 14d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUnknownUA.yaml
Version: 1.0.2
Arm template: 3b11f06e-4afd-4ae6-8477-c61136619ac8.json

Query:
let lbperiod = 14d;
let known_UAs = SlackAudit
| where TimeGenerated > ago(lbperiod)
| where isnotempty(UserAgentOriginal)
| summarize makeset(UserAgentOriginal);
SlackAudit
| where UserAgentOriginal !in (known_UAs)
| extend AccountCustomEntity = SrcUserName
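A caveat on the query as shipped: the baseline (TimeGenerated > ago(lbperiod), with lbperiod = 14d) covers the same 14d query period that the un-filtered detection branch runs over, so any user agent present in the detection data is by construction also present in known_UAs when it is tested with !in. The baseline additionally drops empty values while the detection branch keeps them, so an empty UserAgentOriginal is never "known". The rewrite below is an added example, not the query shipped in the SlackAudit solution: it holds the baseline back by one detection window (24h, the rule's query frequency), restricts the detection branch to that window, applies the same empty-value filter on both sides, and uses distinct instead of the deprecated makeset so the tabular argument to in is a plain string column. It uses only the columns that appear on this page (TimeGenerated, UserAgentOriginal, SrcUserName) and keeps the AccountCustomEntity and UserAgentOriginal columns the rule's entity mapping, custom details and alert format strings refer to.

```kql
// Added example, not the SlackAudit solution's own rule query.
// Baseline window: [now-14d, now-24h); detection window: [now-24h, now].
let lbperiod = 14d;          // baseline length, same value as the rule
let detection_window = 24h;  // must be >= the rule's queryFrequency (24h)
let known_UAs = SlackAudit
| where TimeGenerated between (ago(lbperiod) .. ago(detection_window))
| where isnotempty(UserAgentOriginal)
| distinct UserAgentOriginal;      // one string column, the shape 'in' expects
SlackAudit
| where TimeGenerated > ago(detection_window)
| where isnotempty(UserAgentOriginal)   // an empty UA is a parsing gap, not a new client
| where UserAgentOriginal !in (known_UAs)
// Collapse per-event rows into one row per account / user agent pair so a
// single new client produces one alert rather than one alert per API call.
| summarize FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            Events    = count()
            by SrcUserName, UserAgentOriginal
| extend AccountCustomEntity = SrcUserName
```

Two operational notes. The detection window must be at least as long as queryFrequency, otherwise events that land between two scheduled runs are never tested against the baseline. And for the first 14 days after the SlackAuditAPI connector starts ingesting, the baseline is still being populated, so expect an initial burst of alerts that are simply the legitimate client population being learned; tuning the rule to Informational for that period, or seeding known_UAs from a watchlist, avoids paging on it.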
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
tactics:
- CommandAndControl
requiredDataConnectors:
- dataTypes:
  - SlackAudit_CL
  connectorId: SlackAuditAPI
alertDetailsOverride:
  alertDisplayNameFormat: Slack audit unknown user agent for {{AccountCustomEntity}}
  alertDescriptionFormat: Slack activity from {{AccountCustomEntity}} used unknown user agent {{UserAgentOriginal}}
id: 3b11f06e-4afd-4ae6-8477-c61136619ac8
severity: Low
status: Available
customDetails:
  Account: AccountCustomEntity
  UserAgent: UserAgentOriginal
query: |
  let lbperiod = 14d;
  let known_UAs = SlackAudit
  | where TimeGenerated > ago(lbperiod)
  | where isnotempty(UserAgentOriginal)
  | summarize makeset(UserAgentOriginal);
  SlackAudit
  | where UserAgentOriginal !in (known_UAs)
  | extend AccountCustomEntity = SrcUserName  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUnknownUA.yaml
kind: Scheduled
queryPeriod: 14d
version: 1.0.2
name: SlackAudit - Unknown User Agent
queryFrequency: 24h
triggerThreshold: 0
relevantTechniques:
- T1071
- T1071.001
description: |
  'Detects Slack workspace activity from unknown user agents by comparing recent UserAgentOriginal values against
  a 14d baseline of known user agents.'  
triggerOperator: gt