SlackAudit - User email linked to account changed

SlackAudit
| where TimeGenerated between (ago(14d) .. (1d))
| summarize max(TimeGenerated) by SrcUserName, SrcUserEmail
| join (SlackAudit 
      | where Action =~ 'user_login'
      | project SrcIpAddr, SrcUserName, NewUserEmail = SrcUserEmail) on SrcUserName
| where NewUserEmail != SrcUserEmail
| extend AccountCustomEntity = SrcUserName
| extend IPCustomEntity = SrcIpAddr

name: SlackAudit - User email linked to account changed.
query: |
  SlackAudit
  | where TimeGenerated between (ago(14d) .. (1d))
  | summarize max(TimeGenerated) by SrcUserName, SrcUserEmail
  | join (SlackAudit 
        | where Action =~ 'user_login'
        | project SrcIpAddr, SrcUserName, NewUserEmail = SrcUserEmail) on SrcUserName
  | where NewUserEmail != SrcUserEmail
  | extend AccountCustomEntity = SrcUserName
  | extend IPCustomEntity = SrcIpAddr  
queryFrequency: 1h
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
  - SlackAudit_CL
  connectorId: SlackAuditAPI
status: Available
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUserEmailChanged.yaml
description: |
    'Detects when user email linked to account changes.'
version: 1.0.0
id: 9d85feb3-7f54-4181-b143-68abb1a86823
kind: Scheduled
relevantTechniques:
- T1078
severity: Medium
tactics:
- InitialAccess
queryPeriod: 14d