[Slack] Parse Slack File URL

[christophercutajar]

Currently, details.url_private is not being parsed. This field is available when event.action: file_downloaded

Sample document:

{
    "action": "file_downloaded",
    "actor": {
        "type": "user",
        "user": {
            "email": "user.mcuser@abcd.co",
            "id": "2f52269c-4f38-4f08-b56d-c2b968681dbd",
            "name": "User McUser",
            "team": "user-team"
        }
    },
    "context": {
        "ip_address": "81.2.69.144",
        "location": {
            "domain": "domain.tld",
            "id": "eedd1a7d-1a92-418d-8b01-51a4c809d0fb",
            "name": "The Place",
            "type": "workspace"
        },
        "session_id": 913888259765,
        "ua": "com.tinyspeck.chatlyio/23.04.40 (iPhone; iOS 1.4.1; Scale/3.00)"
    },
    "date_create": 1683836275,
    "details": {
        "url_private": "https://example.com/"
    },
    "entity": {
        "file": {
            "filetype": "image/png",
            "id": "7edc4c42-f925-47af-979a-22c10e1fefed",
            "name": "image.png",
            "title": "image.png"
        },
        "type": "file"
    },
    "id": "2db28060-1659-4b27-ad55-fdba12e3a7b1"
}

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)