Forum Discussion
analyst1900
Nov 03, 2023Copper Contributor
Query All Logs/sources for Credit Card Numbers
We thought this might be something that Microsoft Sentinel could have some built in functionality for but seems we cannot find it. We are looking to be able to query all of our log sources for any cr...
Clive_Watson
Nov 05, 2023Bronze Contributor
Hello. You can use union, just not with the wildcard "*".
Option 1:
https://github.com/Azure/Azure-Sentinel/blob/004ceca9de9e9686ce69aed17e7345872179dfac/Detections/MultipleDataSources/HostAADCorrelation.yaml#L69
Option 2:
https://github.com/Azure/Azure-Sentinel/blob/004ceca9de9e9686ce69aed17e7345872179dfac/Detections/SecurityEvent/SolorigateNamedPipe.yaml#L31
None of the above is ideal, as you need to name the tables in the KQL; there is a partial workaround whereby you auto-create the table list in a watchlist (maybe daily) and use that in the query.
Option 3: Personally, I'd run a Playbook and use the union * in there (which doesn't have the limitation when you run it as a rule). It's not particularly efficient, so make sure these don't run too frequently and have time to process.
I use this to find text in a column (for named tables; I've not tried it with union):
let srch = "User"; // search for
search in (SigninLogs) srch // Table to search in
| evaluate narrow()
| where Value contains srch // also try "has" for better efficiency rather than "contains"
| summarize count() by Column, txtFound = srch, Value
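The approach the thread converges on (named tables, `evaluate narrow()`, then a filter on `Value`) carried through to a PAN search, as an added example that is not analyst1900's or Clive_Watson's code. The table list, the one-day lookback and the digit regex are assumptions; the thread's `contains`/`has` filter is replaced with `extract_all()` because a card number is a pattern, not a term:

```kql
// Added example, not code from the thread. The table list, lookback window
// and regex are assumptions; adjust them for your workspace.
let lookback = 1d;
// 13-19 digits, optionally separated by single spaces or dashes. One capture
// group so extract_all() returns the whole match. KQL regex is RE2: no backrefs.
let panRegex = @"(\b(?:\d[ -]?){12,18}\d\b)";
search in (SigninLogs, SecurityEvent, CommonSecurityLog, Syslog, AzureDiagnostics) *
| where TimeGenerated > ago(lookback)
| evaluate narrow()                                // every column becomes Row, Column, Value
| where Column !in ("TimeGenerated", "TenantId", "_ResourceId", "SourceSystem")
| extend candidates = extract_all(panRegex, Value)
| where array_length(candidates) > 0
| mv-expand candidate = candidates to typeof(string)
| extend digits = replace_regex(candidate, @"[ -]", "")
| where strlen(digits) between (13 .. 19)
// Never surface the full PAN in results: keep BIN (first 6) and last 4 only
| extend masked = strcat(substring(digits, 0, 6), "******", substring(digits, strlen(digits) - 4))
| summarize hits = count() by Column, masked
| order by hits desc
```

Two caveats a practitioner should keep in mind. First, `narrow()` flattens `$table` into an ordinary Row/Column/Value triple, so the output tells you which column matched but not which table; if you need the table name, run the query per table or join back on `Row`. Second, nothing here validates the Luhn check digit, so timestamps, IMEIs, phone numbers and ticket IDs will show up as candidates; the masked hits are a hunting lead, and Luhn validation is best done in the Playbook route (Option 3 above) before anyone treats a hit as a confirmed PAN.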
analyst1900
Nov 10, 2023Copper Contributor
Thank you! Your "| evaluate narrow()" officially made the query. I think it might be beneficial to even publish this to the Azure Sentinel GitHub instance, as it could be utilized by anyone who wants to search their log sources for PAN!
Thanks again for your assistance here!
Analyst1994
Jan 24, 2024Copper Contributor
Could you share the full code you used for this search? analyst1900