Data discovery, reporting and analytics for all your data with Microsoft Information Protection
Published Sep 26 2018 07:18 AM 43.1K Views
Microsoft

 

Gain visibility into sensitive data across your organization with Azure Information Protection analytics

 

The information protection lifecycle wouldn’t be complete without the ability to understand the state of your sensitive data, along with the ability to remediate potential issues. Today we are announcing the public preview of Azure Information Protection analytics, which gives you insights into labeled and protected documents and emails across your organization. These insights are made possible by sending information protection audit events from Azure Information Protection clients and scanners to a centralized location based on the Azure Log Analytics service.

 

 

The Usage report dashboard provides information on the volume of labeled and protected documents and emails over time and the label distribution of files by label type, along with where the label was applied.

 

AIP usage report.png

Azure Information Protection analytics gives you better visibility into your labeled and protected files.

 

 

The data discovery dashboard provides information on the location of sensitive data within your organization, such as the location of documents labeled as confidential and of data containing GDPR, PCI and other highly regulated information.

 

You can drill into file repositories (scanned by the Azure Information Protection scanner) to inspect where sensitive data resides, as well as what sensitive content they contain (such as financial info, PII or other information based on content inspection).

  

AIP data discovery.png

Azure Information Protection analytics gives you better visibility into where your sensitive data resides across file repositories and endpoint devices.

 

 

If you wish to inspect the raw audit data, export the results to Excel or Power BI, or write your own custom queries, you can do so by clicking the Log Analytics icon on the dashboard. AIP audit log data is stored in the InformationProtectionLogs_CL table.

 

AIP log analytics.png

Azure Log Analytics view of AIP audit logs allows you to inspect the raw data and write your own queries.
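
As an added example (not part of the original post and not Microsoft's own query), here is one custom query against InformationProtectionLogs_CL that keeps the latest audit record per file and counts labeled and protected files by label and location. The column names and the "Endpoint" and "FileDeleted" values are taken from the dashboard query quoted in the comments on this page; that they are populated in a given workspace is an assumption, so column_ifexists supplies defaults.

```kusto
// Added example: file counts per label and location, with how many are protected.
// Column names are assumed to match the dashboard query quoted in the comments.
InformationProtectionLogs_CL
| where TimeGenerated >= ago(31d)
// Custom-log columns exist only once some event has populated them, so default the ones used here.
| extend LabelName_s   = column_ifexists("LabelName_s", ""),
         Location_s    = column_ifexists("Location_s", ""),
         MachineName_s = column_ifexists("MachineName_s", ""),
         ObjectId_s    = column_ifexists("ObjectId_s", ""),
         Operation_s   = column_ifexists("Operation_s", ""),
         Protected_b   = column_ifexists("Protected_b", false)
| where isnotempty(ObjectId_s)
// The same path can exist on several endpoints, so key endpoint files by machine name plus path.
| extend FileKey = iff(Location_s =~ "Endpoint", strcat(MachineName_s, ObjectId_s), ObjectId_s)
// Keep only the most recent audit event for each file.
| summarize arg_max(TimeGenerated, *) by FileKey
// Drop files whose latest event is a deletion.
| where Operation_s !~ "FileDeleted"
| extend Label = iff(isempty(LabelName_s), "(no label)", LabelName_s)
| summarize Files = count(),
            ProtectedFiles = countif(Protected_b == true)
          by Label, Location_s
| order by Files desc
```

The block contains no blank lines on purpose: the Log Analytics query editor treats a blank line as the end of a query.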

 

 

Prerequisites for Azure Information Protection analytics preview

To view the Azure Information Protection reports, make sure that the following requirements are in place.

 

 

Requirement: An Azure subscription that includes Log Analytics
More information: See the Azure Log Analytics pricing page. If you do not have an Azure subscription or you do not currently use Azure Log Analytics, this page includes a link for a free trial.

Requirement: Azure Information Protection client v1.41.51.0 or above
More information: If you haven't already installed the current preview version of the client, you can download and install it from the Microsoft Download Center.

Requirement: For the Discovery report, you have deployed the Azure Information Protection scanner
More information: For installation instructions, see Deploying the Azure Information Protection scanner to automatically classify and protect files. If you are upgrading from a previous version of the scanner, see Upgrading the Azure Information Protection scanner.

 

By now, you might be wondering what these dashboards look like with data collected from your own endpoints. Get the prerequisites squared away, and then head over to the Azure portal to have a look. If you need more information, see our new documentation, Central reporting for Azure Information Protection.

 

We look forward to your feedback!

 

Azure Information Protection team

 

 

 

17 Comments
Copper Contributor

How does a scanner get recognized under the Node blade? I currently have a scanner configured and running; however, it does not appear under the node blade.

 

Node Preview Blade.PNG

 

Rob

Microsoft

Hi Robert,

Thank you for your input. AIP scanner node blade requires AIP version 1.37.19.0 and up. If the issue still persists, please open a support ticket.

Regards,

Lior

Copper Contributor

I am using scanner version 1.37.19.0. The scanner does show up under the Nodes menu. However, after doing a scan on a share it does not show up in the data discovery in the location area. Is there something I am missing? Thanks

Copper Contributor

Hi Lior, 

 

Great Job! Happy to partner with you guys, by adding to the AIP/MIP even further advanced querying, GDPR/CCPA and policy enforcement (even for Mac and Linux!)

 

Guy Leibovitz (Cognigo)

Copper Contributor

Hello, 

 

How do I "reset" the results?

For example, I changed the policy and am running the scanner again, and I want to "reset" the dashboard to only show the new results.

 

Microsoft

Hi,

You would have to re-run AIP scanner on the same repositories and you will see the latest results in AIP Discovery blade.

Copper Contributor

Thank you

 

But running the scanner again won't "delete" the previous info in the dashboard. How do you "reset the dashboard"?

Brass Contributor

If I want to use Analytics for Azure Information Protection, does it need an Azure subscription?

I am now using Microsoft 365 E5 License for making AIP environment, but it looks difficult to know without Analytics checking file activity adapted AIP policy. Do you have any way to use these features on AIP?


Copper Contributor

Is there a way to report on the number of users/machines that have installed the AIP client within your organization?

Copper Contributor

I too couldn't get the node to be recognized. The Get-AIPstatus returned an error. Looking deeper into the Event Logs, it indicated a valid profile could not be found. Creating a profile (next item under Nodes) with the same name as the server resolved the issue. 

Microsoft

You have to create a profile in the Azure portal in order to define what the scanner should do and how it should work (enforce/discovery etc.). If you didn't use the -profile parameter when you installed the scanner, the scanner node name is used as the profile name. Read more about it at https://docs.microsoft.com/en-us/azure/information-protection/deploy-aip-scanner#configure-the-scann...

Copper Contributor

Hello @Lior Lukov

With AIP P1 licensing, can we see the data discovery along with its labeling, i.e. information types as well as their mapping with labels? I understand that with P1, we can't enforce auto labeling.

Copper Contributor

Hello, with this solution, it is possible to see the endpoint, but is it possible to see the cloud location (OneDrive & SharePoint)?

 

Ali

Brass Contributor

@Lior Lukov 

When we enable "Send information type matches to Azure Information Protection analytics" in UL, the Azure Information Protection lets you collect and store the actual data that's identified as being a sensitive information type (predefined or custom). For example, this can include credit card numbers that are found, as well as social security numbers, passport numbers, and bank account numbers.

So the question is: is there any way to find how this sensitive information actually gets stored in Azure, e.g. credit card number, with or without a mask, etc.?

Any query, please? I checked on the InformationProtectionLogs_CL but couldn't find the actual data (sensitive information, e.g. the actual credit card number).

 

Thanks.

Bronze Contributor

Hello @Lior Lukov 

I would like to know if it is possible to get the query in Log Analytics that returns the data presented here

ChristopheHumbert_0-1612262914750.png

Thanks in advance

Microsoft

Hi @ChristopheHumbert. You can see the queries that we run when opening developer mode (F12 on keyboard). Then you can see the query on the request. Next step is to copy the value and run it in Log Analytics (please make sure customer cleans extra spaces).

 

Anyway, this is the query that we run to get the requested report:

 

InformationProtectionLogs_CL

| extend Activity_s = columnifexists("Activity_s", ""), ActionSource_s = columnifexists("ActionSource_s", ""), LabelName_s = columnifexists("LabelName_s", ""), LabelNameBefore_s = columnifexists("LabelNameBefore_s", ""), LabelId_g = columnifexists("LabelId_g", ""), Operation_s = columnifexists("Operation_s", ""), TemplateId_g = columnifexists("TemplateId_g", ""), ProtectionBefore_g = columnifexists("ProtectionBefore_g", ""), ProtectionType_s = columnifexists("ProtectionType_s", ""), ObjectId_s = columnifexists("ObjectId_s", ""), ProcessName_s = columnifexists("ProcessName_s", ""), Workload_s = columnifexists("Workload_s", ""), Location_s = columnifexists("Location_s", ""), ActionId_g = columnifexists("ActionId_g", ""), UserId_s = columnifexists("UserId_s", ""), MachineName_s = columnifexists("MachineName_s", ""), IPv4_s = columnifexists("IPv4_s", ""), DeviceRisk_s = columnifexists("DeviceRisk_s", ""), Platform_s = columnifexists("Platform_s", ""), ApplicationName_s = columnifexists("ApplicationName_s", ""), ApplicationId_g = columnifexists("ApplicationId_g", ""), UserJustification_s = columnifexists("UserJustification_s", ""), MachineId_s = columnifexists("MachineId_s", ""), LogId_g = columnifexists("LogId_g", ""), ActionIdBefore_g = columnifexists("ActionIdBefore_g", ""), LastModifiedBy_s = columnifexists("LastModifiedBy_s", ""), ContentId_g = columnifexists("ContentId_g", ""), MatchedLabelName_s = columnifexists("MatchedLabelName_s", ""), RecommendedLabelName_s = columnifexists("RecommendedLabelName_s", ""), RecommendedLabelId_g = columnifexists("RecommendedLabelId_g", ""), MatchedLabelId_g = columnifexists("MatchedLabelId_g", ""), ProtectionOwnerBefore_s = columnifexists("ProtectionOwnerBefore_s", ""), ProtectionOwner_s = columnifexists("ProtectionOwner_s", ""), ProductVersion_s = columnifexists("ProductVersion_s", ""), ProtectionTypeBefore_s = columnifexists("ProtectionTypeBefore_s", ""), ResultStatus_s = columnifexists("ResultStatus_s", ""), ErrorMessage_s = 
columnifexists("ErrorMessage_s", ""), Protected_b = columnifexists("Protected_b", false), ProtectedBeforeAction_b = columnifexists("ProtectedBeforeAction_b", false), InformationTypes_s = columnifexists("InformationTypes_s", "[]"), MatchedRules_s = columnifexists("MatchedRules_s", "[]"), InformationTypesAbove55_s = columnifexists("InformationTypesAbove55_s", "[]"), InformationTypesAbove65_s = columnifexists("InformationTypesAbove65_s", "[]"), InformationTypesAbove75_s = columnifexists("InformationTypesAbove75_s", "[]"), InformationTypesAbove85_s = columnifexists("InformationTypesAbove85_s", "[]"), InformationTypesAbove95_s = columnifexists("InformationTypesAbove95_s", "[]"), DiscoveredInformationTypes_s = columnifexists("DiscoveredInformationTypes_s", "[]"), ProtectionTime_t = columnifexists("ProtectionTime_t", datetime(null)), LastModifiedDate_t = columnifexists("LastModifiedDate_t", datetime(null)) 

| where TimeGenerated >= ago(31d)

| where isnotempty(InformationTypes_s)

| where ApplicationName_s !~ "Microsoft Cloud App Security"

| where isnotempty(ObjectId_s)

| extend uniqeId = iff(Location_s =~ "Endpoint", strcat(MachineName_s, ObjectId_s), ObjectId_s)

| summarize hint.strategy = shuffle arg_max(TimeGenerated, *) by uniqeId

| where Operation_s !~ "FileDeleted"

| where TimeGenerated > ago(31d)

| extend dynamicInformationTypes_s = todynamic(InformationTypes_s)

| where isempty(dynamicInformationTypes_s) or InformationTypes_s == "[]" or dynamicInformationTypes_s has "12Digits" or dynamicInformationTypes_s has "ABA Routing Number" or dynamicInformationTypes_s has "Argentina National Identity (DNI) Number" or dynamicInformationTypes_s has "Australia Bank Account Number" or dynamicInformationTypes_s has "Australia Driver's License Number" or dynamicInformationTypes_s has "Australia Drivers License Number (v2)" or dynamicInformationTypes_s has "Australia Medical Account Number" or dynamicInformationTypes_s has "Australia Passport Number" or dynamicInformationTypes_s has "Australia Tax File Number" or dynamicInformationTypes_s has "Australian Business Number" or dynamicInformationTypes_s has "Australian Company Number" or dynamicInformationTypes_s has "Austria Driver's License Number" or dynamicInformationTypes_s has "Austria Identity Card" or dynamicInformationTypes_s has "Austria Passport Number" or dynamicInformationTypes_s has "Austria Social Security Number" or dynamicInformationTypes_s has "Austria Tax Identification Number" or dynamicInformationTypes_s has "Austria Value Added Tax (VAT) Number" or dynamicInformationTypes_s has "Azure DocumentDB Auth Key" or dynamicInformationTypes_s has "Azure IAAS Database Connection String and Azure SQL Connection String" or dynamicInformationTypes_s has "Azure IoT Connection String" or dynamicInformationTypes_s has "Azure Publish Setting Password" or dynamicInformationTypes_s has "Azure Redis Cache Connection String" or dynamicInformationTypes_s has "Azure SAS" or dynamicInformationTypes_s has "Azure Service Bus Connection String" or dynamicInformationTypes_s has "Azure Storage Account Key" or dynamicInformationTypes_s has "Azure Storage Account Key (Generic)" or dynamicInformationTypes_s has "Belgium Driver's License Number" or dynamicInformationTypes_s has "Belgium National Number" or dynamicInformationTypes_s has "Belgium Passport Number" or dynamicInformationTypes_s has "Belgium 
Value Added Tax Number" or dynamicInformationTypes_s has "Brazil CPF Number" or dynamicInformationTypes_s has "Brazil Legal Entity Number (CNPJ)" or dynamicInformationTypes_s has "Brazil National ID Card (RG)" or dynamicInformationTypes_s has "Bulgaria Driver's License Number" or dynamicInformationTypes_s has "Bulgaria Passport Number" or dynamicInformationTypes_s has "Bulgaria Uniform Civil Number" or dynamicInformationTypes_s has "CSCAN-AZURE0060 Azure Storage Account Shared Access Signature" or dynamicInformationTypes_s has "CSCAN-AZURE0100 Azure DevOps Personal Access Token" or dynamicInformationTypes_s has "CSCAN-AZURE0130 Azure Shared Access Key / Web Hook Token" or dynamicInformationTypes_s has "CSCAN-AZURE0140 Azure AD Client Access Token" or dynamicInformationTypes_s has "CSCAN-GENERAL0020 X.509 Certificate Private Key" or dynamicInformationTypes_s has "CSCAN-GENERAL0030 User Login Credentials" or dynamicInformationTypes_s has "CSCAN-GENERAL0050 ASP.NET Machine Key" or dynamicInformationTypes_s has "CSCAN-GENERAL0060 General Password" or dynamicInformationTypes_s has "CSCAN-GENERAL0120 Http Authorization Header" or dynamicInformationTypes_s has "CSCAN-GENERAL0130 Client Secret / Api Key" or dynamicInformationTypes_s has "CSCAN-GENERAL0140 General Symmetric Key" or dynamicInformationTypes_s has "CSCAN-MSFT0020 Moniker Agent Storage Account Key" or dynamicInformationTypes_s has "CSCAN-MSFT0030 Legacy Geneva Resource Access Key" or dynamicInformationTypes_s has "Canada Bank Account Number" or dynamicInformationTypes_s has "Canada Driver's License Number" or dynamicInformationTypes_s has "Canada Health Service Number" or dynamicInformationTypes_s has "Canada Passport Number" or dynamicInformationTypes_s has "Canada Personal Health Identification Number (PHIN)" or dynamicInformationTypes_s has "Canada Social Insurance Number" or dynamicInformationTypes_s has "Chile Identity Card Number" or dynamicInformationTypes_s has "China Resident Identity Card (PRC) 
Number" or dynamicInformationTypes_s has "Credit Card Number" or dynamicInformationTypes_s has "Credit Card Number (v2)" or dynamicInformationTypes_s has "Croatia Driver's License Number" or dynamicInformationTypes_s has "Croatia National ID Card Number" or dynamicInformationTypes_s has "Croatia Passport Number" or dynamicInformationTypes_s has "Croatia Personal Identification (OIB) Number" or dynamicInformationTypes_s has "Cyprus Driver's License Number" or dynamicInformationTypes_s has "Cyprus Identity Card" or dynamicInformationTypes_s has "Cyprus Tax Identification Number" or dynamicInformationTypes_s has "Czech National Identity Card Number" or dynamicInformationTypes_s has "Czech Republic Passport Number" or dynamicInformationTypes_s has "Denmark Driver's License Number" or dynamicInformationTypes_s has "Denmark Passport Number" or dynamicInformationTypes_s has "Denmark Personal Identification Number" or dynamicInformationTypes_s has "Drug Enforcement Agency (DEA) Number" or dynamicInformationTypes_s has "EU Debit Card Number" or dynamicInformationTypes_s has "EU Driver's License Number" or dynamicInformationTypes_s has "EU GPS Coordinates" or dynamicInformationTypes_s has "EU Mobile Phone Number" or dynamicInformationTypes_s has "EU National Identification Number" or dynamicInformationTypes_s has "EU Passport Number" or dynamicInformationTypes_s has "EU Phone Number" or dynamicInformationTypes_s has "EU Social Security Number (SSN) or Equivalent ID" or dynamicInformationTypes_s has "EU Tax Identification Number (TIN)" or dynamicInformationTypes_s has "Estonia Passport Number" or dynamicInformationTypes_s has "Estonia Personal Identification Code" or dynamicInformationTypes_s has "Finland Driver's License Number" or dynamicInformationTypes_s has "Finland National ID" or dynamicInformationTypes_s has "Finland Passport Number" or dynamicInformationTypes_s has "Finland Passport Number (v2)" or dynamicInformationTypes_s has "France Driver's License Number" or 
dynamicInformationTypes_s has "France National ID Card (CNI)" or dynamicInformationTypes_s has "France Social Security Number (INSEE)" or dynamicInformationTypes_s has "France Social Security Number (INSEE) (v2)" or dynamicInformationTypes_s has "France Tax Identification Number (numéro SPI.)" or dynamicInformationTypes_s has "France Value Added Tax Number" or dynamicInformationTypes_s has "German Driver's License Number" or dynamicInformationTypes_s has "German Passport Number" or dynamicInformationTypes_s has "Germany Identity Card Number" or dynamicInformationTypes_s has "Germany Tax Identification Number" or dynamicInformationTypes_s has "Germany Value Added Tax Number" or dynamicInformationTypes_s has "Greece Driver's License Number" or dynamicInformationTypes_s has "Greece National ID Card" or dynamicInformationTypes_s has "Greece Passport Number" or dynamicInformationTypes_s has "Greece Social Security Number (AMKA)" or dynamicInformationTypes_s has "Greek Tax identification Number" or dynamicInformationTypes_s has "Hong Kong Identity Card (HKID) Number" or dynamicInformationTypes_s has "Hungarian Social Security Number (TAJ)" or dynamicInformationTypes_s has "Hungary Driver's License Number" or dynamicInformationTypes_s has "Hungary Passport Number" or dynamicInformationTypes_s has "Hungary Personal Identification Number" or dynamicInformationTypes_s has "Hungary Tax identification Number" or dynamicInformationTypes_s has "IP Address" or dynamicInformationTypes_s has "IP Address v4" or dynamicInformationTypes_s has "IP Address v6" or dynamicInformationTypes_s has "India Permanent Account Number (PAN)" or dynamicInformationTypes_s has "India Unique Identification (Aadhaar) Number" or dynamicInformationTypes_s has "Indonesia Identity Card (KTP) Number" or dynamicInformationTypes_s has "International Banking Account Number (IBAN)" or dynamicInformationTypes_s has "Ireland Passport Number" or dynamicInformationTypes_s has "Ireland Personal Public Service (PPS) 
Number" or dynamicInformationTypes_s has "Israel Bank Account Number" or dynamicInformationTypes_s has "Israel National ID" or dynamicInformationTypes_s has "Italy Driver's License Number" or dynamicInformationTypes_s has "Italy Driver's License Number (v2)" or dynamicInformationTypes_s has "Italy Passport Number" or dynamicInformationTypes_s has "Italy Value Added Tax Number" or dynamicInformationTypes_s has "Japan Bank Account Number" or dynamicInformationTypes_s has "Japan Driver's License Number" or dynamicInformationTypes_s has "Japan Passport Number" or dynamicInformationTypes_s has "Japan Resident Registration Number" or dynamicInformationTypes_s has "Japan Social Insurance Number (SIN)" or dynamicInformationTypes_s has "Japanese My Number Corporate" or dynamicInformationTypes_s has "Japanese My Number Personal" or dynamicInformationTypes_s has "Japanese Residence Card Number" or dynamicInformationTypes_s has "Latvia Driver's License Number" or dynamicInformationTypes_s has "Latvia Personal Code" or dynamicInformationTypes_s has "Lithuania Driver's License Number" or dynamicInformationTypes_s has "Lithuania Passport Number" or dynamicInformationTypes_s has "Lithuania Personal Code" or dynamicInformationTypes_s has "Luxemburg Driver's License Number" or dynamicInformationTypes_s has "Luxemburg National Identification Number (Natural persons)" or dynamicInformationTypes_s has "Luxemburg National Identification Number (Non-natural persons)" or dynamicInformationTypes_s has "Luxemburg Passport Number" or dynamicInformationTypes_s has "Malaysia Identity Card Number" or dynamicInformationTypes_s has "Malta Driver's License Number" or dynamicInformationTypes_s has "Malta Identity Card Number" or dynamicInformationTypes_s has "Malta Passport Number" or dynamicInformationTypes_s has "Malta Tax ID Number" or dynamicInformationTypes_s has "Medicare Beneficiary Identifier (MBI) card" or dynamicInformationTypes_s has "Microsoft Confidential" or dynamicInformationTypes_s 
has "Netherlands Citizen's Service (BSN) Number" or dynamicInformationTypes_s has "Netherlands Driver's License Number" or dynamicInformationTypes_s has "Netherlands Passport Number" or dynamicInformationTypes_s has "Netherlands Tax Identification Number" or dynamicInformationTypes_s has "Netherlands Value Added Tax Number" or dynamicInformationTypes_s has "New Zealand Driver License Number" or dynamicInformationTypes_s has "New Zealand Inland Revenue number" or dynamicInformationTypes_s has "New Zealand Ministry of Health Number" or dynamicInformationTypes_s has "New Zealand Social Welfare Number" or dynamicInformationTypes_s has "New Zealand bank account number" or dynamicInformationTypes_s has "Norway Identity Number" or dynamicInformationTypes_s has "Philippines Unified Multi-Purpose ID Number" or dynamicInformationTypes_s has "Poland Identity Card" or dynamicInformationTypes_s has "Poland National ID (PESEL)" or dynamicInformationTypes_s has "Poland Passport Number (v2)" or dynamicInformationTypes_s has "Poland Tax Identification Number" or dynamicInformationTypes_s has "Polish REGON Number" or dynamicInformationTypes_s has "Portugal Citizen Card Number" or dynamicInformationTypes_s has "Portugal Passport Number" or dynamicInformationTypes_s has "Portugal Tax Identification Number" or dynamicInformationTypes_s has "Romania Driver's License Number" or dynamicInformationTypes_s has "Romania Passport Number" or dynamicInformationTypes_s has "Romania Personal Numerical Code (CNP)" or dynamicInformationTypes_s has "Russian Passport Number (Domestic)" or dynamicInformationTypes_s has "Russian Passport Number (International)" or dynamicInformationTypes_s has "SQL Server Connection String" or dynamicInformationTypes_s has "SWIFT Code" or dynamicInformationTypes_s has "Saudi Arabia National ID" or dynamicInformationTypes_s has "SecretTest" or dynamicInformationTypes_s has "Singapore National Registration Identity Card (NRIC) Number" or dynamicInformationTypes_s has 
"Slovakia Driver's License Number" or dynamicInformationTypes_s has "Slovakia Passport Number" or dynamicInformationTypes_s has "Slovakia Personal Number" or dynamicInformationTypes_s has "Slovenia Driver's License Number" or dynamicInformationTypes_s has "Slovenia Passport Number" or dynamicInformationTypes_s has "Slovenia Tax Identification Number" or dynamicInformationTypes_s has "Slovenia Unique Master Citizen Number" or dynamicInformationTypes_s has "South Africa Identification Number" or dynamicInformationTypes_s has "South Korea Resident Registration Number" or dynamicInformationTypes_s has "Spain DNI" or dynamicInformationTypes_s has "Spain Driver's License Number" or dynamicInformationTypes_s has "Spain Passport Number" or dynamicInformationTypes_s has "Spain Social Security Number (SSN)" or dynamicInformationTypes_s has "Spain Social Security Number (SSN) (v2)" or dynamicInformationTypes_s has "Spain Tax Identification Number" or dynamicInformationTypes_s has "Sweden Driver's License Number" or dynamicInformationTypes_s has "Sweden National ID" or dynamicInformationTypes_s has "Sweden Passport Number" or dynamicInformationTypes_s has "Sweden Passport Number (v2)" or dynamicInformationTypes_s has "Sweden Tax Identification Number" or dynamicInformationTypes_s has "Swiss Social Security Number AHV" or dynamicInformationTypes_s has "Taiwan National ID" or dynamicInformationTypes_s has "Taiwan Passport Number" or dynamicInformationTypes_s has "Taiwan Resident Certificate (ARC,TARC)" or dynamicInformationTypes_s has "Thai Population Identification Code" or dynamicInformationTypes_s has "Turkish National Identification number" or dynamicInformationTypes_s has "U.K. Driver's License Number" or dynamicInformationTypes_s has "U.K. Driver's License Number (v2)" or dynamicInformationTypes_s has "U.K. Electoral Roll Number" or dynamicInformationTypes_s has "U.K. National Health Service Number" or dynamicInformationTypes_s has "U.K. 
National Insurance Number (NINO)" or dynamicInformationTypes_s has "U.K. Passport Number (v2)" or dynamicInformationTypes_s has "U.K. Unique Taxpayer Reference Number" or dynamicInformationTypes_s has "U.S. , U.K. Passport Number" or dynamicInformationTypes_s has "U.S. Bank Account Number" or dynamicInformationTypes_s has "U.S. Driver's License Number" or dynamicInformationTypes_s has "U.S. Individual Taxpayer Identification Number (ITIN)" or dynamicInformationTypes_s has "U.S. Social Security Number (SSN) (v2)" or dynamicInformationTypes_s has "USA Social Security Number (SSN)" or dynamicInformationTypes_s has "Ukraine Passport Number (Domestic)" or dynamicInformationTypes_s has "Ukraine Passport Number (International)" or dynamicInformationTypes_s has "secret" or dynamicInformationTypes_s has "test"

| mvexpand expandedInfoTypes=todynamic(InformationTypes_s) 

| where expandedInfoTypes in (todynamic("[\"\",\"12Digits\",\"ABA Routing Number\",\"Argentina National Identity (DNI) Number\",\"Australia Bank Account Number\",\"Australia Driver's License Number\",\"Australia Drivers License Number (v2)\",\"Australia Medical Account Number\",\"Australia Passport Number\",\"Australia Tax File Number\",\"Australian Business Number\",\"Australian Company Number\",\"Austria Driver's License Number\",\"Austria Identity Card\",\"Austria Passport Number\",\"Austria Social Security Number\",\"Austria Tax Identification Number\",\"Austria Value Added Tax (VAT) Number\",\"Azure DocumentDB Auth Key\",\"Azure IAAS Database Connection String and Azure SQL Connection String\",\"Azure IoT Connection String\",\"Azure Publish Setting Password\",\"Azure Redis Cache Connection String\",\"Azure SAS\",\"Azure Service Bus Connection String\",\"Azure Storage Account Key\",\"Azure Storage Account Key (Generic)\",\"Belgium Driver's License Number\",\"Belgium National Number\",\"Belgium Passport Number\",\"Belgium Value Added Tax Number\",\"Brazil CPF Number\",\"Brazil Legal Entity Number (CNPJ)\",\"Brazil National ID Card (RG)\",\"Bulgaria Driver's License Number\",\"Bulgaria Passport Number\",\"Bulgaria Uniform Civil Number\",\"CSCAN-AZURE0060 Azure Storage Account Shared Access Signature\",\"CSCAN-AZURE0100 Azure DevOps Personal Access Token\",\"CSCAN-AZURE0130 Azure Shared Access Key / Web Hook Token\",\"CSCAN-AZURE0140 Azure AD Client Access Token\",\"CSCAN-GENERAL0020 X.509 Certificate Private Key\",\"CSCAN-GENERAL0030 User Login Credentials\",\"CSCAN-GENERAL0050 ASP.NET Machine Key\",\"CSCAN-GENERAL0060 General Password\",\"CSCAN-GENERAL0120 Http Authorization Header\",\"CSCAN-GENERAL0130 Client Secret / Api Key\",\"CSCAN-GENERAL0140 General Symmetric Key\",\"CSCAN-MSFT0020 Moniker Agent Storage Account Key\",\"CSCAN-MSFT0030 Legacy Geneva Resource Access Key\",\"Canada Bank Account Number\",\"Canada Driver's License Number\",\"Canada Health 
Service Number\",\"Canada Passport Number\",\"Canada Personal Health Identification Number (PHIN)\",\"Canada Social Insurance Number\",\"Chile Identity Card Number\",\"China Resident Identity Card (PRC) Number\",\"Credit Card Number\",\"Credit Card Number (v2)\",\"Croatia Driver's License Number\",\"Croatia National ID Card Number\",\"Croatia Passport Number\",\"Croatia Personal Identification (OIB) Number\",\"Cyprus Driver's License Number\",\"Cyprus Identity Card\",\"Cyprus Tax Identification Number\",\"Czech National Identity Card Number\",\"Czech Republic Passport Number\",\"Denmark Driver's License Number\",\"Denmark Passport Number\",\"Denmark Personal Identification Number\",\"Drug Enforcement Agency (DEA) Number\",\"EU Debit Card Number\",\"EU Driver's License Number\",\"EU GPS Coordinates\",\"EU Mobile Phone Number\",\"EU National Identification Number\",\"EU Passport Number\",\"EU Phone Number\",\"EU Social Security Number (SSN) or Equivalent ID\",\"EU Tax Identification Number (TIN)\",\"Estonia Passport Number\",\"Estonia Personal Identification Code\",\"Finland Driver's License Number\",\"Finland National ID\",\"Finland Passport Number\",\"Finland Passport Number (v2)\",\"France Driver's License Number\",\"France National ID Card (CNI)\",\"France Social Security Number (INSEE)\",\"France Social Security Number (INSEE) (v2)\",\"France Tax Identification Number (numéro SPI.)\",\"France Value Added Tax Number\",\"German Driver's License Number\",\"German Passport Number\",\"Germany Identity Card Number\",\"Germany Tax Identification Number\",\"Germany Value Added Tax Number\",\"Greece Driver's License Number\",\"Greece National ID Card\",\"Greece Passport Number\",\"Greece Social Security Number (AMKA)\",\"Greek Tax identification Number\",\"Hong Kong Identity Card (HKID) Number\",\"Hungarian Social Security Number (TAJ)\",\"Hungary Driver's License Number\",\"Hungary Passport Number\",\"Hungary Personal Identification Number\",\"Hungary Tax identification 
Number\",\"IP Address\",\"IP Address v4\",\"IP Address v6\",\"India Permanent Account Number (PAN)\",\"India Unique Identification (Aadhaar) Number\",\"Indonesia Identity Card (KTP) Number\",\"International Banking Account Number (IBAN)\",\"Ireland Passport Number\",\"Ireland Personal Public Service (PPS) Number\",\"Israel Bank Account Number\",\"Israel National ID\",\"Italy Driver's License Number\",\"Italy Driver's License Number (v2)\",\"Italy Passport Number\",\"Italy Value Added Tax Number\",\"Japan Bank Account Number\",\"Japan Driver's License Number\",\"Japan Passport Number\",\"Japan Resident Registration Number\",\"Japan Social Insurance Number (SIN)\",\"Japanese My Number Corporate\",\"Japanese My Number Personal\",\"Japanese Residence Card Number\",\"Latvia Driver's License Number\",\"Latvia Personal Code\",\"Lithuania Driver's License Number\",\"Lithuania Passport Number\",\"Lithuania Personal Code\",\"Luxemburg Driver's License Number\",\"Luxemburg National Identification Number (Natural persons)\",\"Luxemburg National Identification Number (Non-natural persons)\",\"Luxemburg Passport Number\",\"Malaysia Identity Card Number\",\"Malta Driver's License Number\",\"Malta Identity Card Number\",\"Malta Passport Number\",\"Malta Tax ID Number\",\"Medicare Beneficiary Identifier (MBI) card\",\"Microsoft Confidential\",\"Netherlands Citizen's Service (BSN) Number\",\"Netherlands Driver's License Number\",\"Netherlands Passport Number\",\"Netherlands Tax Identification Number\",\"Netherlands Value Added Tax Number\",\"New Zealand Driver License Number\",\"New Zealand Inland Revenue number\",\"New Zealand Ministry of Health Number\",\"New Zealand Social Welfare Number\",\"New Zealand bank account number\",\"Norway Identity Number\",\"Philippines Unified Multi-Purpose ID Number\",\"Poland Identity Card\",\"Poland National ID (PESEL)\",\"Poland Passport Number (v2)\",\"Poland Tax Identification Number\",\"Polish REGON Number\",\"Portugal Citizen Card 
Number\",\"Portugal Passport Number\",\"Portugal Tax Identification Number\",\"Romania Driver's License Number\",\"Romania Passport Number\",\"Romania Personal Numerical Code (CNP)\",\"Russian Passport Number (Domestic)\",\"Russian Passport Number (International)\",\"SQL Server Connection String\",\"SWIFT Code\",\"Saudi Arabia National ID\",\"SecretTest\",\"Singapore National Registration Identity Card (NRIC) Number\",\"Slovakia Driver's License Number\",\"Slovakia Passport Number\",\"Slovakia Personal Number\",\"Slovenia Driver's License Number\",\"Slovenia Passport Number\",\"Slovenia Tax Identification Number\",\"Slovenia Unique Master Citizen Number\",\"South Africa Identification Number\",\"South Korea Resident Registration Number\",\"Spain DNI\",\"Spain Driver's License Number\",\"Spain Passport Number\",\"Spain Social Security Number (SSN)\",\"Spain Social Security Number (SSN) (v2)\",\"Spain Tax Identification Number\",\"Sweden Driver's License Number\",\"Sweden National ID\",\"Sweden Passport Number\",\"Sweden Passport Number (v2)\",\"Sweden Tax Identification Number\",\"Swiss Social Security Number AHV\",\"Taiwan National ID\",\"Taiwan Passport Number\",\"Taiwan Resident Certificate (ARC,TARC)\",\"Thai Population Identification Code\",\"Turkish National Identification number\",\"U.K. Driver's License Number\",\"U.K. Driver's License Number (v2)\",\"U.K. Electoral Roll Number\",\"U.K. National Health Service Number\",\"U.K. National Insurance Number (NINO)\",\"U.K. Passport Number (v2)\",\"U.K. Unique Taxpayer Reference Number\",\"U.S. , U.K. Passport Number\",\"U.S. Bank Account Number\",\"U.S. Driver's License Number\",\"U.S. Individual Taxpayer Identification Number (ITIN)\",\"U.S. Social Security Number (SSN) (v2)\",\"USA Social Security Number (SSN)\",\"Ukraine Passport Number (Domestic)\",\"Ukraine Passport Number (International)\",\"secret\",\"test\"]"))

| summarize value=count() by name=tostring(expandedInfoTypes)

| where isnotempty(name)

| sort by value

Bronze Contributor

Thanks a lot @OdedBergman. Works like a charm... Note: in order to escape ' you have to double them :)

Version history
Last update: May 11 2021 02:01 PM