Azure AIP - No data displayed in the Data Discovery (preview) tab

Brass Contributor

Hey Everyone.

 

I am experiencing a weird issue on the portal. I had an Azure AIP Scanner deployed and running in Azure and on-prem. I was able to view found files in the portal however currently I can see that X amount of files have been discovered but when I go to the share to see what are the files exactly I am getting nothing shown on the screen: "No data to display"?

 

Is anyone experiencing similar problem currently?

 

I have attached two screenshots.


Regards,

Wojciech

5 Replies

@mrktos I am having the same issue. I am able to access the information SSMS within the DB, but this is frustrating.

@dabo7667it seems there is a world wide issue. I have open two tickets with Microsoft. Support is not responding to me at all. The first ticket was just closed. They were speaking to me over the phone and suddenly said it that they will take a look at it and they just say - Have a nice day - and just hangup on me. Second ticket is still open and they are not responding to it at all - I have followed up few times with no luck. I will create another ticket and eventually go to our Business Relationship Manager as we spend quiet a lot on Azure and the recent support we got was really really bad experience.

@mrktos A bit ridiculous to spend so much with so little service or communication on their end. I'll update this thread when/if this is fixed.

@dabo7667 

I am still chasing them t fix this. They suppouse to send the ticket to LogAnalytics team which did not contact me at all anyway.

 

I have already tried to re-setup everything from scratch. I have built new Log Analytics workspace, I have configured new servers with AIP Scanner on them. I configured Profiles etc. Scanner Servers are visible in AIP Management Portal in Azure however they are not showing the list of files that have been discovered. I can only see the amount of files that have been discovered but that's it. Whenever I will try to display the list of files that have been discovered in the particular file share, I am getting info that there is not data to display.

@dabo7667 

I have found the issue and Microsoft is looking currently on this case. To get the Data Discovery blade working again as it should, when you query the the particular File Share you have to modify the query. This is the original query:

 

 

InformationProtectionLogs_CL
| extend Activity_s = columnifexists("Activity_s",""), ActionSource_s = columnifexists("ActionSource_s",""), LabelName_s = columnifexists("LabelName_s",""), LabelNameBefore_s = columnifexists("LabelNameBefore_s",""), LabelId_g = columnifexists("LabelId_g",""), Operation_s = columnifexists("Operation_s",""), TemplateId_g = columnifexists("TemplateId_g",""), ProtectionBefore_g = columnifexists("ProtectionBefore_g",""), ProtectionType_s = columnifexists("ProtectionType_s",""), ObjectId_s = columnifexists("ObjectId_s",""), ProcessName_s = columnifexists("ProcessName_s",""), Workload_s = columnifexists("Workload_s",""), Location_s = columnifexists("Location_s",""), ActionId_g = columnifexists("ActionId_g",""), UserId_s = columnifexists("UserId_s",""), MachineName_s = columnifexists("MachineName_s",""), IPv4_s = columnifexists("IPv4_s",""), DeviceRisk_s = columnifexists("DeviceRisk_s",""), Platform_s = columnifexists("Platform_s",""), ApplicationName_s = columnifexists("ApplicationName_s",""), ApplicationId_g = columnifexists("ApplicationId_g",""), UserJustification_s = columnifexists("UserJustification_s",""), MachineId_s = columnifexists("MachineId_s",""), LogId_g = columnifexists("LogId_g",""), ActionIdBefore_g = columnifexists("ActionIdBefore_g",""), LastModifiedBy_s = columnifexists("LastModifiedBy_s",""), ContentId_g = columnifexists("ContentId_g",""), MatchedLabelName_s = columnifexists("MatchedLabelName_s",""), RecommendedLabelName_s = columnifexists("RecommendedLabelName_s",""), RecommendedLabelId_g = columnifexists("RecommendedLabelId_g",""), MatchedLabelId_g = columnifexists("MatchedLabelId_g",""), ProtectionOwnerBefore_s = columnifexists("ProtectionOwnerBefore_s",""), ProtectionOwner_s = columnifexists("ProtectionOwner_s",""), ProductVersion_s = columnifexists("ProductVersion_s",""), ProtectionTypeBefore_s = columnifexists("ProtectionTypeBefore_s",""), Protected_b = columnifexists("Protected_b",false), ProtectedBeforeAction_b = columnifexists("ProtectedBeforeAction_b",false), InformationTypes_s = columnifexists("InformationTypes_s","[]"), MatchedRules_s = columnifexists("MatchedRules_s","[]"), InformationTypesAbove55_s = columnifexists("InformationTypesAbove55_s","[]"), InformationTypesAbove65_s = columnifexists("InformationTypesAbove65_s","[]"), InformationTypesAbove75_s = columnifexists("InformationTypesAbove75_s","[]"), InformationTypesAbove85_s = columnifexists("InformationTypesAbove85_s","[]"), InformationTypesAbove95_s = columnifexists("InformationTypesAbove95_s","[]"), DiscoveredInformationTypes_s = columnifexists("DiscoveredInformationTypes_s","[]"), ProtectionTime_t = columnifexists("ProtectionTime_t",datetime(null)), LastModifiedDate_t = columnifexists("LastModifiedDate_t",datetime(null))
| where TimeGenerated >= ago(31d)
| where isnotempty(ObjectId_s)
| where ApplicationName_s !~ "Microsoft Cloud App Security"
| where Workload_s != "RMS"
| extend uniqeId = iff(Location_s =~ "Endpoint", strcat(MachineName_s, ObjectId_s), ObjectId_s)
| summarize hint.strategy = shuffle arg_max(TimeGenerated, *) by uniqeId
| where Operation_s!~ "FileDeleted"

| extend DataDiscoveryLocation = iff(Location_s =~ "Endpoint", strcat(MachineName_s, ObjectId_s), ObjectId_s)
| where DataDiscoveryLocation contains "\\\\\\\\fileshare-name\\\\f$\\\\"
| where Location_s in ("FileShare")
| extend dynamicInformationTypes_s = todynamic(InformationTypes_s)
| where isempty(dynamicInformationTypes_s) or InformationTypes_s == "[]" or dynamicInformationTypes_s has "ABA Routing Number" or dynamicInformationTypes_s has "Argentina National Identity (DNI) Number" or dynamicInformationTypes_s has "Australia Bank Account Number" or dynamicInformationTypes_s has "Australia Driver's License Number" or dynamicInformationTypes_s has "Australia Medical Account Number" or dynamicInformationTypes_s has "Australia Passport Number" or dynamicInformationTypes_s has "Australia Tax File Number" or dynamicInformationTypes_s has "Azure Storage Account Key (Generic)" or dynamicInformationTypes_s has "Brazil CPF Number" or dynamicInformationTypes_s has "Brazil Legal Entity Number (CNPJ)" or dynamicInformationTypes_s has "Brazil National ID Card (RG)" or dynamicInformationTypes_s has "Canada Bank Account Number" or dynamicInformationTypes_s has "Canada Driver's License Number" or dynamicInformationTypes_s has "Canada Health Service Number" or dynamicInformationTypes_s has "Canada Passport Number" or dynamicInformationTypes_s has "Canada Personal Health Identification Number (PHIN)" or dynamicInformationTypes_s has "Canada Social Insurance Number" or dynamicInformationTypes_s has "Chile Identity Card Number" or dynamicInformationTypes_s has "China Resident Identity Card (PRC) Number" or dynamicInformationTypes_s has "Credit Card Number" or dynamicInformationTypes_s has "Croatia Personal Identification (OIB) Number" or dynamicInformationTypes_s has "Denmark Personal Identification Number" or dynamicInformationTypes_s has "Drug Enforcement Agency (DEA) Number" or dynamicInformationTypes_s has "EU Debit Card Number" or dynamicInformationTypes_s has "EU Driver's License Number" or dynamicInformationTypes_s has "EU GPS Coordinates" or dynamicInformationTypes_s has "EU Mobile Phone Number" or dynamicInformationTypes_s has "EU National Identification Number" or dynamicInformationTypes_s has "EU Passport Number" or dynamicInformationTypes_s has "EU Phone Number" or dynamicInformationTypes_s has "EU Social Security Number (SSN) or Equivalent ID" or dynamicInformationTypes_s has "EU Tax Identification Number (TIN)" or dynamicInformationTypes_s has "Finland Passport Number" or dynamicInformationTypes_s has "France Driver's License Number" or dynamicInformationTypes_s has "France National ID Card (CNI)" or dynamicInformationTypes_s has "France Passport Number" or dynamicInformationTypes_s has "France Social Security Number (INSEE)" or dynamicInformationTypes_s has "German Driver's License Number" or dynamicInformationTypes_s has "German Passport Number" or dynamicInformationTypes_s has "Germany Identity Card Number" or dynamicInformationTypes_s has "Hong Kong Identity Card (HKID) Number" or dynamicInformationTypes_s has "IP Address" or dynamicInformationTypes_s has "India Permanent Account Number (PAN)" or dynamicInformationTypes_s has "India Unique Identification (Aadhaar) Number" or dynamicInformationTypes_s has "International Banking Account Number (IBAN)" or dynamicInformationTypes_s has "Ireland Personal Public Service (PPS) Number" or dynamicInformationTypes_s has "Israel Bank Account Number" or dynamicInformationTypes_s has "Japan Bank Account Number" or dynamicInformationTypes_s has "Japan Driver's License Number" or dynamicInformationTypes_s has "Japan Passport Number" or dynamicInformationTypes_s has "Japan Social Insurance Number (SIN)" or dynamicInformationTypes_s has "Malaysia Identity Card Number" or dynamicInformationTypes_s has "New Zealand Ministry of Health Number" or dynamicInformationTypes_s has "Norway Identity Number" or dynamicInformationTypes_s has "Poland National ID (PESEL)" or dynamicInformationTypes_s has "Portugal Citizen Card Number" or dynamicInformationTypes_s has "SQL Server Connection String" or dynamicInformationTypes_s has "SWIFT Code" or dynamicInformationTypes_s has "Saudi Arabia National ID" or dynamicInformationTypes_s has "Singapore National Registration Identity Card (NRIC) Number" or dynamicInformationTypes_s has "South Africa Identification Number" or dynamicInformationTypes_s has "South Korea Resident Registration Number" or dynamicInformationTypes_s has "Spain Social Security Number (SSN)" or dynamicInformationTypes_s has "Sweden National ID" or dynamicInformationTypes_s has "Sweden Passport Number" or dynamicInformationTypes_s has "Taiwan Passport Number" or dynamicInformationTypes_s has "Taiwan Resident Certificate (ARC,TARC)" or dynamicInformationTypes_s has "Thai Population Identification Code" or dynamicInformationTypes_s has "Turkish National Identification number" or dynamicInformationTypes_s has "U.K. Electoral Roll Number" or dynamicInformationTypes_s has "U.K. National Health Service Number" or dynamicInformationTypes_s has "U.K. National Insurance Number (NINO)" or dynamicInformationTypes_s has "U.S. , U.K. Passport Number" or dynamicInformationTypes_s has "U.S. Bank Account Number" or dynamicInformationTypes_s has "U.S. Driver's License Number" or dynamicInformationTypes_s has "U.S. Individual Taxpayer Identification Number (ITIN)" or dynamicInformationTypes_s has "USA Social Security Number (SSN)"
| extend rootPath = iff(Location_s =~ "Endpoint", MachineName_s, iff(ObjectId_s startswith "http",tolower(replace(@'(/(?:[^/]+/){2}).*', @'\1', ObjectId_s)), tolower(replace(@'(\\(?:[^\\]+\\){2}).*', @'\1', ObjectId_s))))
| summarize labelCount = countif(isnotempty(LabelId_g)), matchedLabelCount = countif(isnotempty(MatchedLabelName_s)), protectionCount = countif(Protected_b), informationTypesMatchesCount = countif(isnotempty(InformationTypes_s) and InformationTypes_s !~ "[]"), location = any(Location_s) by name=rootPath

 

And here is the modified query:

 

InformationProtectionLogs_CL
| extend Activity_s = columnifexists("Activity_s",""), ActionSource_s = columnifexists("ActionSource_s",""), LabelName_s = columnifexists("LabelName_s",""), LabelNameBefore_s = columnifexists("LabelNameBefore_s",""), LabelId_g = columnifexists("LabelId_g",""), Operation_s = columnifexists("Operation_s",""), TemplateId_g = columnifexists("TemplateId_g",""), ProtectionBefore_g = columnifexists("ProtectionBefore_g",""), ProtectionType_s = columnifexists("ProtectionType_s",""), ObjectId_s = columnifexists("ObjectId_s",""), ProcessName_s = columnifexists("ProcessName_s",""), Workload_s = columnifexists("Workload_s",""), Location_s = columnifexists("Location_s",""), ActionId_g = columnifexists("ActionId_g",""), UserId_s = columnifexists("UserId_s",""), MachineName_s = columnifexists("MachineName_s",""), IPv4_s = columnifexists("IPv4_s",""), DeviceRisk_s = columnifexists("DeviceRisk_s",""), Platform_s = columnifexists("Platform_s",""), ApplicationName_s = columnifexists("ApplicationName_s",""), ApplicationId_g = columnifexists("ApplicationId_g",""), UserJustification_s = columnifexists("UserJustification_s",""), MachineId_s = columnifexists("MachineId_s",""), LogId_g = columnifexists("LogId_g",""), ActionIdBefore_g = columnifexists("ActionIdBefore_g",""), LastModifiedBy_s = columnifexists("LastModifiedBy_s",""), ContentId_g = columnifexists("ContentId_g",""), MatchedLabelName_s = columnifexists("MatchedLabelName_s",""), RecommendedLabelName_s = columnifexists("RecommendedLabelName_s",""), RecommendedLabelId_g = columnifexists("RecommendedLabelId_g",""), MatchedLabelId_g = columnifexists("MatchedLabelId_g",""), ProtectionOwnerBefore_s = columnifexists("ProtectionOwnerBefore_s",""), ProtectionOwner_s = columnifexists("ProtectionOwner_s",""), ProductVersion_s = columnifexists("ProductVersion_s",""), ProtectionTypeBefore_s = columnifexists("ProtectionTypeBefore_s",""), Protected_b = columnifexists("Protected_b",false), ProtectedBeforeAction_b = columnifexists("ProtectedBeforeAction_b",false), InformationTypes_s = columnifexists("InformationTypes_s","[]"), MatchedRules_s = columnifexists("MatchedRules_s","[]"), InformationTypesAbove55_s = columnifexists("InformationTypesAbove55_s","[]"), InformationTypesAbove65_s = columnifexists("InformationTypesAbove65_s","[]"), InformationTypesAbove75_s = columnifexists("InformationTypesAbove75_s","[]"), InformationTypesAbove85_s = columnifexists("InformationTypesAbove85_s","[]"), InformationTypesAbove95_s = columnifexists("InformationTypesAbove95_s","[]"), DiscoveredInformationTypes_s = columnifexists("DiscoveredInformationTypes_s","[]"), ProtectionTime_t = columnifexists("ProtectionTime_t",datetime(null)), LastModifiedDate_t = columnifexists("LastModifiedDate_t",datetime(null))
| where TimeGenerated >= ago(31d)
| where isnotempty(ObjectId_s)
| where ApplicationName_s !~ "Microsoft Cloud App Security"
| where Workload_s != "RMS"
| extend uniqeId = iff(Location_s =~ "Endpoint", strcat(MachineName_s, ObjectId_s), ObjectId_s)
| summarize hint.strategy = shuffle arg_max(TimeGenerated, *) by uniqeId
| where Operation_s!~ "FileDeleted"
| extend DataDiscoveryLocation = iff(Location_s =~ "Endpoint", strcat(MachineName_s, ObjectId_s), ObjectId_s)
| where DataDiscoveryLocation contains "\\\\\\\\fileshare-name\\\\f$\\\\"
| where Location_s in ("FileShare")
| extend dynamicInformationTypes_s = todynamic(InformationTypes_s)
| where isempty(dynamicInformationTypes_s) or InformationTypes_s == "[]" or dynamicInformationTypes_s has "ABA Routing Number" or dynamicInformationTypes_s has "Argentina National Identity (DNI) Number" or dynamicInformationTypes_s has "Australia Bank Account Number" or dynamicInformationTypes_s has "Australia Driver's License Number" or dynamicInformationTypes_s has "Australia Medical Account Number" or dynamicInformationTypes_s has "Australia Passport Number" or dynamicInformationTypes_s has "Australia Tax File Number" or dynamicInformationTypes_s has "Azure Storage Account Key (Generic)" or dynamicInformationTypes_s has "Brazil CPF Number" or dynamicInformationTypes_s has "Brazil Legal Entity Number (CNPJ)" or dynamicInformationTypes_s has "Brazil National ID Card (RG)" or dynamicInformationTypes_s has "Canada Bank Account Number" or dynamicInformationTypes_s has "Canada Driver's License Number" or dynamicInformationTypes_s has "Canada Health Service Number" or dynamicInformationTypes_s has "Canada Passport Number" or dynamicInformationTypes_s has "Canada Personal Health Identification Number (PHIN)" or dynamicInformationTypes_s has "Canada Social Insurance Number" or dynamicInformationTypes_s has "Chile Identity Card Number" or dynamicInformationTypes_s has "China Resident Identity Card (PRC) Number" or dynamicInformationTypes_s has "Credit Card Number" or dynamicInformationTypes_s has "Croatia Personal Identification (OIB) Number" or dynamicInformationTypes_s has "Denmark Personal Identification Number" or dynamicInformationTypes_s has "Drug Enforcement Agency (DEA) Number" or dynamicInformationTypes_s has "EU Debit Card Number" or dynamicInformationTypes_s has "EU Driver's License Number" or dynamicInformationTypes_s has "EU GPS Coordinates" or dynamicInformationTypes_s has "EU Mobile Phone Number" or dynamicInformationTypes_s has "EU National Identification Number" or dynamicInformationTypes_s has "EU Passport Number" or dynamicInformationTypes_s has "EU Phone Number" or dynamicInformationTypes_s has "EU Social Security Number (SSN) or Equivalent ID" or dynamicInformationTypes_s has "EU Tax Identification Number (TIN)" or dynamicInformationTypes_s has "Finland Passport Number" or dynamicInformationTypes_s has "France Driver's License Number" or dynamicInformationTypes_s has "France National ID Card (CNI)" or dynamicInformationTypes_s has "France Passport Number" or dynamicInformationTypes_s has "France Social Security Number (INSEE)" or dynamicInformationTypes_s has "German Driver's License Number" or dynamicInformationTypes_s has "German Passport Number" or dynamicInformationTypes_s has "Germany Identity Card Number" or dynamicInformationTypes_s has "Hong Kong Identity Card (HKID) Number" or dynamicInformationTypes_s has "IP Address" or dynamicInformationTypes_s has "India Permanent Account Number (PAN)" or dynamicInformationTypes_s has "India Unique Identification (Aadhaar) Number" or dynamicInformationTypes_s has "International Banking Account Number (IBAN)" or dynamicInformationTypes_s has "Ireland Personal Public Service (PPS) Number" or dynamicInformationTypes_s has "Israel Bank Account Number" or dynamicInformationTypes_s has "Japan Bank Account Number" or dynamicInformationTypes_s has "Japan Driver's License Number" or dynamicInformationTypes_s has "Japan Passport Number" or dynamicInformationTypes_s has "Japan Social Insurance Number (SIN)" or dynamicInformationTypes_s has "Malaysia Identity Card Number" or dynamicInformationTypes_s has "New Zealand Ministry of Health Number" or dynamicInformationTypes_s has "Norway Identity Number" or dynamicInformationTypes_s has "Poland National ID (PESEL)" or dynamicInformationTypes_s has "Portugal Citizen Card Number" or dynamicInformationTypes_s has "SQL Server Connection String" or dynamicInformationTypes_s has "SWIFT Code" or dynamicInformationTypes_s has "Saudi Arabia National ID" or dynamicInformationTypes_s has "Singapore National Registration Identity Card (NRIC) Number" or dynamicInformationTypes_s has "South Africa Identification Number" or dynamicInformationTypes_s has "South Korea Resident Registration Number" or dynamicInformationTypes_s has "Spain Social Security Number (SSN)" or dynamicInformationTypes_s has "Sweden National ID" or dynamicInformationTypes_s has "Sweden Passport Number" or dynamicInformationTypes_s has "Taiwan Passport Number" or dynamicInformationTypes_s has "Taiwan Resident Certificate (ARC,TARC)" or dynamicInformationTypes_s has "Thai Population Identification Code" or dynamicInformationTypes_s has "Turkish National Identification number" or dynamicInformationTypes_s has "U.K. Electoral Roll Number" or dynamicInformationTypes_s has "U.K. National Health Service Number" or dynamicInformationTypes_s has "U.K. National Insurance Number (NINO)" or dynamicInformationTypes_s has "U.S. , U.K. Passport Number" or dynamicInformationTypes_s has "U.S. Bank Account Number" or dynamicInformationTypes_s has "U.S. Driver's License Number" or dynamicInformationTypes_s has "U.S. Individual Taxpayer Identification Number (ITIN)" or dynamicInformationTypes_s has "USA Social Security Number (SSN)"
| extend rootPath = iff(Location_s =~ "Endpoint", MachineName_s, iff(ObjectId_s startswith "http",tolower(replace(@'(/(?:[^/]+/){2}).*', @'\1', ObjectId_s)), tolower(replace(@'(\\(?:[^\\]+\\){2}).*', @'\1', ObjectId_s))))

 

Also make sure to modify this line accordingly to the name of your file share:

 

| where DataDiscoveryLocation contains "\\\\name of you file share\\drive_letter$\\"