Query All Logs/sources for Credit Card Numbers


We thought this might be something that Microsoft Sentinel could have some built in functionality for but seems we cannot find it. We are looking to be able to query all of our log sources for any credit card numbers but I cannot seem to think of a great way to do this and I don't believe union is possible in an analytics rule. Has anyone else created logic in KQL to potentially solve this gap in the solution?

Happy to post our regex here as well:

(.*)((?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|3[47][0-9]{13}|6(?:011|5[0-9]{2})[0-9]{12}))(.*)

Common Goal:

1. Query the log source(s) for the specific regex
2. Parse the field identified as matching the regex so we can capture where it matches and go from there, not just that a "match exists"

This seems rather easy but also... struggling to think of a good way to make this happen, especially across all log sources rather than querying one table at a time.

3 Replies
Hello. You can use union just not with the wildcard "*".

Option 1:
https://github.com/Azure/Azure-Sentinel/blob/004ceca9de9e9686ce69aed17e7345872179dfac/Detections/Mul...
Option2:
https://github.com/Azure/Azure-Sentinel/blob/004ceca9de9e9686ce69aed17e7345872179dfac/Detections/Sec...

None of the above are ideal as you need to name the tables in the KQL - there is a partial workaround whereby you auto create the Table list in a watchlist (maybe daily) and use that in the query.

Option 3: Personally, I'd run a Playbook and use the union * in there (which doesn't have the limitation when you run it as a rule). It's not particularly efficient, so make sure these don't run too frequently and have time to process.

I use this to find txt in a column (for named Tables, I've not tried it with union)

let srch = "User"; // search for
search in (SigninLogs) srch // Table to search in
| evaluate narrow()
| where Value contains srch // also try "has" for better efficiency rather than "contains"
| summarize count() by Column, txtFound = srch, Value
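The two goals from the original post (match the regex across tables, then report which column matched) and the narrow()-based KQL in the reply above, worked through as an added Python example that is not part of this thread and not Sentinel's own code. It keeps the post's card-number alternation verbatim, fences it with digit boundaries and adds a Luhn mod-10 check so digit runs such as order ids are not reported, flattens each row into Column/Value pairs the way evaluate narrow() does, masks the matched value, and summarizes hits by table and column. The table names, column names and log rows are constructed for the example.

```python
import re
from collections import Counter
from typing import Any, Dict, Iterator, List, Optional, Tuple

# Card-number alternation from the original post, kept verbatim.
PAN_CORE = (
    r"(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|3[47][0-9]{13}"
    r"|6(?:011|5[0-9]{2})[0-9]{12})"
)
# The post's full pattern, including its leading and trailing (.*) groups.
ORIGINAL_RE = re.compile(r"(.*)(" + PAN_CORE + r")(.*)")
# Same alternation fenced by digit boundaries, so a PAN-shaped substring inside a
# longer digit run (order ids, timestamps, numeric hashes) is not reported.
BOUNDED_RE = re.compile(r"(?<![0-9])" + PAN_CORE + r"(?![0-9])")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: issued PANs pass it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep BIN and last four so the finding can be triaged without re-storing the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def narrow(record: Dict[str, Any], prefix: str = "") -> Iterator[Tuple[str, str]]:
    """Flatten one row into (Column, Value) pairs, the shape `evaluate narrow()` yields."""
    for col, val in record.items():
        name = f"{prefix}{col}"
        if isinstance(val, dict):           # dynamic column: descend with dotted names
            yield from narrow(val, name + ".")
        else:
            yield name, str(val)


def original_regex_match(text: str) -> Optional[str]:
    """Group 2 of the post's unbounded regex, or None; kept for comparison only."""
    m = ORIGINAL_RE.match(text)
    return m.group(2) if m else None


def find_pans(table: str, record: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Scan every column of one row; one hit per match with its location and Luhn status."""
    hits = []
    for col, val in narrow(record):
        for m in BOUNDED_RE.finditer(val):
            pan = m.group(0)
            hits.append({"Table": table, "Column": col,
                         "Match": mask(pan), "LuhnValid": luhn_ok(pan)})
    return hits


def summarize(rows: List[Tuple[str, Dict[str, Any]]], luhn_only: bool = True) -> Counter:
    """count() by Table, Column over all rows, like the summarize step in the KQL above."""
    counts: Counter = Counter()
    for table, record in rows:
        for h in find_pans(table, record):
            if luhn_only and not h["LuhnValid"]:
                continue
            counts[(h["Table"], h["Column"])] += 1
    return counts


# Constructed sample rows from three notional tables (hypothetical names, not tenant data).
SAMPLE_ROWS = [
    ("SigninLogs", {"UserPrincipalName": "alice@contoso.example",
                    "Properties": {"Note": "card 4111111111111111 on file"}}),
    ("Syslog", {"Computer": "web01",
                "SyslogMessage": "order 98765432101234567890 shipped"}),
    ("CustomApp_CL", {"RawData": "retry 5555555555554444 then 4111111111111112"}),
]

if __name__ == "__main__":
    for (table, col), n in summarize(SAMPLE_ROWS).items():
        print(f"{table}.{col}: {n} Luhn-valid PAN(s)")
```

Run stand-alone it prints one line per table and column that holds a Luhn-valid PAN; the 20-digit order id in the Syslog row is matched by the post's unbounded pattern but not by the bounded scan, and the Luhn-failing number in the CustomApp_CL row is dropped unless luhn_only is turned off. One caveat when carrying this back into KQL: Kusto's regex engine is RE2, which has no lookbehind, so the boundary has to be expressed differently there (for instance by matching and then testing the neighbouring characters in a separate step), and the Luhn check is a small function in the query rather than part of the regex.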

Thank you! Your "| evaluate narrow()" officially made the query. I think it might be beneficial to even publish this to the Azure Sentinel GitHub instance as it could be utilized by anyone who wants to search their log sources for PAN!

Thanks again for your assistance here!

Could you share the full code you used for this search? @analyst1900