Walk Through Guide for Kusto Detective Agency Season 2, Case #4 Solution
Cases Solutions: 0 1 2 3 4 5 6 7 8 9 10
Detective save the mayor! 🕵👩⚖
The fourth case riddle is:
The key takeaways from the riddle:
- Mayor is involved in a few incidents stemming from data leaks
- We got information on companies working with municipality
- We’re asked to find based on network activity who is behind it all
⚠SPOILER ALERT — THE SOLUTION DESCRIBED BELOW⚠
Note: Solution is mine, and non-official
So let’s delve into the data, by leveraging the | take 10, to see some rows.
The IpInfo table has; IpCidr, Info.
This is useful to know what companies are involved.
So let’s delve into the data, by leveraging the | take 10, to see some rows.
The NetworkMetrics table has; ColumnName Timestamp, ClientIP, TargetIP, BytesSent, BytesReceived, NewConnections.
Hackers would like to minimize their network footprint, so they would most probably connect to a single machine at a time.
Let’s find those:
If we only could detect anomalies where huge amounts of data were sent…
Lucky us! 🍀
KQL has series_decompose_anomalies function that knows to do just that!
Let’s find the companies with the maximal anomaly score:
The most suspicious company is KUANDA.ORG:
Real fishers! 🐟
Enjoyed this article? Feel free to long-press the 👏 button below 😀
Click for Next Case Solution ➡
