Walk Through Guide for Kusto Detective Agency Season 2, Case #9 Solution
It’s a new level on the graph! 📈
The ninth case riddle is:
The key takeaways from the riddle:
- We’re given a network log and asked to find an attack
- The structure is Gateway->Backend (one or more)->Admin
- A request counts as an attack only if all components on its path are vulnerable
- Each component is periodically tested for vulnerabilities
⚠SPOILER ALERT — THE SOLUTION DESCRIBED BELOW⚠
Note: this solution is mine and is not official.
Let’s delve into the data by leveraging | take 10 to see some rows.
The MachineLogs table has four columns: Timestamp, Machine, EventType, Message.
Let’s look closer at the different Messages for each EventType:
So, we have:
- PeriodicScan: the machine’s role and whether it is currently vulnerable
- IncomingRequest: the TaskId and its source
- SpawnTask: the TaskId and the SpawnTaskId it hands to the next machine
Let’s build a graph of vulnerable machines, starting at the Gateway and finishing at the Admin node:
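The check the graph has to encode, written here as an added Python model rather than the author’s KQL query (which is not reproduced on this page): follow each chain from IncomingRequest through SpawnTask TaskIds, look up every machine’s latest PeriodicScan before its hop, and report the chain only when all hops were vulnerable. Machine names, task ids and the pre-parsed Message dicts are constructed sample data.

```python
from collections import defaultdict
# Constructed sample shaped like the MachineLogs columns (Timestamp, Machine, EventType,
# Message); Message is pre-parsed into a dict because its real text format is not shown.
LOGS = [
    (1, "gw1", "PeriodicScan", {"role": "Gateway", "vulnerable": True}),
    (1, "be1", "PeriodicScan", {"role": "Backend", "vulnerable": True}),
    (1, "adm", "PeriodicScan", {"role": "Admin", "vulnerable": True}),
    # Request A: gw1 -> be1 -> adm while all three are vulnerable, so it is an attack.
    (5, "gw1", "IncomingRequest", {"task": "A", "source": "203.0.113.7"}),
    (5, "gw1", "SpawnTask", {"task": "A", "spawn": "A1"}),
    (6, "be1", "IncomingRequest", {"task": "A1", "source": "gw1"}),
    (6, "be1", "SpawnTask", {"task": "A1", "spawn": "A2"}),
    (7, "adm", "IncomingRequest", {"task": "A2", "source": "be1"}),
    # be1 is rescanned clean at 10, so request C (same path as A) is not an attack.
    (10, "be1", "PeriodicScan", {"role": "Backend", "vulnerable": False}),
    (11, "gw1", "IncomingRequest", {"task": "C", "source": "203.0.113.7"}),
    (11, "gw1", "SpawnTask", {"task": "C", "spawn": "C1"}),
    (12, "be1", "IncomingRequest", {"task": "C1", "source": "gw1"}),
    (12, "be1", "SpawnTask", {"task": "C1", "spawn": "C2"}),
    (13, "adm", "IncomingRequest", {"task": "C2", "source": "be1"}),
]

def find_attacks(logs):
    """Gateway -> Backend(s) -> Admin chains whose every hop was vulnerable at the time."""
    scans = defaultdict(list)   # machine -> [(ts, role, vulnerable)] in time order
    requests, spawns = {}, {}   # task -> (ts, machine); task -> the task it spawned
    for ts, machine, etype, msg in sorted(logs, key=lambda r: r[0]):
        if etype == "PeriodicScan":
            scans[machine].append((ts, msg["role"], msg["vulnerable"]))
        elif etype == "IncomingRequest":
            requests[msg["task"]] = (ts, machine)
        elif etype == "SpawnTask":
            spawns[msg["task"]] = msg["spawn"]
    def state(machine, ts):     # role and vulnerability per the last scan at or before ts
        seen = [s for s in scans[machine] if s[0] <= ts]
        return seen[-1][1:] if seen else (None, False)
    attacks = []
    for task, (ts, machine) in requests.items():
        role, vuln = state(machine, ts)
        path, ok = [(machine, task)], role == "Gateway" and vuln   # chains start at Gateway
        while ok and role != "Admin" and task in spawns and spawns[task] in requests:
            task = spawns[task]
            ts, machine = requests[task]
            role, vuln = state(machine, ts)
            path.append((machine, task))
            ok = ok and vuln
        if ok and role == "Admin" and len(path) >= 3:   # at least one Backend hop
            attacks.append(path)
    return attacks
```

On the sample, only request A is reported; request C is dropped because be1’s later scan shows it patched before the hop.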