Kusto Detective Agency Season 2 — Case #9 Badge

Walk Through Guide for Kusto Detective Agency Season 2, Case #9 Solution

Aviv Yaniv
Courisity is a Drug
2 min read · Sep 9, 2023

Cases Solutions: 0 1 2 3 4 5 6 7 8 9 10

It’s a new level on the graph! 📈

The ninth case riddle is:

The key takeaways from the riddle:

  1. We’re given a network log and asked to find an attack
  2. The structure is Gateway->Backend (one or more)->Admin
  3. It counts as an attack only if every component along the path is vulnerable
  4. Each component is tested periodically for vulnerabilities

⚠SPOILER ALERT — THE SOLUTION DESCRIBED BELOW⚠

Note: the solution is mine, and unofficial

Let’s delve into the data by running | take 10 to see a few rows.

The MachineLogs table has four columns: Timestamp, Machine, EventType, Message.

Let’s look closer at the different Message values for each EventType:

So, we have:

PeriodicScan: reports the machine’s role and whether it is currently vulnerable

IncomingRequest: the TaskId and its source machine

SpawnTask: the TaskId and the SpawnTaskId it spawned

Let’s build a graph of vulnerable machines, starting at the Gateway and finishing at the Admin node:
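As an added illustration (not the author’s KQL, which this post shows only as an image), here is the same idea in Python over constructed MachineLogs-shaped rows: IncomingRequest and SpawnTask events are linked into task chains, and only Gateway-to-Admin chains whose every hop was vulnerable per its latest PeriodicScan survive. The "Key: value" Message layout and the machine names are assumptions.

```python
import re
from bisect import bisect_right
from collections import defaultdict
# Constructed rows in the shape of MachineLogs (Timestamp, Machine, EventType, Message);
# the "Key: value" Message layout is an assumption, not the real challenge data.
MACHINE_LOGS = [
    ("2023-09-01T08:00", "gw-1", "PeriodicScan", "Role: Gateway, Vulnerable: true"),
    ("2023-09-01T08:00", "be-1", "PeriodicScan", "Role: Backend, Vulnerable: true"),
    ("2023-09-01T08:00", "be-2", "PeriodicScan", "Role: Backend, Vulnerable: false"),
    ("2023-09-01T08:00", "adm-1", "PeriodicScan", "Role: Admin, Vulnerable: true"),
    # benign chain: be-2 was clean at scan time, so the path is broken
    ("2023-09-01T09:00", "gw-1", "IncomingRequest", "TaskId: T1, Source: internet"),
    ("2023-09-01T09:01", "gw-1", "SpawnTask", "TaskId: T1, SpawnTaskId: T2"),
    ("2023-09-01T09:01", "be-2", "IncomingRequest", "TaskId: T2, Source: gw-1"),
    ("2023-09-01T09:02", "be-2", "SpawnTask", "TaskId: T2, SpawnTaskId: T3"),
    ("2023-09-01T09:02", "adm-1", "IncomingRequest", "TaskId: T3, Source: be-2"),
    # attack: every hop is vulnerable at the moment it handles its task
    ("2023-09-01T10:00", "gw-1", "IncomingRequest", "TaskId: T4, Source: internet"),
    ("2023-09-01T10:01", "gw-1", "SpawnTask", "TaskId: T4, SpawnTaskId: T5"),
    ("2023-09-01T10:01", "be-1", "IncomingRequest", "TaskId: T5, Source: gw-1"),
    ("2023-09-01T10:02", "be-1", "SpawnTask", "TaskId: T5, SpawnTaskId: T6"),
    ("2023-09-01T10:02", "adm-1", "IncomingRequest", "TaskId: T6, Source: be-1"),
]
FIELD = re.compile(r"(\w+): ([^,]+)")  # splits "Key: value, Key: value" into pairs
def find_attack_paths(rows):
    """Return every Gateway -> Backend(s) -> Admin task chain whose hops were all vulnerable."""
    scans = defaultdict(list)               # machine -> [(ts, role, vulnerable)] by time
    tasks, spawned = {}, defaultdict(list)  # TaskId -> (ts, machine); TaskId -> child TaskIds
    for ts, machine, event, message in sorted(rows):
        f = dict(FIELD.findall(message))
        if event == "PeriodicScan":
            scans[machine].append((ts, f["Role"], f["Vulnerable"] == "true"))
        elif event == "IncomingRequest":
            tasks[f["TaskId"]] = (ts, machine)
        elif event == "SpawnTask":
            spawned[f["TaskId"]].append(f["SpawnTaskId"])
    def state(machine, ts):  # role and vulnerability per the latest scan at or before ts
        i = bisect_right([h[0] for h in scans[machine]], ts)
        return scans[machine][i - 1][1:] if i else (None, False)
    def walk(task, path):
        if task not in tasks:
            return []                         # spawned but never received: dead end
        ts, machine = tasks[task]
        role, vulnerable = state(machine, ts)
        if not vulnerable:
            return []                         # one clean hop breaks the whole chain
        path = path + [machine]
        return [path] if role == "Admin" else [p for c in spawned[task] for p in walk(c, path)]
    return [p for t, (ts, m) in tasks.items()
            if state(m, ts)[0] == "Gateway" for p in walk(t, [])]
```

Because the vulnerability state is looked up by timestamp, a machine patched between two scans correctly drops out of any chain it handled after the clean scan.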
