Catch up on this series by going to: https://aka.ms/KQLMysteries
New chapters release weekly.
The morning sun barely pierced the thick clouds as Jon and Jordan convened in their respective dimly lit conference rooms over Microsoft Teams. The air was tense, charged with a mix of determination and the weight of uncertainty.
Jon laid out the blueprints of their network on the Microsoft Teams whiteboard. “We need to fortify our defenses. The Night Princess won’t stop until she gets what she wants, and we can’t let that happen.”
Jordan nodded, her eyes scanning the schematics. “I’ve been thinking all night. What if we use her tactics against her? Set up a mirror network, a shadow of our own system. We bait her with what seems like valuable data, but it’s actually a trap.”
Jon’s eyes lit up. “A decoy operation. I like it. But it has to be convincing. She’s not easily fooled.”
They spent hours planning, coding, and setting up the shadow network. It was a masterpiece of digital deception, designed to mimic their real system’s responses and behaviors.
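// Decoy inventory: each row is a fake server and the bait it exposes
let shadowNetwork = datatable (ServerName:string, FakeData:string)
[
    "Server-Alpha", "EncryptedPackage1",
    "Server-Beta", "EncryptedPackage2"
    // Add more servers and data (comma-separate each additional row)
];
shadowNetwork
| extend TrapTriggered = strcat(ServerName, "_trap")  // label each decoy with its trap name
| project ServerName, TrapTriggered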
As night fell, they activated the network. Now, it was a waiting game.
Jordan couldn’t shake off the feeling of being watched, even in the safety of their headquarters. She kept glancing at the monitors, watching for the slightest sign of intrusion.
Then, it happened. An alert signaled an access attempt on Server-Alpha. The shadow network was doing its job.
Jon and Jordan both rushed to their respective consoles, their hearts racing. They watched as the intruder navigated through the decoy data, taking the bait.
“Initiate the trace,” Jordan whispered, her fingers flying over the keyboard.
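let traceStart = now();
let shadowNetwork = datatable (ServerName:string, FakeData:string)
    ["Server-Alpha", "EncryptedPackage1", "Server-Beta", "EncryptedPackage2"];
shadowNetwork
| extend TrapTriggered = strcat(ServerName, "_trap")  // recreate the trap label; it is not stored in the datatable
| where TrapTriggered contains "trap"
// now() returns a single value for the whole query, so compare with >= rather than >
| extend TraceActive = iif(now() >= traceStart, true, false)
| project ServerName, TraceActive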
The trace was a complex web of digital breadcrumbs, leading The Night Princess on a wild goose chase while they backtracked her steps.
Hours passed, and the trace led them to a series of proxies, each one more intricate than the last. But Jordan was relentless, her skills honed by years of chasing shadows.
As dawn approached, they finally broke through the last proxy. The real IP address was revealed, and it was not what they expected. It was local, very local.
Jon and Jordan exchanged a look of disbelief. The Night Princess was closer than they ever imagined. It was time to confront the ghost of Krampus past, face to face.
Stay tuned for Chapter 11…
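The alert on Server-Alpha, sketched as an added example that is not code from the original chapter: a constructed access log is joined against the decoy list, so any touch of a decoy surfaces with its source address and account. The accessLog table, its column names, and every row in it are assumptions made for illustration.

```kql
// Decoy inventory from the story (same two rows as the chapter's datatable).
let shadowNetwork = datatable (ServerName:string, FakeData:string)
[
    "Server-Alpha", "EncryptedPackage1",
    "Server-Beta", "EncryptedPackage2"
];
// Constructed sample access log. In a real workspace this would be an
// existing log table; the schema and values here are assumptions.
let accessLog = datatable (TimeGenerated:datetime, ServerName:string,
                           SourceIP:string, Account:string, Action:string)
[
    datetime(2024-01-10 22:14:05), "Server-Prod01", "10.0.4.21", "svc-backup", "FileRead",
    datetime(2024-01-10 23:02:41), "Server-Alpha",  "10.0.7.88", "user01",     "Logon",
    datetime(2024-01-10 23:03:10), "Server-Alpha",  "10.0.7.88", "user01",     "FileRead",
    datetime(2024-01-10 23:09:57), "Server-Alpha",  "10.0.7.88", "user01",     "FileRead",
    datetime(2024-01-10 23:40:12), "Server-Beta",   "10.0.7.88", "user01",     "Logon"
];
// Nothing legitimate should ever touch a decoy, so every row that survives
// the join is a signal. Production traffic (Server-Prod01) drops out.
accessLog
| join kind=inner (shadowNetwork) on ServerName
| summarize FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            Events    = count(),
            Actions   = make_set(Action),
            BaitTouched = make_set(FakeData)
    by SourceIP, Account, ServerName
| extend TrapTriggered = strcat(ServerName, "_trap")
| order by FirstSeen asc
```

With the sample rows above, the result has one row per decoy: Server-Alpha with three events and Server-Beta with one, both from the same source address.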