Catch up on this series by going to: https://aka.ms/KQLMysteries
New chapters release weekly.
Jordan's heart skipped a beat as she heard the urgency in Jon's voice. Sofia, their colleague from the UK, was also on the line. Something big must have happened for both of them to call her at once.
"What's going on?" Jordan asked, her mind racing with possibilities.
"We've had a major security breach," Jon said, his voice grim. "Someone's hacked into our system and stolen sensitive data. We need your help to track them down."
"Who is the suspect?" Jordan asked.
"We have reason to believe it's a threat actor known as The Night Princess," Sofia replied.
Jordan's mind was already working, formulating a plan of action. "Send me everything you have," she said. "I'll start working on it right away."
As she waited for the data to arrive, Jordan's thoughts turned to the task ahead. This was no ordinary hack; this was a targeted attack, and the stakes were high. But she was ready for the challenge. With KQL at her fingertips and her colleagues by her side, they would find the culprit and bring them to justice.
The data arrived, and Jordan sprang into action, her fingers flying across the keyboard as she crafted complex queries to sift through the mountains of information. The hunt was on, and Jordan was determined to uncover the truth, no matter where it led.
Jordan started by searching for any activity associated with the known aliases of The Night Princess:
// Hunt window: the last seven days, up to now
let startTime = ago(7d);
let endTime = now();
// Account names The Night Princess is known to use
let knownAliases = dynamic(['NightPrincess', 'PrincessOfTheNight', 'NP']);
SecurityEvent
| where TimeGenerated between (startTime .. endTime)
// Keep only events whose Account field contains any of the aliases
| where Account has_any (knownAliases)
| project TimeGenerated, Account, Computer, EventID
The query returned several results, indicating that The Night Princess had indeed been active within their systems. Jordan analyzed the data, looking for patterns and connections that would help her track the threat actor's movements.
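The pivot Jordan would run next to find those patterns, as an added example that is not one of the chapter's own queries: it reuses the same SecurityEvent table, the same seven-day window and the same knownAliases list, and assumes the standard Windows logon event IDs 4624 (successful logon) and 4625 (failed logon) so that the per-host summary separates successes from failures.

```kql
// Added example (not from the chapter): summarize the alias hits per account and host
// so that the volume, timing and spread of the activity stand out.
let startTime = ago(7d);
let endTime = now();
let knownAliases = dynamic(['NightPrincess', 'PrincessOfTheNight', 'NP']);
let hits =
    SecurityEvent
    | where TimeGenerated between (startTime .. endTime)
    | where Account has_any (knownAliases);
hits
| summarize EventCount = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            // 4624 = successful logon, 4625 = failed logon (assumed Windows Security event IDs)
            Logons = countif(EventID == 4624),
            FailedLogons = countif(EventID == 4625),
            EventIDs = make_set(EventID)
    by Account, Computer
| extend ActiveSpan = LastSeen - FirstSeen
// Hosts touched by the same account hint at movement between machines
| join kind=inner (
    hits
    | summarize HostCount = dcount(Computer) by Account
  ) on Account
| project Account, Computer, HostCount, EventCount, Logons, FailedLogons, FirstSeen, LastSeen, ActiveSpan, EventIDs
| order by HostCount desc, EventCount desc
```

One caveat when reading the results: has_any matches whole terms, so a short alias such as 'NP' will also match any legitimate account whose name tokenizes to that term, and those rows need to be checked rather than treated as confirmed attacker activity.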
“Uh-oh,” Jordan said aloud to herself, and quickly dialed Jon back.
“Yes, Jordan?” Jon answered on the first ring, “What did you find?”
“Jon? Are you sitting down?” Jordan replied into the handset. “Do you remember that issue over the holiday? The one where you and Sarah identified the Krampus_attack culprit?”
Missed the holiday episode? You might consider catching up now… https://github.com/rod-trent/KQLMysteries
“How could I forget?” Jon questioned confidently. “It ate into my family time.”
“Well, you’re not going to like this…” Jordan said and paused, taking in a breath through her nostrils.
Jon could tell Jordan was preparing to hit him with a dramatic shock.
Stay tuned for Chapter 9…