Catch up on this series by going to: https://aka.ms/KQLMysteries
New chapters release weekly.
Jon braced himself, gripping the phone tighter. “What is it, Jordan? Don’t keep me in suspense.”
Jordan’s voice was steady, but there was an undercurrent of disbelief. “It’s connected, Jon. The Night Princess… she’s using the same backdoor that Krampus_attack left open. It wasn’t fully secured.”
A chill ran down Jon’s spine. “You mean to tell me we’ve been sitting ducks this whole time?”
“Looks like it,” Jordan confirmed. “But there’s more. I ran a cross-check against the security logs from the holiday incident. There’s a pattern—a signature move that The Night Princess uses. It’s subtle, but it’s there, and it matches the Krampus_attack.”
Jon’s mind raced. “So, The Night Princess and Krampus_attack could be the same person, or they’re working together?”
“Possibly,” Jordan said. “But we need more evidence. I’m going to dive deeper into the logs. I’ll set up a series of traps—honeypots to lure her in. If she bites, we’ll have her.”
“Be careful, Jordan,” Jon warned. “We don’t know what we’re dealing with here.”
Jordan chuckled darkly. “That’s exactly why I love this job. The thrill of the unknown.” She hung up and turned back to her screens, her eyes narrowing in focus.
let startTime = ago(24h);
HoneypotLogs
| where TimeGenerated >= startTime
| where ActivityType == "honeypot_trigger"
| project TimeGenerated, SourceIP, DestinationIP, Protocol, Payload
As Jordan set her traps, she couldn’t shake the feeling that they were being watched. The Night Princess was cunning, always one step ahead. But Jordan was determined to end this cat-and-mouse game.
Hours turned into days as Jordan monitored the honeypots. Then, just as she was about to call it a night, an alert flashed on her screen. A honeypot had been triggered.
She traced the activity back to its source, her heart pounding with anticipation. The trail led to an unexpected place—a server farm in Iceland. “Gotcha,” she whispered.
let icelandIPRanges = datatable(StartIP: string, EndIP: string)
[
    "31.209.148.0", "31.209.148.255", // Example range 1
    // Add additional ranges here
];
let startTime = ago(7d);
ActivityLogs
| where TimeGenerated >= startTime
// Cross-join every event with every range; mv-expand cannot expand a tabular expression
| extend JoinKey = 1
| join kind=inner (icelandIPRanges | extend JoinKey = 1) on JoinKey
// Compare addresses numerically; comparing dotted-quad strings is lexicographic and misses hits
| where ipv4_compare(IPAddress, StartIP) >= 0 and ipv4_compare(IPAddress, EndIP) <= 0
| project TimeGenerated, IPAddress, StartIP, EndIP, ActivityDetails
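The range filter above only works when the addresses are compared numerically. This added Python example (not part of the story or the blog's own code) runs the same per-range filter over a few constructed log records and shows which hits a plain string comparison would silently drop; the table names, records and second range are all made up for the example.

```python
import ipaddress

# Constructed sample data: the range from the story's datatable plus a second, made-up one
ICELAND_RANGES = [
    ("31.209.148.0", "31.209.148.255"),  # example range from the query above
    ("31.209.150.0", "31.209.151.255"),  # constructed second range
]

# Constructed records standing in for ActivityLogs rows
ACTIVITY_LOGS = [
    {"TimeGenerated": "2024-01-05T23:10:00Z", "IPAddress": "31.209.148.30",  "ActivityDetails": "honeypot_trigger"},
    {"TimeGenerated": "2024-01-05T23:11:00Z", "IPAddress": "31.209.148.3",   "ActivityDetails": "port_scan"},
    {"TimeGenerated": "2024-01-05T23:12:00Z", "IPAddress": "31.209.151.200", "ActivityDetails": "login_failed"},
    {"TimeGenerated": "2024-01-05T23:13:00Z", "IPAddress": "203.0.113.7",    "ActivityDetails": "login_failed"},
]


def in_range_numeric(ip: str, start: str, end: str) -> bool:
    """Correct check: compare the addresses as 32-bit integers (what KQL ipv4_compare does)."""
    addr = int(ipaddress.IPv4Address(ip))
    return int(ipaddress.IPv4Address(start)) <= addr <= int(ipaddress.IPv4Address(end))


def in_range_lexical(ip: str, start: str, end: str) -> bool:
    """The bug: dotted-quad strings compared character by character ('3' > '2', so .30 > .255)."""
    return start <= ip <= end


def filter_by_ranges(logs, ranges, check=in_range_numeric):
    """Keep records whose IPAddress falls inside any range (the cross-join plus where clause)."""
    return [rec for rec in logs if any(check(rec["IPAddress"], s, e) for s, e in ranges)]


if __name__ == "__main__":
    numeric_hits = filter_by_ranges(ACTIVITY_LOGS, ICELAND_RANGES)
    lexical_hits = filter_by_ranges(ACTIVITY_LOGS, ICELAND_RANGES, check=in_range_lexical)
    print("numeric:", [r["IPAddress"] for r in numeric_hits])   # three records match
    print("lexical:", [r["IPAddress"] for r in lexical_hits])   # only 31.209.151.200 survives
```

The two addresses ending in .30 and .3 are inside the first range but sort after "31.209.148.255" as strings, so the string comparison discards exactly the honeypot trigger the story is hunting for.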
But as she dug further, she realized it was a decoy. The real attacker was still out there, and now they knew Jordan was onto them.
The game had changed. It was no longer just about catching The Night Princess; it was about staying one step ahead. And Jordan knew that the only way to win was to think like her adversary.
Jordan sat back in her chair, staring at the screen. She had been so close, but now The Night Princess had the upper hand. She couldn't let her guard down, not for a second. She had to be smarter, faster, and more cunning than her adversary.
She called Jon, her voice steady. "We need to regroup. The Night Princess knows we're onto her. We need a new strategy."
Jon's voice was grim. "Agreed. We'll meet in the morning and come up with a plan."
Jordan hung up the phone and leaned back in her chair. She knew that the stakes had just been raised. The Night Princess was a formidable opponent, but Jordan was determined to catch her. She would not rest until she had brought her to justice.
Stay tuned for Chapter 10…