@liorbp
Last active September 27, 2023 13:00
// Per user session, rebuild the encryption key material that the application wrote into its own
// log messages, then hand Key + ciphertext to the Dekrypt() function (a stored function in the
// database, not defined in this gist).
KuandaLogs
// Debug filter for a single detective; left commented out so every DetectiveId is processed.
//| where DetectiveId == "kvc2ac0c1fdbe22ec157c8"
| partition hint.strategy=native by DetectiveId
(
// scan walks records in the order given here, so StartTime/EndTime below depend on this sort.
order by Timestamp asc
// One match instance per SessionId; the expected lifecycle is start -> token capture/disposal -> message sent.
| scan with_match_id = SessionId declare(StartTime:datetime, EndTime:datetime, Message: string) with (
// Session boundary: its Timestamp becomes StartTime; the boundary record itself is not emitted (output=none).
step start output=none:
Message has 'User entered the system' or Message has 'User session reset' => StartTime = Timestamp;
// Token capture/disposal records are all emitted (output=all).
// NOTE(review): in KQL `and` binds tighter than `or`, so the Timestamp guard applies only to the
// 'Captured ...' branch and not to the 'disposed' branch — confirm that is intended, or whether
// `Timestamp > start.StartTime and (Message has ... or Message has ...)` was meant.
step collectTokens output=all:
Timestamp > start.StartTime and Message has 'Captured user encryption token' or Message has 'token for this operation is disposed';
// The 'Sending an encrypted message' record closes the session; only the last such record is emitted.
step completed output=last:
Message has 'Sending an encrypted message'
and (Timestamp > start.StartTime) =>
StartTime = start.StartTime, EndTime = Timestamp;
)
| order by SessionId asc, Timestamp asc
// Pull the token value and the operation id out of free-text Message.
// The key material is recovered purely from log text, i.e. the log itself exposes it.
| extend token = extract(@"token: '(.*)\'." , 1, Message), OperationId=extract(@"Operation id=([\w\d]*)", 1, Message)
// Collapse each operation to one row; count_ is the number of records sharing that OperationId.
| summarize any(*), count() by OperationId, SessionId, DetectiveId
// Keep operations seen only once — presumably tokens that were captured but never disposed; verify against the log format.
| where count_ < 2
// One row per session: the surviving tokens as a list, plus one representative row chosen by any(*).
// NOTE(review): make_list follows input row order, which summarize does not guarantee; if Key must be in
// timestamp order, sort by any_Timestamp before this summarize.
| summarize make_list_if(any_token, isnotempty(any_token)), any(*) by SessionId, DetectiveId
// Key is the surviving tokens concatenated with no separator.
| extend Key = strcat_array(list_any_token, "")
// Replace Message with the ciphertext argument of the logged Dekrypt(@'...', call.
| extend Message = extract(@"Dekrypt\(@\'(.*)\'," , 1, any_any_Message)
)
// NOTE(review): any(*) above selects an arbitrary row per session; a session survives this filter only
// when that row was the 'Sending an encrypted message' record — confirm this holds for all data.
| where any_any_Message has "Sending an encrypted message"
// Dekrypt() is not shown here; presumably it reads the Key and Message columns and emits Result.
| invoke Dekrypt()
| project Result