Notes on Kusto Detective Agency Season 2 | Case 10, part 2

Continued from the previous post, "Notes on Kusto Detective Agency Season 2".

From the "Train me" section

The partition operator

KuandaLogs
| where DetectiveId endswith '11' // Just a sample of the data.
| partition hint.strategy=native by DetectiveId
(
    order by Timestamp asc 
    | extend Diff = Timestamp - prev(Timestamp)
)

The scan operator

KuandaLogs
| where DetectiveId endswith '11' // Just a sample of the data.
| partition hint.strategy=native by DetectiveId
(
    order by Timestamp asc 
     | scan declare(FirstActivity:string, LoginTime:datetime) with (
        step start output=none: Message has 'User entered the system' => LoginTime=Timestamp;
        step s2:
            Timestamp - start.LoginTime < 10min and Message !has 'User entered the system' 
            =>  FirstActivity = Message, LoginTime = start.LoginTime;
    )
    | project DetectiveId, LoginTime, FirstActivityTimestamp=Timestamp,  FirstActivity
)

This is fairly hard, but it looks like I need it to obtain the user's active tokens, strcat_array(<active-user-encryption-tokens>, ''), which are the key for decryption.

Let's try it

I'll try building steps spanning SessionStart ~ SessinReset.

| partition hint.strategy=native by DetectiveId
(
    order by Timestamp asc 
     | scan with_match_id=session_id declare(SessionStartTime:datetime, activeOperations:string)  with  (
        step start: 
           EventName == "SessionStart" => SessionStartTime=Timestamp;
        step step:
           EventName != "SessionStart" and EventName != "SessinReset" 
           => activeOperations = iff(EventName == "OperationStarted", strcat(step.activeOperations, ",",operationId),
                                 iff(EventName == "OperationCompleted", replace_string(step.activeOperations, strcat(",",operationId), ""),
                                step.activeOperations));
        step end:
           EventName == "SessinReset" and Timestamp > SessionStartTime;
    )
)


The OperationCompleted records don't carry the token that should be removed, so I build a lookup first.

let CompleteOperationLogWithToken =
CompleteOperationLog 
| lookup StartOperationLog on operationId;

With this I get the ActiveToken as of each message (assuming a token never contains a comma, though).
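As an added example (not code from the original post), here is the same session reconstruction run over a small constructed datatable, but keeping the active tokens in a dynamic array instead of a comma-joined string, so a token that itself contains a comma is handled correctly. The table name SampleEvents and the columns EventName and token are assumptions; the event names are spelled as the post uses them.

```kusto
// Constructed sample log for one detective (added example, not the game's data).
// The token 'tok,A' deliberately contains a comma.
let SampleEvents = datatable(Timestamp:datetime, DetectiveId:string, EventName:string, token:string)
[
    datetime(2023-09-09T10:00:00Z), 'kvc11', 'SessionStart',       '',
    datetime(2023-09-09T10:01:00Z), 'kvc11', 'OperationStarted',   'tok,A',
    datetime(2023-09-09T10:02:00Z), 'kvc11', 'OperationStarted',   'tokB',
    datetime(2023-09-09T10:03:00Z), 'kvc11', 'OperationCompleted', 'tok,A',
    datetime(2023-09-09T10:04:00Z), 'kvc11', 'SessinReset',        '',
];
SampleEvents
| partition hint.strategy=native by DetectiveId
(
    order by Timestamp asc
    // ActiveTokens is a dynamic array, so set_union / set_difference work per token
    // rather than on a substring of a comma-joined string.
    | scan with_match_id=session_id declare(SessionStartTime:datetime, ActiveTokens:dynamic = dynamic([])) with (
        step start:
            EventName == 'SessionStart' => SessionStartTime = Timestamp;
        step inSession:
            EventName != 'SessionStart' and EventName != 'SessinReset'
            => SessionStartTime = start.SessionStartTime,
               ActiveTokens = case(
                   EventName == 'OperationStarted',   set_union(coalesce(inSession.ActiveTokens, dynamic([])), pack_array(token)),
                   EventName == 'OperationCompleted', set_difference(coalesce(inSession.ActiveTokens, dynamic([])), pack_array(token)),
                   coalesce(inSession.ActiveTokens, dynamic([])));
        step end:
            EventName == 'SessinReset' and Timestamp > start.SessionStartTime;
    )
)
| project session_id, DetectiveId, Timestamp, EventName, ActiveTokens
```

For the OperationCompleted row the array is ["tokB"], whereas the string-based version would have left a fragment of 'tok,A' behind.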


If I forcibly massage the strings starting with @, a few errors remain, but roughly this seems to work.


There are only 10 errors, so for those I collect the tokens by hand, without partition, and solve them that way.


None of the 10 look like important messages, so I ignore them.

[2023-09-09T23:08:30.0000000Z] Packing user 'kvc7433e4d153c3b81b2f0' answers + active user encryption tokens and sending them to Kuanda. Happy fishing!

Incidentally, the cause of the errors seems to be that these records are not cleanly bracketed by a SessionStart ~ SessinReset pair.


Messages

There are four message patterns:

Kuanda server endpoint is not reachable, will retry later.

Kuanda server returned an error... Cmon, we must migrate our servers to AMD processors to avoid these system halts!

Packing user answers + active user encryption tokens and sending them to Kuanda. Happy fishing!

TODO [BUGBUG]: Validate: bitset_count_ones(hash_many(, tostring($user_answer))) < 54! Leaving as-is for now, the chance it will actually happen is very low. (O boy, these non-AMD processors are literally melting down on invalid instruction sets!)

The fourth one is obviously suspicious.

Answer

For a start I tried submitting AMD and melt-down, but they're wrong, so apparently that's not it.

If you have anything that can help, type it here

it says, so

I'll try to create a situation where a message is sent for which bitset_count_ones exceeds 54.

My own DetectiveID can be obtained from the cluster name.


If I manage to send an answer that exceeds 54:

Whoohhoooo! 🎉 You've just knocked Kuanda's servers clean out of the game!


Solution

Setup

.execute database script <|
.create table KuandaLogs (Timestamp:datetime, DetectiveId:string, Message:string)
.ingest async into table KuandaLogs (@'https://kustodetectiveagency.blob.core.windows.net/kda2c10adminlogs/log_00000.csv.gz')
.ingest async into table KuandaLogs (@'https://kustodetectiveagency.blob.core.windows.net/kda2c10adminlogs/log_00001.csv.gz')
.ingest into table KuandaLogs (@'https://kustodetectiveagency.blob.core.windows.net/kda2c10adminlogs/log_00002.csv.gz')
Answer

If you have anything that can help, type it here

range s from 0 to 100000000 step 1
| extend bitsetCount = bitset_count_ones(hash_many("kvcxkfkqdxph56ydvmjur3", tostring(s)))
| where bitsetCount >= 54
