Kusto Detective Agency: Challenge 5 – Big heist


The ADX team upped their game once again. Time for a proper forensic investigation, track down the baddies, find clues and decipher their meaning all while racing against the clock. Can you come up with the date and location of the heist in time to stop them?

General advice

This challenge requires a bit of creative thinking, even with the hints there are multiple paths to go down and not all of them are going to lead to the right outcome. the key to this one, keep it simple and logical.

Challenge 5: Big heist

This challenge also has multiple parts, first we need to identify four chatroom users from over three million records and then we need to “hack” their IPs to get more clues.

Query Hint Part 1

Trying to identify the right user behaviors here is super tricky, I got tripped up here by adding a level of complexity that was unnecessary. At its simplest we would have to find a room where only 4 people joined and no one else. Some KQL commands that will be useful here are tostring, split, extend, row_cumsum

Big heist challenge text - Part 1

Hello. It’s going to happen soon: a big heist. You can stop it if you are quick enough. Find the exact place and time it’s going to happen.
Do it right, and you will be rewarded, do it wrong, and you will miss your chance.

Here are some pieces of the information:
The heist team has 4 members. They are very careful, hide well with minimal interaction with the external world. Yet, they use public chat-server for their syncs. The data below was captured from the chat-server: it doesn’t include messages, but still it may be useful. See what you can do to find the IPs the gang uses to communicate.
Once you have their IPs, use my small utility to sneak into their machine’s and find more hints:

El Puente

Feeling uncomfortable and wondering about an elephant in the room: why would I help you?
Nothing escapes you, ha?
Let’s put it this way: we live in a circus full of competition. I can use some of your help, and nothing breaks if you use mine… You see, everything is about symbiosis.
Anyway, what do you have to lose? Look on an illustrated past, fast forward N days and realize the future is here.

Query challenge 5 - Part 1

let rooms =
| where Message contains “joined”
| extend user = tostring(split(Message,” “,1))
| extend chan = tostring(split(Message,” “,5))
| distinct user, chan
| summarize count() by chan
| where count_ == 4
| project chan;
let chatroom =
| extend action = tostring(split(Message,” “,2))
| where action contains “joined” or action contains “left”
| extend A1 = iif(action contains “joined”, 1, -1)
| extend user = tostring(split(Message,” “,1))
| extend chan = tostring(split(Message,” “,5))
| where chan in (rooms)
| order by Timestamp asc
| extend total=row_cumsum(A1, chan != prev(chan))
| where total ==4
| distinct chan;
let users =
| extend chan = tostring(split(Message,” “,5))
| where chan in (chatroom)
| extend user = tostring(split(Message,” “,1))
| distinct user;
| extend user = tostring(split(Message,” “,1))
| where user in (users)
| where Message contains “logged”
| extend IP = tostring(split(Message,” “,5))
| distinct IP

Alright we’ve got some IPs, so time to “hack”, using the provided tool you’ll gather a set of clues from each of the gang members, there are a few key things you need to find, these are an email, some pictures, a cypher tool, an article and a pdf copy of it and of course a video from the nefarious professor Smoke.

From here on out it’s all investigative skills, you now have everything you need to find the date and location of the heist and save that datacenter!

Final hint

In order to decrypt the secret message, you’re going to need a special key, the format looks familar right? Spot on you’ll need the answer from challenge 4!

Congratulations Detective!

If you’ve found this blog series useful, please let me know via LinkedIn or drop a comment below. These challenges have been super fun and I for one am looking forward to season 2!


24 thoughts on “Kusto Detective Agency: Challenge 5 – Big heist

  1. Pingback: Kusto Detective Agency: Challenge 4 - Ready to play? - OpsMan

  2. Pingback: Kusto Detective Agency: Challenge 3 - Bank robbery! - OpsMan

    1. Warren Kahn Post author

      The date is a three-step process you need the date form one of the pictures, you need to do the %(MOD) calculation, using the year from the article that comes from the decrypted message and then add that number of days to the first date

      1. Rosmus

        1) Get the picture of the Project X’s target and see the date it was taken (Datel).
        2) There was another historical nonsense event happened at year YYYY, and it reminds me of today (I will send a link later). We will use that event as a reference point.

        The day of our action will be: Date1 + ((YYYY % 1000) days))

        Ad.1. That was easy part- PDF article shows big “X” on the picture – you just need to find correct file
        Ad.2. Where to look for it? The article?

      1. neomat

        Any hints Cesar?
        I’m also struggling with the date. A bit frustrating having covered everything and remaining blocked at this stage :).

      2. kusto

        date1 : 09/7/2022 so date1 = 09
        from pdf file (project-x.pdf) page 3, go to the link in top of page 1 download the image go to Propeties >> Details >> date created
        YYYY: 1891
        from this link is: bing.com?q=uncomfortable+%2Belephant+%2Bescapes+%2Bcircus+%2Bbreaks+%2Beverything+%2Btoulouse+%2Billustrated

        total days in future is : 9 + (1891%1000) = 18919

        but which day is present day?

  3. Antonio

    The key of the challenge 4 for what message is?

    Not is this message. but yes the key.

    Impressive, you got it right! Something BIG is going to happen… Keep the next hint close to you, it will help you. We will be in touch soon. El Puente.

    Any hints.

    1. Warren Kahn Post author

      As part of your answer for challenge 4 you should also have a string of letters and a series of numbers. These are the decryption key for calculating part of the date in challenge 5

  4. Adam

    OK, I got the date (from one of the picture), or rather two dates- one is file creation, the other is buried down in exif as picture description. I’m not sure where should I look for the year of “another historical nonsense event”. Secondly- not sure what decryption key from #4 is used for – it gives an empty link to bing page.

  5. Warren Kahn Post author

    One of the files the baddies have is a cypher tool, to use this properly you need the decryption key (from challenge 4) and the right message to decrypt (Think about the message from El Puente)

    1. Michal

      I’ve tried to find ‘YYYY’ but I couldn’t. I think I know the coordinates and the basic ‘date’ (starting on 09.MM.YYYY) but I don’t have any idea how to find the second date which allows me to calculate the destination date.

      1. Warren Kahn Post author

        Have you located the email from the criminals detailing the steps to calculate the date as well as the decryption tool?

        The basic calculation is Date1 + ((YYYY % 1000) days)), key things here Date1 is the full start date, YYYY comes from decrypting the message and % is the function MOD not divide

        1. Michal

          Thank you for your reply. I found mail and basic calculation of destination data but the main issue is I don’t know how and what I should decrypt to obtain ‘YYYY’. Obviously, after decryption I will use MOD function (YYYY mod 1000) to obtain the number of days which I should add to Date1.

        2. Michal


          I’ve located the e-mail (Subject: ‘The day of Project X.’) and decryption tool (ReadMessage function). I am not sure what I should decrypt and how.

  6. Pingback: Microsoft Cloud ve Datacenter Management Aralık 2022 Bülten – Sertaç Topal

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.