Valdoria Votes – KC7 Cyber Challenge

Navigate the tension-filled cybersecurity scenario of an election under threat in “Valdoria Votes.” Enhance your KQL skills as you investigate infiltration attempts aimed at undermining the voting process.

🔍 Overview

This post covers What’s a query?, the first of the five parts of KC7 Cyber Challenge Module 335.

📚 Module Structure

This challenge is divided into five parts:

  1. What’s a query
  2. All about the dataz
  3. A vote of no confidence
  4. Snooping Around
  5. Look on my [Security], ye Mighty, and despair!

Each section builds on the last. For example, you may uncover an IP address or user account in one task that becomes the key to solving several others.


What’s a query

Let’s get familiar with the team at the Valdoria Board of Elections.

The Employees table contains information about all the staff who are part of the Valdoria Board of Elections.

We’ll use KQL (Kusto Query Language) queries to explore our data. Don’t worry, we’ll provide you with some queries to get started with the game.

For each query we provide, you can simply copy and paste it into the query pane on the right, and then click run.

What is the name of the Deputy Commissioner?

Hilary Binton

What is Dora Thomas’ role?

Polling Station Supervisor

What is this supervisor’s name?

Barry Schmelly

What is Barry Schmelly’s IP address?

10.10.0.12

What is Barry Schmelly’s hostname?

GCH3-DESKTOP

What is Barry Schmelly’s email address?

barry_schmelly@valdoriavotes.gov

How many emails did Barry Schmelly receive?

37

How many distinct commands were run on Barry Schmelly’s machine?


Sometimes you’ll want to look up many items at once in another table. You can’t be expected to type all of those items by hand, or to look for them one by one. That’s where let statements save you time: a let statement stores the result of an expression in a named variable, which you can then reference anywhere in your query. Let’s try an example.

What if we wanted to see all the URLs browsed by employees named William? To find them we’d first need all of their IP addresses. But there are so many Williams! Instead of typing each one in separately, we can save the IP addresses in a let statement, like so:
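As an added example (not the challenge’s own query, which this post does not reproduce), here is how the pieces described in this section fit together in KQL: a plain filter on the Employees table, as used for the first questions about the team, and then a let statement that collects a set of values and reuses it as a filter against another table, which is the pattern the Williams questions call for. The table and column names (Employees, OutboundNetworkEvents, AuthenticationEvents, name, role, ip_addr, hostname, email_addr, src_ip, url, username) are assumed for illustration and may differ from the challenge’s dataset.

```kql
// Added example; not the challenge's own query. Table and column names
// (Employees, OutboundNetworkEvents, AuthenticationEvents, name, role,
// ip_addr, hostname, email_addr, src_ip, url, username) are assumed.

// 1. A basic filter: find one employee by role and show only the
//    fields the questions ask about. Run this block on its own.
Employees
| where role == "Deputy Commissioner"
| project name, role, ip_addr, hostname, email_addr

// 2. Collect every IP address belonging to a William in one variable.
//    The trailing space in "William " keeps the match to first names,
//    so a surname such as "Williamson" is not picked up. The `let`
//    statement ends with a semicolon and must sit in the same batch
//    as the query that uses it.
let william_ips = Employees
    | where name startswith "William "
    | distinct ip_addr;
// 3. Reuse the variable as a set filter with `in`, then count the
//    distinct URLs those machines browsed.
OutboundNetworkEvents
| where src_ip in (william_ips)
| distinct url
| count

// 4. The same pattern against a different table: authentication
//    attempts to the Williams' accounts, keyed on username instead
//    of IP address. Run this block separately from block 2/3.
let william_users = Employees
    | where name startswith "William "
    | distinct username;
AuthenticationEvents
| where username in (william_users)
| count
```

Each numbered block is a separate query to paste into the query pane; a let variable is only visible to the query that follows it in the same batch. The `in` operator accepts a single-column tabular expression, so the let variable can be a whole sub-query rather than a hand-typed list of values.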


How many distinct URLs did employees with the first name William visit?

217

How many authentication attempts did we see to the accounts of employees with the first name William?

This post is licensed under CC BY 4.0 by the author.