At Security Risk Advisors, innovation and technical excellence are at the heart of everything we do, and I’m proud to be part of a team that embodies these values. Participating in the “Just Another Kusto Hacker” challenge was an incredible opportunity to push my skills with Kusto Query Language (KQL) to the next level. Winning the challenge was not just a personal milestone but also a reflection of the expertise and creativity we foster at SRA. Azure Data Explorer (ADX) is a key technology for us, powering our SCALR Sight platform and enabling us to analyze vast cybersecurity datasets to deliver actionable insights to our clients. This experience reinforced my appreciation for how ADX helps us stay at the forefront of cybersecurity analytics, and I’m excited to continue leveraging these tools to drive innovation and deliver value to our clients.

Backstory

Back in April, I came across Microsoft’s “Just Another Kusto Hacker” challenge, inspired by classics like “Just Another Perl Hacker” and “The International Obfuscated C Code Contest.” It immediately caught my attention! Kusto (KQL) has quickly become one of my preferred query languages, especially given Azure Data Explorer’s impressive performance and ease of use. At Security Risk Advisors, we’ve been leveraging ADX to build several critical services, benefiting from its amazing speed, flexibility, and efficient analytical capabilities that allow querying millions or even billions of rows in sub-seconds. Additionally, ADX powers our SCALR Sight platform, significantly enhancing our ability to perform analytics and drive detailed metrics reporting across various cybersecurity data sets, such as vulnerability data, conditional access policies, and Infoblox data.

Overview and Query Breakdown

I wanted to share an overview of my query and explain how each section functions, given that the original submission was intentionally obfuscated for the competition (yes, I may have gone a little over the top with obfuscation). If you’re interested in exploring further, you can find the complete query attached at the bottom of this blog post. Feel free to run it yourself!

“Just” with Time Series Analysis

I used Kusto’s built-in time series capabilities to detect anomalies. Each outlier corresponded to a Unicode character, spelling out the word “Just.” I was able to sort them based on the timestamps to maintain the sequence.

“Another” with XOR Encryption

I hashed the phrase “Kusto Language is Fun!” and XOR’d it against encrypted characters, which decoded to “another.”

“Kusto” Using Square Roots

Here, squared numbers were square-rooted into Unicode points, translating directly to “Kusto.”

Binary Conversion for “H”

This one was really fun! I built a binary-to-character converter function entirely within KQL. This function translates an 8-bit binary number into a Unicode character, which provided the letter “H.” Copy this one and give it a go!

ASCII Art and Character Frequencies

Initially experimenting with ASCII art spelling “ADX,” I found a coincidence—the letter “A” naturally emerged as the average of character frequencies. I can’t belive it worked out that way! I didn’t really know what I wanted to do with this. (hence the comment).

Geohashes for “C” and “K”

I extracted the letters “C” and “K” from geohashes based on coordinates for Vancouver and Nairobi.

Decoding JSON for “E”

This is where I wanted to start putting a spin on things. I was getting tired of using the unicode to string conversion. I started researching other ways I could manipulate KQL in spitting out a string. I dynamically created and parsed a JSON Unicode escape sequence to generate the letter “E.” This technique exploits JSON’s ability to decode Unicode escape sequences to produce the letter e

XML and Base64 for “R”

Another manipulation technique, thanks to my prior experience on the red team days I was able to think of some creative ideas. I used XML parsing and Base64 decoding to indirectly create the letter “R.” It uses array manipulation, XML parsing, and Base64 decoding to avoid directly referencing the letter ‘r’ in any shape or form while still producing it as output.

Final Assembly

All letters combined to form “hacker,” using KQL’s union operation with a single concurrency to ensure consistent ordering.

I want to extend a special thank you to Microsoft for organizing a fun challenge. If you have any questions or would like to discuss how ADX might benefit your own projects, please don’t hesitate to reach out! I’m always happy to talk about leveraging ADX effectively.

Overall, the challenge was not only enjoyable but also educational, im always looking to expand my KQL expertise and showcasing the depth and versatility of Azure Data Explorer. I’m excited to continue exploring its capabilities in future projects.

You can find the Original Full query link submitted for the challenge here: https://github.com/microsoft/just-another-kusto-hacker/blob/main/resources/participating-queries/query-83.md

Competition Page: https://github.com/microsoft/just-another-kusto-hacker?tab=readme-ov-file

And the final code put all back together here:

Join the Next Kusto Challenge – Kusto Detective Agency: Call of the Cyber Duty

If untangling obfuscated KQL sounds like your idea of fun, the next community event is right around the corner. Season 3 of the Kusto Detective Agency kicks off on June 8, 2025, and registration is already open. Expect story‑driven puzzles, data‑forensics twists, and plenty of opportunities to flex (and grow) your ADX skills.

Total prize pool: $21,000 (with $10,000 for first place)

Format: series of progressive KQL investigations – perfect for sharpening real‑world analytics techniques while competing for bragging rights.

Why join? Great practice, community networking, and—let’s be honest—a chance to snag that top‑spot cash.

Register here: http://detective.kusto.io/register