Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Unable to decode base64 value - Kusto

Copper Contributor

Hi,

 

I need your assistance please.

I have the following query:


F5_CL
| where TimeGenerated >= ago(3m) //change to required time
| extend RawData=split(RawData, '##') //split all raw data to specific values
|extend base64Value = tostring(RawData[24]) // base64 value

 

In the base64value there is base 64 value.

I don't know how to decode this value with extend!
I want that each parameter inside of this value will be separated.

 

Will appreciate your support please.

Thanks!

 

12 Replies
There are a few operators to decode, for strings

F5_CL
| where TimeGenerated >= ago(3m) //change to required time
| extend RawData=split(RawData, '##') //split all raw data to specific values
| extend base64Value = base64_decode_tostring(RawData) // base64 value
When I send the following Query:
F5_CL
| where TimeGenerated >= ago(7h) //change to required time
| extend RawData=split(RawData, '##') //split all raw data to specific values
| extend base64Value = base64_decode_tostring(RawData[24]) // base64 value

I get the following error:
"base64_decodestring(): argument #1 was not of an expected data type: string"

When I check RawData[24] using gettype() function, the result is String.

Why I get this error?
Could you post an example of your data to make it easier?

@m_zorich Adding picture, hope it more clear now.

You may need to check its valid UTF8, there are two examples in the github https://github.com/Azure/Azure-Sentinel/search?q=base64_decode_tostring , the second does some translate on invalid data.
Hi,
In the first example it will return error.
The second example is not clear.

So you are saying that the base64 is not UTF-8?
I can change it if needed...
Just need to understand the root cause of the issue.
I don't know if the F5 input is valid or not (it maybe ok), I was just saying that if you run the base64_decode_tostring against badly formatted/incorrect data it wont work if its not UTF-8.

https://en.wikipedia.org/wiki/UTF-8
The "RawData[24]" (base64 encoded value) is from UTF-8 type.
Again, any idea why sentinel returns the error?
And how to solve it of course?
Have you tried to use an online convertor to see if it will translate https://base64.guru/converter (or a website you prefer).
Have you tried to pass a working value, e.g. S3VzdG8= into you code

Usage
| extend RawData='S3VzdG8=' // replace with your string
| extend base64Value = base64_decode_tostring(RawData)
| distinct base64Value

@CliveWatson Yes, I've tried to use an online convertor and it translate well.

More than that, If I take the base64 as is, and move it to static variable as you showed, it works.

Otherwise it won't works.

Also, I've verified this is UTF-8.

 

Don't understand what I'm missing!

@MatRock345 

 

Maybe just a tostring within the Base64 - did we try that?  

e.g. base64_decode_tostring(tostring(RawData[24]))

 

let RawDataList = "S3VzdG8=##S3VzdG8=##S3VzdV8=";
Usage
| extend RawData=split(RawDataList, '##')
| extend base64Value = base64_decode_tostring(tostring(RawData[2]))

 

F5_CL
| where TimeGenerated >= ago(3m) //change to required time
| extend RawData=split(RawData, '##') //split all raw data to specific values
|extend base64 = base64_decode_tostring(tostring(RawData[24]))

Much better now! No error.
But all base64 values are empty! ((RawData[24]) is not empty)
Why is that?