
sKaleQL is an innovative tool designed to automate Kusto Query Language (KQL) execution at scale in Azure Log Analytics Workspaces using GitHub Actions. Developed by cybersecurity experts Michalis Michalos and Christos Galano, this tool streamlines auditing, forensics, and environment health checks with high precision.
🔗 GitHub Repository: https://github.com/christosgalano/sKaleQL
You Should Know:
1. How sKaleQL Works
- Executes KQL queries in bulk (1 to 50+ queries).
- Integrates with GitHub Actions for automated workflows.
- Ideal for security audits, log analysis, and compliance checks.
2. Key Features
✅ Automated Query Execution – Run KQL queries without manual intervention.
✅ GitHub Integration – Leverage CI/CD pipelines for log analytics.
✅ Scalability – Supports multiple queries in parallel.
✅ Audit & Forensics – Detect anomalies, track threats, and monitor system health.
3. Practical Implementation
Step 1: Clone the Repository
```bash
git clone https://github.com/christosgalano/sKaleQL.git
cd sKaleQL
```
Step 2: Configure GitHub Secrets
Store Azure credentials securely in GitHub Secrets:
- `AZURE_TENANT_ID`
- `AZURE_CLIENT_ID`
- `AZURE_CLIENT_SECRET`
- `LA_WORKSPACE_ID` (Log Analytics Workspace ID)
Step 3: Define KQL Queries
Place `.kql` files in the `queries` folder. Example (`detect_failed_logins.kql`):
```kql
SigninLogs
| where ResultType != "0"
| project TimeGenerated, UserPrincipalName, IPAddress, ResultDescription
```
Step 4: Trigger GitHub Action
Commit changes to run queries automatically:
```bash
git add .
git commit -m "Added new KQL query for failed logins"
git push origin main
```
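A minimal bulk runner that mirrors Steps 2 to 4, added here as an example and not sKaleQL's own code: it reads the four secrets from the CI environment, obtains a client-credentials token, and runs every `.kql` file in the `queries` folder through the Azure Monitor Logs query REST API. The endpoint URLs and the `tables/columns/rows` response layout are assumptions based on the public Log Analytics query API; the HTTP transport is injectable so the parsing logic can be exercised offline.

```python
import json
import os
import urllib.parse
import urllib.request
from pathlib import Path

# Assumed public endpoints of Azure AD (client-credentials) and the Log Analytics query API.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
QUERY_URL = "https://api.loganalytics.io/v1/workspaces/{ws}/query"


def http_post(url, data, headers):
    """Real HTTP POST; replaced by a fake transport in offline tests."""
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.loads(resp.read().decode())


def get_token(env, post=http_post):
    """Client-credentials flow using the secrets the workflow exposes as env vars."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": env["AZURE_CLIENT_ID"],
        "client_secret": env["AZURE_CLIENT_SECRET"],
        "scope": "https://api.loganalytics.io/.default",
    }).encode()
    url = TOKEN_URL.format(tenant=env["AZURE_TENANT_ID"])
    return post(url, form, {"Content-Type": "application/x-www-form-urlencoded"})["access_token"]


def load_queries(folder):
    """Each *.kql file becomes one named query; sorted so runs are reproducible."""
    return {p.stem: p.read_text().strip() for p in sorted(Path(folder).glob("*.kql"))}


def rows_as_dicts(response):
    """Flatten the API's columns/rows layout into a list of {column: value} dicts."""
    table = response["tables"][0]
    names = [c["name"] for c in table["columns"]]
    return [dict(zip(names, row)) for row in table["rows"]]


def run_query(token, workspace_id, query, post=http_post):
    body = json.dumps({"query": query}).encode()
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return rows_as_dicts(post(QUERY_URL.format(ws=workspace_id), body, headers))


def run_all(folder="queries", env=os.environ, post=http_post):
    """Execute every query in the folder and return {query_name: rows} for the job log."""
    token = get_token(env, post)
    return {name: run_query(token, env["LA_WORKSPACE_ID"], q, post)
            for name, q in load_queries(folder).items()}
```

In a workflow step, `python runner.py` with the four secrets mapped into `env:` and the result dumped with `json.dumps(run_all())` gives the structured JSON output the post mentions.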
4. Useful KQL Commands for Security Analysis
```kql
// Detect brute-force attacks
SecurityEvent
| where EventID == 4625
| summarize Attempts = count() by AccountName, IPAddress
| where Attempts > 5

// Check for unusual process executions
SecurityEvent
| where EventID == 4688
| where CommandLine contains "powershell -nop -enc"
```
5. Linux & Windows Commands for Log Analysis
Linux (Syslog & Auditd)
```bash
# Monitor failed SSH logins
grep "Failed password" /var/log/auth.log

# Check suspicious processes
ps aux | grep -E "(curl|wget|sh -c)"

# Analyze audit logs
ausearch -m execve -ts today
```
Windows (PowerShell & Event Logs)
```powershell
# Extract failed login events
Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    ID      = 4625
}

# Detect PowerShell obfuscation
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" |
    Where-Object { $_.Message -match "EncodedCommand" }
```
What Undercode Says
sKaleQL bridges the gap between KQL automation and cybersecurity operations, enabling teams to detect threats faster. By integrating GitHub Actions, it ensures scalability and repeatability in log analysis. Future enhancements may include real-time alerting and multi-cloud support.
Prediction
As cloud-based SIEM solutions grow, tools like sKaleQL will become essential for SOC teams, reducing manual efforts in threat hunting and compliance reporting.
Expected Output:
- Automated KQL execution logs in GitHub Actions.
- Query results stored in structured formats (CSV/JSON).
- Alerts for critical security events.
References:
Reported By: Mmihalos Github – Hackers Feeds