sKaleQL: Automating KQL Queries via GitHub Actions

sKaleQL is a tool by Michalis Michalos and Christos Galanopoulos that runs Kusto Query Language (KQL) queries against Azure Log Analytics workspaces from GitHub Actions. Scheduling query execution in a workflow replaces ad-hoc, manual log review with a repeatable, version-controlled step in security and operational pipelines.

🔗 KQL Cafe Registration: https://lnkd.in/d-hwKNzC
🔗 sKaleQL GitHub: https://lnkd.in/drVRkTVV

You Should Know:

1. Setting Up sKaleQL with GitHub Actions

To integrate sKaleQL into your workflow, follow these steps:

Prerequisites:

  • A GitHub account
  • A Log Analytics workspace in Azure
  • Azure CLI installed

Steps:

1. Clone the sKaleQL Repository:

git clone https://github.com/MichalisMichalos/sKaleQL.git
cd sKaleQL

2. Authenticate with Azure:

az login
az account set --subscription "Your-Subscription-ID"

3. Configure GitHub Secrets:

  • Create a service principal scoped to the workspace with a read-only role (Log Analytics Reader is enough to run queries) and store its credentials as GitHub Actions secrets, never in the repository:
    AZURE_TENANT_ID="your-tenant-id"
    AZURE_CLIENT_ID="your-client-id"
    AZURE_CLIENT_SECRET="your-client-secret"
  • Reference them only through `${{ secrets.* }}` so the runner redacts them from job logs, and do not echo them in `run:` steps. Where the tenant allows it, GitHub's OpenID Connect federation with Azure removes the long-lived client secret altogether.


4. Define KQL Queries in `.kql` Files:

Example query (`detect_failed_logins.kql`), scoped to the last hour so it matches an hourly schedule instead of counting over the workspace's whole retention period:

SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4625            // failed logon
| summarize FailedAttempts=count() by Account

5. Schedule Execution via GitHub Actions (`workflow.yml`, placed under `.github/workflows/`):

name: Run sKaleQL
on:
  schedule:
    - cron: '0 * * * *'    # runs hourly, at minute 0 (UTC)
  workflow_dispatch:        # also allow a manual run for testing
permissions:
  contents: read            # the job only needs to read the repository
jobs:
  run-kql:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Execute KQL
        env:
          # Expose the secrets from step 3 to the script. Assumed here: sKaleQL
          # authenticates through the Azure SDK's default credential chain,
          # which reads exactly these variable names.
          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
        run: |
          python sKaleQL.py --workspace "your-workspace-id" --query "detect_failed_logins.kql"
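
As an added example of what a runner script like the one invoked above has to do (this is not sKaleQL's own code), the following Python skeleton reads a `.kql` file, authenticates with the three secrets from step 3 through `ClientSecretCredential`, executes the query with the azure-monitor-query SDK, writes the result table as CSV and JSON, and exits non-zero when rows come back so the failed workflow run itself is the alert. The packages (azure-identity, azure-monitor-query 1.x), the `run_kql.py` name and the helper function names are assumptions; the offline helpers can be exercised without any Azure access.

```python
"""Minimal scheduled-KQL runner (added example, not sKaleQL's code).

Assumptions (not from the page): azure-identity and azure-monitor-query (>=1.0)
are installed, and the step-3 secrets are exposed to the job as the
AZURE_TENANT_ID / AZURE_CLIENT_ID / AZURE_CLIENT_SECRET environment variables.
"""
import csv
import json
import os
import sys
from datetime import timedelta
from pathlib import Path


def load_query(path):
    """Read a .kql file, dropping blank lines and // comment lines."""
    lines = Path(path).read_text(encoding="utf-8").splitlines()
    kept = [ln for ln in lines if ln.strip() and not ln.lstrip().startswith("//")]
    return "\n".join(kept)


def table_to_records(columns, rows):
    """Turn a Log Analytics result table (column names + row lists) into dicts."""
    return [dict(zip(columns, list(row))) for row in rows]


def write_results(records, out_dir, stem):
    """Write records as <stem>.csv and <stem>.json under out_dir; returns both paths.
    json default=str handles datetime values such as TimeGenerated."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    csv_path, json_path = out / f"{stem}.csv", out / f"{stem}.json"
    fieldnames = list(records[0].keys()) if records else []
    with csv_path.open("w", newline="", encoding="utf-8") as fh:
        writer = csv.DictWriter(fh, fieldnames=fieldnames)
        writer.writeheader()
        writer.writerows(records)
    json_path.write_text(json.dumps(records, default=str, indent=2), encoding="utf-8")
    return csv_path, json_path


def exit_code_for(records, max_hits=0):
    """1 when the query surfaced more than max_hits rows: the GitHub Actions
    job turns red and acts as the alert channel; 0 otherwise."""
    return 1 if len(records) > max_hits else 0


def run_query(workspace_id, query, lookback_hours=1):
    """Execute the query against the workspace (network call). The SDK imports
    are local so the helpers above stay usable without the Azure packages."""
    from azure.identity import ClientSecretCredential
    from azure.monitor.query import LogsQueryClient, LogsQueryStatus

    cred = ClientSecretCredential(
        tenant_id=os.environ["AZURE_TENANT_ID"],
        client_id=os.environ["AZURE_CLIENT_ID"],
        client_secret=os.environ["AZURE_CLIENT_SECRET"],
    )
    client = LogsQueryClient(cred)
    # timespan bounds the query server-side, in addition to any ago() in the KQL.
    resp = client.query_workspace(workspace_id, query, timespan=timedelta(hours=lookback_hours))
    tables = resp.tables if resp.status == LogsQueryStatus.SUCCESS else resp.partial_data
    records = []
    for table in tables:
        records.extend(table_to_records(table.columns, table.rows))
    return records


if __name__ == "__main__":
    # Usage: python run_kql.py <workspace-id> <file.kql> [out-dir]
    ws, kql_file = sys.argv[1], sys.argv[2]
    out_dir = sys.argv[3] if len(sys.argv) > 3 else "results"
    recs = run_query(ws, load_query(kql_file))
    paths = write_results(recs, out_dir, Path(kql_file).stem)
    print(f"{len(recs)} rows -> {paths[0]}, {paths[1]}")
    sys.exit(exit_code_for(recs))
```

Upload the `results/` directory with `actions/upload-artifact` if the CSV/JSON should outlive the job log; keep `max_hits` at 0 for detection queries and raise it only for reporting queries that are expected to return rows.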

2. Practical KQL Commands for Security Analysis

Here are some KQL queries you can automate with sKaleQL. Each is scoped with `ago()` to the interval between scheduled runs; without that filter the counts accumulate over the workspace's whole retention period and the thresholds lose their meaning. Column names in KQL are case-sensitive: the SecurityEvent table uses `IpAddress`, while SigninLogs uses `IPAddress`.

Detect Brute Force Attacks:

SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4625            // failed logon
| summarize Attempts=count() by IpAddress, Account
| where Attempts > 5

Find Suspicious Process Executions:

SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4688            // process creation; command line requires the audit policy to be enabled
| where CommandLine has_all ("powershell", "-nop", "hidden")   // no-profile, hidden-window launch, in any flag order
| project TimeGenerated, Computer, Account, NewProcessName, CommandLine

Track Azure AD Sign-In Anomalies:

SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType != "0"          // "0" is success; any other code is a failure
| summarize FailedLogins=count() by UserPrincipalName, AppDisplayName, IPAddress
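
The brute-force query above counts failures per (source IP, account) pair, which misses password spraying: one source tries many accounts a few times each, and every pair stays under the threshold. As an added example (not from the page or from sKaleQL), the following Python block runs both checks over constructed 4625-style rows, mirroring the KQL grouping, and carries the KQL for the spray variant as a constant. The event rows, IP addresses, account names and thresholds are made-up sample data.

```python
from collections import defaultdict


def _ev(ip, account, n, event_id=4625):
    """Build n SecurityEvent-shaped rows (constructed sample data, not real logs)."""
    return [{"EventID": event_id, "IpAddress": ip, "Account": account} for _ in range(n)]


# Constructed sample: one hammered account, one low-and-slow spray, one typo, one success.
SAMPLE_EVENTS = (
    _ev("203.0.113.7", "CORP\\alice", 6)                        # brute force on alice
    + [r for user in ("alice", "bob", "carol", "dave", "erin")   # spray: 5 accounts, once each
       for r in _ev("198.51.100.9", f"CORP\\{user}", 1)]
    + _ev("192.0.2.44", "CORP\\bob", 2)                          # a mistyped password
    + _ev("192.0.2.44", "CORP\\bob", 1, event_id=4624)           # successful logon, ignored
)


def failed_logons(events):
    """KQL: SecurityEvent | where EventID == 4625"""
    return [e for e in events if e["EventID"] == 4625]


def brute_force(events, max_attempts=5):
    """KQL: summarize Attempts=count() by IpAddress, Account | where Attempts > 5
    Returns {(ip, account): attempts} for the pairs over the threshold."""
    counts = defaultdict(int)
    for e in failed_logons(events):
        counts[(e["IpAddress"], e["Account"])] += 1
    return {pair: n for pair, n in counts.items() if n > max_attempts}


# KQL equivalent of the spray check below, ready to drop into a .kql file.
SPRAY_KQL = """SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4625
| summarize Accounts=dcount(Account), Attempts=count() by IpAddress
| where Accounts >= 4"""


def password_spray(events, min_accounts=4):
    """One source IP failing against at least min_accounts distinct accounts.
    Returns {ip: sorted distinct accounts} for the sources over the threshold."""
    seen = defaultdict(set)
    for e in failed_logons(events):
        seen[e["IpAddress"]].add(e["Account"])
    return {ip: sorted(acc) for ip, acc in seen.items() if len(acc) >= min_accounts}


if __name__ == "__main__":
    print("brute force:", brute_force(SAMPLE_EVENTS))
    print("spray      :", password_spray(SAMPLE_EVENTS))
```

The spraying source never appears in `brute_force()` because each of its pairs has a count of 1; only the per-source distinct-account count exposes it. Run both queries on the same schedule and tune `min_accounts` to the size of the tenant, since a shared NAT address can legitimately fail for several users.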

3. Linux & Windows Commands for Log Analysis

Linux (Syslog Analysis):

# Search for failed SSH logins (Debian/Ubuntu path; RHEL-family systems log to /var/log/secure)
grep "Failed password" /var/log/auth.log

# Monitor live logs (case-insensitive match)
tail -f /var/log/syslog | grep -i "error"

# Count requests per client IP in a web access log, busiest first
awk '{print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -nr

Windows (Event Log Analysis):

# Export failed login events
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625} | Export-Csv "failed_logins.csv" -NoTypeInformation

# Query PowerShell execution logs for -nop launches (-like needs wildcards; a bare "nop" matches nothing)
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" | Where-Object { $_.Message -like "*-nop*" }

What Undercode Say:

sKaleQL bridges the gap between manual log analysis and automated security monitoring, making KQL more accessible for SOC teams and DevSecOps. By leveraging GitHub Actions, organizations can:
– Reduce manual log review time
– Detect threats faster with scheduled queries
– Integrate KQL into CI/CD pipelines

For advanced users: Microsoft Sentinel runs on a Log Analytics workspace, so the same scheduled queries can hunt across Sentinel's tables, and the exported results can be forwarded to other SIEMs such as Splunk. Future enhancements could include Slack/Teams alerts for query results.

Expected Output:

Automated KQL execution logs stored in GitHub Actions, with results exported to CSV/JSON for further analysis.

Prediction:

As AI-driven security analytics grows, tools like sKaleQL will evolve to support natural language KQL generation (e.g., “Show me failed logins from Russia”). Expect tighter Azure/Microsoft Sentinel integrations in 2025.

References:

Reported By: Mmihalos Kql – Hackers Feeds