Community projects
This page is dedicated to open source projects that I have (co-)developed. All tools in this section are publicly available on GitHub. Each tool gets a short summary and a link so you can check it out yourself.
The published projects:
- KQL Sentinel & Defender queries
- Open Source Threat Intel feeds
- Incident Response PowerShell
- Sentinel Automation
- Domain Response
- Automated Audit Log Forensic Analysis for Google Workspace (ALFA)
- SIGMA AWS
- Links & Scripts
KQL Sentinel & Defender queries
The purpose of this repository is to share KQL queries that anyone can use and understand. The queries are intended to increase detection coverage through the logs of Microsoft Security products. Not all suspicious activities generate an alert by default, but many of them can be made detectable through the logs. The queries include Detection Rules, Hunting Queries and Visualisations.
The repository contains more than 200 KQL queries, mapped to the MITRE ATT&CK framework.
Repository Link: https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules
Open source threat intel feeds
This project shares open source, freely usable Threat Intel feeds that can be used without additional requirements. Almost 100 IOC feeds have been added to the repository and can be used directly; most can also be consumed as an externaldata feed in KQL.
The following feed categories are available:
- SSL
- IP
- DNS
- URL
- MD5
- SHA1
- SHA256
- CVEID
Repository Link: https://github.com/Bert-JanP/Open-Source-Threat-Intel-Feeds
Incident Response PowerShell
This project contains two PowerShell DFIR solutions. The first is a complete incident response script. The second is a page listing all the individual incident response commands. A default installation of PowerShell is sufficient; no additional modules are required.
Repository Link: https://github.com/Bert-JanP/Incident-Response-Powershell
Sentinel Automation
This project provides automation solutions for Microsoft Sentinel. The repository is focused on Logic Apps/Playbooks. The solutions aim to:
- Enrich Incidents
- Perform Incident Response Steps
- Create new detections
Repository Link: https://github.com/Bert-JanP/Sentinel-Automation
Domain Response
Domain Response is a tool designed to help you automate the investigation of a domain. It is specifically designed to automate phishing domain investigations, but it can be used for any domain to gather all the domain information needed. This can help to classify whether a domain is malicious. The script collects the following information in one go:
- WHOIS
- Certificate
- DNS Records
- Directories
Repository Link: https://github.com/Bert-JanP/Domain-Response
Automated Audit Log Forensic Analysis for Google Workspace (ALFA)
ALFA stands for Automated Audit Log Forensic Analysis for Google Workspace. You can use this tool to acquire all Google Workspace audit logs and to perform automated forensic analysis on the audit logs using statistics and the MITRE ATT&CK Cloud Framework.
Repository Link: https://github.com/invictus-ir/ALFA
Medium link: https://invictus-ir.medium.com/automated-forensic-analysis-of-google-workspace-859ed50c5c92
SIGMA AWS
This project provides the information and the queries needed to execute Sigma rules in AWS Athena, in order to investigate the first response capabilities that Sigma offers. The repository contains a dataset on which all AWS attack techniques from the Stratus Red Team tool have been simulated. Furthermore, it lists all supported and unsupported Sigma rules for AWS. Lastly, all Sigma rules translated to AWS Athena queries are shared and can be used to identify malicious activities.
Repository Link: https://github.com/invictus-ir/Sigma-AWS
Medium link: https://invictus-ir.medium.com/automated-first-response-in-aws-using-sigma-and-athena-615940bedc56
Links & Scripts
This collection of security scripts and sources is designed to assist you in automating various security-related tasks and to list sources relevant to security-related topics. Whether you’re a security professional, a system administrator, or an enthusiast, these scripts aim to simplify your workflow and enhance your efficiency.
Repository Link: https://github.com/Bert-JanP/SecScripts