Projects

Community projects

This page is dedicated to open source projects that I have (co)-developed. All tools in this section are pubicly available on Gihtub. The page will provide a small summary for each tool and a link to check them out yourself!

The projects that are published:

  • KQL Sentinel & Defender queries
  • Open Source Threat Intel feeds
  • Incident Response PowerShell
  • Domain Response
  • Automated Audit Log Forensic Analysis for Google Workspace (ALFA)
  • SIGMA AWS
  • Links & Scripts

KQL Sentinel & Defender queries

The purpose of this repository is to share KQL queries that can be used by anyone and are understandable. These queries are intended to increase detection coverage through the logs of Microsoft Security products. Not all suspicious activities generate an alert by default, but many of those activities can be made detectable through the logs. These queries include Detection Rules, Hunting Queries and Visualisations.

The repository contains more than 200 KQL queries and are mapped to the MITRE ATT&CK framework.

Repository Link: https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules

Open source threat intel feeds

Project that shares open source freely usable Threat Intel feeds that can be used without additional requirements. Almost 100 IOC feeds have been added to the repository and can be used directly, most can also be used as externaldata feed in KQL.

The following feed categories are available:

  • SSL
  • IP
  • DNS
  • URL
  • MD5
  • SHA1
  • SHA256
  • CVEID

Repisitory Link: https://github.com/Bert-JanP/Open-Source-Threat-Intel-Feeds

Incident Response PowerShell

This project contains two Powershell DFIR solutions. The first is a complete incident response script. The second is a page where all the individual incident response commands are listed. A default version of powershell can be used, without any additional modules.

Repository Link: https://github.com/Bert-JanP/Incident-Response-Powershell

Domain Response

Domain Response is a tool that is designed to help you automate the investigation for a domain. This tool is specifically designed to automate phishing domain investigations. However, it can be used for every domain to gather all domain information needed. This can help to classify if a domain is malicious. The script collects the following information in one go.

  • WHOIS
  • Certificate
  • DNS Records
  • Directories

Repository Link: https://github.com/Bert-JanP/Domain-Response

Automated Audit Log Forensic Analysis for Google Workspace (ALFA)

ALFA stands for Automated Audit Log Forensic Analysis for Google Workspace. You can use this tool to acquire all Google Workspace audit logs and to perform automated forensic analysis on the audit logs using statistics and the MITRE ATT&CK Cloud Framework.

Repository Link: https://github.com/invictus-ir/ALFA

Medium link: https://invictus-ir.medium.com/automated-forensic-analysis-of-google-workspace-859ed50c5c92

SIGMA AWS

This project provides the information and the queries needed to execute the Sigma rules in AWS Athena. This is done to investigate the first response capabilities that Sigma has. This repository contians a dataset on which all AWS Attack Techniques from the Stratus Red Team tool have been simulated. Furthermore, the repository contains all (un)supported Sigma rules for AWS. Lastly all the translated Sigma to AWS Athana queries are shared and can be used to identify malicious activities.

Repository Link: https://github.com/invictus-ir/Sigma-AWS

Medium link: https://invictus-ir.medium.com/automated-first-response-in-aws-using-sigma-and-athena-615940bedc56

This collection of security scripts and sources is designed to assist you in automating various security-related tasks and to list sources that are relavant to security related topics. Whether you’re a security professional, a system administrator, or an enthusiast, these scripts aim to simplify your workflow and enhance your efficiency.

Repository Link: https://github.com/Bert-JanP/SecScripts