Community projects

This page is dedicated to open source projects that I have (co-)developed. All tools in this section are publicly available on GitHub. The page provides a short summary of each tool and a link to check them out yourself!

The projects that are published:

  • KQL Sentinel & Defender queries
  • Open Source Threat Intel feeds
  • Incident Response PowerShell
  • Domain Response
  • Automated Audit Log Forensic Analysis for Google Workspace (ALFA)
  • Links & Scripts

KQL Sentinel & Defender queries

The purpose of this repository is to share KQL queries that can be used by anyone and are understandable. These queries are intended to increase detection coverage through the logs of Microsoft Security products. Not all suspicious activities generate an alert by default, but many of those activities can be made detectable through the logs. These queries include Detection Rules, Hunting Queries and Visualisations.

The repository contains more than 200 KQL queries and is mapped to the MITRE ATT&CK framework.

Repository Link:

Open source threat intel feeds

This project shares open source, freely usable threat intel feeds that can be used without additional requirements. Almost 100 IOC feeds have been added to the repository and can be used directly; most can also be used as an externaldata feed in KQL.

The following feed categories are available:

  • SSL
  • IP
  • DNS
  • URL
  • MD5
  • SHA1
  • SHA256

Repository Link:

Incident Response PowerShell

This project contains two PowerShell DFIR solutions. The first is a complete incident response script. The second is a page where all the individual incident response commands are listed. A default version of PowerShell can be used, without any additional modules.

Repository Link:

Domain Response

Domain Response is a tool designed to help you automate the investigation of a domain. It is specifically designed to automate phishing domain investigations, but it can be used on any domain to gather all the domain information needed. This can help to classify whether a domain is malicious. The script collects the following information in one go:

  • Certificate
  • DNS Records
  • Directories

Repository Link:

Automated Audit Log Forensic Analysis for Google Workspace (ALFA)

ALFA stands for Automated Audit Log Forensic Analysis for Google Workspace. You can use this tool to acquire all Google Workspace audit logs and to perform automated forensic analysis on the audit logs using statistics and the MITRE ATT&CK Cloud Framework.

Repository Link:

Medium link:


This project provides the information and the queries needed to execute the Sigma rules in AWS Athena. This is done to investigate the first response capabilities that Sigma has. This repository contains a dataset on which all AWS Attack Techniques from the Stratus Red Team tool have been simulated. Furthermore, the repository contains all (un)supported Sigma rules for AWS. Lastly, all the translated Sigma to AWS Athena queries are shared and can be used to identify malicious activities.

Repository Link:

Medium link:

Links & Scripts

This collection of security scripts and sources is designed to assist you in automating various security-related tasks and to list sources that are relevant to security-related topics. Whether you’re a security professional, a system administrator, or an enthusiast, these scripts aim to simplify your workflow and enhance your efficiency.

Repository Link: