Invoke-KqlPS
Translates a subset of KQL into SQL and runs it against a local SQLite lab database. Lets you practice hunting queries without burning Sentinel ingest budget.
powershellkqlsqliteScripts
PowerShell modules and one-offs I've built or adopted. Most live inside the SOC Dashboard project. Click any heading to jump to its writeup once published.
SOC operations & KQL
Build-KqlLabDb
Bootstraps the lab SQLite database from the bundled CSV log samples (DeviceLogonEvents, DeviceProcessEvents, SecurityAlert, SigninLogs, etc.).
powershelllabKqlBuilder & KqlTemplates
Composable query builder plus a library of starter KQL templates for common SOC questions (suspicious sign-ins, parent-child process anomalies, rare image loads).
powershellkqltemplatesThreat intel & enrichment
SecIntel.ThreatIntel
Unified wrapper around AbuseIPDB, urlscan.io, NIST NVD, Team Cymru hash lookups, and the NSRL. One consistent interface, cached responses, pluggable settings.
powershellthreat-intelapiSecIntel.DailyBrief
Pulls the day's relevant CVE/KEV/EPSS movement plus enrichment data and renders a digest. Run as a scheduled task to land a fresh brief in your inbox each morning.
powershellcvekevepssUpdate-CveKevFeed & Update-EpssFeed
Mirror CISA's KEV catalog and FIRST.org's EPSS scores locally. Designed to run idempotently — safe to schedule.
powershellcisa-kevepssFrameworks
MitreAttackExplorer
Offline browser for the ATT&CK framework. Search techniques, list sub-techniques, map to data sources, dump filtered JSON for downstream tooling. Useful when you want a quick lookup without opening the ATT&CK Navigator.
powershellmitreattackUpdate-CveAttackMap
Joins CVE records to ATT&CK techniques where mappings exist, producing a lookup table that's handy when prioritizing patching against observed adversary behavior.
powershellcvemitreSource for these modules lives in the SOC Dashboard repo (link to come once it's public). Everything is MIT-licensed unless a file header says otherwise.