Scripts
PowerShell modules and one-offs from the SOC Dashboard project. Each heading links directly to the exact source file on GitHub.
SOC operations & KQL
Invoke-KqlPS
Problem solved: practice a useful subset of KQL locally against Sentinel-shaped sample data without needing a live tenant.
Compatibility: PowerShell 5.1+; local SQLite DB with a __schema__ table.
Tags: powershell, kql, sqlite
    Import-Module .\Invoke-KqlPS.ps1 -Force
    $ctx = New-KqlContext -DatabasePath .\kql_lab.db
    Invoke-Kql -Context $ctx -Query 'SecurityEvent | where EventID == 4625 | take 5'
Build-KqlLabDb
Problem solved: create the local SQLite lab database with table names and types that mirror the production-style KQL schema.
Compatibility: PowerShell 5.1+; auto-installs PSSQLite to CurrentUser scope.
Tags: powershell, lab, sqlite
    .\Build-KqlLabDb.ps1 -Force
    .\Build-KqlLabDb.ps1 -SchemaPath .\CommonTableSchema.txt -DatabasePath .\kql_lab.db
KqlBuilder
Problem solved: walk an analyst through building KQL with guardrails instead of asking them to memorize the whole syntax surface up front.
Compatibility: stock user-level PowerShell; Access database engine optional, JSON fallback built in.
Tags: powershell, kql, gui
    powershell.exe -ExecutionPolicy Bypass -File .\KqlBuilder.ps1
    powershell.exe -ExecutionPolicy Bypass -File .\KqlBuilder.ps1 -ResetDb
-ExecutionPolicy Bypass applies only to that powershell.exe process and leaves the machine and user policies untouched; execution policy is a guardrail against running scripts by accident, not a security boundary.
KqlTemplates
Problem solved: keep hunting templates in a typed store with tags and metadata instead of scattered loose snippets.
Compatibility: PowerShell 5.1+; depends on the shared schema bootstrap in SecIntel.Schema.ps1.
Tags: powershell, kql, templates
    . .\SecIntel.Schema.ps1
    Ensure-PSSQLite
    Initialize-SecIntelSchema
    . .\KqlTemplates.ps1
Threat intel & enrichment
SecIntel.ThreatIntel
Problem solved: auto-detect an indicator type, call every compatible provider, and return normalized cache rows without making the UI care which source answered.
Compatibility: PowerShell 5.1+; dot-sources the shared schema, settings, hash lookup, and provider modules. Because a lookup fans out to every compatible provider, each indicator you query is disclosed to all of those services; keep that in mind when the indicator itself is sensitive to the investigation.
Tags: powershell, threat-intel, api
    . .\SecIntel.ThreatIntel.ps1
    Invoke-IntelLookup -Value 8.8.8.8 -IocType ip
SecIntel.DailyBrief
Problem solved: generate a standalone morning brief that summarizes feed health, new KEVs, ransomware-linked KEVs, and priority CVEs from the local intel cache.
Compatibility: PowerShell 5.1+; writes a single-file HTML brief, no external assets required.
Tags: powershell, cve, kev, reporting
    .\SecIntel.DailyBrief.ps1 -Open
    .\SecIntel.DailyBrief.ps1 -ResetLastSeen -Open
Update-CveKevFeed
Problem solved: mirror recent CVEs from NVD and the full CISA KEV catalog into the same SQLite database used by the local dashboard and ATT&CK tooling.
Compatibility: PowerShell 5.1+; optional NVD API key, otherwise runs at public rate limits. Treat the key as a secret: typed as a literal it is retained in PSReadLine history and, where script block logging is enabled, in the PowerShell operational log (Event ID 4104), so read it from an environment variable or a secret store instead of pasting it on the command line.
Tags: powershell, cisa-kev, nvd
    .\Update-CveKevFeed.ps1
    .\Update-CveKevFeed.ps1 -Days 14 -NvdApiKey 'abc123...'
Update-EpssFeed
Problem solved: update only the CVEs already cached locally with fresh EPSS score and percentile data so prioritization stays current.
Compatibility: PowerShell 5.1+; designed to run after Update-CveKevFeed.ps1.
Tags: powershell, epss, prioritization
    .\Update-EpssFeed.ps1
    .\Update-EpssFeed.ps1 -Force
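The three intel scripts above form one refresh sequence: CVE/KEV mirror first, EPSS on top of the cached CVEs, then the brief. The runbook below is an added example written for this page, not code from the SOC Dashboard repo. It assumes the scripts sit in $RepoRoot, that the NVD key is supplied through an environment variable named NVD_API_KEY (a name chosen here), and that a script which hits a fatal error either throws or calls exit with a non-zero code; none of those three points is confirmed by the page.

```powershell
# Added example, not from the SOC Dashboard repo: a scheduled runbook that refreshes
# the local intel cache in the order the scripts expect (CVE/KEV first, then EPSS on
# top of the cached CVEs) and finishes by rendering the brief.
# Assumptions (mine, not the page's): the scripts live in $RepoRoot, the NVD key is
# read from an environment variable named NVD_API_KEY, and a script that hits a fatal
# error either throws or calls exit with a non-zero code.
[CmdletBinding()]
param(
    [string]$RepoRoot = $(if ($PSScriptRoot) { $PSScriptRoot } else { (Get-Location).Path }),
    [int]$Days = 14,
    [switch]$Open
)
$ErrorActionPreference = 'Stop'   # non-terminating errors inside the feed scripts abort the run

function Invoke-Step {
    param([string]$Name, [scriptblock]$Action)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    Write-Host ("[{0:u}] start {1}" -f (Get-Date), $Name)
    $global:LASTEXITCODE = 0          # clear a stale value; only 'exit N' in the callee sets it
    & $Action
    if ($LASTEXITCODE -ne 0) { throw "$Name exited with code $LASTEXITCODE" }
    Write-Host ("[{0:u}] done  {1} in {2:n1}s" -f (Get-Date), $Name, $sw.Elapsed.TotalSeconds)
}

Push-Location $RepoRoot
try {
    # Splat the arguments so the key is never typed as a literal (PSReadLine history,
    # script block logging 4104); the value comes from the environment instead.
    $kevArgs = @{ Days = $Days }
    if ($env:NVD_API_KEY) { $kevArgs['NvdApiKey'] = $env:NVD_API_KEY }
    else { Write-Warning 'NVD_API_KEY not set; Update-CveKevFeed will run at public rate limits' }

    Invoke-Step 'Update-CveKevFeed'   { .\Update-CveKevFeed.ps1 @kevArgs }
    Invoke-Step 'Update-EpssFeed'     { .\Update-EpssFeed.ps1 }
    Invoke-Step 'SecIntel.DailyBrief' { .\SecIntel.DailyBrief.ps1 -Open:$Open }
}
catch {
    Write-Error -ErrorAction Continue "Intel refresh failed: $($_.Exception.Message)"
    exit 1
}
finally {
    Pop-Location
}
```

Run it as `powershell.exe -File .\Refresh-Intel.ps1 -Days 14` from a scheduled task; the step ordering matters because Update-EpssFeed only scores CVEs already in the cache, so running it before the CVE/KEV mirror leaves the newest entries without EPSS data until the next cycle.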
Frameworks
MitreAttackExplorer
Problem solved: download the Enterprise ATT&CK STIX bundle once, cache it locally, and launch a searchable GUI for tactics, techniques, groups, software, mitigations, and relationships.
Compatibility: PowerShell 5.1+; PowerShell 7+ recommended for faster JSON parsing; no admin rights required.
Tags: powershell, mitre, attack
    .\MitreAttackExplorer.ps1
    .\MitreAttackExplorer.ps1 -Update
Update-CveAttackMap
Problem solved: import analyst or third-party CVE-to-technique mappings so ATT&CK context can sit next to patching and KEV views.
Compatibility: PowerShell 5.1+; expects a CSV with at least CveId and TechniqueId.
Tags: powershell, cve, mitre
    .\Update-CveAttackMap.ps1 -Path .\ctid_mappings.csv -Source center-for-tid
    .\Update-CveAttackMap.ps1 -Path .\my_map.csv -Source analyst
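Producing the analyst CSV by hand is where malformed IDs creep in. The script below is an added example for this page, not code from the SOC Dashboard repo: it builds rows with the two required columns, rejects anything that does not match the published CVE and ATT&CK technique ID shapes, collapses duplicates, and then imports the file with -Source analyst. The sample rows are constructed for illustration, and whether Update-CveAttackMap.ps1 itself de-duplicates is not stated on the page, so the example does it up front.

```powershell
# Added example, not from the SOC Dashboard repo: build an analyst mapping file with the
# two columns Update-CveAttackMap.ps1 requires (CveId, TechniqueId), drop rows whose IDs
# do not look like a CVE or an ATT&CK technique, de-duplicate, then import as Source analyst.
# The rows below are constructed for illustration; the regexes are the published ID shapes
# (CVE-YYYY-NNNN with four or more sequence digits; Tnnnn or Tnnnn.nnn for sub-techniques).
$rows = @(
    [pscustomobject]@{ CveId = 'CVE-2021-44228'; TechniqueId = 'T1190';     Note = 'exploit public-facing app' }
    [pscustomobject]@{ CveId = 'cve-2021-44228'; TechniqueId = 'T1190';     Note = 'duplicate written in lower case' }
    [pscustomobject]@{ CveId = 'CVE-2021-44228'; TechniqueId = 'T1059.004'; Note = 'sub-technique id' }
    [pscustomobject]@{ CveId = 'CVE-2023-99';    TechniqueId = 'T1190';     Note = 'bad: too few sequence digits' }
    [pscustomobject]@{ CveId = 'CVE-2024-12345'; TechniqueId = 'TA0001';    Note = 'bad: tactic id, not a technique' }
)

function Test-CveAttackRow {
    param([pscustomobject]$Row)
    # Normalise case and whitespace in place so the same pair written two ways collapses to one row
    $Row.CveId       = $Row.CveId.Trim().ToUpperInvariant()
    $Row.TechniqueId = $Row.TechniqueId.Trim().ToUpperInvariant()
    ($Row.CveId -match '^CVE-\d{4}-\d{4,}$') -and ($Row.TechniqueId -match '^T\d{4}(\.\d{3})?$')
}

$good = @(); $bad = @()
foreach ($r in $rows) { if (Test-CveAttackRow $r) { $good += $r } else { $bad += $r } }
$bad | ForEach-Object { Write-Warning ("Skipping {0} -> {1} ({2})" -f $_.CveId, $_.TechniqueId, $_.Note) }

# One row per (CVE, technique) pair so a re-import cannot inflate counts in the dashboard
$unique  = $good | Sort-Object CveId, TechniqueId -Unique | Select-Object CveId, TechniqueId
$csvPath = Join-Path $env:TEMP 'my_map.csv'
$unique | Export-Csv -Path $csvPath -NoTypeInformation -Encoding UTF8
Write-Host ("Wrote {0} mapping rows to {1}; skipped {2}" -f @($unique).Count, $csvPath, $bad.Count)

.\Update-CveAttackMap.ps1 -Path $csvPath -Source analyst
```

With the sample rows this writes two mappings (CVE-2021-44228 to T1190 and to T1059.004) and warns about the two malformed entries; extra columns such as Note are dropped on export because the importer only needs the two required ones.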
Source for these modules lives in the SOC Dashboard repo. Everything is MIT-licensed unless a file header says otherwise.