David Sass sassdawe

IRQL - Incident Response Query Language

A collection of Kusto (KQL) functions that unify security logs behind a consistent, analyst-friendly dialect. IRQL encapsulates query logic in repeatable chunks, hides cluster/database locations and join keys, and projects disparate source schemas into a single, predictable schema. In addition, it represents query logic as their semantic intent via function naming. These functions were created by Saar Ron, John Lambert, and Diana Damenova.

These functions were authored alongside the Lift to Graph functions (Lift_To_Graph, Graph_Render_View, Graph_Fold_By_Property) and are designed to compose with them. Many of the IRQL primitives have a tabular form and a graph-lifted form, so the same logic drives both relational hunts and visual graph investigations.

Why IRQL?

KQL is a phenomenal tool for analyzing large quantities of data, but queries can get verbose quickly:

PSGet Code Signing

This is to try and document the behaviour around PowerShellGet/PSResourceGet code signing publisher behaviour.

Setup

The following code can be used to set up this scenario. This must be run as an administrator in Windows PowerShell.

Note: PowerShell uses implicit remoting for the New-SelfSignedCertificate which breaks the constains serialization. You must run this on Windows PowerShell.

PSGet Code Signing

This is to try and document the behaviour around PowerShellGet/PSResourceGet code signing publisher behaviour.

Setup

The following code can be used to set up this scenario. This must be run as an administrator in Windows PowerShell.

Note: PowerShell uses implicit remoting for the New-SelfSignedCertificate which breaks the constains serialization. You must run this on Windows PowerShell.

	<##################################################################################
	#
	# Script name: ternary.ps1
	# source http://blogs.technet.com/b/heyscriptingguy/archive/2009/06/15/hey-scripting-guy-event-2-solutions-from-expert-commentators-beginner-and-advanced-the-long-jump.aspx
	#
	##################################################################################>

	set-alias ?: Invoke-Ternary -Option AllScope -Description "PSCX filter alias"
	filter Invoke-Ternary ([scriptblock]$decider, [scriptblock]$ifTrue, [scriptblock]$ifFalse) {
	if (&$decider) {

	<#
	The basics: A HashSet is a collection that holds unique elements in no particular order (O(1) complexity
	for adding, searching or removing). The HashSet<T> is a generic class in the System.Collections.Generic
	namespace, ideal for managing large data sets and performing set operations.

	Core aspects: The dotnet HashSet is a hash-based collection that allows only distinct elements.
	It supports various operations such as Union, Intersection, Difference, and more.

	More: https://www.bytehide.com/blog/hashset-csharp
	#>

	# option 1
	using namespace System.Collections.Specialized
	$ordered = new-object OrderedDictionary

	# option 2
	$ordered = new-object System.Collections.Specialized.OrderedDictionary

	# members
	$ordered \| get-member


	function mandatoryUserBoolParam {
	param(
	[Parameter(Mandatory=$true)]
	[ValidateSet("true","false","1","0","yes","no","y","n")]
	[string]$param
	)
	$boolParam = $false
	switch ($param.ToLower()) {
	"true" { $boolParam = $true }

	{
	"background": "#F9F9F9",
	"black": "#AB3D2C",
	"blue": "#275FE4",
	"brightBlack": "#C21458",
	"brightBlue": "#0099E1",
	"brightCyan": "#7B86BB",
	"brightGreen": "#3D942E",
	"brightPurple": "#CE33C0",
	"brightRed": "#FF0308",

	Remember, kids, the only difference
	between screwing around and science
	is writing it down.

	install-Module psedit
	set-alias edit show-pseditor