David Sass sassdawe
IRQL - Incident Response Query Language

A collection of Kusto (KQL) functions that unify security logs behind a consistent, analyst-friendly dialect. IRQL encapsulates query logic in repeatable chunks, hides cluster/database locations and join keys, and projects disparate source schemas into a single, predictable schema. In addition, each function is named for the semantic intent of the query logic it represents. These functions were created by Saar Ron, John Lambert, and Diana Damenova.

These functions were authored alongside the Lift to Graph functions (Lift_To_Graph, Graph_Render_View, Graph_Fold_By_Property) and are designed to compose with them. Many of the IRQL primitives have a tabular form and a graph-lifted form, so the same logic drives both relational hunts and visual graph investigations.

Why IRQL?

KQL is a phenomenal tool for analyzing large quantities of data, but queries can get verbose quickly:

@dafthack
dafthack / azure_client_ids.txt
Created June 16, 2023 11:57
A collection of client IDs that can be used to authenticate a user, and their associated application name that shows up in Azure Sign-In logs.
00b41c95-dab0-4487-9791-b9d2c32c80f2 - Office 365 Management
04b07795-8ddb-461a-bbee-02f9e1bf7b46 - Microsoft Azure CLI
0ec893e0-5785-4de6-99da-4ed124e5296c - Office UWP PWA
18fbca16-2224-45f6-85b0-f7bf2b39b3f3 - Microsoft Docs
1950a258-227b-4e31-a9cf-717495945fc2 - Microsoft Azure PowerShell
1b3c667f-cde3-4090-b60b-3d2abd0117f0 - Windows Spotlight
1b730954-1685-4b74-9bfd-dac224a7b894 - Azure Active Directory PowerShell
1fec8e78-bce4-4aaf-ab1b-5451cc387264 - Microsoft Teams
22098786-6e16-43cc-a27d-191a01a1e3b5 - Microsoft To-Do client
268761a2-03f3-40df-8a8b-c3db24145b6b - Universal Store Native Client
@Digiover
Digiover / Get-RandomString.ps1
Last active April 5, 2026 07:48
Easily create a random string (or secure password) using PowerShell. Add to your PS profile
function Get-RandomString {
    param (
        [CmdletBinding(PositionalBinding=$false)]
        [Parameter(Position=0)]
        [ValidateRange(8, 256)]
        [int] $Length = 20,
        [Parameter(Position=1)]
        [ValidateSet("AlphaNumeric", "SQLCompliant")]
        [string]$Compliancy
    )
@JustinGrote
JustinGrote / ThrowStdOutErrors.ps1
Created November 4, 2022 17:40
Catch only specific errors coming from native commands
filter ThrowStdOutErrors($messageFilter,[Parameter(ValueFromPipeline)]$obj) {
    if ($obj -is [Management.Automation.ErrorRecord]) {
        # Only error records whose text matches the filter are turned into terminating errors
        if ($obj -match $messageFilter) {
            throw $obj
        } else {
            # Everything else is surfaced as a non-terminating error and dropped from the pipeline
            Write-Error $obj
            return
        }
    }
    # Non-error objects (normal stdout) pass through unchanged
    $obj
}
@JustinGrote
JustinGrote / Write-FunctionError.ps1
Last active February 28, 2023 21:57
Write an Error within a function in a nice way that displays the context of the function rather than the "Write-Error" context
using namespace System.Management.Automation
using namespace Microsoft.PowerShell.Commands
function Write-FunctionError {
<#
.SYNOPSIS
Writes an error within the context of the containing CmdletBinding() function. Makes error displays prettier
#>
param(
[Parameter(Mandatory)][String]$Message,
[ValidateNotNullOrEmpty()][ErrorCategory]$Category = 'WriteError',
@JustinGrote
JustinGrote / Trace-AICommand.ps1
Last active July 28, 2025 08:17
Trace-AICommand: Report the results and performance of any scriptblock to Azure Application Insights
#requires -version 7
#You can load this script with $(iwr https://tinyurl.com/TraceAICommand | iex)
using namespace Microsoft.ApplicationInsights
using namespace Microsoft.ApplicationInsights.Extensibility
using namespace Microsoft.ApplicationInsights.DataContracts
using namespace System.Management.Automation
using namespace System.Collections.Generic
using namespace System.Net
#Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/app/console
@JustinGrote
JustinGrote / ConvertTo-DataTable.ps1
Last active February 6, 2023 19:01
Build a DataTable from an Array in PowerShell. All objects should have the same properties as the first object.
using namespace System.Data
function ConvertTo-DataTable {
<#
.SYNOPSIS
Takes an array and converts it to a datatable, useful for sql or bulk transactions. All objects must be the same (or at least share properties with the first object)
.EXAMPLE
convertto-datatable @(
[PSCustomObject]@{Name = 'Test'; Food = 'Burgers' },
[PSCustomObject]@{Name = 'Test2'; Food = 'Fries' },
[PSCustomObject]@{Name = 'Test3'; Food = 'Coke' },
@JustinGrote
JustinGrote / Grant-ApplicationRoleToUserAssignedManagedIdentity.ps1
Created January 29, 2022 08:02
Use Az Module and Microsoft Graph to Grant an Application Role to a User Assigned Managed Identity
#requires -module Az.Resources
#requires -module Az.ManagedServiceIdentity
function Assert-SingleResult ([Object[]]$inputObject, [String]$Description) {
<#
.SYNOPSIS
Helper function to ensure one and only one item.
#>
    if ($inputObject.count -lt 1) {
        # Pass the exception object explicitly; a bare [Type] literal in argument mode is parsed as a string, not a type
        Write-Error -Exception ([InvalidOperationException]"$Description was not found.")
        return $false
@svch0stz
svch0stz / defenderwatch.ps1
Last active November 18, 2022 01:03
WMI Watcher for Windows Defender RealtimeMonitoring
$WMI = @{
    # Fire when an MSFT_MpPreference instance is modified and real-time monitoring has been switched off
    Query = "SELECT * FROM __InstanceModificationEvent WITHIN 5 WHERE TargetInstance ISA 'MSFT_MpPreference' AND TargetInstance.DisableRealtimeMonitoring=True"
    Action = {
        #$Global:Data = $Event
        Write-Host "Defender Configuration change - DisableRealtimeMonitoring:"$Event.SourceEventArgs.NewEvent.TargetInstance.DisableRealtimeMonitoring"(Old Value:"$Event.SourceEventArgs.NewEvent.PreviousInstance.DisableRealtimeMonitoring")"
    }
    Namespace = 'root\microsoft\windows\defender'
    SourceIdentifier = "Defender.DisableRealtimeMonitoring"
}
$Null = Register-WMIEvent @WMI
$MyScript = [powershell]::Create()
$null = $MyScript.AddScript( { Import-Module -Name Terminal-Icons } )
$Runspace = [runspacefactory]::CreateRunspace()
$MyScript.Runspace = $Runspace
$null = Register-ObjectEvent -InputObject $MyScript -EventName InvocationStateChanged -Action {
Import-Module -Name Terminal-Icons
}