Ridgeline Skill

For SOC Analysts, IR Practitioners, and Security Engineers

Aligned to MITRE ATT&CK

PowerShell for Security Operations

Focused skills. One thing, learned properly.

Learn the PowerShell commands you run during incidents — pipeline, remoting, evidence collection, event log analysis, registry investigation, and M365 security automation. Not a programming course. The specific scripts and commands that security practitioners use daily.

Content last updated: April 2026

Why take this course

For Windows administrators and SOC analysts building offensive-informed defensive capability. You finish able to use PowerShell for IR collection, threat hunting, and automation — the scripting fluency that converts "I know PowerShell" into measurable time savings and capability gains in security operations.

What this skill teaches

PowerShell is the tool that connects everything in a Windows and M365 security environment. You use it to collect volatile evidence from endpoints, query event logs during investigations, check registry persistence, manage Entra ID accounts during a compromise, and automate the recurring checks that keep your security posture honest.

Most security practitioners learn PowerShell by copying commands from blog posts and hoping they work. This skill teaches the pipeline and object model so you understand why a command works, then builds every subsequent section on investigation scenarios where each command answers a real question.

What you will be able to do

1. Use the pipeline and object model to filter, sort, and export security-relevant data from any Windows endpoint — processes, services, connections, event logs, registry.

2. Run investigation commands on remote endpoints simultaneously using PowerShell Remoting — collect evidence from 10 machines in the time it takes to manually check one.

3. Build evidence collection scripts that capture volatile data in the first 30 minutes of an incident — before processes end, connections close, and memory is lost.

4. Query Windows event logs with precision — time-bounded, event-ID-filtered, with parsed XML event data that reconstructs logon timelines and identifies lateral movement.

5. Investigate persistence across registry, services, and scheduled tasks, and manage compromised M365 accounts through the Microsoft Graph and Exchange Online modules.

Skill at a glance

Format: Ridgeline Skill — focused, practical, one topic

Sections: 7 content sections + guided lab

Tier: Premium subscription

Prerequisites: Windows administration familiarity. If you've opened a PowerShell prompt and run Get-Process before, you have enough. The Practical IR course gives you the investigation context that makes every command in this skill immediately useful.

Typical pace: 1-2 weeks at a few hours per week

What you leave with

First-response collection script: A tested script that captures volatile evidence (processes, services, connections, scheduled tasks, autoruns, DNS cache, ARP table) from any Windows endpoint — ready for your next incident.

Event log query library: Targeted Get-WinEvent commands for logon analysis, lateral movement detection, PowerShell execution logging, and service installation — all annotated and reusable.

Remote investigation playbook: The Invoke-Command patterns that let you triage 10 endpoints simultaneously from your SOC workstation.

M365 security commands: Account lockdown, session revocation, inbox rule audit, and sign-in log queries — the commands you run during a BEC or account compromise.

What this course does NOT cover

Deliberate scope boundaries. If any of these is your primary need, the sibling course is the better fit.

Sections

Seven focused sections plus a guided investigation lab. Every command runs against the Northgate Engineering environment with realistic output.

PS0.1
The Pipeline and Object Model for Security Work — The pipeline as an investigation tool: Get-Process | Where-Object | Select-Object | Sort-Object | Export-Csv. Object properties vs text output — why it matters when you're filtering for suspicious processes. Format vs export, filtering patterns, and 6 worked security examples.
PS0.2
Remoting: Running Commands on Remote Endpoints — Invoke-Command for fan-out collection across multiple endpoints. Enter-PSSession for interactive investigation. WinRM configuration, credential handling, persistent sessions, and the double-hop problem. NE scenario: query event logs on 5 endpoints from the SOC workstation simultaneously.
PS0.3
Evidence Collection Scripts — Building the first-30-minutes collection script: running processes, services, scheduled tasks, network connections, autorun entries, DNS cache, ARP table. Get-WinEvent with -FilterHashtable for targeted event log collection. Timestamped exports to CSV and JSON. NE scenario: the triage collection that captures volatile evidence before it disappears.
PS0.4
Working with the Windows Event Log — Get-WinEvent in depth: -FilterHashtable, -FilterXml, -FilterXPath. Querying Security, System, Sysmon, and PowerShell Operational logs. Parsing XML event data. Building logon timelines from 4624/4625 events. The query that finds lateral movement in 30 seconds. NE scenario: reconstruct the authentication timeline during INC-2026-0501.
PS0.5
Registry, Filesystem, and Service Investigation — Registry queries for persistence: Run keys, services, scheduled tasks. Recursive registry search. Filesystem: hidden files, targeted search, hash verification. Service binary path analysis. NE scenario: find the attacker's persistence mechanisms across all three artifact categories on a compromised endpoint.
PS0.6
M365 and Entra ID Security with PowerShell — Connect-MgGraph, Connect-ExchangeOnline. Querying sign-in logs, risky users, conditional access policies. Mailbox audit logs, inbox rules, mail flow rules. Bulk operations: disable accounts, revoke sessions, block sign-in. NE scenario: investigate and contain j.morrison's compromised M365 account.
PS0.7
Automation and Scheduled Security Tasks — Scripts that run unattended: credential storage, SecretManagement module, Register-ScheduledTask. The daily compliance check: MFA status, conditional access state, stale accounts. Error handling with try/catch. Logging with Start-Transcript. NE scenario: build and deploy an automated security posture check that runs daily and alerts on drift.
Lab
Guided Lab: Investigate and Collect Across Northgate Engineering — SOC alert fires. Remote into 3 endpoints with Invoke-Command. Collect volatile evidence. Query event logs for the logon timeline. Check registry persistence. Export findings. Produce a triage collection report. The complete first-response PowerShell workflow from alert to documented findings.
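
The remoting and collection material in PS0.2 and PS0.3 (the "first-response collection script" and "remote investigation playbook" listed above) fits together in one pattern: a scriptblock that gathers volatile state, fanned out with Invoke-Command and exported from the SOC workstation. The following is an added illustration, not the course's own script; the host names, the output folder, and the assumption that WinRM is enabled and the operator is a local administrator on every target are placeholders.

```powershell
# Added example (not from the course): fan-out triage collection over WinRM.
# Assumed: hypothetical host names, WinRM enabled on the targets, and the account
# running this is a local administrator on each of them.
$targets = 'NE-WS-014', 'NE-WS-022', 'NE-SRV-03'     # hypothetical Northgate hosts
$outRoot = 'C:\IR\Collections'
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'

# The scriptblock executes on the REMOTE host. It may only use what exists there;
# local variables must be passed in via -ArgumentList or the $using: prefix.
$collect = {
    [pscustomobject]@{
        Collected   = (Get-Date).ToString('o')
        Processes   = Get-CimInstance Win32_Process |
                        Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate
        Services    = Get-CimInstance Win32_Service |
                        Select-Object Name, State, StartMode, StartName, PathName
        Connections = Get-NetTCPConnection -State Established, Listen |
                        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess, CreationTime
        Tasks       = Get-ScheduledTask | Where-Object State -ne 'Disabled' |
                        Select-Object TaskName, TaskPath, State,
                            @{n='Action'; e={ ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' }}
        Autoruns    = Get-CimInstance Win32_StartupCommand |
                        Select-Object Name, Command, Location, User
        DnsCache    = Get-DnsClientCache |
                        Select-Object Entry, RecordName, RecordType, Data, TimeToLive
        Arp         = Get-NetNeighbor -AddressFamily IPv4 | Where-Object State -ne 'Unreachable' |
                        Select-Object IPAddress, LinkLayerAddress, State, InterfaceAlias
    }
}

# Fan out. ThrottleLimit caps concurrent sessions; errors are collected rather than
# fatal, so one offline host does not abort the sweep.
$results = Invoke-Command -ComputerName $targets -ScriptBlock $collect -ThrottleLimit 10 `
                          -ErrorAction SilentlyContinue -ErrorVariable remoteErrors

# A host that returned nothing is itself a finding (offline, WinRM off, or isolated).
$answered = @($results | ForEach-Object PSComputerName)
$targets | Where-Object { $_ -notin $answered } | ForEach-Object { Write-Warning "No collection from $_" }
$remoteErrors | ForEach-Object { Write-Warning $_.Exception.Message }

# Timestamped export: one folder per host, one CSV per artifact, plus the whole snapshot as JSON.
foreach ($r in $results) {
    $dir = Join-Path $outRoot "$($r.PSComputerName)-$stamp"
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    foreach ($artifact in 'Processes', 'Services', 'Connections', 'Tasks', 'Autoruns', 'DnsCache', 'Arp') {
        $r.$artifact | Export-Csv -Path (Join-Path $dir "$artifact.csv") -NoTypeInformation
    }
    $r | ConvertTo-Json -Depth 5 | Set-Content -Path (Join-Path $dir 'snapshot.json')
}

# PS0.1 in practice: the pipeline turns raw collection into one answer across all hosts.
# "Which processes run from user-writable locations, and what spawned them?"
$userWritable = foreach ($r in $results) {
    $r.Processes |
        Where-Object { $_.ExecutablePath -match '\\(Users|ProgramData|Windows\\Temp)\\' } |
        Select-Object @{n='Host'; e={ $r.PSComputerName }}, ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine
}
$userWritable | Sort-Object Host, Name | Format-Table -AutoSize
```

To test the scriptblock on the local machine before a sweep, run `& $collect`. Because the remote side only reads local state and the export happens on the SOC workstation, no second network hop is made from the target; writing output to a file share from inside the scriptblock would hit the double-hop problem the section covers.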
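
For PS0.4 and the event log query library above, the shape of a 4624/4625 timeline query looks like the following. It is an added example rather than the course's own query; the 24-hour window and the failure threshold of 20 are arbitrary placeholders to adjust per investigation.

```powershell
# Added example (not from the course): logon timeline from 4624/4625 with XML parsing,
# followed by the lateral-movement and password-spray filters.
# Assumed: the time window and the 20-failure threshold are placeholders.
$since  = (Get-Date).AddHours(-24)
$filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since }

# -FilterHashtable is evaluated by the event log service, so only matching events are
# returned. Piping Get-WinEvent into Where-Object would fetch every Security event first.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) { Write-Warning "No 4624/4625 events since $since (wrong window, or log cleared?)" }

$timeline = foreach ($e in $events) {
    # Message text is localised and brittle; EventData carries the fields as named <Data> nodes.
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
    $outcome = if ($e.Id -eq 4624) { 'Success' } else { 'Failure' }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        Id          = $e.Id
        Outcome     = $outcome
        User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        LogonType   = [int]$d['LogonType']            # 2 interactive, 3 network, 10 RDP
        AuthPackage = $d['AuthenticationPackageName'] # NTLM vs Kerberos matters for pass-the-hash
        SourceIp    = $d['IpAddress']
        Workstation = $d['WorkstationName']
        Status      = $d['Status']                    # 4625 only, e.g. 0xC000006A = bad password
        LogonId     = $d['TargetLogonId']             # join key to 4634/4647 logoff and 4672 privilege events
    }
}

# Lateral movement: successful network (3) or RDP (10) logons from another host by a
# non-machine account. Machine accounts (name ends in $) dominate type-3 noise.
$lateral = $timeline | Where-Object {
    $_.Outcome -eq 'Success' -and
    $_.LogonType -in 3, 10 -and
    $_.SourceIp -notin '-', '127.0.0.1', '::1' -and
    $_.User -notmatch '\$$'
}

# Password spray / brute force: many failures from one source, spread over many accounts.
$spray = $timeline | Where-Object Outcome -eq 'Failure' |
    Group-Object SourceIp | Where-Object Count -ge 20 |
    Select-Object @{n='SourceIp'; e={ $_.Name }}, Count,
                  @{n='Accounts'; e={ @($_.Group.User | Sort-Object -Unique).Count }},
                  @{n='Statuses'; e={ ($_.Group.Status | Sort-Object -Unique) -join ',' }}

$lateral | Sort-Object Time | Format-Table Time, User, LogonType, AuthPackage, SourceIp, Workstation -AutoSize
$spray   | Sort-Object Count -Descending | Format-Table -AutoSize
$timeline | Sort-Object Time |
    Export-Csv -Path "logon-timeline-$env:COMPUTERNAME-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv" -NoTypeInformation
```

Reading the Security log needs local administrator or Event Log Readers membership. To run the same query against a remote host, add `-ComputerName` to Get-WinEvent or wrap the block in Invoke-Command. When the filter must be on an EventData field rather than ID and time, `-FilterXPath` pushes that to the server too, for example `*[EventData[Data[@Name='LogonType']='3']]`.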
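
PS0.5 covers three persistence stores and a hash check. One way to sweep all three into a single findings table, as an added example that is not the course's own script (the path patterns and the list of scripting hosts are heuristics chosen here, not anything the page prescribes):

```powershell
# Added example (not from the course): one sweep over Run keys, services and scheduled
# tasks, normalised to one shape so the findings merge into a single table.
# Assumed: a Windows 8/2012+ host (Get-ScheduledTask) run with local admin rights.
$userWritable = '\\(Users|ProgramData|Temp|AppData|Public)\\'

# 1. Registry Run/RunOnce. HKCU is the *current* user only; for other profiles
#    mount HKU:\<SID> or load the NTUSER.DAT hive.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$registry = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    # Get-ItemProperty returns one object whose properties are the values; drop the PS* metadata.
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' |
        ForEach-Object { [pscustomobject]@{ Category = 'Registry'; Location = $key; Name = $_.Name; Command = $_.Value } }
}

# Shared helper: pull the executable out of a command line, quoted or not.
function Get-ExeFromCommand([string]$Command) {
    if     ($Command -match '^"([^"]+)"')  { $Matches[1] }
    elseif ($Command -match '^(.+?\.exe)') { $Matches[1] }
    else                                   { $null }
}

# 2. Services: binary in a user-writable path, or an unquoted path containing spaces
#    (a privilege-escalation foothold as well as a persistence tell).
$services = Get-CimInstance Win32_Service | ForEach-Object {
    if (-not $_.PathName) { return }
    $exe = Get-ExeFromCommand $_.PathName
    $unquoted = ($_.PathName -notmatch '^"') -and ($exe -match '\s')
    if ($exe -match $userWritable -or $unquoted) {
        [pscustomobject]@{ Category = 'Service'; Location = $_.Name
                           Name = "$($_.StartMode)/$($_.State)/$($_.StartName)"; Command = $_.PathName }
    }
}

# 3. Scheduled tasks: actions in user-writable paths or launching a scripting host.
#    Deliberately noisy (many Microsoft tasks use cmd/powershell); triage on Command.
$scriptHosts = '(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?$'
$tasks = Get-ScheduledTask | Where-Object State -ne 'Disabled' | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        if ($cmd -match $userWritable -or $action.Execute -match $scriptHosts) {
            [pscustomobject]@{ Category = 'ScheduledTask'; Location = $task.TaskPath; Name = $task.TaskName; Command = $cmd }
        }
    }
}

# 4. Hash every binary that still exists so it can be compared or looked up. 'missing'
#    is itself interesting: a deleted payload, or a path that only resolves elsewhere.
$findings = @($registry) + @($services) + @($tasks) | ForEach-Object {
    $exe  = [Environment]::ExpandEnvironmentVariables("$(Get-ExeFromCommand $_.Command)")
    $hash = if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
                (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
            } else { 'missing' }
    $_ | Add-Member -NotePropertyName Binary -NotePropertyValue $exe -PassThru |
         Add-Member -NotePropertyName SHA256 -NotePropertyValue $hash -PassThru
}

$findings | Sort-Object Category, Location | Format-Table Category, Location, Name, Command, SHA256 -AutoSize
$findings | Export-Csv -Path "persistence-$env:COMPUTERNAME-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv" -NoTypeInformation
```

Hashes are only useful against a baseline or a reputation source, so keep the CSV alongside the collection from the same host. Run as the same account on a known-clean build of the same image and diff the two tables to separate vendor noise from the attacker's additions.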
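
The M365 containment steps in PS0.6 (and the "M365 security commands" listed above) follow a fixed order: block sign-in, revoke sessions, then hunt for the mailbox changes a BEC actor leaves behind, and pull the sign-in history for scoping. The following is an added example, not the course's own material. The UPN is hypothetical, the operator is assumed to hold a role allowed to disable these users, and the Graph scope list is an assumption to verify against current Microsoft documentation before relying on it.

```powershell
# Added example (not from the course): contain one or more compromised M365 accounts.
# Assumed: hypothetical UPN; the operator's role may disable these users; the scope
# list below matches the tenant's consent (verify against current Microsoft docs).
function Invoke-AccountContainment {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$UserPrincipalName)

    foreach ($upn in $UserPrincipalName) {
        $user = Get-MgUser -UserId $upn -Property Id, UserPrincipalName, AccountEnabled -ErrorAction Stop

        # 1. Block sign-in FIRST, then revoke refresh tokens. Revoking before disabling
        #    only forces the attacker to re-authenticate with the credential they hold.
        Update-MgUser -UserId $user.Id -AccountEnabled:$false
        Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

        # 2. Mailbox-level forwarding and inbox rules: how a BEC actor hides replies.
        $mbx = Get-Mailbox -Identity $upn
        if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
            Write-Warning "$upn forwards to $($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress); clearing"
            Set-Mailbox -Identity $upn -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
        }
        $rules   = Get-InboxRule -Mailbox $upn -IncludeHidden
        $suspect = $rules | Where-Object {
            $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage -or
            $_.MoveToFolder -match 'RSS|Archive|Junk|Conversation History'
        }
        foreach ($rule in $suspect) {
            # Disable rather than delete: the rule definition is evidence.
            Disable-InboxRule -Mailbox $upn -Identity $rule.Identity -Confirm:$false
        }

        [pscustomobject]@{
            User          = $upn
            Disabled      = $true
            RulesTotal    = @($rules).Count
            RulesDisabled = @($suspect).Count
            Rules         = $suspect | Select-Object Name, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder
        }
    }
}

function Get-CompromiseSignIns {
    param([Parameter(Mandatory)][string]$UserPrincipalName, [int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    # Status.ErrorCode 0 is a successful sign-in; anything else is a failure code.
    Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$UserPrincipalName' and createdDateTime ge $since" -All |
        Select-Object CreatedDateTime, AppDisplayName, IPAddress,
            @{n='Location';  e={ "$($_.Location.City), $($_.Location.CountryOrRegion)" }},
            @{n='ErrorCode'; e={ $_.Status.ErrorCode }},
            ConditionalAccessStatus,
            @{n='OS';        e={ $_.DeviceDetail.OperatingSystem }},
            @{n='Browser';   e={ $_.DeviceDetail.Browser }} |
        Sort-Object CreatedDateTime -Descending
}

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'User.EnableDisableAccount.All', 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

$victim = 'j.morrison@northgate-eng.example'   # hypothetical UPN for the scenario
Invoke-AccountContainment -UserPrincipalName $victim | Format-List
Get-CompromiseSignIns -UserPrincipalName $victim | Format-Table -AutoSize

# Who created the rules, and from where? The unified audit log records rule changes
# (UpdateInboxRules is the Outlook client path) with the client IP.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -UserIds $victim `
    -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules -ResultSize 500 |
    Select-Object CreationDate, Operations, ClientIP, @{n='Detail'; e={ $_.AuditData }}
```

Invoke-AccountContainment takes an array, so the same call handles a bulk containment of every account a spray compromised. Sign-in log access through Graph requires an Entra ID P1 or P2 license on the tenant, and the function disables accounts without confirmation, so run it against a test user before the first real incident.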

Related courses

Practical Incident Response — The investigation methodology that PowerShell accelerates. IR uses PowerShell for evidence collection; this skill goes deep on the commands and scripts themselves.

Security Automation and Orchestration — Takes PowerShell automation further with Logic Apps, Azure Functions, and Sentinel integration. This skill builds the PowerShell foundation that course extends.

Endpoint Security Engineering — Uses PowerShell for configuration auditing and hardening verification. This skill teaches the PowerShell commands that course assumes you know.

About Ridgeline Skills

Skills are focused training on a single capability — practitioner-written content with the same depth standard as full Ridgeline courses. Not every topic needs 15 modules; Skills cover the ones that need proper treatment but don't warrant a full course.

Included with every Premium and Specialist subscription.