Free Tools for Security Operations

Production-ready references and interactive tools extracted from across the Ridgeline course catalog. Use them during investigations, share them with your team, bookmark them for 2 AM. Every tool links to the course that teaches the full methodology behind it.

No account required. No paywall. Built for practitioners.

Investigation & Response Tools

[Preview: DFIR RUNBOOKS · 1. TRIAGE ▸ Confirm · 2. SCOPE ▸ Map chain · 3. PRESERVE ▸ Collect · 4. CONTAIN ▸ Isolate · 5. VERIFY ▸ Confirm · 7 incident types · 6 phases each]
7 runbooks · Interactive

DFIR Investigation Runbooks

Structured response procedures for the incidents SOC analysts handle most often: identity compromise, malware, lateral movement, BEC, ransomware, data exfiltration, and privilege escalation. Six phases per runbook: triage, scope, preserve, contain, verify, handoff.

From: Practical IR · Incident Triage · Entra ID Security
[Preview: TRIAGE SCORECARD · Q1 Compromise evidence? · Q2 Multi-entity scope? · Q3 Active or historical? · + 5 more questions · SCORE: 0-7 FP · 8-14 TP · 15-20 CRITICAL]
Interactive · 8 questions

Incident Triage Scorecard

Classify any security alert in under 5 minutes. Eight questions that produce a defensible severity classification with recommended next steps. Works for identity, endpoint, email, and network alerts across cloud, Windows, and Linux.

From: Incident Triage and First Response (TR0)
[Preview: FORENSIC ARTIFACTS · HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run · C:\Windows\Prefetch\MIMIKATZ.EXE-A1B2C3D4.pf · C:\Windows\AppCompat\Programs\Amcache.hve · 25 artifacts · 7 categories]
25 artifacts · Searchable

Windows Forensic Artifacts Reference

Every artifact a responder needs — persistence mechanisms, execution evidence, file activity, network indicators, account usage, USB device history, and event log forensics. Registry paths, extraction tools, and what to look for.

From: Practical IR (IR3–IR5) · Incident Triage (TR3)
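Added example, not part of the Ridgeline reference: PowerShell that pulls the three artifact classes shown in the preview (Run-key persistence, Prefetch execution evidence, and the locked Amcache hive) from a live host. It assumes the standard C:\Windows locations, an evidence folder of C:\IR\collect, and an elevated prompt; the tool-name pattern passed to the Prefetch check is a placeholder to tune per case.

```powershell
# Added example; not from the Ridgeline reference. Collects the three artifact
# classes shown on the card from a live host. Run from an elevated prompt.
# Assumptions: default C:\Windows paths, C:\IR\collect as the evidence folder.

function Get-RunKeyPersistence {
    # Autostart values under the Run/RunOnce keys (persistence).
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # skip PSPath, PSChildName, ...
            [PSCustomObject]@{
                Artifact   = 'RunKey'
                Key        = $key
                Name       = $p.Name
                Command    = $p.Value
                # Binaries launched from user-writable locations deserve a second look
                Suspicious = [bool]($p.Value -match '\\(Temp|AppData|ProgramData|Users\\Public)\\')
            }
        }
    }
}

function Get-PrefetchEvidence {
    param([string]$NamePattern = 'MIMIKATZ|PROCDUMP|PSEXEC')   # assumption: tools of interest
    # One .pf per executable name plus a path hash; LastWriteTime is the last run.
    Get-ChildItem -Path 'C:\Windows\Prefetch' -Filter '*.pf' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $NamePattern } |
        ForEach-Object {
            [PSCustomObject]@{ Artifact = 'Prefetch'; File = $_.Name; LastRun = $_.LastWriteTime }
        }
}

function Copy-LockedArtifact {
    param(
        [string]$RelativePath = 'Windows\AppCompat\Programs\Amcache.hve',
        [string]$Destination  = 'C:\IR\collect'    # assumption: evidence folder
    )
    # Amcache.hve is held open by the OS, so Copy-Item fails on the live file.
    # Take a VSS snapshot and copy the file out of the snapshot instead.
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    $r = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
             -Arguments @{ Volume = 'C:\'; Context = 'ClientAccessible' }
    if ($r.ReturnValue -ne 0) { throw "Shadow copy creation failed (code $($r.ReturnValue))" }
    $shadow = Get-CimInstance -ClassName Win32_ShadowCopy | Where-Object ID -eq $r.ShadowID
    $source = "$($shadow.DeviceObject)\$RelativePath"
    # cmd's copy accepts \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN paths; Copy-Item does not.
    & cmd.exe /c copy /y "$source" "$Destination" | Out-Null
    $copy = Join-Path $Destination (Split-Path $RelativePath -Leaf)
    $shadow | Remove-CimInstance                   # drop the snapshot once the copy exists
    Get-FileHash -Path $copy -Algorithm SHA256     # record the hash at collection time
}

# Usage:
# Get-RunKeyPersistence | Where-Object Suspicious | Format-Table -AutoSize
# Get-PrefetchEvidence
# Copy-LockedArtifact
```

Hashing the Amcache copy before the snapshot is released is deliberate: the hash recorded at collection time is what a later analyst compares against, and the snapshot itself is not preserved.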
[Preview: EVENT ID REFERENCE · 4624 Successful Logon · 4625 Failed Logon · 4688 Process Creation · 4698 Scheduled Task Created · 1102 Audit Log Cleared · 40+ IDs · Security · Sysmon · PowerShell · Defender]
40+ events · 12 categories

Windows Event ID Reference

The event IDs that matter for security operations — authentication, process creation, Sysmon, PowerShell, Defender, Kerberos, and more. What each event means, which log it lives in, and what to look for during an investigation.

From: Practical IR (IR5) · Endpoint Security (ES11)
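Added example, not part of the Ridgeline reference: PowerShell that pulls the five Security-log events named in the preview for the last N hours, flattens the fields a responder pivots on, and then applies one detection over the result (failed-logon bursts by source address). It assumes an elevated prompt and the standard Windows event schemas; the burst threshold and the spray/brute-force cutoff are assumptions to tune.

```powershell
# Added example; not from the Ridgeline reference. Pulls the card's five Security
# events for the last N hours and flattens the fields a responder pivots on.
# Reading the Security log needs an elevated prompt. Field names follow the
# standard Windows event schemas.

function Get-SecurityTriageEvents {
    param([int]$Hours = 24)

    $filter = @{
        LogName   = 'Security'
        Id        = 4624, 4625, 4688, 4698, 1102
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        if ($xml.Event.EventData) {
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        } elseif ($xml.Event.UserData) {
            # 1102 carries its fields under UserData/LogFileCleared rather than EventData
            foreach ($n in $xml.Event.UserData.FirstChild.ChildNodes) { $data[$n.Name] = $n.InnerText }
        }
        $summary = switch ($_.Id) {
            4624 { "Logon type $($data.LogonType): $($data.TargetDomainName)\$($data.TargetUserName) from $($data.IpAddress)" }
            4625 { "Failed logon: $($data.TargetUserName) from $($data.IpAddress) (status $($data.Status))" }
            # CommandLine is empty unless 'Include command line in process creation events' is enabled
            4688 { "$($data.NewProcessName) $($data.CommandLine)" }
            4698 { "Task $($data.TaskName) created by $($data.SubjectUserName)" }
            1102 { "Security log cleared by $($data.SubjectDomainName)\$($data.SubjectUserName)" }
        }
        [PSCustomObject]@{ Time = $_.TimeCreated; Id = $_.Id; Host = $_.MachineName; Summary = $summary; Data = $data }
    }
}

function Find-FailedLogonBursts {
    # Many 4625s from one source: many distinct accounts suggests a spray,
    # one or a few accounts suggests brute force. Thresholds are assumptions.
    param([Parameter(Mandatory)][object[]]$Events, [int]$Threshold = 10)
    $Events | Where-Object Id -eq 4625 |
        Group-Object { $_.Data.IpAddress } |
        Where-Object Count -ge $Threshold |
        ForEach-Object {
            $accounts = @($_.Group | ForEach-Object { $_.Data.TargetUserName } | Sort-Object -Unique)
            [PSCustomObject]@{
                SourceIp = $_.Name
                Failures = $_.Count
                Accounts = $accounts.Count
                Pattern  = $(if ($accounts.Count -gt 3) { 'Spray' } else { 'BruteForce' })
            }
        }
}

# Usage:
# $ev = Get-SecurityTriageEvents -Hours 24
# $ev | Where-Object { $_.Id -in 1102, 4698 } | Format-Table Time, Host, Summary -AutoSize
# Find-FailedLogonBursts -Events $ev
```

The XML round trip is what makes the output usable: the `Message` string differs by locale and build, while the `EventData`/`UserData` field names are stable, so filters written against `Data` survive across hosts.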

Detection & Endpoint Tools

[Preview: KQL QUERY LIBRARY · DeviceProcessEvents | where Timestamp > ago(1h) | where FileName =~ "rundll32.exe" | where ProcessCommandLine has_all ("comsvcs", "MiniDump") | project DeviceName, AccountName · 35+ queries · 11 ATT&CK tactics]
35+ queries · Filterable

KQL Query Reference

Production KQL queries for Microsoft Sentinel and Defender XDR. Organized by ATT&CK tactic — credential access, lateral movement, persistence, defense evasion, exfiltration. Searchable, filterable, copy-ready.

From: Detection Engineering · Endpoint Security · Threat Hunting · Mastering KQL
[Preview: ASR RULES REFERENCE · SAFE SET: Block · CAREFUL SET: Exclusions · HIGH-RISK SET: Audit only · 18 rules · ATT&CK mapped · FP analysis]
18 rules · Categorized

ASR Rules Quick Reference

Every Attack Surface Reduction rule categorized by deployment risk: Safe, Careful, and High-Risk. Each rule includes the ATT&CK technique it defends against, common false positives, a recommended audit period, and deployment guidance.

From: Endpoint Security Engineering (ES4)
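Added example, not part of the Ridgeline reference: the audit-then-block workflow the card's "recommended audit period" and FP analysis rest on, in PowerShell. It reads the current rule states, stages one rule in audit mode, and then summarizes what that rule would have blocked from the Defender operational log. The two GUIDs are Microsoft's published IDs for the rules named; the 14-day window and the Defender event field names (`ID`, `Process Name`, `Path`, `User`) are assumptions to verify on your build.

```powershell
# Added example; not from the Ridgeline reference. Stages an ASR rule in audit
# mode and reviews what it would have blocked before the switch to Block.
# GUIDs are Microsoft's published IDs for the two rules named; the 14-day
# window and the Defender event field names are assumptions to verify.

$AsrRules = @{
    'Block credential stealing from LSASS'                 = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Block process creations from PSExec and WMI commands' = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'
}

function Get-AsrRuleState {
    # Get-MpPreference exposes two parallel arrays: Ids[i] is governed by Actions[i]
    # (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).
    $pref  = Get-MpPreference
    $names = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        [PSCustomObject]@{
            RuleId = $pref.AttackSurfaceReductionRules_Ids[$i]
            Action = $names[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
        }
    }
}

function Set-AsrRuleAudit {
    param([Parameter(Mandatory)][string]$RuleId)
    # Add-MpPreference adds or updates just this rule; Set-MpPreference would
    # replace the whole list and silently drop rules set by other tooling.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions AuditMode
}

function Get-AsrAuditHits {
    param([string]$RuleId, [int]$Days = 14)   # assumption: 14-day audit window
    # Defender logs 1122 (audit: would have blocked) and 1121 (blocked) to its
    # operational channel. Grouping by process shows the top offenders: either
    # exclusion candidates or evidence that the rule is safe to flip to Block.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml(); $d = @{}
        foreach ($x in $xml.Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
        [PSCustomObject]@{
            Time    = $_.TimeCreated
            Mode    = $(if ($_.Id -eq 1122) { 'Audit' } else { 'Block' })
            RuleId  = $d['ID']              # assumption: field names as seen in the Defender log
            Process = $d['Process Name']
            Target  = $d['Path']
            User    = $d['User']
        }
    } |
    Where-Object { -not $RuleId -or $_.RuleId -eq $RuleId } |
    Group-Object Process | Sort-Object Count -Descending |
    Select-Object Count, @{ Name = 'Process'; Expression = { $_.Name } }
}

# Usage: stage the LSASS rule in audit, come back after the audit period.
# Set-AsrRuleAudit -RuleId $AsrRules['Block credential stealing from LSASS']
# Get-AsrRuleState
# Get-AsrAuditHits -RuleId $AsrRules['Block credential stealing from LSASS'] -Days 14
```

If the audit summary is dominated by one signed, well-known process (a backup agent, an EDR component), that is an exclusion decision; if it is scattered across user-launched tools, that is the evidence the rule can move to Block.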
[Preview: POWERSHELL FOR SECOPS · PS> Get-Process | Where-Object { $_.Path -match "temp" } · PS> Get-NetTCPConnection -State Established · PS> Get-MpComputerStatus · 25+ commands · 9 ATT&CK tactics]
25+ commands · ATT&CK mapped

PowerShell for Security Operations

The PowerShell commands defenders actually use during investigations and triage. Organized by ATT&CK tactic — discovery, persistence, credential access, lateral movement, collection, defense evasion, exfiltration, and containment actions.

From: Practical IR · Incident Triage · Endpoint Security
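Added example, not part of the Ridgeline reference: the three preview one-liners joined into one triage view. Every established connection is mapped to its owning process, image path, signature status, and whether the image lives under a user-writable directory, followed by a Defender health check. It assumes an elevated prompt (so other users' process paths resolve); the user-writable path list and the "internal" address ranges are assumptions to tune per estate.

```powershell
# Added example; not from the Ridgeline reference. Joins Get-NetTCPConnection and
# Get-Process into a single triage view and adds a Defender health check.
# Run elevated so OwningProcess, Path and UserName resolve for all processes.

function Get-SuspiciousConnections {
    param(
        # Locations a legitimate service binary rarely runs from (assumption: tune per estate)
        [string]$UserWritable = '\\(Temp|AppData\\Local|AppData\\Roaming|ProgramData|Users\\Public|Downloads)\\',
        # RFC 1918, loopback and link-local; anything else is treated as external (assumption)
        [string]$Internal = '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|::1$|fe80:)'
    )
    # Index processes by PID once; OwningProcess is UInt32, Get-Process Id is Int32,
    # so cast on lookup or the hashtable never matches.
    $procs = @{}
    Get-Process -IncludeUserName -ErrorAction SilentlyContinue | ForEach-Object { $procs[$_.Id] = $_ }

    Get-NetTCPConnection -State Established | ForEach-Object {
        $p    = $procs[[int]$_.OwningProcess]
        $path = if ($p) { $p.Path } else { $null }
        [PSCustomObject]@{
            Pid          = $_.OwningProcess
            Process      = $(if ($p) { $p.ProcessName } else { '<unknown>' })
            User         = $(if ($p) { $p.UserName } else { $null })
            Path         = $path
            Remote       = "$($_.RemoteAddress):$($_.RemotePort)"
            External     = ($_.RemoteAddress -notmatch $Internal)
            # Unsigned or tampered image talking out of the box is the classic first pivot
            Unsigned     = $(if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status -ne 'Valid' } else { $null })
            WritablePath = [bool]($path -match $UserWritable)
        }
    } | Sort-Object @{ Expression = 'WritablePath'; Descending = $true },
                    @{ Expression = 'External';     Descending = $true }
}

function Get-DefenderHealth {
    # Get-MpComputerStatus: the fields that decide whether this host is actually protected
    $s = Get-MpComputerStatus
    [PSCustomObject]@{
        RealTime = $s.RealTimeProtectionEnabled
        Tamper   = $s.IsTamperProtected
        SigAge   = $s.AntivirusSignatureAge    # days since the last signature update
        Degraded = (-not $s.RealTimeProtectionEnabled) -or ($s.AntivirusSignatureAge -gt 3)   # 3 days is an assumption
    }
}

# Usage:
# Get-SuspiciousConnections | Where-Object { $_.WritablePath -or $_.Unsigned -or $_.External } | Format-Table -AutoSize
# Get-DefenderHealth
```

The join is the point: `Get-NetTCPConnection` alone gives you a PID, and `Get-Process` alone gives you a path; an investigation needs both on the same row, plus the signature check, before deciding which connection to chase first.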

Every tool is extracted from a Ridgeline course.

The tools give you the reference. The courses teach the methodology, judgment, and operational context. Browse All Courses or start a free module.