Ridgeline releases SOC toolset
Ridgeline Cyber published free SOC analyst resources including DFIR runbooks, Windows artifacts/Event ID lists, PowerShell tools for SecOps, KQL queries adaptable to Splunk SPL, and guidance for lab setups. The collection is framed as practical material analysts can use for detection engineering and onboarding. (x.com)
Ridgeline Cyber has published a free toolkit for security operations center analysts, bundling investigation runbooks, query packs, forensic references, and lab setup guides. (training.ridgelinecyber.com) The collection is live on Ridgeline’s training site and is available without an account or paywall, according to the company’s tools page.

It includes more than 35 production Kusto Query Language queries for Microsoft Sentinel and Defender XDR, plus an Attack Surface Reduction rules reference and an eight-question triage scorecard. (training.ridgelinecyber.com)

Ridgeline also published seven digital forensics and incident response runbooks for identity compromise, malware infection, lateral movement, business email compromise, ransomware, data exfiltration, and privilege escalation. Each runbook walks analysts through triage, evidence collection, scoping queries, containment actions, and handoff requirements. (training.ridgelinecyber.com)

For Windows investigations, the company added a searchable artifact reference covering more than 25 artifacts across seven categories, including persistence, execution evidence, file activity, network indicators, USB history, and event logs. Each entry lists the registry path or file location, the extraction tool, and the investigative question it can answer. (training.ridgelinecyber.com)

A security operations center is the team that watches alerts and investigates suspicious activity, and these toolkits target the repetitive work that often slows junior analysts first. Ridgeline’s own description frames the materials as “production-ready” references that can be used during live investigations and shared across teams. (training.ridgelinecyber.com) The package also reflects the way many security teams now split their work between endpoint evidence and cloud logs.
Ridgeline’s downloads page includes 10 threat-hunting queries, 29 Sentinel analytics rules, and five investigation playbooks focused on Microsoft 365 attack paths such as adversary-in-the-middle phishing, token replay, consent phishing, and insider-threat exfiltration. (training.ridgelinecyber.com)

The lab guide is aimed at analysts who need a practice environment before they touch production systems. Ridgeline says the setup uses VMware Workstation Pro, Windows 11, Ubuntu, a Microsoft 365 E5 developer tenant, Azure Sentinel, and free tools including Kroll Artifact Parser and Extractor, Eric Zimmerman Tools, Volatility 3, Sysmon, and Velociraptor. (training.ridgelinecyber.com)

In a free training module tied to the toolkit, Ridgeline says a clean workstation can be prepared in 90 to 120 minutes and that the setup covers Kroll Artifact Parser and Extractor for triage collection, Velociraptor for remote evidence collection, Volatility 3 for memory analysis, and PowerShell remoting for native response. The company says paid enterprise alternatives such as Splunk, Magnet AXIOM Cyber, and Binalyze AIR are discussed but not required. (training.ridgelinecyber.com)

Ridgeline has also been using the same no-signup model for other free materials on its main site, including incident response plans, risk registers, and policy templates. This release extends that approach into day-to-day analyst workflows: what to check first, which logs to query, and how to build a lab before the 2 a.m. alert arrives. (ridgelinecyber.com)