Six production Sentinel KQL rules. MIT licensed.
Identity, AWS, Defender XDR coverage. Every rule maps to a MITRE ATT&CK technique, ships with a documented noise profile, and has run in at least one production tenant for thirty days.
No email gate. No signup. The zip is the zip.
Six rules. Six attack techniques covered.
- entra-impossible-token-replay.kql: Catches OAuth refresh-token replay across geographies. T1078.004 + T1550.
- graph-mass-permission-grant.kql: Flags a principal granting high-impact Graph scopes tenant-wide. T1098.003.
- defender-encoded-powershell-non-it.kql: EncodedCommand PowerShell from a non-IT principal, SID-filtered. T1059.001.
- activity-policy-change-outside-window.kql: Azure Policy changes outside the documented change window. T1562.001.
- aws-cloudtrail-console-login-new-ip-no-mfa.kql: AWS console login without MFA from a never-seen IP. T1078.004.
- sentinel-incident-fanout-dedupe.kql: Deduplicates Defender-XDR-sourced incidents so SOAR fan-out stays clean.
The four questions people ask first.
- What does this cost?
- Nothing. MIT licensed. Use it, fork it, ship it. The pack exists because every detection engagement we close ends with the client owning these rules in their repo. Open-sourcing the starter set is cheaper than re-explaining the noise tuning on every kickoff call.
- Will it work without the M365D connector?
- Three rules need it. Three do not. Every rule's header comment lists the exact tables it queries, so missing-table errors surface immediately rather than silently doing nothing.
- Do I have to give you my email?
- No. The download is one click below. The email field is optional and only feeds the monthly field notes if you want them.
- What if a rule misfires in my tenant?
- Every rule has a TUNE: block in the header naming the parameters that matter. If you hit a noise pattern not covered by the TUNE block, email support@kemettech.net with the false-positive sample and we will publish the fix.
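To show what the header convention above looks like in practice (a table list so a missing connector fails loudly, and a TUNE block naming the knobs), here is an illustrative rule in the style of the encoded-PowerShell entry. It is example code written for this page, not one of the pack's six rules; the SID in it_sids is a constructed placeholder and the regex and time windows are assumptions you would adjust per tenant.

```kql
// Rule:   encoded-powershell-non-it (illustrative example, not a pack rule)
// Tables: DeviceProcessEvents  (requires the Microsoft 365 Defender connector;
//         if the connector is absent the query errors on the table name
//         instead of silently returning nothing)
// MITRE:  T1059.001
// TUNE:
//   it_sids   - account SIDs permitted to run encoded PowerShell (IT automation, EDR agents)
//   lookback  - how far back each scheduled run looks
//   bucket    - aggregation window used to collapse repeated launches into one row
let lookback = 1h;
let bucket   = 15m;
// Placeholder SID; replace with the real SIDs of approved automation accounts.
let it_sids  = dynamic(["S-1-5-21-PLACEHOLDER-1104"]);
DeviceProcessEvents
| where TimeGenerated > ago(lookback)
| where FileName in~ ("powershell.exe", "pwsh.exe")
// Match the -e / -ec / -enc / -EncodedCommand switch followed by the payload.
| where ProcessCommandLine matches regex @"(?i)\s-(e|ec|en|enc|enco|encodedcommand)\s"
| where AccountSid !in (it_sids)
| summarize Launches = count(),
            Devices  = make_set(DeviceName, 20),
            Sample   = take_any(ProcessCommandLine),
            Parent   = take_any(InitiatingProcessFileName)
          by AccountSid, AccountName, bin(TimeGenerated, bucket)
| order by Launches desc
```

Keeping every tunable in a let statement at the top means a reviewer tuning a false positive edits one line and never touches the detection logic; the summarize by SID and time bucket keeps one noisy host from generating dozens of incidents per run.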
Want the full detection-engineering engagement?
The pack is the first six rules. A typical engagement ships forty to sixty rules tuned to your tenant, plus SOAR playbooks and a rule retirement plan for whatever your incumbent SIEM is muting today.
See the detection engagement →