URL-Based IOC Validation for Microsoft Defender KQL – Technology Security Information

How It Works

This feature in Uncoder AI demonstrates how to validate and optimize URL-based detection logic for Microsoft Defender for Endpoint, using Kusto Query Language (KQL). In the example shown, the input consists of remote access indicators from CERT-UA#11689 (WRECKSTEEL), which include phishing domains and command-and-control endpoints.

Detection Pattern:

The KQL query performs the following actions:

Uses the union * operator to query across all tables
Applies a where clause that filters events by the RemoteUrl field
Matches against multiple attacker-controlled URLs such as:
- "mfashara.com"
- "звернення.zip"

These indicators are linked to clipboard-delivered PowerShell stealers and data exfiltration infrastructure.

On the right, Uncoder AI runs an AI-driven validation, breaking down the query syntax, field existence, and performance characteristics.

Explore Uncoder AI

Why It’s Innovative

Traditional KQL writing requires security engineers to manually:

Confirm syntax across datasets
Validate that fields like RemoteUrl exist
Account for performance tradeoffs when using union *

Uncoder AI automates this. It identifies:

Whether RemoteUrl is universally supported across queried tables
Whether regular expressions are appropriate or inefficient
If structural changes (e.g., reducing scope of union) could improve performance

AI also flags edge cases — for instance, use of non-English URLs or regex-heavy queries — ensuring the detection remains effective without slowing the system.

Explore Uncoder AI

Operational Value / Results / Benefits

Accurate Threat Filtering

The query filters for known malicious URLs that may appear in remote PowerShell or web-based executions — matching both phishing and beaconing behavior.

Optimized Detection Design

Uncoder AI recommends structural changes (like avoiding wildcard unions or simplifying regex) to prevent performance issues in large production datasets.

SOC-Ready Validation

Before deploying to production, analysts receive clear signals on field presence, schema compatibility, and testing best practices — all guided by AI.

The post URL-Based IOC Validation for Microsoft Defender KQL appeared first on SOC Prime.

How It Works

Detection Pattern:

Why It’s Innovative

Operational Value / Results / Benefits

Accurate Threat Filtering

Optimized Detection Design

SOC-Ready Validation

Related Posts

UAC-0185 aka UNC4221 Attack Detection: Hackers Target the Ukrainian Defense Forces and Military-Industrial Complex

Driving Business Growth in Turbulent Times from the Perspective of SOC Prime’s Director of People and Culture: Part II

Secret Blizzard Attack Detection: The russia-Linked APT Group Targets Ukraine via Amadey Malware to Deploy the Updated Kazuar Backdoor Version

How to Deal with the Warning: “No ‘Basic Authorization’ header, send 401 and ‘WWW-Authenticate Basic’”