
How It Works
This Uncoder AI feature enables instant creation of detection queries for VMware Carbon Black Cloud using structured threat intelligence, such as that from CERT-UA#12463. In this case, Uncoder AI processes indicators associated with UAC-0099 activity and formats them into a syntactically correct domain query.
Parsed Threat Data
The source threat report includes domain names used in malicious network connections:
update.win.app.com
captcha-challenge.com
webappapiservice.life
newyorkttimes.life
Uncoder AI structures these indicators into a valid Carbon Black query. Note that the generated query also contains ukr.net, which is not among the four domains listed above; ukr.net is the domain of a widely used Ukrainian email portal, so that term would match legitimate traffic and should be reviewed before the query is deployed:
(netconn_domain:update.win.app.com OR netconn_domain:ukr.net OR netconn_domain:captcha-challenge.com OR netconn_domain:newyorkttimes.life OR netconn_domain:webappapiservice.life)
This query can be used as-is in Carbon Black Cloud to surface endpoint network connections (netconn events) whose destination domain matches one of the indicators, whatever the protocol. One caveat: a connection made directly to an IP address with no resolved domain carries no netconn_domain value and will not match, so IP indicators, where a report supplies them, should be queried separately through the corresponding IP field.
Why It’s Innovative
AI-Powered Query Structuring
Uncoder AI automates both the IOC extraction and the detection rule generation. The AI understands the required schema for Carbon Black (e.g., using the netconn_domain field), eliminating the need for analysts to manually map threat intelligence into platform-specific syntax.
Built-In Syntax Validation
A unique innovation of this feature is live AI-driven validation of the generated query:
- Ensures field-value pairs are structured using the correct delimiter (:)
- Verifies usage of logical operators (OR)
- Aligns to the Carbon Black Cloud schema, confirming that netconn_domain is a valid, indexed field
- Highlights possible performance considerations if OR chains are long or if datasets are large
The validation process mimics how Carbon Black Cloud parses queries — reducing chances of misconfiguration and improving confidence in deployment.
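As an added example, not code from the original post or from Uncoder AI, the following Python builds the same netconn_domain query from the parsed indicators and then applies the kinds of checks described above (the ':' delimiter, the uppercase OR operator, the field name, and the length of the OR chain). The field allow-list and the OR-chain threshold are assumptions chosen for illustration, not documented Carbon Black Cloud limits; ukr.net is included in the constructed input because it appears in the generated query shown earlier. It also normalizes defanged indicators (hxxps://, [.]) as they commonly appear in threat reports, which goes beyond the specific case in the text.

```python
import re

# Constructed input: the indicators shown in the page's generated query
# (ukr.net appears in that query but not in the parsed list above).
IOC_DOMAINS = [
    "update.win.app.com",
    "ukr.net",
    "captcha-challenge.com",
    "newyorkttimes.life",
    "webappapiservice.life",
]

# Assumption: a small allow-list of Carbon Black Cloud search fields used for
# illustration; only netconn_domain is taken from the page.
KNOWN_FIELDS = {"netconn_domain", "netconn_ipv4", "process_name", "process_hash"}

# Assumption: an illustrative threshold for flagging long OR chains, not a
# documented platform limit.
MAX_OR_TERMS = 50

# Hostname: dot-separated labels, alphanumeric with inner hyphens, alphabetic TLD.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def normalize_domain(raw):
    """Turn a domain as written in a threat report into a bare lowercase hostname.
    Handles defanged forms (hxxps://, [.]) and stray URL paths; rejects non-hostnames."""
    d = raw.strip().lower()
    d = d.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    d = re.sub(r"^(?:hxxps?|https?)://", "", d)
    d = d.split("/")[0].rstrip(".")
    if not DOMAIN_RE.match(d):
        raise ValueError(f"not a valid domain indicator: {raw!r}")
    return d


def build_query(domains, field="netconn_domain"):
    """Build a parenthesised OR chain of field:value terms, de-duplicated, order kept."""
    hosts = dict.fromkeys(normalize_domain(d) for d in domains)
    terms = [f"{field}:{h}" for h in hosts]
    if not terms:
        raise ValueError("no indicators to query")
    return "(" + " OR ".join(terms) + ")"


def validate_query(query, known_fields=KNOWN_FIELDS, max_or_terms=MAX_OR_TERMS):
    """Check a simple OR-chain query the way the page describes: ':' delimiter,
    uppercase OR operator, known field names, hostname values, chain length.
    Returns (errors, warnings); an empty errors list means the query is usable."""
    errors, warnings = [], []
    body = query.strip()
    if body.count("(") != body.count(")"):
        errors.append("unbalanced parentheses")
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1].strip()
    # Lucene-style operators are case-sensitive: a lowercase 'or' is read as a term.
    if re.search(r"\s(?:or|and|not)\s", body):
        errors.append("lowercase boolean operator found; use OR/AND/NOT")
    clauses = [c.strip("() ") for c in re.split(r"\s+OR\s+", body)]
    for c in clauses:
        if ":" not in c:
            errors.append(f"clause lacks ':' delimiter: {c!r}")
            continue
        field, _, value = c.partition(":")
        if field not in known_fields:
            errors.append(f"unknown field: {field!r}")
        if not value:
            errors.append(f"empty value for field {field!r}")
        elif field == "netconn_domain" and not DOMAIN_RE.match(value):
            errors.append(f"netconn_domain value is not a hostname: {value!r}")
    if len(clauses) > max_or_terms:
        warnings.append(
            f"OR chain has {len(clauses)} terms; consider a watchlist or splitting the query"
        )
    return errors, warnings


if __name__ == "__main__":
    q = build_query(IOC_DOMAINS)
    print(q)
    print(validate_query(q))
```

The validator deliberately only understands flat OR chains of field:value terms, which is the shape of the query on this page; queries mixing AND/NOT, nested groups, wildcards or quoted values would need a real parser. The OR-chain warning is the practical signal here: a report with hundreds of domains is better loaded as a watchlist or feed than pasted into one search.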
Operational Value
This feature benefits SOC teams and detection engineers by:
- Accelerating query creation for known adversary infrastructure
- Reducing errors via AI validation of syntax, logic, and schema alignment
- Enabling proactive threat hunting, especially for phishing and malware delivery domains
- Improving consistency of query formatting across analysts and teams
The query generated in this case enables Carbon Black users to detect connections to known attacker domains tied to UAC-0099 and apply enforcement or further investigation.
The post AI-Assisted Domain Detection Logic for Carbon Black in Uncoder AI appeared first on SOC Prime.