AI-Assisted Domain Detection Logic for Carbon Black in Uncoder AI

How It Works

This Uncoder AI feature enables instant creation of detection queries for VMware Carbon Black Cloud using structured threat intelligence, such as that from CERT-UA#12463. In this case, Uncoder AI processes indicators associated with UAC-0099 activity and formats them into a syntactically correct domain query.

Parsed Threat Data

The source threat report includes domain names used in malicious network connections:

  • update.win.app.com
  • captcha-challenge.com
  • webappapiservice.life
  • newyorkttimes.life

Uncoder AI structures these indicators into a valid Carbon Black query:

(netconn_domain:update.win.app.com OR netconn_domain:ukr.net OR netconn_domain:captcha-challenge.com OR netconn_domain:newyorkttimes.life OR netconn_domain:webappapiservice.life)


This syntax is designed for immediate use in the Carbon Black Cloud platform to surface network connection events from endpoints whose destination resolved to one of these domains. One caveat before deployment: the generated query also carries netconn_domain:ukr.net, and ukr.net is a widely used Ukrainian webmail provider, so that term will match large volumes of legitimate traffic. Review each indicator in context and drop or scope such terms rather than alerting on the list exactly as generated.

Why It’s Innovative

AI-Powered Query Structuring

Uncoder AI automates both the IOC extraction and the detection rule generation. The AI understands the required schema for Carbon Black (e.g., using the netconn_domain field), eliminating the need for analysts to manually map threat intelligence into platform-specific syntax.

Built-In Syntax Validation

A unique innovation of this feature is live AI-driven validation of the generated query:

  • Ensures field-value pairs are structured using the correct delimiter (:)
  • Verifies usage of logical operators (OR)
  • Aligns to the Carbon Black Cloud schema, confirming that netconn_domain is a valid, indexed field
  • Highlights possible performance considerations if OR chains are long or if datasets are large

The validation process mimics how Carbon Black Cloud parses queries — reducing chances of misconfiguration and improving confidence in deployment.
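The two steps above, turning a raw indicator list into a netconn_domain OR chain and then checking that chain for the delimiter, operator, field and chain-length problems just listed, as one added example. This is illustrative code written for this page, not Uncoder AI's or Carbon Black's own implementation; the sample indicator list is constructed (the post's five domains plus some deliberately dirty entries), the hostname grammar and the 50-term chunk limit are assumptions, and the validator checks the query text only, not what Carbon Black Cloud would return.

```python
from __future__ import annotations

import re
from typing import Iterable, Optional

# Constructed sample input (not taken from the report): the domains in the post's
# query plus deliberately dirty entries to exercise normalization.
SAMPLE_IOCS = [
    "update.win.app.com",
    "ukr.net",
    "captcha-challenge.com",
    "newyorkttimes.life",
    "webappapiservice.life",
    " NewYorkTTimes.LIFE. ",                    # same domain, different case, trailing dot
    "hxxps://captcha-challenge[.]com/verify",   # defanged URL instead of a bare domain
    "not a domain",                             # must be rejected, not passed through
]

# The query shown in the post, used to check the validator against real output.
POST_QUERY = ("(netconn_domain:update.win.app.com OR netconn_domain:ukr.net OR "
              "netconn_domain:captcha-challenge.com OR netconn_domain:newyorkttimes.life OR "
              "netconn_domain:webappapiservice.life)")

# Assumed conservative hostname grammar (letters, digits, hyphens, dots). Values
# outside it are rejected rather than escaped, so the emitted query never carries
# characters the search engine could treat as syntax.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN_RE = re.compile(rf"(?:{_LABEL}\.)+{_LABEL}")


def normalize_domain(raw: str) -> Optional[str]:
    """Refang, lower-case, strip scheme/path/port and trailing dot; None if invalid."""
    s = raw.strip().lower().replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"^[a-z][a-z0-9+.-]*://", "", s)   # http://, hxxps://, ...
    s = s.split("/", 1)[0].split(":", 1)[0]        # drop path and port
    s = s.rstrip(".")
    return s if _DOMAIN_RE.fullmatch(s) else None


def extract_domains(iocs: Iterable[str]) -> tuple[list[str], list[str]]:
    """Return (unique valid domains in first-seen order, rejected raw inputs)."""
    seen: set[str] = set()
    valid: list[str] = []
    rejected: list[str] = []
    for raw in iocs:
        d = normalize_domain(raw)
        if d is None:
            rejected.append(raw)
        elif d not in seen:
            seen.add(d)
            valid.append(d)
    return valid, rejected


def build_queries(domains: list[str], field: str = "netconn_domain",
                  max_terms: int = 50) -> list[str]:
    """Emit one parenthesised OR group per chunk of max_terms domains (assumed limit)."""
    return [
        "(" + " OR ".join(f"{field}:{d}" for d in domains[i:i + max_terms]) + ")"
        for i in range(0, len(domains), max_terms)
    ]


def validate_query(query: str, field: str = "netconn_domain",
                   max_terms: int = 50) -> list[str]:
    """Return a list of problems found in the query text (empty means it passed)."""
    problems: list[str] = []
    body = query
    if query.startswith("(") and query.endswith(")"):
        body = query[1:-1]
    else:
        problems.append("query is not wrapped in parentheses")
    # Every whitespace-delimited token between terms must be the upper-case OR.
    for op in re.findall(r"\s(\S+)\s", body):
        if op != "OR":
            problems.append(f"unexpected operator {op!r} (only upper-case OR allowed)")
    terms = body.split(" OR ")
    if len(terms) > max_terms:
        problems.append(f"{len(terms)} OR terms exceeds {max_terms}; split the query")
    seen: set[str] = set()
    for term in terms:
        if ":" not in term:
            problems.append(f"term {term!r} lacks the ':' field delimiter")
            continue
        f, v = term.split(":", 1)
        if f != field:
            problems.append(f"term {term!r} uses field {f!r}, expected {field!r}")
        if not _DOMAIN_RE.fullmatch(v):
            problems.append(f"term {term!r} has an invalid domain value")
        if v in seen:
            problems.append(f"duplicate term {term!r}")
        seen.add(v)
    return problems


if __name__ == "__main__":
    domains, rejected = extract_domains(SAMPLE_IOCS)
    print("rejected:", rejected)
    for q in build_queries(domains):
        print(q, "->", validate_query(q) or "OK")
    print("post query:", validate_query(POST_QUERY) or "OK")
```

Normalization does the work that makes the validator meaningful: defanged or URL-shaped indicators collapse to the same bare domain, duplicates are dropped, and anything that is not a plain hostname is rejected up front instead of being smuggled into the query. Lowering max_terms splits a long indicator list into several smaller OR groups, which is the practical answer to the chain-length warning above.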

Operational Value

This feature benefits SOC teams and detection engineers by:

  • Accelerating query creation for known adversary infrastructure
  • Reducing errors via AI validation of syntax, logic, and schema alignment
  • Enabling proactive threat hunting, especially for phishing and malware delivery domains
  • Improving consistency of query formatting across analysts and teams

The query generated in this case lets Carbon Black users surface endpoint connections to the attacker domains tied to UAC-0099 and then either block them or investigate further.


The post AI-Assisted Domain Detection Logic for Carbon Black in Uncoder AI appeared first on SOC Prime.