
How It Works
1. IOC Parsing from Threat Report
Uncoder AI automatically identifies and extracts key observables from the threat report, including:
- Malicious domains, for example:
  - docs.google.com.spreadsheets.d.l1p6eeakedbmwteh36vana6hu-glaekssht-boujdk.zhblz.com
  - mail.zhblz.com
  - doc.gmail.com.gyehdhhrggdi1323sdnhnsiwvh2uhdqjwdhhfjcjeuejcj.zhblz.com
These IOCs are used by the adversary for phishing and staging access to victim mailboxes.
2. Sentinel-Compatible KQL Generation
Uncoder AI then outputs a Microsoft Sentinel query built on the KQL search operator:
search (@"docs.google.com.spreadsheets.d.l1p6eeakedbmwteh36vana6hu-glaekssht-boujdk.zhblz.com"
or @"mail.zhblz.com"
or @"doc.gmail.com.gyehdhhrggdi1323sdnhnsiwvh2uhdqjwdhhfjcjeuejcj.zhblz.com")
- Search scope: without an in (...) clause, the search operator scans every table in the workspace (DNS, proxy, firewall, Defender, and so on). That is convenient for a first pass but expensive on large workspaces; once you know which tables hold the relevant telemetry, narrow the query with search in (Table1, Table2) and a time range.
- Use of @"" syntax: @"..." is a KQL verbatim string literal, so backslashes and other special characters inside the quotes are taken literally rather than as escape sequences, and long or unusual domain names do not cause parse errors.
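The two steps above, IOC extraction followed by query generation, as a worked example. This is added illustration code, not part of the original post and not Uncoder AI's implementation: the threat-report excerpt is constructed for the example (it defangs domains with hxxp and [.] and repeats one of them), and the table names passed to the optional scoping parameter are example Sentinel table names, not a recommendation for any particular workspace.

```python
import re

# Constructed sample threat-report excerpt (not a real report). Domains are
# written defanged, as many reports publish them, and one is repeated.
SAMPLE_REPORT = """
Phishing lures pointed to hxxps://docs.google.com.spreadsheets.d.l1p6eeakedbmwteh36vana6hu-glaekssht-boujdk.zhblz[.]com/
Mail was staged via mail[.]zhblz[.]com and a second lure used
doc.gmail.com.gyehdhhrggdi1323sdnhnsiwvh2uhdqjwdhhfjcjeuejcj.zhblz[.]com.
Again: mail.zhblz.com (see above).
"""

# One or more DNS labels (letters, digits, hyphens; no leading/trailing hyphen)
# followed by an alphabetic TLD. \b keeps a trailing sentence period out.
DOMAIN_RE = re.compile(
    r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b", re.I
)


def refang(text):
    """Undo common defanging: hxxp -> http and [.] / (.) / {.} -> '.'."""
    text = re.sub(r"hxxp", "http", text, flags=re.I)
    return re.sub(r"[\[\(\{]\.[\]\)\}]", ".", text)


def extract_domains(report):
    """Return the unique domains in the report, lower-cased, in first-seen order."""
    found = []
    for match in DOMAIN_RE.finditer(refang(report)):
        domain = match.group(0).lower()
        if domain not in found:
            found.append(domain)
    return found


def kql_search(iocs, tables=None):
    """Build a Sentinel `search` query that ORs the IOCs as verbatim literals.

    @"..." is a KQL verbatim string literal: a backslash stands for itself, so
    the only character that needs escaping is an embedded double quote, which
    is doubled. If `tables` is given, the scope is narrowed with
    `search in (...)` instead of scanning every table in the workspace.
    """
    if not iocs:
        raise ValueError("no IOCs to search for")
    literals = ['@"' + ioc.replace('"', '""') + '"' for ioc in iocs]
    scope = " in (" + ", ".join(tables) + ")" if tables else ""
    return "search" + scope + " (" + "\n    or ".join(literals) + ")"


if __name__ == "__main__":
    domains = extract_domains(SAMPLE_REPORT)
    print(kql_search(domains))
    # Example table names only; which tables hold DNS/proxy/endpoint data
    # depends on the connectors enabled in your workspace.
    print(kql_search(domains, ["DnsEvents", "CommonSecurityLog", "DeviceNetworkEvents"]))
```

Two points worth keeping in mind when running the generated query: by default the search operator is case-insensitive and matches a bare literal with term (has) semantics, so wrap a value in * on both sides if you need substring matching, and add a time filter (for example `| where TimeGenerated > ago(30d)`) before running an unscoped search against a large workspace.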
Why It’s Valuable
- Instantly operational: Analysts can paste the query directly into the Logs view of Microsoft Sentinel for threat hunting or investigation.
- No manual formatting: Long or obfuscated domains are handled cleanly by Uncoder AI's syntax model, so there is no hand-escaping of special characters.
- Scalable: The same pattern extends to additional IOCs, such as file hashes or IP addresses, by adding further or-ed literals.
Operational Use Cases
Security teams can use this feature to:
- Identify connections to attacker-controlled phishing infrastructure
- Correlate endpoint behavior with DNS queries or web access logs
- Quickly pivot from threat intel to detection, reducing dwell time
Whether responding to a phishing alert or proactively hunting for APT activity, this feature helps SOC teams move from analysis to detection in seconds.
The post IOC Query Generation for Microsoft Sentinel in Uncoder AI appeared first on SOC Prime.