
How It Works
1. IOC Extraction from Threat Report
Uncoder AI automatically parses and categorizes indicators from the incident report (on the left), including:
- Malicious domains, such as:
  - mail.zhblz.com
  - docs.google.com.spreadsheets.d.l1p6eeakedbmwteh36vana6hu-glaekssht-boujdk.zhblz.com
  - doc.gmail.com.gyehdhhrggdi1323sdnhnsiwvh2uhdqjwdhhfjcjeuejcj.zhblz.com
  These domains are linked to phishing documents, spoofed login portals, and data exfiltration endpoints.
2. SentinelOne-Compatible Query Generation
On the right, Uncoder AI outputs a SentinelOne Event query using the DNS in contains anycase syntax:
DNS in contains anycase (
"docs.google.com.spreadsheets.d.l1p6eeakedbmwteh36vana6hu-glaekssht-boujdk.zhblz.com",
"mail.zhblz.com",
"doc.gmail.com.gyehdhhrggdi1323sdnhnsiwvh2uhdqjwdhhfjcjeuejcj.zhblz.com"
)
- Operator: contains anycase ensures detection is case-insensitive, handling DNS log variations.
- Field: DNS targets resolution events, ideal for uncovering domain lookups tied to malware or phishing links.
Use case: Investigate DNS queries initiated by powershell.exe, browser.ps1, or zapit.exe.
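The two steps described above (pulling candidate domains out of report text, then emitting the SentinelOne `DNS in contains anycase (...)` form) as an added Python example. This is not Uncoder AI's code; the sample report, the benign-domain allowlist and the file-extension filter are constructed assumptions for the demo, included because a report that mentions docs.google.com or powershell.exe in passing would otherwise leak those names into the query.

```python
import re

# Dotted hostname: one or more DNS labels followed by an alphabetic TLD.
_HOSTNAME_RE = re.compile(
    r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b",
    re.IGNORECASE,
)

# Assumption: benign domains a report cites for context; a real allowlist is
# organisation-specific and much longer than this.
BENIGN_DOMAINS = {"docs.google.com", "google.com", "gmail.com", "microsoft.com"}

# Assumption: "domains" whose last label is really a file extension
# (powershell.exe) are process or file names, not IOCs.
FILE_EXTENSIONS = {"exe", "ps1", "dll", "bat", "doc", "docx", "xls", "pdf"}

# Constructed sample report; the domains mirror the page, the wording does not.
SAMPLE_REPORT = """
Victims received a lure at hxxps://docs.google.com.spreadsheets.d.l1p6eeakedbmwteh36vana6hu-glaekssht-boujdk.zhblz[.]com/open
The spoofed portal lives on mail[.]zhblz[.]com; the same host mail.zhblz.com also serves a beacon.
Exfiltration went to doc.gmail.com.gyehdhhrggdi1323sdnhnsiwvh2uhdqjwdhhfjcjeuejcj.zhblz.com.
Lookups came from powershell.exe and browser.ps1; docs.google.com itself is legitimate.
"""


def refang(text: str) -> str:
    """Undo common defanging so hxxp://evil[.]com becomes http://evil.com."""
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)
    return re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)


def extract_domains(report: str) -> list[str]:
    """Return unique candidate IOC domains in order of first appearance."""
    found: list[str] = []
    for match in _HOSTNAME_RE.finditer(refang(report)):
        host = match.group(0).lower()
        tld = host.rsplit(".", 1)[-1]
        if tld in FILE_EXTENSIONS or host in BENIGN_DOMAINS:
            continue
        if host not in found:
            found.append(host)
    return found


def build_sentinelone_query(domains: list[str], field: str = "DNS") -> str:
    """Emit the `<field> in contains anycase ( ... )` form shown on the page."""
    if not domains:
        raise ValueError("no domains to query")
    quoted = ",\n".join(f'    "{d}"' for d in domains)
    return f"{field} in contains anycase (\n{quoted}\n)"


if __name__ == "__main__":
    print(build_sentinelone_query(extract_domains(SAMPLE_REPORT)))
```

The regex stops at a path separator, so a full lure URL yields only its host, and a trailing sentence period is not swallowed into the TLD. The `contains anycase` operator already makes the match case-insensitive on the SentinelOne side; lowercasing here only keeps the de-duplication honest.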
Why It’s Useful
- Zero formatting effort: Long subdomain chains are auto-formatted for proper matching.
- Instant IOC deployment: Analysts can run the query directly in SentinelOne to identify infected hosts or beaconing behavior.
- High signal-to-noise: Focuses only on attacker-owned infrastructure, minimizing false positives.
Operational Benefits
For SentinelOne users, this feature allows:
- Faster Threat Hunting: No need to manually build domain queries — Uncoder AI does it from any threat report.
- Immediate IOC Enforcement: Block or alert on DNS queries that match high-confidence APT infrastructure.
- SOC Efficiency: Speeds up response time by eliminating guesswork and reducing query-writing overhead.
The post IOC-to-Query Conversion for SentinelOne in Uncoder AI appeared first on SOC Prime.