
How It Works
1. IOC Extraction from Threat Reports
Uncoder AI automatically parses structured threat reports to extract:
- Domains and subdomains (e.g., mail.zhblz.com, doc.gmail.com.gyehdhhrggdi…)
- URLs and paths from phishing and payload delivery servers
- Related IPs, hashes, and filenames (seen on the left)
This saves significant manual effort compared to copying and normalizing IOCs from multiple sources.
2. Auto-Formatted UDM Query Generation
In the right panel, Uncoder AI outputs a Google SecOps-ready query using the UDM field target.hostname, matching the extracted domains:
target.hostname = "docs.google.com.spreadsheets.d.l1p6eeakedbmwteh36vana6hu-glaekssht-boujdk.zhblz.com"
or target.hostname = "mail.zhblz.com"
or target.hostname = "doc.gmail.com.gyehdhhrggdi1323sdnhnsiwvh2uhdqjwdhhfjcjeuejcj.zhblz.com"
These domains are associated with the adversary’s staging infrastructure, phishing pages, or C2 communication endpoints.
This format is immediately usable in Google SecOps Search to:
- Hunt for previous DNS resolutions or network connections
- Build detection rules or custom dashboards
- Investigate suspected activity based on domain observables
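As an added illustration of the two steps above (this is not Uncoder AI's own code, which the post does not show), the Python below takes a constructed threat-report excerpt, refangs it, extracts and deduplicates hostnames, and emits a target.hostname query in the same "field = value or field = value" syntax. The domains are reused from the post; the hash and URL paths are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed excerpt of a threat report, as an analyst might paste it in.
# Indicators are defanged with "[.]" and "hxxp", a common report convention.
SAMPLE_REPORT = """
Phishing lure hosted at hxxps://mail.zhblz[.]com/owa/login.php redirects victims.
Second-stage page: docs.google.com.spreadsheets.d.l1p6eeakedbmwteh36vana6hu-glaekssht-boujdk.zhblz[.]com
Callback observed to MAIL.ZHBLZ[.]COM again on day two.
Payload SHA256: 0000000000000000000000000000000000000000000000000000000000000000 (placeholder)
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Hostname grammar: dot-separated labels of letters/digits/hyphens, ending in an alphabetic TLD.
HOSTNAME_RE = re.compile(r"\b((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63})\b", re.I)


def refang(text: str) -> str:
    """Undo common defanging so the regexes see real indicators."""
    return (text.replace("[.]", ".").replace("(.)", ".")
                .replace("hxxp://", "http://").replace("hxxps://", "https://"))


def extract_hostnames(report: str) -> list[str]:
    """Return unique, lower-cased hostnames in first-seen order."""
    text = refang(report)
    seen: dict[str, None] = {}
    # Pull hostnames out of full URLs first, so path parts such as login.php
    # are not mistaken for bare domains when the text is scanned afterwards.
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            seen.setdefault(host.lower(), None)
    text = URL_RE.sub(" ", text)
    for host in HOSTNAME_RE.findall(text):
        seen.setdefault(host.lower(), None)
    return list(seen)


def build_udm_query(hostnames: list[str], field: str = "target.hostname") -> str:
    """Join hostnames into the UDM search form shown in the post."""
    if not hostnames:
        raise ValueError("no hostnames to query")
    return " or ".join(f'{field} = "{h}"' for h in hostnames)


if __name__ == "__main__":
    print(build_udm_query(extract_hostnames(SAMPLE_REPORT)))
```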
Why It’s Valuable
- Saves Time: No need to manually format IOC lists — domain values are automatically inserted into valid query syntax
- Reduces Errors: Proper use of UDM field names ensures compatibility with Chronicle’s detection engine
- Actionable Immediately: Security teams can pivot from a threat report to actual telemetry search in seconds
Operational Use Cases
Security analysts and threat hunters can use this feature to:
- Detect phishing campaign callbacks tied to fake Google Docs or OWA pages
- Monitor traffic to attacker-controlled infrastructure tied to credential theft
- Respond to incidents with pre-verified domain matches across endpoint and network logs
From clipboard-based payloads to fake login portals, Uncoder AI empowers Google SecOps teams to transform threat intelligence into structured, high-fidelity detections — instantly.
The post IOC-to-Query Generation for Google SecOps (Chronicle) in Uncoder AI appeared first on SOC Prime.