URL-Based IOC Validation for Microsoft Defender KQL

Posted on

How It Works

This feature in Uncoder AI demonstrates how to validate and optimize URL-based detection logic for Microsoft Defender for Endpoint, using Kusto Query Language (KQL). In the example shown, the input consists of remote access indicators from CERT-UA#11689 (WRECKSTEEL), which include phishing domains and command-and-control endpoints.

Detection Pattern:

The KQL query performs the following actions:

  • Uses the union * operator to query across all tables
  • Applies a where clause that filters events by the RemoteUrl field
  • Matches against multiple attacker-controlled URLs such as:
    • "mfashara.com"
    • "звернення.zip"

These indicators are linked to clipboard-delivered PowerShell stealers and data exfiltration infrastructure.

On the right, Uncoder AI runs an AI-driven validation, breaking down the query syntax, field existence, and performance characteristics.

Explore Uncoder AI

Why It’s Innovative

Traditional KQL writing requires security engineers to manually:

  • Confirm syntax across datasets
  • Validate that fields like RemoteUrl exist
  • Account for performance tradeoffs when using union *

Uncoder AI automates this. It identifies:

  • Whether RemoteUrl is universally supported across queried tables
  • Whether regular expressions are appropriate or inefficient
  • If structural changes (e.g., reducing scope of union) could improve performance

AI also flags edge cases — for instance, use of non-English URLs or regex-heavy queries — ensuring the detection remains effective without slowing the system.

Explore Uncoder AI

Operational Value / Results / Benefits

Accurate Threat Filtering

The query filters for known malicious URLs that may appear in remote PowerShell or web-based executions — matching both phishing and beaconing behavior.

Optimized Detection Design

Uncoder AI recommends structural changes (like avoiding wildcard unions or simplifying regex) to prevent performance issues in large production datasets.

SOC-Ready Validation

Before deploying to production, analysts receive clear signals on field presence, schema compatibility, and testing best practices — all guided by AI.

The post URL-Based IOC Validation for Microsoft Defender KQL appeared first on SOC Prime.

Related Posts