
How It Works
This feature in Uncoder AI demonstrates how to validate and optimize URL-based detection logic for Microsoft Defender for Endpoint, using Kusto Query Language (KQL). In the example shown, the input consists of remote access indicators from CERT-UA#11689 (WRECKSTEEL), which include phishing domains and command-and-control endpoints.
Detection Pattern:
The KQL query performs the following actions:
- Uses the `union *` operator to query across all tables
- Applies a `where` clause that filters events by the `RemoteUrl` field
- Matches against multiple attacker-controlled URLs such as:
  - "mfashara.com"
  - "звернення.zip"
These indicators are linked to clipboard-delivered PowerShell stealers and data exfiltration infrastructure.
On the right, Uncoder AI runs an AI-driven validation, breaking down the query syntax, field existence, and performance characteristics.
Why It’s Innovative
Traditional KQL writing requires security engineers to manually:
- Confirm syntax across datasets
- Validate that fields like `RemoteUrl` exist
- Account for performance tradeoffs when using `union *`
Uncoder AI automates this. It identifies:
- Whether `RemoteUrl` is universally supported across the queried tables
- Whether regular expressions are appropriate or inefficient
- Whether structural changes (e.g., reducing the scope of `union`) could improve performance
AI also flags edge cases — for instance, use of non-English URLs or regex-heavy queries — ensuring the detection remains effective without slowing the system.
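To make the detection pattern and the recommended optimizations concrete, here is an added example (constructed for this page, not SOC Prime's or Uncoder AI's own output) showing the wildcard-union, regex-based form beside a scoped, term-match form. It assumes the Defender for Endpoint Advanced Hunting tables `DeviceNetworkEvents` and `DeviceEvents`, which both expose `RemoteUrl`, and uses only the two indicators quoted above; the punycode entry is a placeholder. The two queries are meant to be run separately.

```kql
// Query A: the pattern as described in the post (constructed example).
// Wildcard union hits every table, including ones without RemoteUrl,
// and the regex match is evaluated per row, which is costly at scale.
union *
| where RemoteUrl matches regex @"(mfashara\.com|звернення\.zip)"
| project Timestamp, DeviceName, RemoteUrl

// Query B: scoped and optimized form of the same detection.
// 1. Restrict the union to tables that actually carry RemoteUrl.
// 2. Replace the regex with has_any, a term match over a static list.
// 3. Cover the non-English indicator edge case: IDN hosts may be logged in
//    punycode form, so both spellings belong in the list (placeholder below).
let iocs = dynamic([
    "mfashara.com",
    "звернення.zip",
    "xn--PLACEHOLDER-PUNYCODE.zip"   // replace with the real punycode form of звернення.zip
]);
union DeviceNetworkEvents, DeviceEvents
| where isnotempty(RemoteUrl)
| where RemoteUrl has_any (iocs)
| project Timestamp, DeviceName, ActionType, RemoteUrl,
          InitiatingProcessFileName, InitiatingProcessCommandLine
```

Query B also surfaces the initiating process, which is what lets an analyst tie a match back to the clipboard-delivered PowerShell behavior the post describes.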
Operational Value / Results / Benefits
Accurate Threat Filtering
The query filters for known malicious URLs that may appear in remote PowerShell or web-based executions — matching both phishing and beaconing behavior.
Optimized Detection Design
Uncoder AI recommends structural changes (like avoiding wildcard unions or simplifying regex) to prevent performance issues in large production datasets.
SOC-Ready Validation
Before deploying to production, analysts receive clear signals on field presence, schema compatibility, and testing best practices — all guided by AI.
The post URL-Based IOC Validation for Microsoft Defender KQL appeared first on SOC Prime.