Visualizing Sensitive File Discovery in Google SecOps with Uncoder AI’s Decision Tree

Posted on

In today’s hybrid environments, legitimate tools like Notepad can be silently used to view or stage sensitive data such as password files—especially by insiders or low-and-slow threat actors. While Google SecOps (UDM) supports highly specific detections, the logic behind them is often layered and complex.

That’s why Uncoder AI’s AI-generated Decision Tree has become an essential asset—helping analysts not just read, but understand and act on detection logic faster.

Explore Uncoder AI

Detection Focus: Password File Access via Notepad

This rule tracks when:

  • A process launch is triggered by explorer.exe
  • The launched process is notepad.exe
  • The command line references filenames containing “password” with extensions like .txt, .csv, .doc, or .xls
Input we used (click to show the text)
metadata.event_type = “PROCESS_LAUNCH” and principal.process.file.full_path = /.*\explorer.exe$/ nocase and target.process.file.full_path = /.*\notepad.exe$/ nocase and (target.process.command_line = /.*password*.txt$/ nocase or target.process.command_line = /.*password*.csv$/ nocase or target.process.command_line = /.*password*.doc$/ nocase or target.process.command_line = /.*password*.xls$/ nocase)

Such patterns could signal:

  • Insider access to plaintext credentials
  • Unauthorized snooping of exported password lists
  • Misuse of basic OS tools for reconnaissance or data leakage

How AI-generated Decision Tree Helped

Uncoder AI automatically transformed the UDM query into a structured logic tree, revealing:

  • Event Type Check – Only PROCESS_LAUNCH events are considered
  • Parent Process Filter – Must be explorer.exe (the user manually opens the file)
  • Launched Process Filter – Must be notepad.exe
  • Filename Match – Command line must include terms like password.txt, password.csv, etc.

Each branch of the logic is clearly explained, with regex patterns visualized as OR conditions under a single node. This reduces friction in understanding and documenting what’s being detected—and why.

AI Output (click to show the text)
The condition part of this Google SecOps Query can be broken down into a decision tree as follows:

1. **Root Node**: `metadata.event_type = “PROCESS_LAUNCH”`
– This is the initial filter, ensuring that only events related to process launches are considered.

2. **First Branching Node**: `principal.process.file.full_path = /.*\explorer.exe$/ nocase`
– From the processes launched, this condition further filters those where the launching process (principal) is explorer.exe.
– The `nocase` flag makes the matching case-insensitive.

3. **Second Branching Node**: `target.process.file.full_path = /.*\notepad.exe$/ nocase`
– This narrows down the events to those where the target process (the one being launched) is notepad.exe.
– Like before, `nocase` ensures case-insensitive matching.

4. **Third Branching Node (Composite Condition)**:
– `(target.process.command_line = /.*password*.txt$/ nocase or target.process.command_line = /.*password*.csv$/ nocase or target.process.command_line = /.*password*.doc$/ nocase or target.process.command_line = /.*password*.xls$/ nocase)`
   – This condition checks if the command line of the notepad.exe process contains references to files with names including “password” followed by .txt, .csv, .doc, or .xls extensions (case-insensitive).
  – **Or Conditions**:
     – `target.process.command_line = /.*password*.txt$/ nocase`
     – `target.process.command_line = /.*password*.csv$/ nocase`
     – `target.process.command_line = /.*password*.doc$/ nocase`
     – `target.process.command_line = /.*password*.xls$/ nocase`
  – The decision tree here is a logical OR, meaning any of these conditions being true will satisfy the overall condition.

**Decision Tree Logic**:
– Start with all process launch events.
– Filter to only those launched by explorer.exe.
– Further filter to only those launching notepad.exe.
– Finally, check if notepad.exe’s command line indicates it is opening a file with “password” in its name and one of the specified extensions (.txt, .csv, .doc, .xls).

**Outcome**:
The query identifies potential security risks where sensitive files (those containing passwords) are being opened by notepad.exe, launched from explorer.exe, indicating possible unauthorized access or mishandling of password information.

Why This Matters

Security teams investigating credential misuse or potential insider threats often struggle to explain how a detection rule actually works. With Uncoder AI, the guesswork is gone.

The result?

  • Faster analyst ramp-up
  • Cleaner detection documentation
  • More confident incident triage and escalation

Whether you’re threat hunting or validating compliance, understanding who opened password.xls from explorer.exe via Notepad can make or break your investigation.

From Query to Clarity, Seamlessly

Google SecOps offers powerful detection capabilities—and with Uncoder AI’s AI-generated Decision Tree, those capabilities become transparent, teachable, and deployable across any SOC.

Explore Uncoder AI

The post Visualizing Sensitive File Discovery in Google SecOps with Uncoder AI’s Decision Tree appeared first on SOC Prime.

Related Posts