
How It Works
This Uncoder AI feature generates a broad-spectrum KQL detection query for Microsoft Sentinel, based on indicators from CERT-UA#14045 (DarkCrystal RAT). The AI processes a threat report and outputs a query to search logs for strings such as:
- "Розпорядження.zip" – a suspicious Ukrainian-language file name used to disguise malware
- "imgurl.ir" – a known malicious domain associated with command-and-control infrastructure
The query syntax:
    search
    (@"Розпорядження.zip"
    or @"imgurl.ir"
    )
uses the search operator to identify any mention of these IOCs across all available data tables and fields in Microsoft Sentinel.
The query is constructed using KQL verbatim string literals (@"...") to ensure exact pattern matching without escape sequences, which is crucial for multilingual or obfuscated filenames.
Why It’s Innovative
Rather than relying on manual IOC integration or crafting field-specific logic, Uncoder AI uses NLP and LLMs to extract high-confidence indicators from raw threat reports. It then instantly generates a query applying:
- Proper KQL formatting (e.g., verbatim string syntax)
- Logical structure using the or operator for multi-indicator coverage
- Microsoft Sentinel syntax compatibility without needing user intervention
This greatly reduces the overhead for analysts who previously had to translate threat intel into valid Sentinel queries themselves.
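As an added illustration of the query assembly described above (this is example code, not Uncoder AI's or SOC Prime's implementation), the following Python builds the same Sentinel-wide search query from a list of indicators, applying the one escape rule that verbatim literals have (a double quote is doubled) so that Cyrillic file names and backslash-containing paths are matched exactly. The optional table scoping and the table names in the usage call are assumptions for the example, not part of the original post.

```python
# Added example: generate a Microsoft Sentinel KQL `search` query from IOCs.
# Uses verbatim string literals (@"...") so non-ASCII names and backslashes
# are taken literally; inside @"..." the only escape is doubling the quote.
from typing import Iterable, Optional, Sequence


def kql_verbatim(value: str) -> str:
    """Wrap a string in a KQL verbatim literal, doubling embedded quotes."""
    if "\n" in value or "\r" in value:
        raise ValueError("KQL string literals cannot span lines")
    return '@"' + value.replace('"', '""') + '"'


def build_search_query(iocs: Iterable[str],
                       tables: Optional[Sequence[str]] = None) -> str:
    """Build `search (@"a" or @"b" ...)` across all tables and fields.

    If `tables` is given, the query is scoped with `search in (T1, T2)`
    to limit the (expensive) workspace-wide scan to the named tables.
    """
    seen = []
    for ioc in iocs:
        ioc = ioc.strip()
        if ioc and ioc not in seen:      # drop blanks and duplicates
            seen.append(ioc)
    if not seen:
        raise ValueError("no indicators to search for")
    head = "search"
    if tables:
        head += " in (" + ", ".join(tables) + ")"
    body = "\nor ".join(kql_verbatim(i) for i in seen)
    return head + "\n(" + body + "\n)"


# Indicators quoted in the post above (CERT-UA#14045, DarkCrystal RAT).
CERT_UA_14045_IOCS = ["Розпорядження.zip", "imgurl.ir"]

if __name__ == "__main__":
    # Workspace-wide form, identical to the query shown in the post.
    print(build_search_query(CERT_UA_14045_IOCS))
    # Scoped form; table names are illustrative, not from the post.
    print(build_search_query(CERT_UA_14045_IOCS,
                             tables=["DnsEvents", "CommonSecurityLog"]))
```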
Operational Value / Results / Benefits
Broad IOC Discovery
The query enables fast triage for environments possibly affected by DarkCrystal RAT activity. It can detect log traces of:
- Archive downloads and other event types containing "Розпорядження.zip"
- DNS resolutions or HTTP traffic involving "imgurl.ir"
Accelerated Detection Engineering
Uncoder AI eliminates the guesswork in query assembly, ensuring:
- Detection logic is instantly usable within Microsoft Sentinel
- Indicators from multilingual or obfuscated payloads are not lost in translation
Improved SOC Efficiency
By allowing direct paste-to-query capability, the AI-driven output enables faster incident response, enrichment, and detection logic authoring.
The post Zip Archive & C2 Domain Detection in Microsoft Sentinel via Uncoder AI appeared first on SOC Prime.