
IOC Query Generation for Microsoft Sentinel in Uncoder AI – Source: socprime.com


Source: socprime.com – Author: Steven Edwards

How It Works

1. IOC Parsing from Threat Report

Uncoder AI automatically identifies and extracts key observables from the threat report, including:

  • Malicious domains like:
    • docs.google.com.spreadsheets.d.l1p6eeakedbmwteh36vana6hu-glaekssht-boujdk.zhblz.com
    • mail.zhblz.com
    • doc.gmail.com.gyehdhhrggdi1323sdnhnsiwvh2uhdqjwdhhfjcjeuejcj.zhblz.com

These hostnames impersonate Google Docs and Gmail under the attacker-controlled zhblz.com zone; the adversary uses them for phishing and for staging access to victim mailboxes.


2. Sentinel-Compatible KQL Generation

Uncoder AI then outputs a Microsoft Sentinel query built on the KQL search operator:

search (@"docs.google.com.spreadsheets.d.l1p6eeakedbmwteh36vana6hu-glaekssht-boujdk.zhblz.com"
     or @"mail.zhblz.com"
     or @"doc.gmail.com.gyehdhhrggdi1323sdnhnsiwvh2uhdqjwdhhfjcjeuejcj.zhblz.com")

  • Search Scope: With no table restriction, search scans every column of every table in the workspace (DNS, proxy, firewall, Defender and so on), which is what you want for a first sweep but is slow and costly on a large workspace. For routine hunting, narrow it with in (TableName, ...) and a time range. Matching is case-insensitive by default, and the query matches only the three listed hostnames; if the actor rotates subdomains, consider also hunting for the parent domain zhblz.com.
  • Use of @"" syntax: @"..." is a KQL verbatim string literal, in which a backslash is an ordinary character rather than an escape. The long hostnames are therefore passed through exactly as they appear in the report, with no escaping to get wrong; the only character that needs special treatment inside a verbatim string is a double quote, written as two double quotes.
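As an added example that is not code from the post or from Uncoder AI, the following Python script reproduces the two steps above on a constructed report excerpt: it refangs the text and extracts the observables, then emits the same Sentinel search query using KQL verbatim string literals, with an optional in (...) table scope. It goes beyond the post's domains-only case by also pulling IPv4 addresses and SHA-256 hashes. The table names DnsEvents and CommonSecurityLog are assumed to exist in your workspace; the 203.0.113.10 address (a documentation-range IP) and the SHA-256 value (the hash of the empty string) are constructed placeholders, and the three zhblz.com hostnames are the ones quoted in the post.

```python
import re
from typing import Iterable, List, Optional

# Constructed stand-in for a threat report (not text from the original post).
# The three zhblz.com hostnames are the IOCs quoted in the post; the defanged
# copy, the 203.0.113.10 address (documentation range) and the SHA-256 value
# (hash of the empty string) are placeholders added to exercise the code.
SAMPLE_REPORT = """\
Phishing lures pointed victims at
docs.google.com.spreadsheets.d.l1p6eeakedbmwteh36vana6hu-glaekssht-boujdk.zhblz.com
and mail[.]zhblz[.]com (also seen as mail.zhblz.com). A later wave used
doc.gmail.com.gyehdhhrggdi1323sdnhnsiwvh2uhdqjwdhhfjcjeuejcj.zhblz.com,
resolved to 203.0.113.10, and dropped a file with SHA-256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.
"""

# Hostname: one or more labels (letters, digits, inner hyphens, max 63 chars) plus an
# alphabetic TLD, so bare IPv4 addresses and hex hashes are never picked up here.
_DOMAIN_RE = re.compile(
    r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b", re.IGNORECASE)
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)


def refang(text: str) -> str:
    """Undo common defanging ([.], (.), {.} and hxxp) so the regexes see real IOCs."""
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)
    return re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)


def _dedupe(values: Iterable[str]) -> List[str]:
    """Drop repeats while keeping the order of first appearance."""
    seen, out = set(), []
    for v in values:
        if v not in seen:
            seen.add(v)
            out.append(v)
    return out


def extract_domains(text: str) -> List[str]:
    """Hostnames from the report, lower-cased and de-duplicated."""
    return _dedupe(m.group(0).lower() for m in _DOMAIN_RE.finditer(refang(text)))


def extract_ipv4(text: str) -> List[str]:
    """Dotted quads whose octets are all 0-255 (drops look-alikes such as 999.1.1.1)."""
    found = (m.group(0) for m in _IPV4_RE.finditer(refang(text)))
    return _dedupe(ip for ip in found if all(int(o) <= 255 for o in ip.split(".")))


def extract_sha256(text: str) -> List[str]:
    """64-hex-character strings, lower-cased and de-duplicated."""
    return _dedupe(m.group(0).lower() for m in _SHA256_RE.finditer(text))


def kql_verbatim(value: str) -> str:
    """KQL verbatim literal @"...": backslashes stay literal; a quote is written twice."""
    return '@"' + value.replace('"', '""') + '"'


def build_search_query(iocs: List[str], tables: Optional[List[str]] = None) -> str:
    """Emit a Sentinel search query over the IOCs, optionally scoped with in (...)."""
    if not iocs:
        raise ValueError("no IOCs to search for")
    scope = f"in ({', '.join(tables)}) " if tables else ""
    body = "\n     or ".join(kql_verbatim(i) for i in iocs)
    return f"search {scope}({body})"


if __name__ == "__main__":
    domains = extract_domains(SAMPLE_REPORT)
    # Workspace-wide sweep, same shape as the query in the post.
    print(build_search_query(domains))
    # Extended to IPs and hashes and scoped to two tables (assumed table names).
    all_iocs = domains + extract_ipv4(SAMPLE_REPORT) + extract_sha256(SAMPLE_REPORT)
    print(build_search_query(all_iocs, tables=["DnsEvents", "CommonSecurityLog"]))
```

Refanging before extraction matters because reports commonly publish IOCs as mail[.]zhblz[.]com, and a query built from the defanged form will never match a log line. The scoped variant is the one to keep for scheduled hunts; the unscoped sweep is for the first hour of an incident when you do not yet know which tables carry the evidence.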

Why It’s Valuable

  • Instantly operational: Analysts can paste this query directly into the Logs blade of their Microsoft Sentinel workspace for threat hunting or investigation.
  • No manual formatting: Long or obfuscated domains are handled cleanly and safely by Uncoder AI's syntax model.
  • Scalable: Easily extended with additional IOCs, such as file hashes or IP addresses, as further terms in the same query.

Operational Use Cases

Security teams can use this feature to:

  • Identify connections to attacker-controlled phishing infrastructure
  • Correlate endpoint behavior with DNS queries or web access logs
  • Quickly pivot from threat intel to detection, reducing dwell time

Whether responding to a phishing alert or proactively hunting for APT activity, this feature helps SOC teams move from analysis to detection in seconds.


Original Post URL: https://socprime.com/blog/ioc-query-generation-for-microsoft-sentinel-in-uncoder-ai/

Category & Tags: Blog, SOC Prime Platform, KQL, Microsoft Sentinel, Uncoder AI
