
URL-Based IOC Validation for Microsoft Defender KQL – Source: socprime.com


Source: socprime.com – Author: Steven Edwards

How It Works

This feature in Uncoder AI demonstrates how to validate and optimize URL-based detection logic for Microsoft Defender for Endpoint, using Kusto Query Language (KQL). In the example shown, the input consists of remote access indicators from CERT-UA#11689 (WRECKSTEEL), which include phishing domains and command-and-control endpoints.

Detection Pattern:

The KQL query performs the following actions:

  • Uses the union * operator to query across all tables
  • Applies a where clause that filters events by the RemoteUrl field
  • Matches against multiple attacker-controlled URLs such as:
    • "mfashara.com"
    • "звернення.zip"

These indicators are linked to clipboard-delivered PowerShell stealers and data exfiltration infrastructure.

On the right, Uncoder AI runs an AI-driven validation, breaking down the query syntax, field existence, and performance characteristics.


Why It’s Innovative

Traditional KQL writing requires security engineers to manually:

  • Confirm syntax across datasets
  • Validate that fields like RemoteUrl exist
  • Account for performance tradeoffs when using union *

Uncoder AI automates this. It identifies:

  • Whether RemoteUrl is universally supported across queried tables
  • Whether regular expressions are appropriate or inefficient
  • Whether structural changes (e.g., reducing the scope of the union) could improve performance

AI also flags edge cases — for instance, use of non-English URLs or regex-heavy queries — ensuring the detection remains effective without slowing the system.
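The two forms discussed above side by side, as an added example that is not from the original post or from Uncoder AI: the wildcard union the text describes, and a scoped rewrite of the kind the validation suggests. It assumes the Microsoft Defender for Endpoint advanced-hunting table DeviceNetworkEvents (which carries RemoteUrl) and the has_any and url_decode operators, and reuses only the two indicators quoted on this page.

```kql
// Added example (not from the original post). Run each query on its own.

// 1. Wildcard form as described in the post: every table is scanned, including
//    tables that have no RemoteUrl column at all (they simply return nothing).
union *
| where RemoteUrl has_any ("mfashara.com", "звернення.zip")

// 2. Scoped form: indicators kept in one list, only the table that carries
//    RemoteUrl, a time bound, and term matching instead of a regex.
//    The indicator list below is constructed from the two values on this page.
let WrecksteelUrlIocs = dynamic(["mfashara.com", "звернення.zip"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where isnotempty(RemoteUrl)
// Non-English path segments are often logged percent-encoded, so match on the
// decoded URL as well; this is the edge case the post's validation flags.
| extend DecodedUrl = url_decode(RemoteUrl)
| where RemoteUrl has_any (WrecksteelUrlIocs) or DecodedUrl has_any (WrecksteelUrlIocs)
| project Timestamp, DeviceName, RemoteUrl, RemoteIP,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```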


Operational Value / Results / Benefits

Accurate Threat Filtering

The query filters for known malicious URLs that may appear in remote PowerShell or web-based executions — matching both phishing and beaconing behavior.

Optimized Detection Design

Uncoder AI recommends structural changes (like avoiding wildcard unions or simplifying regex) to prevent performance issues in large production datasets.

SOC-Ready Validation

Before deploying to production, analysts receive clear signals on field presence, schema compatibility, and testing best practices — all guided by AI.

Original Post URL: https://socprime.com/blog/url-based-ioc-validation-for-microsoft-defender-kql/

Category & Tags: Blog, SOC Prime Platform, KQL, Microsoft Defender, Uncoder AI
