Full Report
How It Works

1. IOC Parsing from Threat Report

Uncoder AI automatically identifies and extracts key observables from the threat report, including malicious domains such as:

- docs.google.com.spreadsheets.d.l1p6eeakedbmwteh36vana6hu-glaekssht-boujdk.zhblz.com
- mail.zhblz.com
- doc.gmail.com.gyehdhhrggdi1323sdnhnsiwvh2uhdqjwdhhfjcjeuejcj.zhblz.com

These IOCs are used by the adversary for phishing and staging access to victim mailboxes.

2. Sentinel-Compatible KQL Generation

On the right, Uncoder AI […]

The post IOC Query Generation for Microsoft Sentinel in Uncoder AI appeared first on SOC Prime.
Analysis Summary
Since the provided context describes a feature of a tool (Uncoder AI) for generating IOC queries for Microsoft Sentinel, rather than documenting a specific piece of malware or a standalone attack technique, the summary will focus on the tool and its associated operational procedures.
# Tool/Technique: IOC Query Generation for Microsoft Sentinel in Uncoder AI
## Overview
This is a capability within the Uncoder AI platform (part of SOC Prime's Detection Engineering Suite) designed to streamline threat intelligence consumption by automatically converting Indicators of Compromise (IOCs) extracted from threat reports directly into executable Kusto Query Language (KQL) queries compatible with Microsoft Sentinel.
## Technical Details
- Type: Tool Feature / Procedure Enhancement
- Platform: Microsoft Sentinel (KQL)
- Capabilities: IOC parsing, automatic KQL query generation, handling of obfuscated indicators.
- First Seen: Information not provided in the text, but the feature is documented as of May 23, 2025.
## MITRE ATT&CK Mapping
This feature facilitates the *application* of threat intelligence discovered through various means. While not a direct attacker TTP, it strongly supports defensive actions mapped to the **Detect** tactic:
- **TA0009 - Collection** (Indirectly, by facilitating the collection of evidence based on IOCs)
- **T1005 - Data from Local System** (If used to search local/endpoint logs via Sentinel integration)
- **TA0011 - Command and Control** (Indirectly, by facilitating the detection of C2 communication)
- **T1071 - Application Layer Protocol** (By querying web access/DNS logs for related IOCs)
*Note: The focus here is on the defensive action enabled by the tool, not an initial access or execution TTP.*
## Functionality
### Core Capabilities
- **IOC Parsing:** Automatically extracts IOCs (which may include file hashes, domains, or IPs) from pasted threat intelligence reports.
- **KQL Generation:** Converts parsed IOCs into syntactically correct and instantly operational KQL queries formatted specifically for Microsoft Sentinel's Logs workspace.
- **Safe Formatting:** Handles long or obfuscated domains safely according to Sentinel's required syntax models.
### Advanced Features
- **Instant Operational Use:** Queries can be immediately pasted and executed in Sentinel for threat hunting or investigation.
- **Scalability:** The generated queries are easily extendable to incorporate additional IOCs.
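The parse-then-generate pipeline described above, as an added example that is not Uncoder AI's or SOC Prime's code: it pulls domains and IPv4 addresses out of a constructed report excerpt (including defanged `[.]` and `hxxp` forms), escapes each value as a KQL string literal so a hostile indicator cannot break out of the query, and emits a Sentinel query over the `DnsEvents` table. The regexes, the `DnsEvents` column choice and the 7-day lookback are the example's own assumptions, not something the post specifies.

```python
import re

# Constructed sample report (not text from the original post). It mixes plain
# and defanged indicators the way published threat reports commonly do.
SAMPLE_REPORT = """
Phishing lures redirect to docs.google.com.spreadsheets.d.l1p6eeakedbmwteh36vana6hu-glaekssht-boujdk.zhblz.com
and mail[.]zhblz[.]com; mailbox access is staged via hxxps://doc.gmail.com.gyehdhhrggdi1323sdnhnsiwvh2uhdqjwdhhfjcjeuejcj.zhblz.com/login
Callback IP observed: 203[.]0[.]113[.]7
"""

# Assumed patterns: a dotted hostname with an alphabetic TLD, and a dotted quad.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def refang(text: str) -> str:
    """Undo common defanging so indicators match what the logs actually contain."""
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)
    return re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.I)

def extract_iocs(report: str) -> dict:
    """Return de-duplicated, sorted domains and IPv4 addresses found in a report."""
    clean = refang(report)
    domains = sorted({d.lower() for d in DOMAIN_RE.findall(clean)})
    ips = sorted(set(IPV4_RE.findall(clean)))
    return {"domains": domains, "ips": ips}

def kql_literal(value: str) -> str:
    """Quote a value as a KQL double-quoted string literal, escaping backslash
    and quote so an indicator lifted from an untrusted report stays a string."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def build_kql(iocs: dict, lookback: str = "7d") -> str:
    """Emit a Sentinel KQL query that matches any listed domain (has_any also
    catches subdomains of a listed host) or any listed resolved IP."""
    domain_list = ", ".join(kql_literal(d) for d in iocs["domains"])
    ip_list = ", ".join(kql_literal(i) for i in iocs["ips"])
    return "\n".join([
        f"let ioc_domains = dynamic([{domain_list}]);",
        f"let ioc_ips = dynamic([{ip_list}]);",
        "DnsEvents",
        f"| where TimeGenerated > ago({lookback})",
        "| where Name has_any (ioc_domains) or IPAddresses has_any (ioc_ips)",
        "| project TimeGenerated, Computer, ClientIP, Name, IPAddresses",
    ])

if __name__ == "__main__":
    print(build_kql(extract_iocs(SAMPLE_REPORT)))
```

Extending the query to more IOCs means appending to the two `dynamic([...])` lists; swapping `DnsEvents` for another table (for example proxy logs) only changes the table and column names.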
## Indicators of Compromise
This feature **processes** IOCs but does not intrinsically generate them. The output indicators are derived directly from the user-supplied threat report.
- File Hashes: [Derived from input]
- File Names: [Derived from input]
- Registry Keys: [Derived from input]
- Network Indicators: [Defanged domains/IPs, handled safely within the generated KQL]
- Behavioral Indicators: [Facilitates correlation of behaviors (e.g., DNS queries, web access logs) against known IOCs]
## Associated Threat Actors
This tool is used by **Defensive Security Teams (SOC Analysts, Threat Hunters, Detection Engineers)** to combat threats posed by various actors, including APT groups mentioned in ingested threat reports. No specific threat actors are tied directly to the tool itself.
## Detection Methods
Detection is not the primary function; rather, the tool **enables** detection across Microsoft Sentinel.
- Signature-based detection: N/A (the tool generates the queries that act as signatures; it is not itself a signature)
- Behavioral detection: N/A
- YARA rules if available: N/A
## Mitigation Strategies
The tool itself is a defensive asset aimed at speeding up the response phase.
- Prevention measures: Ensure robust data ingestion pipelines are configured for Microsoft Sentinel.
- Hardening recommendations: Optimize Sentinel log retention and indexing policies for efficient threat hunting.
## Related Tools/Techniques
- **Uncoder.IO:** The underlying technology platform for rule conversion.
- **Sigma/YARA/Splunk SPL:** Uncoder AI generally supports conversion across various formats, suggesting a link to other standardized detection languages.
- **Microsoft Sentinel:** The target SIEM platform utilizing Kusto Query Language (KQL).