IOC Query Generation for Microsoft Sentinel in Uncoder AI

Steven Edwards, Technical Writer

How It Works

1. IOC Parsing from Threat Report

Uncoder AI automatically identifies and extracts key observables from the threat report, including:

  • Malicious domains like:
    • docs.google.com.spreadsheets.d.l1p6eeakedbmwteh36vana6hu-glaekssht-boujdk.zhblz.com
    • mail.zhblz.com
    • doc.gmail.com.gyehdhhrggdi1323sdnhnsiwvh2uhdqjwdhhfjcjeuejcj.zhblz.com

These IOCs are used by the adversary for phishing and staging access to victim mailboxes.

2. Sentinel-Compatible KQL Generation

From those observables, Uncoder AI outputs a Microsoft Sentinel query built on the KQL search operator:

  search (@"docs.google.com.spreadsheets.d.l1p6eeakedbmwteh36vana6hu-glaekssht-boujdk.zhblz.com"
       or @"mail.zhblz.com"
       or @"doc.gmail.com.gyehdhhrggdi1323sdnhnsiwvh2uhdqjwdhhfjcjeuejcj.zhblz.com")

  • Search Scope: Because no table is named, search scans every table and column ingested in Sentinel (e.g., DNS, proxy, firewall, Defender). That makes it a convenient first sweep, but it is more expensive than a query scoped to the table that actually holds the relevant field.
  • Use of @"" syntax: Each value is a KQL verbatim string literal, so backslashes and other special characters in the domain names are taken literally and need no escaping (a double quote inside the value would be written as two double quotes).
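As an added example (not Uncoder AI's or SOC Prime's code), the following Python generator reproduces the search query above from a list of observables, rejects anything that is not a domain, IP or file hash before it reaches the query, and also emits a narrower per-table form. The table and column names passed to build_targeted_query are the caller's choice; the constructed sample input is the three domains from the report.

```python
"""Generate Microsoft Sentinel (KQL) IOC sweep queries from a list of observables."""
import ipaddress
import re

# Constructed sample input: the three domains quoted in the article.
SAMPLE_IOCS = [
    "docs.google.com.spreadsheets.d.l1p6eeakedbmwteh36vana6hu-glaekssht-boujdk.zhblz.com",
    "mail.zhblz.com",
    "doc.gmail.com.gyehdhhrggdi1323sdnhnsiwvh2uhdqjwdhhfjcjeuejcj.zhblz.com",
]

HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.IGNORECASE)
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.IGNORECASE)

def classify(ioc: str) -> str:
    """Return 'ip', 'hash' or 'domain'; anything else is rejected, not silently searched."""
    value = ioc.strip()
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if HASH_RE.match(value):
        return "hash"
    if DOMAIN_RE.match(value):
        return "domain"
    raise ValueError(f"unrecognised IOC: {ioc!r}")

def kql_verbatim(value: str) -> str:
    """Quote as a KQL verbatim literal @"..."; the only escape is a doubled quote."""
    return '@"' + value.replace('"', '""') + '"'

def _clean(iocs: list[str]) -> list[str]:
    """Strip, de-duplicate (order kept) and validate every observable."""
    cleaned = list(dict.fromkeys(i.strip() for i in iocs if i.strip()))
    if not cleaned:
        raise ValueError("no IOCs supplied")
    for ioc in cleaned:
        classify(ioc)
    return cleaned

def build_search_query(iocs: list[str]) -> str:
    """Broad form from the article: `search (...)` over every table and column."""
    return "search (" + "\n     or ".join(kql_verbatim(i) for i in _clean(iocs)) + ")"

def build_targeted_query(table: str, column: str, iocs: list[str]) -> str:
    """Cheaper form: exact, case-insensitive match on one column of one table."""
    literals = ", ".join(kql_verbatim(i) for i in _clean(iocs))
    return f"{table}\n| where {column} in~ ({literals})"
```

Run build_search_query(SAMPLE_IOCS) to get the query shown above; the targeted form is the one to reach for once you know which table (for example a DNS or proxy log table) carries the field you want to match.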

Why It’s Valuable

  • Instantly operational: Analysts can paste this query directly into Microsoft Sentinel’s Logs workspace for threat hunting or investigation.
  • No manual formatting: Long or obfuscated domains are handled cleanly and safely by Uncoder AI’s syntax model.
  • Scalable: Easily extendable to include additional IOCs, file hashes, or IPs if needed.

Operational Use Cases

Security teams can use this feature to:

  • Identify connections to attacker-controlled phishing infrastructure
  • Correlate endpoint behavior with DNS queries or web access logs
  • Quickly pivot from threat intel to detection, reducing dwell time

Whether responding to a phishing alert or proactively hunting for APT activity, this feature helps SOC teams move from analysis to detection in seconds.
