URL-Based IOC Validation for Microsoft Defender KQL

June 05, 2025 · 2 min read

How It Works

This feature in Uncoder AI demonstrates how to validate and optimize URL-based detection logic for Microsoft Defender for Endpoint, using Kusto Query Language (KQL). In the example shown, the input consists of remote access indicators from CERT-UA#11689 (WRECKSTEEL), which include phishing domains and command-and-control endpoints.

Detection Pattern:

The KQL query performs the following actions:

  • Uses the union * operator to query across all tables
  • Applies a where clause that filters events by the RemoteUrl field
  • Matches against multiple attacker-controlled URLs such as:
    • "mfashara.com"
    • "звернення.zip"

These indicators are linked to clipboard-delivered PowerShell stealers and data exfiltration infrastructure.

On the right, Uncoder AI runs an AI-driven validation, breaking down the query syntax, field existence, and performance characteristics.


Why It’s Innovative

Traditional KQL writing requires security engineers to manually:

  • Confirm syntax across datasets
  • Validate that fields like RemoteUrl exist
  • Account for performance tradeoffs when using union *

Uncoder AI automates this. It identifies:

  • Whether RemoteUrl is universally supported across queried tables
  • Whether regular expressions are appropriate or inefficient
  • If structural changes (e.g., reducing scope of union) could improve performance

AI also flags edge cases — for instance, use of non-English URLs or regex-heavy queries — ensuring the detection remains effective without slowing the system.
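The two checks described above (is RemoteUrl present in every table the union touches, and does a non-ASCII indicator still match) can be reproduced without the tool. The script below is an added illustration, not Uncoder AI's code or the page's original query: it takes the two indicators quoted in the post, adds the IDNA/punycode form of any non-ASCII host label so the indicator matches however the sensor logged it, reports which tables in a `union *` scope lack the RemoteUrl column, and emits a query restricted to the tables that do carry it, using `has_any` instead of a regex. TABLE_FIELDS is a constructed subset of the Defender for Endpoint advanced hunting schema, listed only for the demonstration; the table and column names are assumptions to be checked against your tenant's schema.

```python
"""Sanity-check a URL IOC list and emit a scoped Defender for Endpoint KQL query.

Added illustration, not Uncoder AI's code. TABLE_FIELDS is a constructed
subset of the advanced hunting schema (assumption), used only for the demo.
"""
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Constructed subset of the advanced hunting schema: only the columns the
# demonstration needs are listed (assumption, verify against your tenant).
TABLE_FIELDS: Dict[str, Set[str]] = {
    "DeviceNetworkEvents": {"Timestamp", "DeviceName", "RemoteUrl", "RemoteIP"},
    "DeviceEvents": {"Timestamp", "DeviceName", "RemoteUrl", "ActionType"},
    "DeviceProcessEvents": {"Timestamp", "DeviceName", "ProcessCommandLine"},
}

# Indicators quoted in the post (CERT-UA#11689). The Ukrainian file name is a
# non-ASCII indicator that a sensor may record raw or in punycode form.
IOCS = ["mfashara.com", "звернення.zip"]


def normalize_ioc(ioc: str) -> List[str]:
    """Return the match variants for one IOC: the lower-cased host plus path,
    and, when the host has non-ASCII labels, its IDNA (punycode) form too."""
    raw = ioc.strip().lower()
    # urlsplit only separates host from path when a scheme or "//" is present.
    parts = urlsplit(raw if "://" in raw else "//" + raw)
    host = parts.hostname or ""
    path = parts.path.rstrip("/")
    variants = {host + path}
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_host = host  # label too long or otherwise not encodable: keep raw
    variants.add(ascii_host + path)
    return sorted(v for v in variants if v)


def tables_missing_field(tables: List[str], field: str) -> List[str]:
    """Tables in the union scope that do not expose `field`. A non-empty result
    means the where clause silently matches nothing for those tables, so the
    union is doing work that can never produce a hit."""
    return sorted(t for t in tables if field not in TABLE_FIELDS.get(t, set()))


def kql_string(value: str) -> str:
    """Quote a value as a KQL double-quoted string literal."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_kql(iocs: List[str], field: str = "RemoteUrl") -> str:
    """Emit a query scoped to the tables that carry `field` (instead of
    `union *`), matching with has_any, which uses term indexing and is cheaper
    than `matches regex` for a plain list of indicators."""
    tables = sorted(t for t, cols in TABLE_FIELDS.items() if field in cols)
    if not tables:
        raise ValueError(f"no table exposes {field}")
    terms = sorted({v for ioc in iocs for v in normalize_ioc(ioc)})
    term_list = ", ".join(kql_string(t) for t in terms)
    lines = [
        "union " + ", ".join(tables),
        f"| where {field} has_any ({term_list})",
        f"| project Timestamp, DeviceName, {field}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print("tables lacking RemoteUrl under union *:",
          tables_missing_field(list(TABLE_FIELDS), "RemoteUrl"))
    print(build_kql(IOCS))
```

Running it prints the one table in the constructed schema that a `union *` would scan for nothing (DeviceProcessEvents) and a query of the form `union DeviceEvents, DeviceNetworkEvents | where RemoteUrl has_any (...)`, with both the raw and the punycode spelling of the Ukrainian indicator in the list. The same shape carries over to a real tenant once TABLE_FIELDS is replaced by the columns actually present in the advanced hunting schema.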


Operational Value / Results / Benefits

Accurate Threat Filtering

The query filters for known malicious URLs that may appear in remote PowerShell or web-based executions — matching both phishing and beaconing behavior.

Optimized Detection Design

Uncoder AI recommends structural changes (like avoiding wildcard unions or simplifying regex) to prevent performance issues in large production datasets.

SOC-Ready Validation

Before deploying to production, analysts receive clear signals on field presence, schema compatibility, and testing best practices — all guided by AI.
