Uncoder AI의 결정 트리를 사용하여 Google SecOps에서 민감한 파일 검색 시각화

작성자

Steven Edwards

기술 작가

[post-views]

4월 24, 2025 · 4 분 읽기

Uncoder AI의 결정 트리를 사용하여 Google SecOps에서 민감한 파일 검색 시각화

오늘날의 하이브리드 환경에서는 메모장과 같은 합법적인 도구가 내부자 또는 저속 위협 행위자에 의해 비밀번호 파일과 같은 민감한 데이터를 조회하거나 준비하는 데 조용히 사용될 수 있습니다. 반면 구글 SecOps (UDM) 는 매우 구체적인 탐지를 지원하지만, 그 뒤의 논리는 종종 복잡하고 층이 있습니다.

그래서 Uncoder AI의 AI 생성 의사 결정 트리 는 분석가들이 단순히 읽을 뿐만 아니라 탐지 논리를 이해하고 행동하도록 돕는 필수 자산이 되었습니다 더 빠르게.

Uncoder AI 탐험하기

탐지 포커스: 메모장을 통한 비밀번호 파일 액세스

이 규칙은 다음과 같이 추적합니다:

프로세스 시작이 트리거되는 경우 explorer.exe
시작된 프로세스가 notepad.exe
명령줄이 포함하는 파일 이름 참조 “password” 와 같은 확장자 .txt, .csv, .doc, 또는 .xls

우리가 사용한 입력값 (클릭하여 텍스트 표시)

metadata.event_type = “PROCESS_LAUNCH” and principal.process.file.full_path = /.*\\explorer\.exe$/ nocase and target.process.file.full_path = /.*\\notepad\.exe$/ nocase and (target.process.command_line = /.*password*\.txt$/ nocase or target.process.command_line = /.*password*\.csv$/ nocase or target.process.command_line = /.*password*\.doc$/ nocase or target.process.command_line = /.*password*\.xls$/ nocase)

Such patterns could signal:

내부자의 평문 자격증명 액세스
내보낸 비밀번호 목록의 무단 엿보기
기본 OS 도구의 오용에 의한 정찰 또는 데이터 유출

AI 생성 의사 결정 트리가 어떻게 도움을 주었는가

Uncoder AI는 UDM 쿼리를 구조화된 논리 트리로 자동 변환하여 드러냅니다:

이벤트 유형 확인 – PROCESS_LAUNCH 이벤트만 고려
부모 프로세스 필터 – 반드시 explorer.exe (사용자가 수동으로 파일을 엽니다)
실행된 프로세스 필터 – 반드시 notepad.exe 이어야 합니다
파일 이름 일치 – 명령줄에는 다음과 같은 용어가 포함되어야 합니다 password.txt, password.csv등이.

논리의 각 가지는 명확히 설명되며, 정규 표현식 패턴은 단일 노드 아래의 OR 조건으로 시각화됩니다. 이는 탐지되는 것을 이해하고 문서화하는 마찰을 줄입니다—그리고 왜.

AI 출력 결과 (클릭하여 텍스트 표시)

이 Google SecOps 쿼리의 조건 부분은 다음과 같은 결정 트리 구조로 분해할 수 있습니다:

루트 노드: metadata.event_type = “PROCESS_LAUNCH”

이 필터는 프로세스 실행과 관련된 이벤트만을 대상으로 설정하는 초기 조건입니다.

첫 번째 분기 노드: principal.process.file.full_path = /.*\explorer.exe$/ nocase

실행된 프로세스 중에서, 시작 프로세스(principal)가 explorer.exe인 경우만을 필터링합니다.

nocase 플래그는 대소문자를 구분하지 않도록 설정합니다.

두 번째 분기 노드: target.process.file.full_path = /.*\notepad.exe$/ nocase

이 조건은 대상 프로세스(실제로 실행되는 프로세스)가 notepad.exe인 경우로 이벤트를 좁힙니다.

마찬가지로 nocase를 통해 대소문자 구분 없이 일치 여부를 확인합니다.

세 번째 분기 노드 (복합 조건):

(target.process.command_line = /.*password*.txt$/ nocase or target.process.command_line = /.*password*.csv$/ nocase or target.process.command_line = /.*password*.doc$/ nocase or target.process.command_line = /.*password*.xls$/ nocase)
  – 이 조건은 notepad.exe 프로세스의 커맨드라인에 “password”가 포함된 파일명이 있으며, 해당 파일이 .txt, .csv, .doc, .xls 중 하나의 확장자를 가지는지를 확인합니다 (대소문자 구분 없음).
  – OR 조건 목록:
    – target.process.command_line = /.*password*.txt$/ nocase
    – target.process.command_line = /.*password*.csv$/ nocase
    – target.process.command_line = /.*password*.doc$/ nocase
    – target.process.command_line = /.*password*.xls$/ nocase
  – 이 결정 트리는 논리적 OR 조건에 기반하며, 위 조건 중 하나라도 충족되면 전체 조건이 만족됩니다.

결정 트리 로직 요약
모든 프로세스 실행 이벤트에서 시작

explorer.exe가 시작한 프로세스만 필터링

그중에서 notepad.exe가 실행된 경우만 선별

마지막으로, 해당 notepad.exe 인스턴스가 “password”를 포함하고 .txt, .csv, .doc, .xls 확장자를 가진 파일을 열고 있는지 확인

결과 해석
이 쿼리는 explorer.exe를 통해 실행된 notepad.exe가 패스워드 관련 민감한 파일을 열고 있는 상황을 식별합니다. 이는 무단 접근이나 비인가 정보 취급의 징후일 수 있으며, 보안 위협으로 간주될 수 있습니다.

왜 이것이 중요한가

자격증명 남용 또는 잠재적인 내부자 위협을 조사하는 보안 팀은 종종 how 탐지 규칙이 실제로 작동하는 방식을 설명하는 데 어려움을 겪습니다. Uncoder AI를 사용하면 그런 추측이 사라집니다.

결과는?

분석가의 빠른 숙련도 향상
깨끗한 탐지 문서화
더 자신감 있는 사건 분류와 처리

당신이 위협 사냥을 하거나 준수 여부를 검증할 때, 누가 password.xls 를 열었는지를 이해하는 것은 explorer.exe 메모드를 통해서 조사 성공의 열쇠가 될 수 있습니다.

쿼리에서 명확성으로, 매끄럽게

구글 SecOps는 강력한 탐지 역량을 제공하며, Uncoder AI의 AI 생성 의사 결정 트리이러한 역량은 투명하고 전수 가능하며 어느 SOC에서도 배포 가능합니다.

Uncoder AI 탐험하기

이 기사가 도움이 되었나요?

동료들과 좋아요를 누르고 공유하세요.

SOC Prime의 Detection as Code 플랫폼에 가입하세요 귀하의 비즈니스와 가장 관련 있는 위협에 대한 가시성을 향상시키세요. 시작하고 즉각적인 가치를 창출하기 위해 지금 SOC Prime 전문가와의 미팅을 예약하세요.

무료 가입하기 미팅 예약하기

Name	Descripiton
PHPSESSID	Preserves user session state across page requests. Cookie generated by applications based on the PHP language. This is a general purpose identifier used to maintain user session variables. It is normally a random generated number, how it is used can be specific to the site, but a good example is maintaining a logged-in status for a user between pages.
sp_i	Used to store information about authenticated User.
sp_r	Used to store information about authenticated User.
sp_a	Used to store information about authenticated User.

Name	Descripiton
tuuid	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
tuuid_last_update	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
um	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
umeh	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
na_sc_x	Used by the social sharing platform AddThis to keep a record of parts of the site that has been visited in order to recommend other parts of the site.
APID	Collects anonymous data related to the user's visits to the website.
IDSYNC	Collects anonymous data related to the user's visits to the website.
_cc_aud	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_cc	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_dc	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_id	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
dpm	Via a unique ID that is used for semantic content analysis, the user's navigation on the website is registered and linked to offline data from surveys and similar registrations to display targeted ads.
acs	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded, with the purpose of displaying targeted ads.
clid	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded, with the purpose of displaying targeted ads.
KRTBCOOKIE_#	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
PUBMDCID	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
PugT	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
ssi	Registers a unique ID that identifies a returning user's device. The ID is used for targeted ads.
_tmid	Registers a unique ID that identifies the user's device upon return visits. The ID is used to target ads in video clips.
wam-sync	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
wui	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
AFFICHE_W	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
B	Collects anonymous data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The registered data is used to categorise the users' interest and demographical profiles with the purpose of customising the website content depending on the visitor.
1P_JAR	These cookies are used to gather website statistics, and track conversion rates.
APISID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
HSID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
NID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SAPISID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SIDCC	Security cookie to protect users data from unauthorised access.
SSID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
__utmx	This cookie is associated with Google Website Optimizer, a tool designed to help site owners improve their wbesites. It is used to distinguish between two varaitions a webpage that might be shown to a visitor as part of an A/B split test. This helps site owners to detemine which version of a page performs better, and therefore helps to improve the website.
__utmxx	This cookie is associated with Google Website Optimizer, a tool designed to help site owners improve their wbesites. It is used to distinguish between two varaitions a webpage that might be shown to a visitor as part of an A/B split test. This helps site owners to detemine which version of a page performs better, and therefore helps to improve the website.

Name	Descripiton
_hjid	Hotjar cookie. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.
_hjIncludedInSample	This cookie is associated with web analytics functionality and services from Hot Jar, a Malta based company. It uniquely identifies a visitor during a single browser session and indicates they are included in an audience sample.
intercom-id-[xxx]	This cookie is used by Intercom as a session so that users can continue a chat as they move through the site.
intercom-session-[xxx]	Used to keeping track of sessions and remember logins and conversations.
demdex	Via a unique ID that is used for semantic content analysis, the user's navigation on the website is registered and linked to offline data from surveys and similar registrations to display targeted ads.
CookieConsent	Stores the user's cookie consent state for the current domain.
__cfduid	Used by the content network, Cloudflare, to identify trusted web traffic.
ss	These cookies enable the website to provide enhanced functionality and personalisation . They may be set by us or by third party providers whose services we have added to our pages. These services may include the Live Chat facility, Contact Us form(s), the Product Quotation forms and submission process, and the Email Newsletter sign up functionality .

Name	Descripiton
_ga	This cookie name is asssociated with Google Universal Analytics - which is a significant update to Google's more commonly used analytics service. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page. Registers a unique ID that is used to generate statistical data on how the visitor uses the website. request in a site and used to calculate visitor, session and campaign data for the sites analytics reports. By default it is set to expire after 2 years, although this is customisable by website owners.
_gat	Used by Google Analytics to throttle request rate. This cookie name is associated with Google Universal Analytics, according to documentation it is used to throttle the request rate - limiting the collection of data on high traffic sites. It expires after 10 minutes.
_gid	This cookie name is asssociated with Google Universal Analytics. This appears to be a new cookie and as of Spring 2017 no information is available from Google. It appears to store and update a unique value for each page visited. Registers a unique ID that is used to generate statistical data on how the visitor uses the website.
IDE	Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.
r/collect	Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.
test_cookie	Used to check if the user's browser supports cookies.
collect	Used to send data to Google Analytics about the visitor's device and behaviour. Tracks the visitor across devices and marketing channels.
ads/user-lists/#	These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites.
c	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
khaos	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
put_#	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
rpb	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
rpx	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
tap.php	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.