Tag: Uncoder AI

IOC-to-CSQL Detection for Gamaredon Domains

How It Works This feature in Uncoder AI translates complex threat intelligence into structured CrowdStrike CSQL (CrowdStrike Search Query Language), enabling instant use within Falcon Endpoint Search. In this example, indicators from CERT-UA#13738 describe a Gamaredon (UAC-0173 / LITENKODER) campaign leveraging ZIP files and cloud-hosted payloads. Uncoder AI processes the report and outputs a valid, […]

AI-Validated Hostname Filtering for Chronicle Queries

How It Works This Uncoder AI feature showcases its ability to analyze and validate Chronicle UDM queries involving multiple domain-based conditions. In this example, Uncoder AI processes a threat-hunting query associated with Sandworm (UAC-0133) activity, which targets a set of .sh and .so domains. The platform automatically identifies that the detection logic uses a field-level […]

AI-Assisted Domain Detection Logic for Carbon Black in Uncoder AI

How It Works This Uncoder AI feature enables instant creation of detection queries for VMware Carbon Black Cloud using structured threat intelligence, such as that from CERT-UA#12463. In this case, Uncoder AI processes indicators associated with UAC-0099 activity and formats them into a syntactically correct domain query. Parsed Threat Data The source threat report includes […]

URL-Based IOC Validation for Microsoft Defender KQL

How It Works This feature in Uncoder AI demonstrates how to validate and optimize URL-based detection logic for Microsoft Defender for Endpoint, using Kusto Query Language (KQL). In the example shown, the input consists of remote access indicators from CERT-UA#11689 (WRECKSTEEL), which include phishing domains and command-and-control endpoints. Detection Pattern: The KQL query performs the […]

AI-Generated MDE Queries from APT28 Clipboard Attacks

How It Works This feature of Uncoder AI transforms structured threat intel into Microsoft Defender for Endpoint-compatible KQL detection rules. In this case, it ingests IOCs from CERT-UA#11689, focusing on a known APT28 tradecraft: clipboard-based PowerShell payloads fetching staging scripts from malicious domains. IOC Extraction from Reported Behavior The left panel shows observables extracted from […]

Zip Archive & C2 Domain Detection in Microsoft Sentinel via Uncoder AI

How It Works This Uncoder AI feature generates a broad-spectrum KQL detection query for Microsoft Sentinel, based on indicators from CERT-UA#14045 (DarkCrystal RAT). The AI processes a threat report and outputs a query to search logs for strings such as: “Розпорядження.zip” – a suspicious Ukrainian-language file name used to disguise malware “imgurl.ir” – a known […]

Full Detection Logic for LITERNAMAGER in Cortex XSIAM via Uncoder AI

How It Works This Uncoder AI feature analyzes a complex CERT-UA#1170 threat report describing the LITERNAMAGER malware family and generates a Cortex XSIAM-compatible XQL rule. The AI extracts structured indicators and behaviors, then maps them to different Cortex datasets: 1. Process & Command Line Activity The rule detects suspicious command-line execution of: YOURClient.exe YOURServer.exe including […]

Instant Domain Matching Logic for Splunk via Uncoder AI

How It Works This feature in Uncoder AI ingests structured IOCs from threat reports — in this case, dozens of malicious domains tied to credential phishing (e.g., fake Google, Microsoft, and Telegram login portals). The tool processes and structures the data to automatically output a Splunk-compatible detection query. Domain-Based Filtering with dest_host The output query […]

Domain-Based IOC Detection for Carbon Black in Uncoder AI

How It Works 1. IOC Extraction Uncoder AI scans the threat report (left panel) and identifies malicious network infrastructure associated with: HATVIBE and CHERRYSYSPY loaders Suspicious communication and command-and-control domains like: trust-certificate.net namecheap.com enrollmenttdm.com n247.com mtw.ru Explore Uncoder AI These domains are associated with: Fake certificate lures Python-based loaders Malicious HTA stagers Credential theft via […]

AI-Generated Carbon Black Detection Rule for DarkCrystal RAT Campaign

How It Works Uncoder AI processes threat reports like CERT-UA#14045 on DarkCrystal RAT and generates Carbon Black-compatible detection logic. This feature maps observed file hashes, execution patterns, and C2 infrastructure into a rule that’s ready to deploy within Carbon Black’s behavioral telemetry stack. On the left, the threat report details the DarkCrystal campaign, including: Malicious […]
