# Full Report

## How It Works

This Uncoder AI feature enables instant creation of detection queries for VMware Carbon Black Cloud using structured threat intelligence, such as that from CERT-UA#12463. In this case, Uncoder AI processes indicators associated with UAC-0099 activity and formats them into a syntactically correct domain query.

## Parsed Threat Data

The source threat report includes […]

The post "AI-Assisted Domain Detection Logic for Carbon Black in Uncoder AI" appeared first on SOC Prime.

# Analysis Summary
# Tool/Technique: AI-Assisted Domain Detection Logic for Carbon Black in Uncoder AI
## Overview
This describes a capability within the SOC Prime Uncoder AI platform that leverages Artificial Intelligence to generate or refine detection logic specifically formatted for Carbon Black, focusing on detecting connections to known attacker domains associated with threat actors like UAC-0099. The primary purpose is to enhance threat detection and threat hunting efficiency.
## Technical Details
- Type: Tool Feature/Detection Logic Generation
- Platform: Carbon Black (as the target SIEM/EDR platform for the generated query)
- Capabilities: AI-driven query generation/validation, reduction of analyst errors, proactive threat hunting for phishing/malware domains, query formatting consistency.
- First Seen: Date not explicitly provided, but associated with a blog post dated June 05, 2025.
## MITRE ATT&CK Mapping
*Note: since the article describes generating a detection for attacker domains, the mapping is inferred for the intended detection coverage.*
- [T1566 - Phishing]
- [T1566.001 - Spearphishing Attachment] (Covered if the domains relate to payload hosting)
- [T1566.002 - Spearphishing Link] (Directly relevant to domain detection)
- [T1071 - Application Layer Protocol]
- [T1071.001 - Web Protocols] (For HTTP/S connections to malicious domains)
## Functionality
### Core Capabilities
- Generating detection queries tailored for the Carbon Black query language/schema.
- Enabling proactive threat hunting for domains linked to malicious activity (e.g., those associated with UAC-0099).
- Improving the consistency of query formatting across security teams.
### Advanced Features
- AI validation of syntax, logic, and schema alignment within the generated detection queries, reducing manual error rates.
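As an added example (not SOC Prime's or Uncoder AI's code), the following Python script shows the parse-and-format step described above in its simplest form: it refangs domain indicators taken from a CTI report excerpt, validates each one as a hostname, de-duplicates them, and emits Carbon Black Cloud search queries of bounded length. The sample report and every domain in it are constructed placeholders; the `netconn_domain` field name and the `field:value OR field:value` syntax are assumptions about Carbon Black Cloud's search language, so check them against your tenant's schema before use.

```python
"""Parse defanged domain IoCs from a CTI report and emit Carbon Black Cloud queries.

Added example; not code from SOC Prime or Uncoder AI. Assumes the Carbon Black
Cloud search field `netconn_domain` and Lucene-style `field:value OR field:value` syntax.
"""
import re
from typing import List, Optional

# Constructed sample IoC section (hypothetical, non-existent domains).
SAMPLE_REPORT = """
Network indicators (defanged):
hxxp://malicious-example[.]test/login
update-service[.]example
hxxps://cdn.evil-example[.]net:8443/x
Evil-Example[.]NET
hxxp://malicious-example[.]test/
this line is not an indicator
"""

# Common defanging conventions seen in threat reports, applied after lowercasing.
_DEFANG = (("[.]", "."), ("(.)", "."), ("[dot]", "."), ("hxxp", "http"))
_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://")
# RFC 1035-style hostname: labels of 1-63 chars, at least one dot, alphabetic TLD.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def refang(token: str) -> str:
    """Undo common defanging so the indicator can be matched literally."""
    t = token.strip().lower()
    for old, new in _DEFANG:
        t = t.replace(old, new)
    return t


def extract_domain(token: str) -> Optional[str]:
    """Return the bare hostname from a URL or domain token, or None if it is not one."""
    t = _SCHEME.sub("", refang(token))
    # Drop path, query string and port, then any trailing dot.
    t = t.split("/", 1)[0].split("?", 1)[0].split(":", 1)[0].rstrip(".")
    return t if _HOSTNAME.match(t) else None


def parse_domains(report: str) -> List[str]:
    """Collect unique hostnames from a report, keeping first-seen order."""
    seen = {}
    for line in report.splitlines():
        for tok in line.split():
            d = extract_domain(tok)
            if d:
                seen.setdefault(d, None)
    return list(seen)


def build_queries(domains: List[str], field: str = "netconn_domain",
                  max_terms: int = 50) -> List[str]:
    """Join domains into one or more OR'd queries of at most max_terms each.

    Every term is re-validated so that nothing unchecked reaches the query string.
    """
    if not domains:
        raise ValueError("no domains to search for")
    if max_terms < 1:
        raise ValueError("max_terms must be >= 1")
    bad = [d for d in domains if not _HOSTNAME.match(d)]
    if bad:
        raise ValueError(f"refusing to emit unvalidated terms: {bad}")
    chunks = [domains[i:i + max_terms] for i in range(0, len(domains), max_terms)]
    return [" OR ".join(f"{field}:{d}" for d in chunk) for chunk in chunks]


if __name__ == "__main__":
    for query in build_queries(parse_domains(SAMPLE_REPORT)):
        print(query)
```

The hostname regex rejects bare IP addresses, single labels such as `localhost`, and any token that survived defanging with stray characters, which is the error class a human copy-pasting indicators into a console most often introduces; `max_terms` splits long IoC lists into several queries rather than one that may exceed the console's length limit.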
## Indicators of Compromise
- File Hashes: N/A (Focus is on detection logic, not specific malware artifacts)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Focuses on detecting connections to **known attacker domains** tied to UAC-0099 (Specific domains were not listed but are the target artifact).
- Behavioral Indicators: Detecting network connections/traffic pointing toward these specific domains.
## Associated Threat Actors
- UAC-0099 (Mentioned as an actor whose associated domains the logic targets)
## Detection Methods
- Signature-based detection: The output is a high-fidelity query/signature for Carbon Black.
- Behavioral detection: The queries likely target network connections outbound to suspicious domains.
- YARA rules: Not applicable; detection is focused on the Carbon Black query language.
## Mitigation Strategies
- Enforcement actions based on alerts generated by the detection logic.
- Further investigation following alerts related to connections to known attacker domains.
## Related Tools/Techniques
- Uncoder AI (The platform utilizing the AI assistance)
- Carbon Black (The Endpoint Detection and Response platform where the logic is deployed)
- Detection Engineering based on CTI (Threat Intelligence Inputs)