Full Report
How It Works

This feature in Uncoder AI ingests structured IOCs from threat reports — in this case, dozens of malicious domains tied to credential phishing (e.g., fake Google, Microsoft, and Telegram login portals). The tool processes and structures the data to automatically output a Splunk-compatible detection query.

Domain-Based Filtering with dest_host

The output query […]

The post Instant Domain Matching Logic for Splunk via Uncoder AI appeared first on SOC Prime.
Analysis Summary
# Tool/Technique: Instant Domain Matching Logic for Splunk via Uncoder AI
## Overview
This describes a capability leveraging **Uncoder AI** to instantly convert extracted domain Indicators of Compromise (IOCs) from threat reports into optimized Splunk queries for threat hunting across logs (web proxy, DNS, firewall).
## Technical Details
- Type: Tool (Uncoder AI functionality)
- Platform: Splunk Log Analysis Environment (Requires integration with Uncoder AI)
- Capabilities: NLP-based IOC extraction, automatic query formatting, deduplication, and mapping of domains to Splunk fields (e.g., `dest_host`).
- First Seen: June 04, 2025 (Date of associated article)
## MITRE ATT&CK Mapping
*This functionality primarily supports defensive actions rather than mapping a specific offensive technique, but its use case relates to analysis and detection.*
- T1087 - Account Discovery (If used to hunt for C2 callback artifacts)
- T1071 - Application Layer Protocol (If domains are C2 infrastructure)
## Functionality
### Core Capabilities
- **Extraction of domain IOCs** from unstructured threat intelligence reports.
- **Syntax formatting for Splunk queries**, ensuring compatibility with Splunk’s search language.
- **Deduplication and wildcard management** of extracted domains.
- Uses Natural Language Processing (NLP) to identify only **resolvable and valid Fully Qualified Domain Names (FQDNs)**.
### Advanced Features
- Directly maps extracted FQDNs to target detection logic fields, such as `dest_host`, for immediate query execution.
- Generates queries optimized for field compatibility in Splunk.
- Allows security analysts to quickly generate queries covering dozens of phishing domains in seconds.
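The extraction, refanging, deduplication and `dest_host` mapping steps listed above, as an added illustrative example written for this page (not Uncoder AI's own implementation). It assumes the report text carries defanged domains (`[.]`, `(.)`), that `dest_host` is the target field as the page states, and that Splunk's `IN` operator is used for the domain list; the sample report text is constructed and contains no real indicators.

```python
import re

# Constructed sample report text with defanged domains (no real IOCs).
SAMPLE_REPORT = """
Phishing portals observed: telegram-account[.]site, cloudviewer[.]world,
and again telegram-account[.]site (duplicate). Also hxxps://login-example[.]invalid/path
Ignore tokens such as 'v1.2.3' or 'e.g.' that look dotted but are not FQDNs.
"""

# Hostname candidates: labels joined by '.', '[.]' or '(.)' (lenient on purpose;
# the FQDN check below is what rejects false positives).
_HOST_RE = re.compile(r"\b([a-z0-9-]+(?:(?:\.|\[\.\]|\(\.\))[a-z0-9-]+)+)\b", re.IGNORECASE)
_DEFANGED_DOT = re.compile(r"\[\.\]|\(\.\)")
_LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$", re.IGNORECASE)


def refang(token: str) -> str:
    """Restore real '.' separators and normalise case."""
    return _DEFANGED_DOT.sub(".", token).lower()


def is_valid_fqdn(host: str) -> bool:
    """Syntactic FQDN check: 2+ labels, RFC-style label charset/length,
    alphabetic TLD of at least two characters. Resolvability (DNS lookup or a
    public-suffix check, which the page attributes to the tool) is out of scope."""
    labels = host.split(".")
    if len(labels) < 2 or len(host) > 253:
        return False
    tld = labels[-1]
    return all(_LABEL_RE.match(label) for label in labels) and tld.isalpha() and len(tld) >= 2


def extract_domains(text: str) -> list[str]:
    """Return unique, refanged, syntactically valid FQDNs in first-seen order."""
    seen: dict[str, None] = {}  # dict preserves insertion order; acts as ordered set
    for match in _HOST_RE.finditer(text):
        host = refang(match.group(1))
        if is_valid_fqdn(host):
            seen.setdefault(host, None)
    return list(seen)


def build_splunk_query(domains: list[str], field: str = "dest_host") -> str:
    """Map the domain list onto a Splunk field using the IN operator (assumed SPL shape)."""
    quoted = ", ".join(f'"{d}"' for d in domains)
    return f"{field} IN ({quoted}) | stats count by {field}"


if __name__ == "__main__":
    print(build_splunk_query(extract_domains(SAMPLE_REPORT)))
```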
## Indicators of Compromise
- File Hashes: N/A (Focus is on processing text IOCs)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Domains extracted from unstructured text (e.g., `telegram-account[.]site`, `cloudviewer[.]world` shown as examples of input complexity). The output IOCs are *generated* based on input, not inherent to the tool itself.
- Behavioral Indicators: N/A
## Associated Threat Actors
- Not directly associated with a specific threat actor; it is a defensive tool designed to speed up the analysis of IOCs related to any threat actor.
## Detection Methods
- Detection is centered on the *output* of the tool (the Splunk query), which detects associated network activity (beaconing, connection attempts) on SIEM/log platforms.
- **Behavioral detection**: Uncovering previously unseen beaconing attempts or user clicks on spoofed portals by executing the generated queries against web proxy, DNS, or firewall logs.
## Mitigation Strategies
- **Speed & Accuracy**: Rapidly generating threat hunting queries minimizes the dwell time of threats using newly identified C2 domains.
- **Proactive Hunting**: Immediately applying generated filters to DNS, firewall, and web proxy logs.
- **Integration**: Integrating the output into scheduled detection pipelines for continuous monitoring.
## Related Tools/Techniques
- Uncoder AI
- Splunk (Target analysis platform)
- Threat Intelligence Platforms (TIPs) (source of unstructured IOC data)