Detection Content Generation and Improvement

Uncoder AI supports various tasks related to AI and non-AI detection content generation, summarization, and analysis.

Behavior Rule/Query Generation with AI and Custom Prompt AI Tasks

You can generate detection rules and queries for the following platforms:

Anomali Security Analytics
Apache Kafka ksqlDB
ArcSight
AWS Athena
AWS OpenSearch
Crowdstrike Endpoint Security
CSharp Regex
Datadog
Devo
DNIF
ElastAlert
Elastic Stack
Falco
Falcon LogScale
FireEye
FortiSIEM
Google SecOps
Graylog
HawkSearch
Hunters
IBM QRadar
Lacework
LimaCharlie
Logiq
Logpoint
LogRhythm
Microsoft Defender for Endpoint
Microsoft Sentinel
NVISO EE-Outliers
Palo Alto Cortex XDR
Palo Alto Cortex XSIAM
PowerShell
Qualys
Regex Grep
Roota
RSA NetWitness
Securonix
SentinelOne
Snowflake
Splunk
SQL
SQLite
STIX
StreamAlert
Sumo Logic
Sysmon
UberAgent ESA
VMware Carbon Black
Logsign Unified SecOps
Suricata
Tanium
Sophos EDR
Logz.io
Trend Micro XDR
Exabeam

IOC Query Generation

You can generate IOC queries for the following platforms:

ArcSight
AWS OpenSearch
Crowdstrike Endpoint Security
Elastic Stack
Falcon LogScale
FireEye
Google SecOps
Graylog
IBM QRadar
Logpoint
Microsoft Defender for Endpoint
Microsoft Sentinel
Qualys
RSA NetWitness
Securonix
SentinelOne
Snowflake
Splunk
Sumo Logic
VMware Carbon Black
Anomali
Apache Kafka ksqlDB
AWS Athena
Datadog
Devo
DNIF
Hunters
Sigma
SQL
SQLite
STIX

Short Summary, Full Summary, Decision Tree, and Query Optimization

You can generate short summaries, full summaries, and decision trees for the following platforms:

Anomali Security Analytics
Apache Kafka ksqlDB
ArcSight
AWS Athena
AWS OpenSearch
Crowdstrike Endpoint Security
CSharp Regex
Datadog
Devo
DNIF
ElastAlert
Elastic Stack
Falco
Falcon LogScale
FireEye
FortiSIEM
Google SecOps
Graylog
HawkSearch
Hunters
IBM QRadar
Lacework
LimaCharlie
Logiq
Logpoint
LogRhythm
Microsoft Defender for Endpoint
Microsoft Sentinel
NVISO EE-Outliers
Palo Alto Cortex XDR
Palo Alto Cortex XSIAM
PowerShell
Qualys
Regex Grep
Roota
RSA NetWitness
Securonix
SentinelOne
Snowflake
Splunk
SQL
SQLite
STIX
StreamAlert
Sumo Logic
Sysmon
UberAgent ESA
VMware Carbon Black

Note: Short summaries and full summaries can also be generated for texts in human language.

Validation

You can validate the syntax and structure for the following platforms:

Anomali Security Analytics
Apache Kafka ksqlDB
ArcSight
AWS Athena
AWS OpenSearch
Crowdstrike Endpoint Security
CSharp Regex
Datadog
Devo
DNIF
ElastAlert
Elastic Stack
Falco
Falcon LogScale
FireEye
FortiSIEM
Google SecOps
Graylog
HawkSearch
Hunters
IBM QRadar
Lacework
LimaCharlie
Logiq
Logpoint
LogRhythm
Microsoft Defender for Endpoint
Microsoft Sentinel
NVISO EE-Outliers
Palo Alto Cortex XDR
Palo Alto Cortex XSIAM
PowerShell
Qualys
Regex Grep
Roota
RSA NetWitness
Securonix
SentinelOne
Snowflake
Splunk
SQL
SQLite
STIX
StreamAlert
Sumo Logic
Sysmon
UberAgent ESA
VMware Carbon Black
Onum
Logsign Unified SecOps
Suricata
Tanium
Sophos EDR
Logz.io
Trend Micro XDR
Exabeam

Result Aggregation

You can aggregate query results for the following platforms:

IBM QRadar
Anomali
Athena
Elastic (EQL)
Falcon LogScale
Microsoft Defender for Endpoint
Microsoft Sentinel
Splunk
Sumo Logic

Detection Content Translation

Uncoder AI supports translations of several types:

Cross-platform translation (platform-native language to platform-native language)
Translation from a platform-agnostic language to a platform-specific one:
- Sigma to platform-native language
- Roota to platform-native language
Translation between different formats of the same platform
Remapping to OCSF

Cross-platform translation

The scope of support for each language is as follows:

Platform	Source	Target
Anomali Security Analytics Query with Default data schema	–	Basic detection logic
AWS Athena: Query with OCSF data schema	Basic detection logic	Basic detection logic
AWS OpenSearch: Query (Lucene) with ECS data schema	Basic detection logic	Basic detection logic
AWS OpenSearch: Rule (JSON) with ECS data schema	–	Basic detection logic
CrowdStrike Endpoint Security: Query (SPL) with Default data schema	Basic detection logic	Basic detection logic
ElastAlert: Alert (Lucene) with ECS data schema	–	Basic detection logic
Elastic Stack: Query (Lucene) with ECS data schema Detection Rule (Lucene) with ECS data schema Query (EQL) with ECS data schema	Basic detection logic	Basic detection logic
Elastic Stack: Detection Rule (TOML) with ECS data schema	Basic detection logic	–
Elastic Stack: Rule (Watcher) with ECS data schema Kibana SavedSearch (JSON) with ECS data schema	–	Basic detection logic
Falcon LogScale: Query with Default data schema Alert with Default data schema	Basic detection logic + Functions: search sort groupBy stats table avg min max count sum	Basic detection logic + Functions: search sort groupBy stats table avg min max count sum
FortiSIEM Rule with Default data schema	–	Basic detection logic
Google SecOps: Query (UDM) with UDM data schema Rule (YARA-L) with UDM data schema	Basic detection logic	Basic detection logic
Graylog: Query with Default data schema	–	Basic detection logic
Hunters: Query with Default data schema	–	Basic detection logic
IBM QRadar: Query (AQL) with LEEF data schema	Basic detection logic + Functions: AVG COUNT MIN MAX SUM aggregation_data_function DISTINCTCOUNT GROUP BY LAST SELECT LIMIT ORDER BY LOWER UPPER	Basic detection logic
IBM QRadar: Rule (XML) with Default data schema	Basic detection logic + Functions: AVG COUNT MIN MAX SUM aggregation_data_function DISTINCTCOUNT GROUP BY LAST SELECT LIMIT ORDER BY LOWER UPPER	–
LogRhythm: Axon query with Default data schema Axon rule with Default data schema	–	Basic detection logic
Microsoft Defender for Endpoint: Query (Kusto) with Default data schema	Basic detection logic	Basic detection logic
Microsoft Sentinel: Query (Kusto) with Default data schema Rule (Kusto) with Default data schema	Basic detection logic + Functions: project search sort avg count min max sum	Basic detection logic + Functions: avg count count_distinct min max sum distinct extend project-rename project sort summarize top where
Microsoft Sentinel: Rule (YML) with Default data schema	Basic detection logic	–
Palo Alto Cortex XDR Query with Default data schema	–	Basic detection logic + Functions: avg count count_distinct min max sum values alter array_length bin comp fields filter incidr join divide multiply sort split lowercase uppercase extract_time timeframe timestamp_diff union iploc
Palo Alto Cortex XSIAM Query (XQL) with Default data schema	–	Basic detection logic + Functions: avg count count_distinct min max sum values alter array_length bin comp fields filter incidr join divide multiply sort split lowercase uppercase extract_time timeframe timestamp_diff union iploc
SentinelOne PowerQuery with Default data schema	–	Basic detection logic
Splunk: Query (SPL) with Default data schema Alert (SPL) with Default data schema	Basic detection logic (expressions and operators) + Functions: avg count distinct_count earliest eval fields latest max min rename search sort stats sum table values where agg time	Basic detection logic + Functions: avg count min max sum search sort stats table
Splunk: Alert (YML) with Default data schema	Basic detection logic	–
Sigma rule	N/A	Basic detection logic
VMware Carbon Black	Basic detection logic	Basic detection logic

Translation from Sigma to platform-native language

You can translate from Sigma to the following languages:

Platform	Format and Data Schema
Anomaly Security Analytics	Query: Default
Apache Kafka ksqlDB	Query (KSQL): Default
ArcSight	Query: CEF Rule: CEF
AWS Athena	Query (SQL): OCSF
AWS OpenSearch	Query (Lucene) ECS OCSF Rule (JSON): ECS OCSF ECS Case Sensitive CEF
VMware Carbon Black	Query (Cloud): Default Query (EDR): Default
Google SecOps	Query (UDM): UDM Rule (YARA-L): UDM
Coralogix	Query Default ECS Alert Default ECS
CrowdStrike Endpoint Security	Query (SPL): Default
CrowdStrike NextGen SIEM	Query: Default
CrowdStrike NextGen SIEM Falcon LogScale	Alert: Default CIM CrowdStrike Winlogbeat Zeek OCSF Query: Default CIM CrowdStrike Winlogbeat Zeek OCSF
Devo	Query: Default
ElastAlert	Alert (Lucene): ECS CEF ECS Case Sensitive Alert (DSL): ECS CEF ECS Case Sensitive
Elastic Stack	Detection Rule (EQL): ECS OCSF CEF ECS Case Sensitive Detection Rule (Lucene): ECS CEF OCSF Corelight ECS Case Sensitive Zeek ES\|QL Detection Rule: ECS ES\|QL Query ECS Kibana SavedSearch (JSON): ECS ECS Case Sensitive Corelight CEF Zeek Kibana SavedSearch (NDJSON): ECS ECS Case Sensitive CEF Query (DSL): ECS ECS Case Sensitive CEF OCSF Query (EQL): ECS ECS Case Sensitive CEF OCSF Query (Lucene): ECS ECS Case Sensitive CEF OCSF Corelight Zeek Rule (Watcher): ECS ECS Case Sensitive CEF Corelight Zeek
FireEye	Query: Default Rule (XML): Default
FortiSIEM	Rule: Default
Graylog	Query: Default
Hunters	Query: Default
LimaCharlie	Rule: Default
Logpoint	Query: Default
Microsoft Defender for Endpoint	Query (Kusto): Default
Microsoft Sentinel	Query (Kusto): Default MDE Rule (Kusto): Default MDE
PowerShell	Query: Default
IBM QRadar	Query (AQL): LEEF CEP Custom OCSF
Qualys	IOC Query: Default
Palo Alto Cortex XDR	Query: Default
Palo Alto Cortex XSIAM	Query (XQL): Default
Regex Grep	Query: Default
RSA NetWitness	Query: Default Query (EPL): Default
Roota	Rule: Default
Securonix	Query: Default
SentinelOne	PowerQuery: Default Query (Events): Default Query (Process State): Default
Snowflake	Query (SQL): Default OCSF
Splunk	Alert (SPL): Default OCSF Zeek Corelight Query (SPL): Default OCSF Zeek Corelight Query (XML): Default OCSF
Sumo Logic	Query (CSE): Default Rule (CSE): Default Query: Default OCSF
Sysmon	Config: Default
Trend Vision One	Query: Default
CSharp Regex	Query (LINQ): Default
Datadog	Query: Default
DNIF Query	Query: Default
HawkSearch	Query: Default
Lacework	Query: Default
Logiq	Rule: Default
LogRhythm	LR7 Query (Lucene): CEF ECS Case Sensitive Axon Query: Default Axon Rule: Default
NVISO EE-Outliers	Query: Default CEF ECS Case Sensitive
SQL	Query: Default
SQLite	Query: Default
STIX	Pattern: Default
StreamAlert	Alert: Default
UberAgent ESA	Query: Default

Translation from Roota to platform-native language

You can translate from Roota to the following languages:

Platform	Scope of support
Anomali Security Analytics Query with Default data schema	Basic detection logic
AWS Athena: Query with OCSF data schema	Basic detection logic
AWS OpenSearch: Query (Lucene) with ECS data schema	Basic detection logic
AWS OpenSearch: Rule (JSON) with ECS data schema	Basic detection logic
CrowdStrike Endpoint Security: Query (SPL) with Default data schema	Basic detection logic
ElastAlert: Alert (Lucene) with ECS data schema	Basic detection logic
Elastic Stack: Query (Lucene) with ECS data schema Detection Rule (Lucene) with ECS data schema Query (EQL) with ECS data schema	Basic detection logic
Elastic Stack: Rule (Watcher) with ECS data schema Kibana SavedSearch (JSON) with ECS data schema	Basic detection logic
Falcon LogScale: Query with Default data schema Alert with Default data schema	Basic detection logic + Functions: search sort groupBy stats table avg min max count sum
FortiSIEM Rule with Default data schema	Basic detection logic
Google SecOps: Query (UDM) with UDM data schema Rule (YARA-L) with UDM data schema	Basic detection logic
Graylog: Query with Default data schema	Basic detection logic
Hunters: Query with Default data schema	Basic detection logic
IBM QRadar: Query (AQL) with LEEF data schema	Basic detection logic
LogRhythm: Axon query with Default data schema Axon rule with Default data schema	Basic detection logic
Microsoft Defender for Endpoint: Query (Kusto) with Default data schema	Basic detection logic
Microsoft Sentinel: Query (Kusto) with Default data schema Rule (Kusto) with Default data schema	Basic detection logic + Functions: avg count count_distinct min max sum distinct extend project-rename project sort summarize top where
Palo Alto Cortex XDR Query with Default data schema	Basic detection logic + Functions: avg count count_distinct min max sum values alter array_length bin comp fields filter incidr join divide multiply sort split lowercase uppercase extract_time timeframe timestamp_diff union iploc
Palo Alto Cortex XSIAM Query (XQL) with Default data schema	Basic detection logic + Functions: avg count count_distinct min max sum values alter array_length bin comp fields filter incidr join divide multiply sort split lowercase uppercase extract_time timeframe timestamp_diff union iploc
SentinelOne PowerQuery with Default data schema	Basic detection logic
Splunk: Query (SPL) with Default data schema Alert (SPL) with Default data schema	Basic detection logic + Functions: avg count min max sum search sort stats table
Sigma rule	Basic detection logic

Translation between different formats of the same platform

Translating between different formats of the lame platform (does not require the reverse translations balance):

AWS OpenSearch:
- Query (Lucene) with ECS data schema → Rule (JSON) with ECS data schema
Google SecOps:
- Query (UDM) with UDM data schema ↔ Rule (YARA-L) with UDM data schema
Elastic Stack:
- Query (Lucene) with ECS data schema ↔ Detection Rule (Lucene) with ECS data schema
- Query (Lucene) with ECS data schema → Rule (Watcher) with ECS data schema
- Query (Lucene) with ECS data schema → Kibana SavedSearch (JSON) with ECS data schema
- Detection Rule (Lucene) with ECS data schema → Rule (Watcher) with ECS data schema
- Detection Rule (Lucene) with ECS data schema → Kibana SavedSearch (JSON) with ECS data schema
- Detection Rule (TOML) with ECS data schema → Detection Rule (Lucene) with ECS data schema
- Detection Rule (TOML) with ECS data schema → Kibana SavedSearch (JSON) with ECS data schema
- Detection Rule (TOML) with ECS data schema → Query (EQL) with ECS data schema
- Detection Rule (TOML) with ECS data schema → Query (Lucene) with ECS data schema
- Detection Rule (TOML) with ECS data schema → Rule (Watcher) with ECS data schema
- Query (EQL) with ECS data schema ↔ Detection Rule (Lucene) with ECS data schema
- Query (EQL) with ECS data schema → Kibana SavedSearch (JSON) with ECS data schema
- Query (EQL) with ECS data schema ↔ Query (Lucene) with ECS data schema
- Query (EQL) with ECS data schema → Rule (Watcher) with ECS data schema
Falcon LogScale:
- Query with Default data schema ↔ Alert with Default data schema
Microsoft Sentinel:
- Query (Kusto) with Default data schema ↔ Rule (Kusto) with Default data schema
- Rule (YML) with Default data schema → Rule (Kusto) with Default data schema
- Rule (YML) with Default data schema → Query (Kusto) with Default data schema
Splunk:
- Query (SPL) with Default data schema ↔ Alert (SPL) with Default data schema
- Alert (YML) with Default data schema → Alert (SPL) with Default data schema
- Alert (YML) with Default data schema → Query (SPL) with Default data schema

Remapping to OCSF

The scope of supported formats is as follows:

AWS OpenSearch Query (Lucene): ECS to OCSF
AWS OpenSearch Rule (JSON): ECS to OCSF
Elastic Stack Detection Rule (Lucene): ECS to OCSF
Elastic Stack Query (Lucene): ECS to OCSF
Falcon LogScale Alert: Default to OCSF
Falcon LogScale Query: Default to OCSF
IBM QRadar Query (AQL): LEEF to OCSF
Snowflake Query (SQL): Default to OCSF
Splunk Alert (SPL): Default to OCSF
Splunk Query (SPL): Default to OCSF
Sumo Logic Query: Default to OCSF

Scope of Platform Support