🔥 3-day streak
Professional Security Operations Engineer146 / 241
Question 146 of 241
A threat hunter in Google SecOps wants to identify PowerShell child processes that have executed across only one or two hosts in the entire enterprise over the past 90 days, as a way to surface anomalous, low-prevalence activity. They write a UDM search filtering on target.process.file.full_path matching powershell.exe and group results, but the query returns hundreds of hosts and no useful low-prevalence signal. What is the MOST likely reason the hunt failed to surface rare activity, and how should it be corrected?
Reviewed for accuracy · Report an issueNext question