🔥 3-day streak
Professional Security Operations Engineer149 / 241
Question 149 of 241
Your threat intel team publishes a weekly CSV that maps known malicious infrastructure to attributes: an IP address, the associated threat actor group, and a confidence tier (high/medium/low). You are writing a YARA-L single-event rule that must (a) match outbound connections to any listed IP and (b) populate the resulting detection's outcome with the specific threat actor name and confidence tier for that IP so analysts can triage without a separate lookup. Which SecOps construct should back this rule to satisfy both requirements most maintainably?
Reviewed for accuracy · Report an issueNext question