🔥 3-day streak
Professional Security Operations Engineer150 / 241
Question 150 of 241

A detection engineer wrote a YARA-L single-event rule that fires on any authenticated SSH login from an external IP to production hosts. The rule generates hundreds of alerts daily, and analysts confirm the overwhelming majority originate from a known, authorized third-party vulnerability scanning service whose source IPs change weekly but always resolve within a documented ASN. Which tuning approach best reduces false positives while preserving detection of genuinely anomalous external SSH logins?

Reviewed for accuracy · Report an issueNext question