🔥 3-day streak
Professional Security Operations Engineer155 / 241
Question 155 of 241
A detection engineer at a financial services firm receives a threat intelligence report describing an adversary that abuses Windows Management Instrumentation (WMI) for lateral movement and executes payloads via WMI event subscriptions for persistence. She writes a YARA-L rule to detect the WMI event subscription behavior and wants to ensure the rule is discoverable and correctly attributed when the SOC later runs ATT&CK coverage reports in Google SecOps. According to detection engineering best practice, how should she populate the rule metadata?
Reviewed for accuracy · Report an issueNext question