🔥 3-day streak
Professional Security Operations Engineer164 / 241
Question 164 of 241
A detection engineer maintains a YARA-L single-event rule that flags any use of `certutil.exe` with a URL argument (a known LOLBin download technique). The rule is technically accurate but generates ~300 alerts per day because a legitimate internal patch-management tool uses certutil to fetch signed update manifests from a fixed internal server. The engineer must preserve detection of genuinely suspicious certutil downloads while eliminating the recurring benign noise, and wants the tuning to remain maintainable and self-documenting. Which approach best meets these goals?
Reviewed for accuracy · Report an issueNext question