🔥 3-day streak
Professional Security Operations Engineer166 / 241
Question 166 of 241
A threat hunter forms a hypothesis that an adversary is using DNS TXT record queries for low-and-slow data exfiltration through a single internal host. The hunter wants a YARA-L 2.0 rule that surfaces hosts generating an anomalously high volume of DNS queries with long, high-entropy subdomain labels to a small set of second-level domains within a short window. Which approach best operationalizes this hypothesis in Google SecOps?
Reviewed for accuracy · Report an issueNext question