🔥 3-day streak
Professional Security Operations Engineer176 / 241
Question 176 of 241

A threat hunter at a fintech company received GTI intelligence indicating a campaign that dropped a malicious loader across victim networks between 02:00 and 04:00 UTC over the past week, but the reporting is retrospective — the IOCs were only published today. The hunter wants to write a YARA-L retrohunt rule that surfaces process-execution events matching the loader's SHA-256 hash within that specific two-hour daily window across the past 7 days. When constructing the rule to filter on the time-of-day window, which UDM timestamp field should the hunter reference to ensure matches reflect when the activity actually occurred on the endpoints, not when logs arrived in SecOps?

Reviewed for accuracy · Report an issueNext question