🔥 3-day streak
Professional Security Operations Engineer184 / 241
Question 184 of 241

A threat hunter suspects a data exfiltration campaign in which a compromised internal host uploads large volumes of data through HTTP POST requests to a low-reputation external destination. She wants a YARA-L 2.0 rule that surfaces hosts whose cumulative outbound HTTP POST payload size to a single destination is abnormally large within a short window, while suppressing normal high-volume application traffic. Which rule design approach best supports this hypothesis-driven hunt?

Reviewed for accuracy · Report an issueNext question