🔥 3-day streak
Professional Security Operations Engineer185 / 241
Question 185 of 241

During a hypothesis-driven hunt, your team suspects that a threat actor is rotating C2 infrastructure but reusing the same TLS server stack, which produces a consistent JARM fingerprint. Your GTI research surfaced a specific JARM hash associated with a known Cobalt Strike listener profile. You want to write a YARA-L rule over Google SecOps network telemetry that surfaces any internal host establishing an outbound TLS session whose server JARM fingerprint matches the GTI-provided value, but only when the destination is NOT already on your approved-vendors reference list. Which approach best implements this hunt while keeping it maintainable as GTI updates the indicator set?

Reviewed for accuracy · Report an issueNext question