🔥 3-day streak
Professional Security Operations Engineer191 / 241
Question 191 of 241
A threat hunter at a financial services firm hypothesizes that a compromised workstation may be beaconing to an attacker-controlled server. They want to build a YARA-L retrohunt rule in Google SecOps that surfaces outbound network connections to external destination IP addresses that have NOT been observed anywhere in the environment during the prior 30 days, so that only genuinely new destinations are flagged. Which approach best satisfies this requirement?
Reviewed for accuracy · Report an issueNext question