🔥 3-day streak
Professional Security Operations Engineer200 / 241
Question 200 of 241

A threat hunter suspects a data-staging operation is exfiltrating to hosts on unusual top-level domains (TLDs) such as .top, .xyz, and .zip. Rather than hardcode a specific list of suspicious TLDs, the hunter wants a YARA-L 2.0 detection that surfaces outbound DNS resolutions to any TLD that is rare across the enterprise over a rolling baseline, so novel TLDs are caught automatically. Which approach best satisfies this hunting goal in Google SecOps?

Reviewed for accuracy · Report an issueNext question