🔥 3-day streak
Professional Security Operations Engineer201 / 241
Question 201 of 241
During a hypothesis-driven hunt, a SecOps threat hunter suspects a custom C2 implant is beaconing over HTTPS using a hardcoded, non-standard User-Agent string. The hunter wants to write a YARA-L 2.0 rule that surfaces HTTP requests whose User-Agent value appears on only a handful of hosts across the enterprise over a 7-day window, rather than matching a specific known-bad string. Which approach best supports this low-prevalence hunting goal?
Reviewed for accuracy · Report an issueNext question