🔥 3-day streak
Professional Security Operations Engineer207 / 241
Question 207 of 241
A detection engineer is building a YARA-L multi-event rule to detect password-spraying against a corporate SSO endpoint. The goal is to alert when a single source IP generates failed authentication events against at least 10 distinct user accounts within a 15-minute window. Early tests fire alerts even when one IP fails repeatedly against the same 2 or 3 accounts (a locked-out user retrying). Which condition construct correctly enforces the intended detection logic?
Reviewed for accuracy · Report an issueNext question