🔥 3-day streak
Professional Security Operations Engineer221 / 241
Question 221 of 241
A detection engineer writes a YARA-L multi-event rule to detect brute-force authentication by correlating failed logins from a single source IP against multiple usernames. During testing, the rule fires a separate detection for every additional failed login beyond the threshold within the same match window, flooding the SOAR queue with near-duplicate alerts for the same attack episode. The engineer wants exactly one detection per source IP per match window while preserving the multi-username correlation logic. Which change best achieves this?
Reviewed for accuracy · Report an issueNext question