🔥 3-day streak
Professional Security Operations Engineer222 / 241
Question 222 of 241

A detection engineer is writing a YARA-L multi-event rule to detect a slow credential-stuffing campaign in which an attacker attempts logins against many accounts from a single source IP over roughly 20 hours. The engineer groups events by principal.ip, counts distinct target.user values, and sets a threshold. During testing over historical data, the rule never fires even though the analyst confirms the activity clearly occurred across an 18-20 hour span. What is the MOST likely cause, and what should the engineer do?

Reviewed for accuracy · Report an issueNext question