🔥 3-day streak
Professional Security Operations Engineer223 / 241
Question 223 of 241
A detection engineer is building a YARA-L multi-event rule to detect a credential-dumping-then-lateral-movement pattern: an LSASS access event on a host followed by an outbound SMB connection from the same host to an internal admin share. The initial rule joins both events on principal.hostname and fires whenever both event types appear within the 1-hour match window, but the SOC reports it also fires when the SMB connection precedes the LSASS access (normal admin behavior). Which change to the rule most precisely enforces the intended attack sequence while keeping the multi-event correlation?
Reviewed for accuracy · Report an issueNext question