🔥 3-day streak
Professional Security Operations Engineer225 / 241
Question 225 of 241
A detection engineer writes a YARA-L multi-event rule to detect credential dumping followed by lateral movement. The rule joins a process-launch event (LSASS access) with a subsequent remote authentication event on the same host, using a `match` window of 5 minutes. During validation against a known incident replay, the rule fails to fire even though both events are present in the data. Analysis of the incident shows the attacker accessed LSASS, then waited roughly 45 minutes before authenticating to a remote host. What is the MOST appropriate fix while keeping false positives controlled?
Reviewed for accuracy · Report an issueNext question