🔥 3-day streak
Professional Security Operations Engineer226 / 241
Question 226 of 241

A detection engineer wrote a YARA-L multi-event rule to detect brute-force authentication: it groups failed logins by target user and source IP, and fires when at least 10 failed events occur. Analysts report the rule generates excessive noise because it counts failures spread across an entire day, including unrelated typo-based failures for shared service accounts. The engineer must reduce false positives while preserving detection of genuine rapid brute-force bursts. Which change to the rule is the MOST appropriate?

Reviewed for accuracy · Report an issueNext question