🔥 3-day streak
Professional Security Operations Engineer228 / 241
Question 228 of 241

A detection engineer wrote a single-event YARA-L rule to flag suspicious `certutil.exe` downloads by matching on `principal.process.command_line`. The rule fires reliably, but the SOC reports it produces intermittent false negatives: some malicious command lines that clearly contain the download flag are not being detected. Investigation shows the missed events used mixed-case flags like `-UrlCache` and `-URLcache`, while the rule uses `re.regex($e.principal.process.command_line, /-urlcache/)`. What is the most correct fix that addresses the root cause without broadening the rule unnecessarily?

Reviewed for accuracy · Report an issueNext question