🔥 3-day streak
Professional Security Operations Engineer237 / 241
Question 237 of 241
You are writing a YARA-L single-event rule to detect execution of any of roughly 40 known LOLBin process names (e.g., certutil.exe, mshta.exe, regsvr32.exe) derived from a threat intel report. During review, a colleague notes that chaining 40 separate `or` equality comparisons in the condition is hard to maintain and error-prone as the intel list grows. Which approach best expresses this match while keeping the rule maintainable and performant in Google SecOps?
Reviewed for accuracy · Report an issueNext question