🔥 3-day streak
Professional Security Operations Engineer238 / 241
Question 238 of 241

A detection engineer writes a YARA-L single-event rule to catch successful interactive logons from a specific service account. The current rule triggers on every authentication event for that account, including failed attempts and non-interactive service-to-service tokens, producing excessive false positives. Which change to the events section most precisely narrows the rule to the intended activity while relying on normalized UDM enumeration fields rather than fragile string matching?

Reviewed for accuracy · Report an issueNext question