🔥 3-day streak
Professional Security Operations Engineer240 / 241
Question 240 of 241
A detection engineer deployed a YARA-L single-event rule that flags PowerShell execution with the '-ExecutionPolicy Bypass' flag. The rule is generating hundreds of alerts per day, nearly all from a known set of three IT automation service accounts running legitimate deployment scripts. The engineer must reduce false positives without losing visibility into the same behavior when performed by any other account, and wants a solution that is easy to maintain as the automation account list changes. Which approach is the MOST appropriate?
Reviewed for accuracy · Report an issueNext question