🔥 3-day streak
Professional Security Operations Engineer241 / 241
Question 241 of 241
A detection engineer deployed a YARA-L single-event rule that alerts on any PowerShell execution containing '-enc'. SOC analysts report that roughly 90% of the alerts are legitimate administrative automation from three known jump-host service accounts, but leadership refuses to fully suppress the rule because the same pattern is occasionally abused. The engineer wants to keep visibility on all matches while ensuring analysts only actively triage the anomalous ones. Which approach best accomplishes this within a single YARA-L rule?
Reviewed for accuracy · Report an issue