I found a rule for impossible travel activity with clear understanding, but I am facing difficulty adding exceptions into it, like when an event matches any of the following.
- Azure India and UK exception
- Azure UK and India exception.
Hi @satya_saketh, in this scenario have you tried approaching this with the use of a reference list?
For instance, your YARA-L rule can still continue matching as it currently is, but you could add an extra condition statement that checks whether the country isn't part of an existing reference list:
condition:
not $country in %allowed_countries
If you're pulling out the country earlier in the YARA-L rule, this logic will effectively negate the match when the reference list contains the country in question.
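As an added example (not code from the answer above), here is the reference-list approach applied to the India/UK exception from the question. It assumes a reference list named allowed_countries that holds both country names, the UDM field principal.ip_geo_artifact.location.country_or_region for the source country, and a 1h match window; a login pair is excluded when both countries are on the list, which covers both travel directions.

```yara-l
rule impossible_travel_with_country_exceptions {
  meta:
    author = "example"
    description = "Two logins by one user from different countries within 1h, excluding pairs where both countries are on an allow list"
    severity = "MEDIUM"

  events:
    // First login and its source country (field path is an assumption)
    $login1.metadata.event_type = "USER_LOGIN"
    $login1.target.user.userid = $user
    $login1.principal.ip_geo_artifact.location.country_or_region = $country1

    // Second login by the same user from a different country
    $login2.metadata.event_type = "USER_LOGIN"
    $login2.target.user.userid = $user
    $login2.principal.ip_geo_artifact.location.country_or_region = $country2
    $country1 != $country2

    // Exception: when both countries are on the allow list (e.g. "India" and
    // "United Kingdom"), the pair is expected travel in either direction and
    // the rule does not match. %allowed_countries is an assumed list name.
    not ($country1 in %allowed_countries and $country2 in %allowed_countries)

  match:
    $user over 1h

  outcome:
    $risk_score = max(50)

  condition:
    $login1 and $login2
}
```

Adding a new exception pair then only requires updating the reference list, not the rule text.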