SecOps alerts indicate repeated PowerShell activity and outbound connections to a domain not in your threat feeds across multiple systems and users. You need to search across impacted systems and identities to identify the malicious user and scope. What should you do?

Multiple Choice

Explanation:
The main idea is cross-system correlation using a rule-based search that spans endpoints and identities. YARA-L 2.0 is designed to apply a common set of indicators of compromise across all telemetry, so you can quickly bring together evidence from multiple hosts and users to identify who is acting and how far the activity extends.

By crafting YARA-L 2.0 rules that capture the observed patterns—PowerShell executions, specific outbound connections to the unfamiliar domain, and the associated user and host context—you can search across impacted systems in one pass. This lets you see exactly which users and machines participated, when each action occurred, and how the activity ties together across the environment. The result is a coherent picture of the malicious actor and the full scope, without laborious, piecemeal manual pivots.

Raw log searches and manual pivots would require stitching together disparate logs from each system, which is time-consuming and prone to missing connections between events. A sign-in overview focuses on authentication events and trends, not the endpoint activity and cross-host linkage you need here. Behavioral analytics dashboards can flag anomalies, but they may not provide the direct, rule-based cross-context correlation across all impacted identities and machines that YARA-L 2.0 enables.
