You identified a new malicious IP address used by a threat actor. You need to search for this IP in SecOps across all normalized logs to determine malicious activity. Which method is most effective?

Prepare for the Google SecOps Professional Engineer Test with our interactive quiz. Utilize flashcards and multiple-choice questions with hints and explanations to boost your readiness and confidence.

Multiple Choice

Explanation:
The idea is to search across all normalized data efficiently using the Unified Data Model (UDM) and a rule language that can span multiple sources. Writing UDM searches that use YARA-L 2.0 syntax lets you query the standardized fields across every log type that is normalized in SecOps, so you can find instances of the IP anywhere in the dataset with a single, scalable query. This approach leverages the consistent schema of the data and the pattern-matching power of YARA-L to surface malicious activity across all logs, rather than relying on source-specific searches or isolated rules. By contrast, using a YARA-L rule alone would target detection behavior in a more limited context; raw log searches are tedious and error-prone across diverse log formats; and reviewing Alerts & IOCs only surfaces items that have already been flagged instead of proactively scanning all data.
