For continuous DNS comparison to threat feeds, what is the most effective approach?


Multiple Choice


Explanation:
Continuous DNS comparison to threat feeds is best achieved by using a rule-based correlation that runs where your data lives and ties the indicators to your assets. A YARA-L rule in SecOps can track matches between ingested EDR logs and the entity graph, so DNS events are evaluated in real time against known malicious indicators and linked directly to the relevant host, user, and process. This provides immediate, context-rich detections and scales with your environment, without relying on external API calls or separate pipelines that introduce latency or maintenance overhead. The entity graph gives the necessary context to understand the DNS activity in relation to the broader relationships across your environment, making detections actionable and quicker to respond to.

