Comprehensive and Detailed 150 to 250 words of Explanation From Exact Extract Google Security Operations Engineer documents:

The core of this problem is the unreliable data quality for the file hash. A robust detection strategy cannot depend on an unreliable data point. Options B and C are weak because they create a dependency on the SHA256 hash, which the prompt states is "not reliably captured." This would lead to missed detections. Option A is far too broad and would generate massive noise.

The best detection engineering practice is to use the reliable IoCs in a flexible and high-performance manner. The domain is a reliable IoC (from DNS logs), and the hash is still a valuable IoC, even if it's only intermittently available.

The standard Google SecOps method for this is to create a List (referred to here as a "data table") containing both static IoCs: the hash and the domain. An engineer can then write a single, efficient YARA-L rule that references this list. This rule would trigger if either a PROCESS_LAUNCH event is seen with a hash in the list or a NETWORK_DNS event is seen with a domain in the list (e.g., (event.principal.process.file.sha256 in %ioc_list) or (event.network.dns.question.name in %ioc_list)). This creates a resilient detection mechanism that provides two opportunities to identify the threat, successfully working around the unreliable data problem.

(Reference: Google Cloud documentation, "YARA-L 2.0 language syntax"; "Using Lists in rules"; "Detection engineering overview")