
Summary
This detection rule identifies excessive execution of nslookup.exe, the command-line tool for querying DNS to resolve domain names to IP addresses and vice versa. Using Sysmon Event Code 1 (process creation), the rule counts nslookup.exe launches per endpoint over time and derives a dynamic threshold from the observed average and standard deviation, so that a host is flagged only when a count is an outlier against its own baseline. A burst of nslookup executions may indicate DNS exfiltration or tunneling, a technique used by sophisticated malware and advanced persistent threats (APTs) to move data out inside DNS queries and bypass data loss prevention controls that do not inspect DNS traffic. Counts that exceed the threshold warrant further investigation and response; because nslookup is also run legitimately by administrators and scripts, the threshold should be tuned to the environment to keep false positives manageable.
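The following is an added illustration of the statistical approach the summary describes, written for this page rather than taken from the rule's own search logic. It buckets constructed Sysmon Event Code 1 records per host and minute, computes each host's average and sample standard deviation over its buckets, and flags a bucket as an outlier when its count is at or above avg + k * stdev and also clears an absolute floor. The multiplier (3), the floor (20) and the one-minute bucket size are assumed tuning values, and the sample events are constructed, not real telemetry.

```python
"""Statistical outlier detection for bursts of nslookup.exe executions.

Added illustration of the approach the summary describes; this is not the
page's own search logic. Event records are constructed, not real telemetry.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
import ntpath
import statistics

K_STDEV = 3        # assumed: a slot is an outlier at or above avg + K_STDEV * stdev
MIN_COUNT = 20     # assumed: absolute floor, so a flat baseline (stdev 0) cannot alert
SPAN_SECONDS = 60  # assumed: one-minute time buckets


def ev(ts, host, image):
    """One Sysmon EventCode 1 (process creation) record, reduced to the fields used."""
    return {"EventCode": 1, "UtcTime": ts, "Computer": host, "Image": image}


def make_sample_events():
    """Constructed sample: 31 minutes of activity on two hosts (not real data)."""
    nslookup = r"C:\Windows\System32\nslookup.exe"
    t0 = datetime(2024, 11, 13, 9, 0, tzinfo=timezone.utc)
    events = []
    for minute in range(31):
        ts = t0 + timedelta(minutes=minute)
        events.append(ev(ts, "WS01", nslookup))                        # WS01 baseline: 1/min
        for i in range(3):                                             # WS02: steady 3/min
            events.append(ev(ts + timedelta(seconds=i), "WS02", nslookup))
        events.append(ev(ts, "WS01", r"C:\Windows\System32\cmd.exe"))  # unrelated process
    burst = t0 + timedelta(minutes=30)                                 # WS01 spike in the last minute
    for i in range(49):
        events.append(ev(burst + timedelta(seconds=i), "WS01", nslookup))
    return events


def find_outliers(events, k=K_STDEV, min_count=MIN_COUNT, span=SPAN_SECONDS):
    """Return the (host, time slot) pairs whose nslookup.exe count is an outlier.

    Only slots with at least one execution enter a host's baseline; minutes
    with zero executions are not represented, which raises the average
    relative to a zero-filled series. Keep that in mind when tuning k.
    """
    counts = Counter()
    for e in events:
        if e["EventCode"] != 1:
            continue
        if ntpath.basename(e["Image"]).lower() != "nslookup.exe":
            continue
        slot = int(e["UtcTime"].timestamp()) // span
        counts[(e["Computer"], slot)] += 1

    per_host = defaultdict(dict)
    for (host, slot), n in counts.items():
        per_host[host][slot] = n

    outliers = []
    for host, slots in per_host.items():
        values = list(slots.values())
        avg = statistics.fmean(values)
        std = statistics.stdev(values) if len(values) > 1 else 0.0
        upper = avg + k * std
        for slot, n in sorted(slots.items()):
            # The floor matters: a perfectly flat baseline has stdev 0, so every
            # slot would satisfy n >= upper without it.
            if n > min_count and n >= upper:
                outliers.append({
                    "host": host,
                    "slot_start": datetime.fromtimestamp(slot * span, tz=timezone.utc),
                    "count": n,
                    "avg": avg,
                    "stdev": std,
                    "upper": upper,
                })
    return outliers


if __name__ == "__main__":
    for o in find_outliers(make_sample_events()):
        print(f"{o['host']} {o['slot_start']:%H:%M}: {o['count']} nslookup.exe "
              f"launches (avg {o['avg']:.1f}, stdev {o['stdev']:.1f}, threshold {o['upper']:.1f})")
```

Run as-is, the script reports only WS01's final minute (50 launches against a threshold of about 29). Setting min_count to 0 shows why the floor exists: WS02's perfectly regular three launches per minute give a standard deviation of zero, and every one of its slots would then be reported as an outlier.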
Categories
- Endpoint
- Network
Data Sources
- Windows Registry
- Process
- Logon Session
ATT&CK Techniques
- T1048 (Exfiltration Over Alternative Protocol)
- T1048.003 (Exfiltration Over Unencrypted Non-C2 Protocol)
Created: 2024-11-13