Request Random Generated SubDomain DGA (Proxy)

Anvilogic Forge

Summary
This detection rule identifies requests made to randomly generated subdomains, which threat actors often produce with domain generation algorithms (DGA). The rule focuses on requests that are suspicious because of their random appearance, a common characteristic of the command-and-control (C2) communication methods used by advanced persistent threat (APT) groups such as APT29 (Nobelium/Cozy Bear) and APT34 (OilRig). The detection logic runs in Splunk: it first filters out known sites, then applies regex patterns to isolate hostnames that resemble typical DGA-generated domains. It then uses statistical analysis of the trigram frequencies in each subdomain string, comparing them against baseline values to identify anomalies. If a subdomain meets the rule's criteria for being DGA-generated (including having no more than 2.9 entropy), it triggers an alert. To keep false positives to a minimum, the rule layers several checks, including the number of occurrences of each detected domain and its trigram composition.
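The following Python script is an added illustration of the trigram-baseline and occurrence-count checks described above; it is not the Anvilogic rule itself (which runs as Splunk SPL). The benign subdomain corpus, the log line format, the rarity threshold and the minimum hit count are constructed assumptions; Shannon entropy is computed alongside so an entropy bound like the rule's can be applied.

```python
import math
from collections import Counter

# Constructed benign subdomain corpus standing in for the baseline the real
# rule derives from proxy logs of known sites (assumption).
BENIGN_SUBDOMAINS = ["www", "mail", "login", "cdn", "static", "api", "images",
                     "secure", "account", "support", "download", "update", "news"]

# Constructed proxy log lines in the shape "<client_ip> <requested_host>".
SAMPLE_LOGS = """10.0.0.5 www.example.com
10.0.0.5 xk3q9zvt7pa.badcorp.net
10.0.0.7 xk3q9zvt7pa.badcorp.net
10.0.0.8 static.example.com
10.0.0.9 mail.example.org""".splitlines()


def trigrams(s):
    """All overlapping 3-character substrings of s."""
    return [s[i:i + 3] for i in range(len(s) - 2)]


def build_baseline(subdomains):
    """Set of trigrams observed in known-good subdomains (the baseline values)."""
    return {t for s in subdomains for t in trigrams(s.lower())}


def shannon_entropy(s):
    """Shannon entropy of the string in bits per character."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def rare_trigram_ratio(subdomain, baseline):
    """Fraction of the subdomain's trigrams that never occur in the baseline."""
    grams = trigrams(subdomain.lower())
    if not grams:
        return 0.0
    return sum(1 for g in grams if g not in baseline) / len(grams)


def detect_dga(log_lines, baseline, rare_ratio=0.75, min_hits=2):
    """Return hosts whose leftmost label looks DGA-generated.

    A host is flagged when at least rare_ratio of its subdomain trigrams are
    absent from the baseline AND it was requested at least min_hits times
    (the occurrence check). Both thresholds are constructed assumptions.
    """
    hits = Counter(line.split()[1] for line in log_lines)
    flagged = {}
    for host, n in hits.items():
        sub = host.split(".")[0]
        ratio = rare_trigram_ratio(sub, baseline)
        if ratio >= rare_ratio and n >= min_hits:
            flagged[host] = {"hits": n, "rare_ratio": ratio,
                             "entropy": round(shannon_entropy(sub), 2)}
    return flagged
```

Running `detect_dga(SAMPLE_LOGS, build_baseline(BENIGN_SUBDOMAINS))` flags only the repeated random-looking host, while the dictionary-word subdomains score zero rare trigrams.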
Categories
  • Web
Data Sources
  • Web Credential
  • Network Traffic
ATT&CK Techniques
  • T1568.002
  • T1568
Created: 2024-02-09