
Summary
This analytic rule detects anomalies in DNS query length using a machine learning model applied to the Network_Resolution data model. It flags DNS requests whose query length is unusually large for the given record type. Unusually long queries matter because they can indicate data exfiltration or command-and-control traffic carried over DNS. The detection depends on a base support search that must be run first to build a historical model of DNS query lengths, so that the baseline reflects your own environment rather than a generic one. The search also produces fields describing each query, its length and its count of occurrences; these give useful triage context but are not shown in Incident Review by default. Because the threshold is relative to that baseline, legitimate long queries (for example hostnames generated by CDNs or security products) can also be flagged and should be reviewed in that context.
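To make the per-record-type logic concrete, the following is an added Python illustration, not the rule's own Splunk search or the MLTK model it applies: it baselines query length per record type from constructed sample events, then scores a second set of events and flags those far above the baseline for their type, while showing what happens to record types with too little history to score. The sample events, the z-score threshold and the minimum sample size are assumptions made for the example.

```python
# Added illustration of the detection's logic (not the Splunk search or its
# MLTK model): baseline DNS query length per record type, then flag queries
# that are far longer than the baseline for that type. Sample events below
# are constructed, not real telemetry.
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed historical resolutions (query, record_type). In the real
# detection this baseline comes from the model built by the base support
# search over the Network_Resolution data model.
BASELINE_EVENTS = [
    ("www.example.com", "A"), ("mail.example.com", "A"),
    ("api.example.com", "A"), ("cdn.example.net", "A"),
    ("login.example.org", "A"), ("static.example.com", "A"),
    ("ns1.example.com", "A"), ("ns2.example.com", "A"),
    ("example.com", "TXT"), ("_dmarc.example.com", "TXT"),
    ("_dkim.example.com", "TXT"), ("mail.example.org", "TXT"),
    ("selector1._domainkey.example.com", "TXT"), ("example.net", "TXT"),
]

# Constructed events for the window being scored. The long base32-looking
# label mimics data being carried out inside a DNS name.
WINDOW_EVENTS = [
    ("www.example.com", "A"),
    ("www.example.com", "A"),
    ("mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi3rvgc2pa43nljfoe.t.example.net", "TXT"),
    ("mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi3rvgc2pa43nljfoe.t.example.net", "TXT"),
    ("selector2._domainkey.example.com", "TXT"),
    ("www.example.com", "AAAA"),  # record type missing from the baseline
]

MIN_SAMPLES = 5    # assumed: below this a record type is not modelled
Z_THRESHOLD = 3.0  # assumed: z-score above which a length is an outlier


def build_baseline(events, min_samples=MIN_SAMPLES):
    """Return {record_type: (mean_length, stdev_length)} for record types
    that have enough samples and non-zero spread to be scored at all."""
    lengths_by_type = defaultdict(list)
    for query, record_type in events:
        lengths_by_type[record_type].append(len(query))
    model = {}
    for record_type, lengths in lengths_by_type.items():
        if len(lengths) < min_samples:
            continue              # too little history for this type
        spread = pstdev(lengths)
        if spread == 0:
            continue              # all queries the same length: nothing to score
        model[record_type] = (mean(lengths), spread)
    return model


def find_outliers(events, model, z_threshold=Z_THRESHOLD):
    """Score each distinct (query, record_type) in the window against the
    baseline for its record type and return those above the threshold, with
    the context fields the summary mentions: query, length and count seen."""
    counts = Counter(events)
    outliers = []
    for (query, record_type), count in counts.items():
        if record_type not in model:
            continue              # no baseline for this type: cannot score
        mu, spread = model[record_type]
        query_length = len(query)
        z = (query_length - mu) / spread
        if z > z_threshold:
            outliers.append({
                "query": query,
                "record_type": record_type,
                "query_length": query_length,
                "count": count,
                "zscore": round(z, 2),
            })
    return sorted(outliers, key=lambda o: o["zscore"], reverse=True)


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS)
    for hit in find_outliers(WINDOW_EVENTS, baseline):
        print(hit)
```

Keying the baseline on record type is the point of the exercise: TXT lookups are legitimately longer than A lookups, so a single global threshold would either drown in TXT noise or miss long A queries. A record type with no baseline (here AAAA) is simply not scored, which is also why the support search has to run over enough history before the detection is useful.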
Categories
- Network
Data Sources
- Network Traffic
ATT&CK Techniques
- T1071.004 (Application Layer Protocol: DNS)
- T1071 (Application Layer Protocol)
Created: 2024-11-15