
Summary
This detection rule identifies internal hosts making DNS queries to dynamic DNS providers, which can indicate malicious activity. It uses DNS query logs from the Network_Resolution data model and compares the queried domains against a lookup file of known dynamic DNS providers. Such queries are significant in a security context because attackers frequently use dynamic DNS services to host malware command-and-control infrastructure, evade detection, bypass restrictions imposed by traditional firewall mechanisms, and maintain persistent footholds within the network; monitoring them lets security teams spot and counter these attempts. Implementation involves ensuring that DNS operation logs are ingested correctly so that they populate the necessary data model, and continuously updating the lookup file to include new dynamic DNS entries.
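The matching the summary describes, shown as an added Python example rather than the rule's own search: a constructed list of dynamic DNS provider domains stands in for the lookup file, and a handful of constructed records shaped like Network_Resolution events (fields `src` and `query`) stand in for the ingested DNS logs. The example also covers two edge cases a practitioner would want the lookup to handle, namely case and trailing-dot differences in the queried name, and a look-alike domain (`notduckdns.org`) that must not match `duckdns.org` because the comparison has to respect label boundaries.

```python
"""
Added example (not part of the original detection rule): a small,
self-contained model of the lookup-based matching the rule performs.
The provider list and the DNS records below are constructed for
illustration; field names mirror the Network_Resolution data model
(src, query) but the records are not real logs.
"""
from collections import defaultdict

# Constructed lookup of dynamic DNS provider domains, standing in for the
# rule's lookup file. Entries are registrable domains, so any host
# beneath them counts as a match.
DYNAMIC_DNS_PROVIDERS = {
    "duckdns.org",
    "no-ip.com",
    "dyndns.org",
    "hopto.org",
}

# Constructed sample records shaped like Network_Resolution events.
SAMPLE_EVENTS = [
    {"src": "10.1.2.3", "query": "updates.example.com"},
    {"src": "10.1.2.3", "query": "svc01.duckdns.org"},
    {"src": "10.1.2.4", "query": "dyndns.org"},
    {"src": "10.1.2.5", "query": "notduckdns.org"},        # must NOT match
    {"src": "10.1.2.3", "query": "SVC01.DUCKDNS.ORG."},    # case / trailing dot
    {"src": "10.1.2.6", "query": "host.hopto.org"},
]


def normalize(query: str) -> str:
    """Lower-case and strip a trailing root dot so comparisons are consistent."""
    return query.strip().rstrip(".").lower()


def matching_provider(query: str, providers=DYNAMIC_DNS_PROVIDERS):
    """Return the provider domain the query falls under, or None.

    Matches the provider itself or any subdomain of it, checking on a
    label boundary so 'notduckdns.org' does not match 'duckdns.org'.
    """
    q = normalize(query)
    for provider in providers:
        if q == provider or q.endswith("." + provider):
            return provider
    return None


def find_dynamic_dns_queries(events, providers=DYNAMIC_DNS_PROVIDERS):
    """Aggregate matches per source host, like a stats-by-src view of the rule.

    Returns {src: {provider: [normalized queries...]}} for hosts with a hit.
    """
    hits = defaultdict(lambda: defaultdict(list))
    for ev in events:
        provider = matching_provider(ev["query"], providers)
        if provider:
            hits[ev["src"]][provider].append(normalize(ev["query"]))
    return {src: dict(by_provider) for src, by_provider in hits.items()}


if __name__ == "__main__":
    for src, by_provider in find_dynamic_dns_queries(SAMPLE_EVENTS).items():
        for provider, queries in by_provider.items():
            print(f"{src} -> {provider}: {sorted(set(queries))}")
```

Normalizing the query before comparison matters because DNS logs vary in case and may carry a trailing root dot; without it, the same host could slip past a plain string comparison. The label-boundary check is what keeps the lookup from producing false positives on unrelated domains that merely end with the same characters.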
Categories
- Network
- Endpoint
Data Sources
- Pod
- Network Traffic
ATT&CK Techniques
- T1189
Created: 2024-11-15