
DNS record changed

Splunk Security Content

Summary
This detection rule identifies unauthorized changes to DNS records by comparing current DNS responses with the historical records stored in a lookup table. It uses the `Network_Resolution` data model to read DNS messages marked as responses, discarding any response whose answer is 'unknown' or empty. It then joins the lookup of previously discovered DNS records to the live responses and looks for discrepancies between a record's previous state and its current state: if an answer recorded in the lookup table does not match any of the current answers for that domain, the record is flagged as a potential DNS hijack or unauthorized modification. An integration with Splunk>Phantom is also available to enrich findings with external threat intelligence and help verify whether a change is legitimate. Legitimate DNS changes can produce false positives, and the rule requires the data model to be populated and the lookup table to be configured.
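The comparison described above, written out as a small Python model so the filtering and join can be traced on sample data. This is an added example, not the rule's own SPL or any Splunk code: the `DISCOVERED_DNS_RECORDS` lookup, the `SAMPLE_EVENTS` list and the field names `_time`, `message_type`, `query` and `answer` are constructed here to mirror the `Network_Resolution` DNS fields the summary refers to, and the function names are the example's own.

```python
"""Baseline-vs-live DNS answer comparison, modelled on the detection logic
described in the summary. Added example; assumes the field names below."""
from collections import defaultdict

# Constructed baseline standing in for the "discovered DNS records" lookup:
# domain -> set of answers observed when the record was last inventoried.
DISCOVERED_DNS_RECORDS = {
    "www.example.com": {"198.51.100.10", "198.51.100.11"},
    "mail.example.com": {"203.0.113.25"},
    "api.example.com": {"198.51.100.20"},
}

# Constructed sample DNS events in Network_Resolution-style fields (assumed names).
SAMPLE_EVENTS = [
    {"_time": 1731542400, "message_type": "response", "query": "www.example.com", "answer": "198.51.100.10"},
    {"_time": 1731542401, "message_type": "response", "query": "www.example.com", "answer": "198.51.100.11"},
    {"_time": 1731542402, "message_type": "response", "query": "mail.example.com", "answer": "192.0.2.99"},
    {"_time": 1731542403, "message_type": "response", "query": "api.example.com", "answer": "unknown"},
    {"_time": 1731542404, "message_type": "query", "query": "api.example.com", "answer": ""},
    {"_time": 1731542405, "message_type": "response", "query": "cdn.example.com", "answer": "198.51.100.30"},
]


def collect_responses(events):
    """Apply the rule's filters: keep responses only, drop 'unknown' or empty
    answers, and aggregate the distinct answers plus first/last seen per query."""
    answers = defaultdict(set)
    times = {}
    for e in events:
        if e.get("message_type") != "response":
            continue
        ans = (e.get("answer") or "").strip()
        if not ans or ans.lower() == "unknown":
            continue
        q = e["query"].lower().rstrip(".")  # normalise case and trailing dot
        answers[q].add(ans)
        first, last = times.get(q, (e["_time"], e["_time"]))
        times[q] = (min(first, e["_time"]), max(last, e["_time"]))
    return answers, times


def detect_changed_records(events, lookup):
    """Join the lookup to the live answers and flag every lookup domain whose
    recorded answer is absent from the answers currently being returned."""
    current, times = collect_responses(events)
    findings = []
    for domain, baseline in lookup.items():
        d = domain.lower().rstrip(".")
        observed = current.get(d)
        if not observed:
            # No usable response for this domain in the window: nothing to compare.
            continue
        missing = baseline - observed
        if missing:
            first, last = times[d]
            findings.append({
                "domain": d,
                "missing_answers": sorted(missing),
                "observed_answers": sorted(observed),
                "first_time": first,
                "last_time": last,
            })
    return findings


if __name__ == "__main__":
    for f in detect_changed_records(SAMPLE_EVENTS, DISCOVERED_DNS_RECORDS):
        print(f"{f['domain']}: baseline {f['missing_answers']} not in current {f['observed_answers']}")
```

On the constructed input only `mail.example.com` fires: its recorded answer is gone and a different address is being served. `www.example.com` still returns both recorded addresses, the `api.example.com` events are dropped by the 'unknown'/empty filter before the join, and `cdn.example.com` is never examined because the join runs from the lookup side, so a domain absent from the lookup cannot raise a finding. The same logic also shows where the false positives the summary warns about come from: a round-robin record that returns only one of several recorded addresses in the window, or a planned IP change that has not yet been written back to the lookup, both look identical to a hijack until the lookup is refreshed or the finding is enriched.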
Categories
  • Network
  • Cloud
Data Sources
  • User Account
  • Network Traffic
ATT&CK Techniques
  • T1071.004
Created: 2024-11-14