
Summary
This detection rule identifies DNS queries of unusually large length using statistical analysis of query lengths within the Network_Resolution data model. It computes the average and standard deviation of DNS query lengths and filters for queries whose length exceeds the mean by more than two standard deviations. This analysis matters because unusually long DNS queries can indicate malicious activity such as data exfiltration or command-and-control (C2) communications. By focusing on query length, analysts can detect potential security incidents involving stealthy data transfers or unauthorized communication channels maintained by attackers. The query relies on Sysmon EventID 22 to gather the relevant DNS query data, so the Network_Resolution data model must be populated from that source for the detection to produce accurate results.
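The outlier logic described above, shown as an added Python example rather than the rule's own SPL: it models a handful of Sysmon EventID 22 records (field names and sample values are constructed), computes the mean and standard deviation of query length, and returns the queries that exceed mean + 2 * stdev. It also refuses to score a baseline that is too small, a caveat the statistical threshold needs in practice.

```python
from dataclasses import dataclass
from statistics import mean, stdev

# Minimal stand-in for the fields a Sysmon EventID 22 (DnsQuery) record
# contributes to the Network_Resolution data model (names are assumptions).
@dataclass(frozen=True)
class DnsEvent:
    src: str       # host that issued the query
    process: str   # image that issued the query
    query: str     # the queried name (DNS.query in the data model)

# Constructed sample: nine routine lookups plus one abnormally long name.
LONG_QUERY = "a1b2c3d4e5" * 5 + ".example.net"   # 62 characters
SAMPLE_EVENTS = [
    DnsEvent("ws01", "chrome.exe", "www.example.com"),
    DnsEvent("ws01", "outlook.exe", "mail.example.com"),
    DnsEvent("ws02", "chrome.exe", "login.example.com"),
    DnsEvent("ws02", "chrome.exe", "cdn.example.com"),
    DnsEvent("ws03", "svchost.exe", "api.example.com"),
    DnsEvent("ws03", "svchost.exe", "update.example.com"),
    DnsEvent("ws04", "chrome.exe", "docs.example.com"),
    DnsEvent("ws05", "svchost.exe", "ns.example.com"),
    DnsEvent("ws06", "explorer.exe", "ftp.example.com"),
    DnsEvent("ws07", "unknown.exe", LONG_QUERY),
]

def length_threshold(events, k=2.0):
    """Return (avg, sd, threshold) with threshold = avg + k * sd.
    statistics.stdev is the sample form, matching Splunk's stdev()."""
    lengths = [len(e.query) for e in events]
    avg, sd = mean(lengths), stdev(lengths)
    return avg, sd, avg + k * sd

def find_long_query_outliers(events, k=2.0, min_events=10):
    """Return the events whose query length exceeds avg + k * stdev.
    A baseline built from very few queries is not meaningful (one long
    name would dominate both the mean and the deviation), so refuse to
    score until at least min_events are available."""
    if len(events) < min_events:
        return []
    _, _, threshold = length_threshold(events, k)
    return [e for e in events if len(e.query) > threshold]

if __name__ == "__main__":
    avg, sd, thr = length_threshold(SAMPLE_EVENTS)
    print(f"avg={avg:.1f} stdev={sd:.2f} threshold={thr:.2f}")
    for hit in find_long_query_outliers(SAMPLE_EVENTS):
        print(f"OUTLIER src={hit.src} process={hit.process} "
              f"len={len(hit.query)} query={hit.query}")
```

Because the threshold is relative to whatever is in the search window, a window dominated by one noisy host or a short time range will move it; in production the rule is tuned by window size and by excluding known-good long-name services.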
Categories
- Network
- Endpoint
Data Sources
- Pod
ATT&CK Techniques
- T1048.003
- T1048
Created: 2024-11-15