
Summary
This detection rule identifies possible exploitation of SIGRed, a critical DNS vulnerability (CVE-2020-1350), using data from Zeek DNS and Zeek Connection logs. It monitors DNS queries of type SIG and KEY and checks whether the corresponding flow transfers more than 65KB of data. SIGRed is a remote code execution vulnerability affecting Windows DNS Servers; successful exploitation can lead to unauthorized access, data exfiltration, and network disruption, so detecting this activity is critical to preventing a security breach. To implement this rule, ingest Zeek DNS and Conn logs in JSON format into a Splunk environment and use the specified data models for the search. Any confirmed hit should be investigated promptly and remediated, including patching and isolating the affected server if required.
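As an added illustration of the logic the rule describes (not the rule's own Splunk search), the following Python correlates constructed Zeek dns.log and conn.log JSON records by their shared uid and flags flows that carried a SIG or KEY query and exceeded the size threshold. Reading "65KB" as 65,000 bytes, joining on the Zeek uid, and the sample records are assumptions made for this example.

```python
import json
from collections import defaultdict

SUSPECT_QTYPES = {"SIG", "KEY"}  # Zeek qtype_name values for qtype 24 and 25
SIZE_THRESHOLD = 65_000          # the rule's 65KB, taken here as 65,000 bytes (assumption)

# Constructed sample records in Zeek's JSON log format (not real traffic).
# id.orig_h is the DNS server issuing recursive queries; id.resp_h is the upstream server.
SAMPLE_DNS_LOG = """
{"ts":1700000000.1,"uid":"CflowA1","id.orig_h":"10.0.0.5","id.orig_p":49152,"id.resp_h":"192.0.2.9","id.resp_p":53,"proto":"tcp","query":"sig.example","qtype":24,"qtype_name":"SIG"}
{"ts":1700000000.2,"uid":"CflowB2","id.orig_h":"10.0.0.5","id.orig_p":49153,"id.resp_h":"192.0.2.10","id.resp_p":53,"proto":"udp","query":"key.example","qtype":25,"qtype_name":"KEY"}
{"ts":1700000000.3,"uid":"CflowC3","id.orig_h":"10.0.0.5","id.orig_p":49154,"id.resp_h":"192.0.2.11","id.resp_p":53,"proto":"tcp","query":"big.example","qtype":1,"qtype_name":"A"}
"""
SAMPLE_CONN_LOG = """
{"ts":1700000000.1,"uid":"CflowA1","id.orig_h":"10.0.0.5","id.resp_h":"192.0.2.9","proto":"tcp","service":"dns","orig_bytes":120,"resp_bytes":70000}
{"ts":1700000000.2,"uid":"CflowB2","id.orig_h":"10.0.0.5","id.resp_h":"192.0.2.10","proto":"udp","service":"dns","orig_bytes":60,"resp_bytes":400}
{"ts":1700000000.3,"uid":"CflowC3","id.orig_h":"10.0.0.5","id.resp_h":"192.0.2.11","proto":"tcp","service":"dns","orig_bytes":120,"resp_bytes":90000}
"""

def parse_zeek_json(text):
    """Yield one dict per non-empty JSON line; skip lines that do not parse."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def find_sigred_candidates(dns_log, conn_log, threshold=SIZE_THRESHOLD):
    """Return flows that carried a SIG/KEY query and moved more than `threshold` bytes."""
    suspect_queries = defaultdict(list)  # uid -> SIG/KEY query names seen on that flow
    for rec in parse_zeek_json(dns_log):
        if rec.get("qtype_name") in SUSPECT_QTYPES and "uid" in rec:
            suspect_queries[rec["uid"]].append(rec.get("query", ""))
    hits = []
    for conn in parse_zeek_json(conn_log):
        uid = conn.get("uid")
        if uid not in suspect_queries:
            continue
        # orig_bytes/resp_bytes are absent in Zeek JSON when unknown; treat them as 0.
        total = (conn.get("orig_bytes") or 0) + (conn.get("resp_bytes") or 0)
        if total > threshold:
            hits.append({"uid": uid, "orig": conn.get("id.orig_h"), "resp": conn.get("id.resp_h"),
                         "bytes": total, "queries": suspect_queries[uid]})
    return hits

if __name__ == "__main__":
    for hit in find_sigred_candidates(SAMPLE_DNS_LOG, SAMPLE_CONN_LOG):
        print(f"SIGRed candidate: uid={hit['uid']} {hit['orig']} -> {hit['resp']} "
              f"bytes={hit['bytes']} queries={hit['queries']}")
```

On the sample data only CflowA1 matches: CflowB2 carries a KEY query but a small flow, and CflowC3 is a large flow for an ordinary A query, which is why the rule requires both conditions together.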
Categories
- Endpoint
Data Sources
- Network Traffic
- Network Share
- Application Log
ATT&CK Techniques
- T1203
Created: 2024-11-15