
Summary
The rule "DNS request to denylisted domain" monitors DNS requests for domains placed on a denylist because of their association with malicious activity, primarily phishing. When it triggers, it records a DNS request to a denylisted domain, which indicates a possible initial-access attempt in which an attacker uses a known malicious domain to exploit users or systems. The severity of this rule is classified as critical because a successful interaction with such a domain can lead to harmful outcomes such as data breaches or malware infections. Four tests validate detection of denylisted and non-denylisted domains in both DNS request and FDREvent logs: each DNS request to a denylisted domain produced the expected result of true, while requests to non-denylisted domains produced false, confirming that the rule fires on the domains it is meant to catch without alerting on other domains.
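As an added illustration, not the rule's own code, here is a Python rule function in the shape this summary describes, with the four test cases built as constructed sample events. The event field names, the FDREvent nesting under "event" with "DomainName", and the denylist entries are assumptions; it also goes slightly beyond the page by treating subdomains of a denylisted domain as matches and normalizing case and trailing dots.

```python
# Added example: a rule function in the shape of the "DNS request to
# denylisted domain" detection described above. Not the rule's own code.
# Assumed event shapes: (1) a plain DNS request log with a top-level
# "domain" field; (2) a CrowdStrike-style FDREvent with the DnsRequest
# payload nested under "event" and the queried name in "DomainName".
# The denylist entries below are constructed placeholders.
DENYLIST = {"denylisted.example", "phish.example"}

def requested_domain(event: dict):
    """Extract the queried domain from either log shape, or None."""
    if "event" in event:  # FDREvent: only DnsRequest events carry a query
        inner = event["event"]
        if inner.get("event_simpleName") != "DnsRequest":
            return None
        return inner.get("DomainName")
    return event.get("domain")  # plain DNS request log

def normalize(domain: str) -> str:
    """Lowercase and strip a trailing dot so 'Bad.Example.' == 'bad.example'."""
    return domain.strip().rstrip(".").lower()

def is_denylisted(domain: str) -> bool:
    """True for an exact denylist hit or any subdomain of a denylisted name."""
    name = normalize(domain)
    return any(name == bad or name.endswith("." + bad) for bad in DENYLIST)

def rule(event: dict) -> bool:
    """Fire when the requested domain is on the denylist; otherwise stay quiet."""
    domain = requested_domain(event)
    return bool(domain) and is_denylisted(domain)

# The four test cases the summary describes, as constructed sample events.
TEST_EVENTS = {
    "dns_denylisted": {"domain": "denylisted.example"},
    "dns_allowed": {"domain": "docs.example.org"},
    "fdr_denylisted": {"event": {"event_simpleName": "DnsRequest",
                                 "DomainName": "login.phish.example."}},
    "fdr_allowed": {"event": {"event_simpleName": "DnsRequest",
                              "DomainName": "updates.example.net"}},
}

def run_tests() -> dict:
    """Return {test name: rule result} for the constructed events."""
    return {name: rule(ev) for name, ev in TEST_EVENTS.items()}

if __name__ == "__main__":
    for name, fired in run_tests().items():
        print(f"{name}: {fired}")
```

An FDREvent whose event_simpleName is not DnsRequest yields no domain and therefore never fires, which keeps process or network events from being mistaken for DNS queries.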
Categories
- Network
- Endpoint
- Cloud
Data Sources
- Container
- Network Traffic
- Application Log
ATT&CK Techniques
- T1566
Created: 2022-09-02