
Summary
This analytic detection rule identifies potential DNS data exfiltration by applying a pretrained deep learning model within the Splunk environment to DNS request data drawn from the Network Resolution data model. For each request, the rule looks at the historical events sharing the same source and DNS domain and derives the features that feed the model's prediction. The model then returns a probability score (pred_is_exfiltration_proba) indicating how likely the observed pattern is to be malicious DNS exfiltration. Because threat actors can use DNS tunneling to covertly move sensitive data out of a network, identifying such activity is critical to maintaining robust organizational security. A score above 0.5 is used as the threshold for flagging a high-risk exfiltration attempt, which warrants further investigation to prevent unauthorized data access and breaches.
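The Python below is an added example, not the rule's own search or Splunk code: it sketches the per-(source, registered domain) feature calculation over historical requests and the 0.5 threshold post-processing described above. The sample events are constructed, the field names other than pred_is_exfiltration_proba are assumptions, and stand_in_probability is a hypothetical logistic scorer standing in for the pretrained model, whose features and weights the page does not give.

```python
import math
from collections import Counter, defaultdict
# Constructed sample events shaped like Network Resolution fields (src, query).
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "query": "www.example.com"},
    {"src": "10.0.0.5", "query": "mail.example.com"},
    {"src": "10.0.0.9", "query": "a9f3k2l0q8z7x1c4v6b5n2m8.tunnel.test"},
    {"src": "10.0.0.9", "query": "b7d2e9f1a4c8h3j6k0l5m2n7.tunnel.test"},
    {"src": "10.0.0.9", "query": "c1e8g5i2k9m6o3q0s7u4w1y8.tunnel.test"},
]

def split_query(query):
    # Registered domain approximated as the last two labels; the rest is the subdomain.
    labels = query.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def shannon_entropy(text):
    # Bits per character; encoded payloads carried in labels score high.
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def compute_features(events):
    # Summarise the request history per (src, registered domain) pair.
    groups = defaultdict(list)
    for ev in events:
        sub, domain = split_query(ev["query"])
        groups[(ev["src"], domain)].append(sub)
    return {
        key: {
            "request_count": len(subs),
            "mean_subdomain_len": sum(map(len, subs)) / len(subs),
            "mean_subdomain_entropy": sum(map(shannon_entropy, subs)) / len(subs),
        }
        for key, subs in groups.items()
    }

def stand_in_probability(f):
    # Hypothetical logistic scorer replacing the pretrained model; weights are illustrative.
    z = 0.15 * f["mean_subdomain_len"] + 0.5 * f["mean_subdomain_entropy"] - 4.0
    return 1.0 / (1.0 + math.exp(-z))

def flag_high_risk(events, threshold=0.5):
    # One finding per (src, domain) whose probability exceeds the rule's 0.5 cut-off.
    findings = []
    for (src, domain), f in compute_features(events).items():
        proba = stand_in_probability(f)
        if proba > threshold:
            findings.append({"src": src, "domain": domain,
                             "pred_is_exfiltration_proba": round(proba, 3)})
    return findings
```

Triage the findings by pivoting back to the raw requests for the flagged (src, domain) pair; a high score on a domain used by a legitimate security or CDN product is a common false positive worth allow-listing.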
Categories
- Network
- Cloud
- Application
Data Sources
- Network Traffic
- Application Log
ATT&CK Techniques
- T1048
- T1048.003
Created: 2024-11-15