
Summary
This detection rule identifies DNS queries characteristic of Cobalt Strike's DNS beacon, the variant of its implant that carries command and control (C2) traffic over DNS rather than HTTP(S). It keys on label patterns observed in the beacon's DNS requests, split into two selections: 'selection1' matches queries whose name starts with one of the prefixes the beacon uses by default, and 'selection2' matches queries whose name contains a specific substring. The rule's condition is an OR: a query that satisfies either selection raises an alert, so a host that only ever produces one of the two request shapes is still caught. Because Cobalt Strike is used heavily in the post-exploitation phase of intrusions, this rule is a useful early signal, with two caveats a practitioner should keep in mind. First, the matched strings are the tool's defaults and an operator can change them through a Malleable C2 profile, so a miss does not rule the tool out. Second, a hit should be confirmed against the full query name and the querying host before escalation, since prefix and substring matches can collide with legitimate names.
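The two-selection logic described above, run over a few constructed DNS log lines, as an added example that is not the rule's own code or part of this page. The prefix and substring values are placeholders standing in for the rule's real values, which this page does not list (assumption: swap them for the actual strings when adapting this); the `QueryName:` line shape is likewise an assumed, Sysmon-like format chosen for the sample, not a specific product's log format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# ASSUMPTION: placeholder values. The page does not give the rule's actual
# prefixes or substring; replace these with the real ones before use.
SELECTION1_PREFIXES = ("placeholder-prefix-a.", "placeholder-prefix-b.")
SELECTION2_SUBSTRING = ".placeholder-stage."


@dataclass
class Match:
    query: str       # normalized query name that matched
    selection: str   # which selection fired: "selection1" or "selection2"


def normalize(query: str) -> str:
    """Lower-case and drop a trailing dot so 'A.EXAMPLE.COM.' and
    'a.example.com' compare equal; DNS names are case-insensitive."""
    return query.strip().lower().rstrip(".")


def evaluate(query: str) -> Optional[Match]:
    """Apply the rule's condition (selection1 OR selection2) to one query name."""
    q = normalize(query)
    # selection1: the name begins with one of the known prefixes.
    if q.startswith(SELECTION1_PREFIXES):
        return Match(q, "selection1")
    # selection2: the name contains the known substring anywhere.
    if SELECTION2_SUBSTRING in q:
        return Match(q, "selection2")
    return None


# Constructed sample log lines (not real telemetry). The assumed format puts
# the queried name after a "QueryName:" field, as a Sysmon-style DNS event might.
SAMPLE_LOG = """\
2024-01-01 10:00:01 host=ws01 EventID=22 QueryName: www.example.com
2024-01-01 10:00:02 host=ws01 EventID=22 QueryName: placeholder-prefix-a.c2.example.net
2024-01-01 10:00:03 host=ws02 EventID=22 QueryName: beacon.placeholder-stage.c2.example.net
2024-01-01 10:00:04 host=ws02 EventID=22 QueryName: PLACEHOLDER-PREFIX-B.C2.EXAMPLE.NET.
2024-01-01 10:00:05 host=ws03 EventID=22 QueryName: mail.example.org
2024-01-01 10:00:06 host=ws03 EventID=22 ProcessId=4242 no query name on this line
"""

QUERY_RE = re.compile(r"QueryName:\s*(\S+)")


def scan(log_text: str) -> List[Match]:
    """Extract the query name from each log line and return every rule hit."""
    hits: List[Match] = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # line carries no DNS query name; nothing to evaluate
        result = evaluate(m.group(1))
        if result is not None:
            hits.append(result)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.selection}: {hit.query}")
```

The prefix check runs on the whole query name rather than on a single label because the rule's first selection anchors at the start of the name; normalizing case and the trailing dot first avoids the easy miss where a resolver logs the name in upper case or in fully qualified form. In practice each hit should be enriched with the querying host and the full name before escalation, since a startswith or substring match alone can collide with benign names.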
Categories
- Network
- Endpoint
- Infrastructure
Data Sources
- Network Traffic
- Application Log
Created: 2018-05-10