
DNS Base64 Encoded Query

Panther Rules

Summary
This detection rule identifies potentially malicious DNS queries whose subdomain labels are Base64 encoded. Such encoding may indicate an attempt to obfuscate data exfiltration by disguising the data carried in DNS queries. The rule evaluates events from the Crowdstrike (FDREvent), AWS VPC DNS, and Cisco Umbrella log types, examining the 'query_name' field for Base64 patterns. The severity level is set to medium, signalling that the activity warrants awareness but not immediate action. The rule is disabled by default, which allows it to be tested in a controlled environment before deployment. The deduplication period is 60 minutes, which limits repeated alerts for the same exfiltration attempt. The rule's tests cover both positive and negative scenarios to confirm that it triggers as intended without producing false positives.
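As an added illustration of the check the summary describes (not the rule's own source), the Python below applies a Base64 heuristic to the subdomain labels of a 'query_name' value, in the rule()-returns-bool shape that Panther Python rules use. The event structure, length floor, mixed-case filter and sample queries are assumptions made for this example; the mixed-case filter is there because plain Base64-alphabet matching also flags ordinary hex-style CDN hostnames.

```python
import base64
import re

# Tunables (assumed values, not taken from the page). Short labels such as
# "www" or "api" are valid Base64 alphabet, so a length floor is needed.
MIN_LABEL_LEN = 16
# Standard or URL-safe alphabet without padding: encoders used over DNS
# strip '=' because it is not a legal hostname character.
B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/_-]+$")
URLSAFE_TO_STD = str.maketrans("-_", "+/")


def decode_label(label: str):
    """Return decoded bytes if `label` looks like Base64, else None."""
    if len(label) < MIN_LABEL_LEN or not B64_ALPHABET.match(label):
        return None
    # Ordinary hostnames are lowercase; Base64 of real data nearly always
    # mixes cases. This keeps hex-style CDN labels (d1a2b3c4e5f6g7h8) out.
    if label == label.lower() or label == label.upper():
        return None
    std = label.translate(URLSAFE_TO_STD)
    std += "=" * (-len(std) % 4)  # restore padding; 1-mod-4 lengths still fail
    try:
        return base64.b64decode(std, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def suspicious_labels(query_name: str):
    """(label, decoded bytes) for each Base64-looking subdomain label. The
    last two labels are taken as the registrable domain and skipped (a
    simplification; no public-suffix list is consulted)."""
    hits = []
    for lbl in query_name.rstrip(".").split(".")[:-2]:
        decoded = decode_label(lbl)
        if decoded is not None:
            hits.append((lbl, decoded))
    return hits


def rule(event: dict) -> bool:
    """Entry point in the shape Panther Python rules use: True alerts.
    `event` is assumed to be a dict carrying the page's 'query_name' field."""
    return bool(suspicious_labels(event.get("query_name") or ""))


# Constructed sample events (not real log records), one per scenario.
SAMPLE_EVENTS = [
    {"query_name": "aGVsbG8gd29ybGQgdGhpcyBpcyBkYXRh.exfil.example.com"},  # alerts
    {"query_name": "www.example.com"},                  # label below length floor
    {"query_name": "d1a2b3c4e5f6g7h8.cloudfront.net"},   # single-case label, no alert
]
```

Tune MIN_LABEL_LEN and the case filter against your own resolver logs before enabling anything like this; the 60-minute deduplication the summary mentions is applied by the platform, not by the rule body.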
Categories
  • Network
  • Cloud
Data Sources
  • Network Traffic
  • Cloud Service
  • Application Log
Created: 2023-05-10