Unusual DNS Activity

Elastic Detection Rules

Summary
This rule detects unusual DNS queries with a machine learning job that models DNS traffic patterns and surfaces rare or anomalous queries. It aims to catch signs of unauthorized access or malicious activity, such as data exfiltration, command-and-control traffic, or persistence mechanisms, all of which can show up as queries to uncommon DNS domains made on behalf of malicious software. An alert may be triggered by incidents as different as a user clicking a suspicious link or malware resolving its command-and-control server. The rule requires data from Elastic Defend or Network Packet Capture, and it analyzes DNS queries over a 45-minute window at 15-minute intervals. False positives are expected where legitimate software performs infrequent DNS queries to uncommon domains. Analysts should therefore investigate each alert thoroughly: review the DNS logs, the source IPs, and any associated abnormal network activity.
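To make the rarity idea concrete, the following Python script is an added illustration, not Elastic's machine-learning job or any code from the rule itself. It builds a per-environment baseline of how often each registered domain was queried before a 45-minute window opened, flags in-window queries to domains that were rarely or never seen before, and suppresses an assumed allowlist of known-good domains to handle the false positives described above. The DNS events and the allowlist are constructed sample data; the last-two-labels approximation of a registered domain is an assumption, not how the real rule works.

```python
"""Rarity-based scoring of DNS queries over a sliding window.

Added illustration, not Elastic's machine-learning job: a simple
"how rare is this domain in this environment?" baseline that mirrors the
rule's idea of flagging uncommon domains over a 45-minute window.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=45)  # lookback the rule analyzes (per the summary)

# Domains that legitimate software is known to query infrequently (assumed
# allowlist, the usual way to handle the false positives the rule mentions).
ALLOWLIST = {"example.com", "example.org"}

# Constructed sample events: (ISO timestamp, source IP, queried name).
SAMPLE_EVENTS = [
    ("2020-03-25T08:00:01", "10.0.0.5", "www.example.com"),
    ("2020-03-25T08:01:10", "10.0.0.7", "mail.example.org"),
    ("2020-03-25T08:05:00", "10.0.0.5", "updates.vendor-cdn.test"),
    ("2020-03-25T08:07:30", "10.0.0.9", "updates.vendor-cdn.test"),
    ("2020-03-25T08:10:00", "10.0.0.7", "www.example.com"),
    # --- the 45-minute analysis window starts at 08:30 ---
    ("2020-03-25T08:40:00", "10.0.0.5", "www.example.com"),
    ("2020-03-25T08:41:00", "10.0.0.5", "updates.vendor-cdn.test"),
    ("2020-03-25T08:42:15", "10.0.0.9", "a1b2c3.rare-lookup.test"),
    ("2020-03-25T08:42:16", "10.0.0.9", "d4e5f6.rare-lookup.test"),
    ("2020-03-25T08:50:00", "10.0.0.7", "telemetry.newvendor.test"),
]


def registered_domain(name):
    """Collapse a query name to its last two labels so that many random
    subdomains of one parent count as one domain.  Approximation: a real
    implementation would consult the public suffix list."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def score_window(events, window_end_iso, rare_threshold=1):
    """Return one alert per (source IP, domain) seen in the 45 minutes ending
    at window_end_iso whose domain was queried at most rare_threshold times
    in the history before the window opened."""
    window_end = datetime.fromisoformat(window_end_iso)
    window_start = window_end - WINDOW
    parsed = [(datetime.fromisoformat(ts), ip, registered_domain(q))
              for ts, ip, q in events]

    # Baseline: how often each domain was queried before the window.
    baseline = Counter(d for t, _, d in parsed if t < window_start)

    # In-window activity, grouped by (source IP, domain).
    in_window = defaultdict(int)
    for t, ip, d in parsed:
        if window_start <= t <= window_end:
            in_window[(ip, d)] += 1

    alerts = []
    for (ip, d), n in in_window.items():
        if d in ALLOWLIST:
            continue  # known-good: suppress an expected false positive
        if baseline[d] <= rare_threshold:
            alerts.append({"source_ip": ip, "domain": d,
                           "baseline_count": baseline[d],
                           "window_queries": n})
    return alerts


if __name__ == "__main__":
    for alert in score_window(SAMPLE_EVENTS, "2020-03-25T09:15:00"):
        print(alert)
```

Run against the sample data, the script flags the two domains with no history (rare-lookup.test, queried twice via different random subdomains, and newvendor.test) while leaving the previously seen vendor-cdn.test and the allowlisted example.com alone. Each alert carries the source IP and the counts an analyst would want when starting the investigation the rule description calls for.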
Categories
  • Network
  • Endpoint
Data Sources
  • Network Traffic
  • Pod
ATT&CK Techniques
  • T1071
  • T1071.004
Created: 2020-03-25