
Summary
This detection rule identifies failed DNS zone transfers on a Windows DNS server, which may indicate reconnaissance by an attacker. A zone transfer (AXFR/IXFR) replicates a zone's records from a primary server to its secondaries; an attacker who can request one obtains a complete list of the hostnames and addresses in the zone, so unsolicited or failed transfer requests are a common early sign of enumeration. The rule triggers on Event ID 6004 from the DNS Server event log, which is written when the server receives a zone transfer request it cannot satisfy. The event records the requesting client, so the first triage step is to compare that client against the list of secondaries that are supposed to pull from this server: a known secondary producing 6004 events usually indicates a misconfiguration on one side (for example a secondary pointed at the wrong primary, or at a zone this server does not host), while an unknown client, especially one trying several zones, should be treated as reconnaissance. Independently of the alert, zone transfers on the primary should be restricted to explicitly listed secondary servers (or disabled), because a transfer that succeeds for an arbitrary client produces no failure event at all.
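The triage and the configuration check described above, as an added PowerShell example that is not part of the original rule or the Sigma project: it queries the DNS Server log for Event ID 6004 on the server itself, splits the events by whether the requester is a known secondary, and then lists the transfer settings of every primary zone. The $KnownSecondaries addresses and the regexes used to pull the requester and zone out of the message text are assumptions made for this example; it requires the DnsServer module and an elevated session on the DNS server.

```powershell
# Added example (not the rule's own code): triage DNS Server Event ID 6004 on the
# server itself and verify zone-transfer restrictions. Requires the DnsServer
# PowerShell module (DNS role or RSAT) and an elevated session.
# Assumption (constructed for this example): the IPs allowed to pull zones.
$KnownSecondaries = @('10.0.0.2', '10.0.0.3')

# 1. Pull the last 24 hours of failed zone-transfer events from the DNS Server log.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'DNS Server'
    Id        = 6004
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

# 2. Extract the requesting client and the zone from each event. The message
#    text is matched with loose regexes rather than fixed property indexes
#    (assumption: the message names the requester after "from" and the zone
#    after "zone"); anything that does not match is kept with the raw message.
$findings = foreach ($e in $events) {
    $requester = if ($e.Message -match 'from\s+([0-9a-fA-F\.:]+)') { $Matches[1] } else { 'unknown' }
    $zone      = if ($e.Message -match 'zone\s+(\S+?)\.?(\s|$)')     { $Matches[1] } else { 'unknown' }
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        Requester   = $requester
        Zone        = $zone
        Known       = ($KnownSecondaries -contains $requester)
        Message     = $e.Message
    }
}

# 3. Unknown requesters are the reconnaissance candidates; known secondaries
#    asking for zones this server cannot serve point at a misconfigured secondary.
$findings | Group-Object Requester, Known | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$findings | Where-Object { -not $_.Known } |
    Format-Table TimeCreated, Requester, Zone -AutoSize

# 4. Check that every primary zone only transfers to explicitly listed servers.
#    SecureSecondaries should be TransferToSecureServers (or NoTransfer);
#    TransferAnyServer hands the whole zone to anyone who asks.
Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
    Select-Object ZoneName, SecureSecondaries,
        @{ n = 'SecondaryServers'; e = { $_.SecondaryServers -join ',' } } |
    Format-Table -AutoSize

# 5. Remediation for a zone found open (uncomment after confirming the zone name;
#    'example.internal' is a placeholder, not a zone from the original page):
# Set-DnsServerPrimaryZone -Name 'example.internal' `
#     -SecureSecondaries TransferToSecureServers -SecondaryServers $KnownSecondaries
```

Run it on the primary DNS server after an alert fires: step 3 tells you whether the requester is one of your own secondaries (misconfiguration) or an outsider (reconnaissance), and step 4 confirms that a successful transfer to that outsider would have been refused in the first place.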
Categories
- Network
- Infrastructure
- Endpoint
- Windows
- Cloud
Data Sources
- Windows Registry
- Logon Session
- Application Log
- Process
- Service
Created: 2023-05-24