
Summary
This detection rule identifies endpoints that have made DNS queries to more than five distinct DNS servers over a specified timeframe. The search uses the Splunk `Network_Resolution` data model to aggregate DNS query data, counting the distinct DNS servers contacted by each source IP (`DNS.src`). An endpoint that exceeds the threshold of five distinct DNS servers may indicate unusual behavior such as DNS hijacking, host redirection, or command-and-control activity. The analysis supports network monitoring by highlighting endpoints that warrant further investigation.
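The following is an added example, not the rule's own SPL, that reproduces the detection logic over constructed DNS resolution events: it buckets events per source into fixed time windows, counts the distinct DNS servers each source contacted, and flags sources exceeding the threshold of five. The `DNS.dest` field name, the one-hour default window and all sample addresses are assumptions made for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in the shape of Network_Resolution fields
# (_time, DNS.src, DNS.dest). These are made-up values, not real traffic.
SAMPLE_EVENTS = [
    ("2024-11-14T10:00:05", "10.0.0.5", "10.0.0.53"),
    ("2024-11-14T10:04:10", "10.0.0.5", "8.8.8.8"),
    ("2024-11-14T10:09:31", "10.0.0.5", "1.1.1.1"),
    ("2024-11-14T10:15:02", "10.0.0.5", "9.9.9.9"),
    ("2024-11-14T10:21:44", "10.0.0.5", "208.67.222.222"),
    ("2024-11-14T10:30:00", "10.0.0.5", "4.2.2.2"),
    ("2024-11-14T10:05:00", "10.0.0.7", "10.0.0.53"),
    ("2024-11-14T10:10:00", "10.0.0.7", "10.0.0.53"),
    ("2024-11-14T10:15:00", "10.0.0.7", "10.0.0.54"),
    ("2024-11-14T10:40:00", "10.0.0.9", "10.0.0.53"),
    ("2024-11-14T10:45:00", "10.0.0.9", "8.8.8.8"),
    ("2024-11-14T10:50:00", "10.0.0.9", "1.1.1.1"),
    ("2024-11-14T11:05:00", "10.0.0.9", "9.9.9.9"),
    ("2024-11-14T11:10:00", "10.0.0.9", "8.8.4.4"),
    ("2024-11-14T11:15:00", "10.0.0.9", "4.2.2.2"),
]

THRESHOLD = 5  # the rule fires when an endpoint exceeds five distinct resolvers


def distinct_resolvers_per_window(events, window_hours=1):
    """Bucket events into fixed windows (like a Splunk span) and collect
    the set of DNS servers each source contacted within each window."""
    window = timedelta(hours=window_hours)
    buckets = defaultdict(set)
    for ts, src, dest in events:
        t = datetime.fromisoformat(ts)
        # Align the timestamp to the start of its window.
        start = t - ((t - datetime.min) % window)
        buckets[(src, start)].add(dest)
    return buckets


def find_suspicious_endpoints(events, threshold=THRESHOLD, window_hours=1):
    """Return the (src, window) pairs whose distinct-resolver count exceeds
    the threshold, which is the condition the rule applies per source IP."""
    hits = []
    for (src, start), dests in distinct_resolvers_per_window(events, window_hours).items():
        if len(dests) > threshold:
            hits.append({"src": src, "window_start": start.isoformat(),
                         "distinct_dest": len(dests), "dest": sorted(dests)})
    return sorted(hits, key=lambda h: (h["src"], h["window_start"]))


if __name__ == "__main__":
    for hit in find_suspicious_endpoints(SAMPLE_EVENTS):
        print(f"{hit['src']} contacted {hit['distinct_dest']} resolvers from {hit['window_start']}")
```

With the default one-hour window only 10.0.0.5 is flagged; 10.0.0.9 also reaches six resolvers, but only when the window is widened to two hours, which shows how the chosen timeframe changes what the rule reports.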
Categories
- Network
- Endpoint
Data Sources
- Network Traffic
- Application Log
ATT&CK Techniques
- T1048.003
Created: 2024-11-14