
DNS Query Tor .Onion Address - Sysmon

Sigma Rules

Summary
This detection rule identifies DNS queries for .onion addresses, the hidden-service names used by the Tor network. It inspects Sysmon DNS query events on Windows and matches any event whose QueryName contains '.onion'. Such a query can indicate an attempt to communicate with a Tor hidden service, a common way to bypass censorship and conceal a user's identity; because connectivity to .onion sites may also point to unauthorized or malicious activity such as data exfiltration or command-and-control communication, the rule is classified as high severity. Legitimate Tor use can trigger the rule, so false positives are possible, although their frequency is currently categorized as unknown. Security teams using this rule should be prepared to investigate and respond to these alerts to protect network integrity and mitigate potential threats.
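The matching logic described above, applied to a handful of constructed Sysmon DNS query records, as an added example that is not the rule's own source: it reproduces the Sigma-style case-insensitive "contains '.onion'" check on QueryName, restricts it to Sysmon's DNS query event (Event ID 22), and pulls out the fields an analyst would triage first. The hostnames and paths in the sample events are placeholders, not real indicators.

```python
# Added example: apply "QueryName contains '.onion'" to Sysmon DNS query events.
from typing import Dict, Iterable, List

SYSMON_DNS_QUERY_EVENT_ID = 22   # Sysmon "Dns query" event (Sigma logsource category dns_query)
ONION_MARKER = ".onion"


def matches_onion_query(event: Dict) -> bool:
    """Sigma 'QueryName|contains: .onion' semantics: case-insensitive substring
    match, evaluated only on Sysmon DNS query events."""
    if event.get("EventID") != SYSMON_DNS_QUERY_EVENT_ID:
        return False
    query_name = str(event.get("QueryName", ""))
    return ONION_MARKER in query_name.lower()


def find_onion_queries(events: Iterable[Dict]) -> List[Dict]:
    """Return the events that would raise this alert."""
    return [e for e in events if matches_onion_query(e)]


def triage_fields(event: Dict) -> Dict:
    """Fields an analyst wants first: which process asked, for what name,
    and what the resolver answered (9003 = NXDOMAIN; .onion names are not
    resolvable through public DNS, so a query reaching the OS resolver
    at all is worth a look)."""
    return {k: event.get(k) for k in ("Image", "QueryName", "QueryStatus")}


# Constructed sample events (placeholder hostnames, not real indicators).
SAMPLE_EVENTS = [
    {"EventID": 22, "Image": r"C:\Program Files\Tor Browser\Browser\firefox.exe",
     "QueryName": "exampleplaceholderxyz.onion", "QueryStatus": "9003"},
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "www.example.com", "QueryStatus": "0"},
    {"EventID": 22, "Image": r"C:\Windows\explorer.exe",
     "QueryName": "EXAMPLEPLACEHOLDER.ONION", "QueryStatus": "9003"},
    # Not a DNS query event: must not match even though the name contains .onion
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "QueryName": "notadnsevent.onion"},
]

if __name__ == "__main__":
    for hit in find_onion_queries(SAMPLE_EVENTS):
        print("ALERT:", triage_fields(hit))
```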
Categories
  • Network
  • Endpoint
  • Windows
Data Sources
  • Network Traffic
  • Process
  • Application Log
Created: 2022-02-20