
Summary
This detection rule identifies DNS queries for hostnames that belong to Amazon S3 buckets the organization has already deleted. Such queries matter because they show that clients or application code still reference the old bucket names. S3 bucket names are globally unique and are released for anyone to claim once a bucket is deleted, so an attacker who recreates a deleted bucket under the same name inherits that residual traffic: objects the application still downloads (scripts, installers, configuration) can be replaced with malicious content, and data the application still uploads lands in a bucket the attacker controls. The rule searches the Network Resolution data model for DNS queries and matches the queried hostnames against a lookup of known decommissioned bucket names. DNS resolution logs must be ingested and mapped to that data model for the match to work.
Categories
- Cloud
- AWS
Data Sources
- Named Pipe
ATT&CK Techniques
- T1485
Created: 2025-02-12