
Summary
An anomaly detection rule for Windows endpoints that flags DNS queries to definitionupdates.microsoft.com, or to the go.microsoft.com fwlink redirect used for Windows Defender (WD) definition updates, when the query is initiated by a non-system process. The rule relies on Sysmon Event ID 22 (DNS query) events and filters out queries originating from known legitimate Windows system and Defender update paths (e.g., Office, Windows Defender, Windows System32, SysWOW64 and related Defender folders) to reduce false positives. When a non-system process queries the WD update domains, the detection aggregates context around the destination host, the process and the DNS query (QueryName, QueryResults, reply_code_id, etc.), producing alerts with first/last seen times and the associated process information. The intermediate finding reads: “Non-System process $Image$ queried Windows Defender Definition Updates domain $QueryName$ on $dest$.” The rule is designed for endpoint telemetry ingested from EDR tools and mapped to the CIM Endpoint data model, with supporting drilldowns and risk analytics. It is associated with MITRE ATT&CK techniques T1071.001 (Application Layer Protocol: DNS) and T1068 (Privilege Escalation) and carries metadata including a related CVE (CVE-2026-33825). The implementation guidance emphasizes ingesting complete command lines and process metadata, normalizing fields to the Processes node, and using the Splunk CIM to normalize data and accelerate detection. The rule targets BlueHammer activity that leverages update channels for exploit delivery and is intended for Splunk environments (Splunk Enterprise / Splunk ES / Splunk Cloud).
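The filtering and aggregation the summary describes, as an added Python example rather than the rule's own SPL: it runs the domain match and the system-path exclusion over constructed Sysmon Event ID 22 records and rolls the hits up per destination host, process image and query name with first/last seen times. The allow-listed path prefixes, the `ev` helper and the sample records are assumptions made for the example.

```python
# Added example, not Splunk's SPL: Sysmon Event ID 22 filter for non-system queries
# to the Defender definition-update hosts; the allow-listed paths are assumptions.
WD_UPDATE_HOSTS = ("definitionupdates.microsoft.com", "go.microsoft.com")
SYSTEM_PATH_PREFIXES = (  # assumed legitimate updater locations (folders the page names)
    "c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
    "c:\\program files\\windows defender\\", "c:\\program files\\microsoft office\\",
    "c:\\programdata\\microsoft\\windows defender\\",
)

def is_wd_update_query(query_name):
    """DNS carries only the host, so the fwlink path of the redirect is not visible."""
    q = query_name.rstrip(".").lower()
    return any(q == h or q.endswith("." + h) for h in WD_UPDATE_HOSTS)

def is_system_process(image):
    return image.lower().startswith(SYSTEM_PATH_PREFIXES)

def detect(events):
    """Aggregate flagged events per (dest, Image, QueryName) with first/last seen."""
    findings = {}
    for e in events:
        if not is_wd_update_query(e["QueryName"]) or is_system_process(e["Image"]):
            continue
        key = (e["Computer"], e["Image"].lower(), e["QueryName"].lower())
        f = findings.setdefault(key, {
            "dest": e["Computer"], "Image": e["Image"], "QueryName": e["QueryName"],
            "first_seen": e["UtcTime"], "last_seen": e["UtcTime"],
            "count": 0, "QueryResults": set()})
        f["first_seen"] = min(f["first_seen"], e["UtcTime"])  # Sysmon UtcTime sorts lexically
        f["last_seen"] = max(f["last_seen"], e["UtcTime"])
        f["count"] += 1
        f["QueryResults"].add(e["QueryResults"])
    for f in findings.values():
        f["message"] = (f"Non-System process {f['Image']} queried Windows Defender "
                        f"Definition Updates domain {f['QueryName']} on {f['dest']}")
    return sorted(findings.values(), key=lambda f: f["first_seen"])

def ev(time, image, qname, pid, dest="WS01", result="::ffff:203.0.113.10;"):
    """Constructed Event ID 22 record (sample data, not real telemetry)."""
    return {"Computer": dest, "UtcTime": time, "ProcessId": pid, "Image": image,
            "QueryName": qname, "QueryResults": result}

USER_TMP = "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe"
SAMPLE_EVENTS = [
    ev("2026-06-16 10:00:00.000", "C:\\Program Files\\Windows Defender\\MsMpEng.exe",
       "definitionupdates.microsoft.com", 4120),        # legitimate updater, filtered out
    ev("2026-06-16 10:01:00.000", USER_TMP, "go.microsoft.com", 7788),                # flagged
    ev("2026-06-16 10:02:00.000", USER_TMP, "definitionupdates.microsoft.com", 7788), # flagged
    ev("2026-06-16 10:05:00.000", USER_TMP, "definitionupdates.microsoft.com", 8102), # same finding
]
```

Running `detect(SAMPLE_EVENTS)` yields two findings for updater.exe and none for the Defender engine, with the definitionupdates.microsoft.com finding spanning 10:02 to 10:05 over two queries.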
Categories
- Endpoint
- Windows
Data Sources
- Script
- Windows Registry
- Process
- Logon Session
- Image
- Service
- File
- Network Traffic
- Sensor Health
ATT&CK Techniques
- T1068
- T1071.001
Created: 2026-06-16