
Summary
This detection rule targets manipulation of the DNS Z flag, a field the DNS protocol originally reserved and required to be zero. Although the Z field has since acquired some use in DNSSEC, it should normally remain unset (i.e., zero). If the Z flag is set to a non-zero value while DNSSEC is in use, this could indicate misuse in which legitimate domains are excluded from checks, creating opportunities for attackers to exploit the configuration. The rule looks for multiple DNS queries with abnormal Z flag settings occurring in quick succession, which could indicate an operation aimed at accessing sensitive files. The detection fires when the Z flag is set, the domain name looks like a valid one, and the query does not match a set of predefined exclusions covering certain top-level domains and query types known to be benign. This Sigma rule forms part of a broader threat-hunting framework and helps analysts pinpoint potentially malicious DNS activity efficiently.
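As an added example (not the rule's own logic or the Sigma project's code), the following Python extracts the 3-bit Z field from a raw DNS header and applies the conditions described above to constructed Zeek-style dns.log records. The field names, exclusion lists, threshold and time window are assumptions chosen for illustration, not the rule's actual values.

```python
import json
from collections import deque

# Assumed Zeek-style dns.log JSON fields: ts, query, qtype_name, Z.
# Exclusion lists, threshold and window are illustrative placeholders.
EXCLUDED_TLDS = (".arpa", ".local")
EXCLUDED_QTYPES = {"PTR", "SRV"}
WINDOW_SECONDS = 60
THRESHOLD = 3

def z_field(header: bytes) -> int:
    """Return the 3-bit Z field from a raw 12-byte DNS header.

    Byte 3 layout (RFC 1035): RA | Z Z Z | RCODE (4 bits).
    RFC 2535 later assigned the low two Z bits to AD and CD for DNSSEC,
    so a value of 4 means the remaining truly reserved bit is set.
    """
    if len(header) < 12:
        raise ValueError("DNS header is 12 bytes")
    return (header[3] >> 4) & 0x07

def matches_rule(rec: dict) -> bool:
    """Per-record conditions: Z set, plausible domain, not on an exclusion list."""
    query = rec.get("query", "")
    return (
        rec.get("Z", 0) != 0
        and "." in query                      # "looks like a valid domain" (assumed check)
        and not query.lower().endswith(EXCLUDED_TLDS)
        and rec.get("qtype_name") not in EXCLUDED_QTYPES
    )

def detect(lines):
    """Alert once THRESHOLD matching queries fall within WINDOW_SECONDS of each other."""
    window, alerts = deque(), []
    for line in lines:
        rec = json.loads(line)
        if not matches_rule(rec):
            continue
        window.append(rec["ts"])
        while window and rec["ts"] - window[0] > WINDOW_SECONDS:
            window.popleft()                  # drop queries older than the window
        if len(window) >= THRESHOLD:
            alerts.append((rec["ts"], rec["query"]))
    return alerts

# Constructed sample log: one benign record, one excluded PTR, then a burst.
SAMPLE_LOG = [
    '{"ts": 100.0, "query": "example.com", "qtype_name": "A", "Z": 0}',
    '{"ts": 101.0, "query": "1.0.0.10.in-addr.arpa", "qtype_name": "PTR", "Z": 4}',
    '{"ts": 102.0, "query": "a.example.net", "qtype_name": "A", "Z": 4}',
    '{"ts": 110.0, "query": "b.example.net", "qtype_name": "TXT", "Z": 4}',
    '{"ts": 120.0, "query": "c.example.net", "qtype_name": "A", "Z": 4}',
    '{"ts": 400.0, "query": "d.example.net", "qtype_name": "A", "Z": 4}',
]
```

Running `detect(SAMPLE_LOG)` yields a single alert at ts 120.0, since the record at 400.0 falls outside the window and restarts the count.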
Categories
- Network
- Endpoint
- Cloud
Data Sources
- Network Traffic
- Application Log
Created: 2021-05-04