
Suspicious Process With Discord DNS Query

Splunk Security Content

Summary
This detection rule identifies suspicious processes that issue DNS queries for Discord domains, excluding the legitimate Discord client's install paths to reduce false positives. It uses Sysmon logs, filtering on Event ID 22 (DNS query). The detection matches when the query name contains 'discord' and the process making the request is not a known legitimate Discord application. Such behavior can indicate malicious activity, since Discord has been exploited to deliver harmful payloads, as seen in the WhisperGate campaign. Monitoring these queries helps identify compromised systems that attempt to communicate with potentially harmful sources, which can lead to further security incidents if undetected.
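As an added example (not the rule's own Splunk search), the same logic applied in Python to constructed Sysmon Event ID 22 records. The field names follow Sysmon's (EventID, Image, QueryName, Computer); the allowlist of legitimate Discord client paths is an assumption for illustration, not the rule's exact exclusion list.

```python
import re

# Assumed allowlist: the Discord client normally runs from the user's
# AppData directory (Discord, DiscordPTB, DiscordCanary). Illustrative only.
LEGIT_DISCORD_IMAGE = re.compile(
    r"\\AppData\\Local\\Discord(PTB|Canary)?\\app-[\d.]+\\Discord(PTB|Canary)?\.exe$",
    re.IGNORECASE,
)

def is_suspicious_discord_query(event: dict) -> bool:
    """True when a non-Discord process issues a DNS query for a 'discord' name."""
    if event.get("EventID") != 22:          # only Sysmon DNS query events
        return False
    if "discord" not in event.get("QueryName", "").lower():
        return False
    # Exclude the legitimate Discord client to reduce false positives.
    return not LEGIT_DISCORD_IMAGE.search(event.get("Image", ""))

def find_suspicious(events: list) -> list:
    """Return (Computer, Image, QueryName) for each event that matches."""
    return [(e["Computer"], e["Image"], e["QueryName"])
            for e in events if is_suspicious_discord_query(e)]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 22, "Computer": "ws01", "QueryName": "discord.com",
     "Image": r"C:\Users\alice\AppData\Local\Discord\app-1.0.9035\Discord.exe"},
    {"EventID": 22, "Computer": "ws02", "QueryName": "cdn.discordapp.com",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 22, "Computer": "ws03", "QueryName": "discordapp.com",
     "Image": r"C:\Windows\System32\wscript.exe"},
    {"EventID": 22, "Computer": "ws04", "QueryName": "example.org",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    # Event ID 1 (process create) carries no DNS query and must be ignored.
    {"EventID": 1, "Computer": "ws05", "QueryName": "discord.gg",
     "Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("suspicious:", hit)
```

Only ws02 and ws03 match: the real client on ws01 is allowlisted, ws04 never queries a Discord name, and ws05 is not a DNS event.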
Categories
  • Endpoint
Data Sources
  • Pod
  • User Account
  • Network Traffic
  • Process
  • Image
  • Script
ATT&CK Techniques
  • T1059.005
  • T1059
Created: 2024-11-22