
Summary
This detection rule identifies the resolution of .onion addresses by monitoring DNS query events, specifically DNS Client events on Windows systems. It focuses on EventID 3008, which signifies a DNS query, and looks for any query containing '.onion', an indication of probable access to the Tor network. Detecting such queries is crucial for identifying command-and-control communications that rely on the anonymity of the Tor network. The Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled and collected for this rule to function. The potential for false positives is minimal, making this a reliable indicator of possible malicious activity related to the use of Tor.
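As an added illustration (not code from the rule or this page), the following Python runs the detection described above over constructed DNS Client event records and, as a refinement, shows a stricter variant that fires only when the final DNS label is exactly "onion", so lookalike names containing the substring ".onion" are not flagged. The rendered message wording, the field names and every hostname are assumptions or constructed samples.

```python
import re

# Constructed sample events (not real telemetry). The "Message" text imitates the
# rendered form of Microsoft-Windows-DNS-Client/Operational events 3008 and 3006
# as I understand it; the exact wording is an assumption, as are all hostnames.
SAMPLE_EVENTS = [
    {"EventID": 3008, "ProcessId": 4120,
     "Message": "DNS query is completed for the name exampl3v2addr1234.onion, type 1, "
                "query options 1073774592 with status 9003 Results "},
    {"EventID": 3008, "ProcessId": 4120,  # trailing dot: fully qualified form
     "Message": "DNS query is completed for the name exampleonionservicev3addressxyz.onion., "
                "type 28, query options 1073774592 with status 9003 Results "},
    {"EventID": 3008, "ProcessId": 880,
     "Message": "DNS query is completed for the name www.example.com, type 1, "
                "query options 1073774592 with status 0 Results 203.0.113.10;"},
    {"EventID": 3008, "ProcessId": 2200,  # constructed lookalike that merely contains ".onion"
     "Message": "DNS query is completed for the name shop.onions-delivery.example, type 1, "
                "query options 1073774592 with status 0 Results 203.0.113.20;"},
    {"EventID": 3006, "ProcessId": 4120,  # not a 3008 event, so it is out of scope
     "Message": "DNS query is called for the name another.onion, type 1, query options 0"},
]

QUERY_NAME = re.compile(r"for the name (?P<name>\S+?),")
ONION_TLD = re.compile(r"(?:^|\.)onion\.?$", re.IGNORECASE)


def query_name(event):
    """Pull the queried name out of the rendered message (None if it is absent)."""
    m = QUERY_NAME.search(event.get("Message", ""))
    return m.group("name") if m else None


def page_rule(event):
    """The rule as the summary describes it: EventID 3008 and a name containing '.onion'."""
    name = query_name(event)
    return event.get("EventID") == 3008 and name is not None and ".onion" in name.lower()


def strict_rule(event):
    """Tightened variant (my addition): the last label must be exactly 'onion'."""
    name = query_name(event)
    return event.get("EventID") == 3008 and name is not None and ONION_TLD.search(name) is not None


def detect(events, rule):
    """Return (ProcessId, QueryName) for every event the given rule fires on."""
    return [(e["ProcessId"], query_name(e)) for e in events if rule(e)]


if __name__ == "__main__":
    for label, rule in (("contains '.onion'", page_rule), ("TLD is onion", strict_rule)):
        print(label, detect(SAMPLE_EVENTS, rule))
```

The ProcessId carried alongside each hit is what an analyst pivots on next, since the DNS Client log records which process issued the query.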
Categories
- Endpoint
- Network
Data Sources
- Windows Registry
- Application Log
- Process
Created: 2022-02-20