
Summary
The DNS Tunneling detection rule uses a machine learning job to identify anomalous volumes of DNS queries directed at a single top-level domain, a pattern that may indicate DNS tunneling used for command-and-control, persistence, or data exfiltration. A high rate of queries to one domain, each carrying a different chunk of data in its subdomain labels, is a hallmark of tools such as dnscat, which abuse the DNS protocol for covert communication. The rule runs every 15 minutes over a 45-minute lookback window and alerts when the ML job reports an anomaly with a score of at least 50; note that 50 is an anomaly score on the job's 0 to 100 scale, not a count of queries. Expect false positives from legitimate applications that generate large numbers of DNS queries to a single domain, such as software or content distribution networks that use many child domains; such parent domains can be excluded. To use this rule, the Elastic Defend or Network Packet Capture integration must be shipping DNS events, and the associated machine learning job must be configured and running, otherwise the rule will error or never fire.
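The following is an added example, not part of the rule or Elastic's ML job definition: a heuristic stand-in for the anomaly model that shows what "many queries to one domain" looks like in data and why volume alone is not enough. It groups DNS queries by registered domain over a 45-minute window and flags a domain only when the query count, the fraction of unique subdomains, and the mean subdomain length all exceed thresholds, so a busy CDN-style domain that repeats a few names is not flagged while a dnscat-style stream of unique hex labels is. The log format, the registered-domain heuristic, the thresholds, and all sample lines are constructed for this example.

```python
"""Heuristic stand-in for the DNS-tunneling ML job (example code written for
this page, not Elastic's rule). Counts DNS queries per registered domain in a
lookback window and flags domains whose traffic looks like encoded data.
"""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Tiny stand-in for the public suffix list (assumption for this example);
# production code should use the full list, e.g. via the tldextract package.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Constructed log format: "<ISO timestamp> <client ip> <queried name>"
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def registered_domain(qname: str) -> str:
    """Return the registered (organisation-level) domain of a query name."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_log(text: str):
    """Parse constructed log lines into (timestamp, client, qname) tuples."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m.group(2), m.group(3)))
    return events


def score_domains(events, window_end, window=timedelta(minutes=45)):
    """Per registered domain: query count, unique-subdomain ratio, mean prefix length."""
    start = window_end - window
    raw = defaultdict(lambda: {"queries": 0, "subdomains": set(), "chars": 0})
    for ts, _client, qname in events:
        if not (start < ts <= window_end):
            continue  # outside the lookback window, like the rule's 45m range
        dom = registered_domain(qname)
        prefix = qname.rstrip(".").lower()[: -len(dom)].rstrip(".")
        s = raw[dom]
        s["queries"] += 1
        s["subdomains"].add(prefix)
        s["chars"] += len(prefix)
    return {
        dom: {
            "queries": s["queries"],
            "unique_ratio": len(s["subdomains"]) / s["queries"],
            "mean_prefix_len": s["chars"] / s["queries"],
        }
        for dom, s in raw.items()
    }


def flag_tunneling(stats, min_queries=10, min_unique_ratio=0.8, min_prefix_len=20):
    """Flag domains that are busy AND whose subdomains look like encoded data."""
    return sorted(
        dom for dom, s in stats.items()
        if s["queries"] >= min_queries
        and s["unique_ratio"] >= min_unique_ratio
        and s["mean_prefix_len"] >= min_prefix_len
    )


# Constructed sample traffic (not real captures). Block 1 mimics a dnscat-style
# tunnel: 12 queries, each with a distinct 40-hex-char label under example.org.
# Block 2 mimics a legitimate app hammering two fixed names at example.net.
# The last two lines are an out-of-window tunnel query and a co.uk lookup.
_TUNNEL = [
    f"2020-03-25T10:{i:02d}:00Z 10.0.0.5 "
    f"{hashlib.sha256(b'chunk%d' % i).hexdigest()[:40]}.t.example.org"
    for i in range(12)
]
_LEGIT = [
    f"2020-03-25T10:{i:02d}:30Z 10.0.0.7 {'metrics' if i % 2 else 'api'}.telemetry.example.net"
    for i in range(12)
]
SAMPLE_LOG = "\n".join(_TUNNEL + _LEGIT + [
    "2020-03-25T09:00:00Z 10.0.0.5 ffffffffffffffffffffffffffffffffffffffff.t.example.org",
    "2020-03-25T10:05:00Z 10.0.0.9 www.example.co.uk",
])


def run_sample():
    """Evaluate the constructed log at 10:15 UTC; returns (flagged, stats)."""
    stats = score_domains(parse_log(SAMPLE_LOG),
                          datetime(2020, 3, 25, 10, 15, tzinfo=timezone.utc))
    return flag_tunneling(stats), stats


if __name__ == "__main__":
    flagged, stats = run_sample()
    for dom in flagged:
        print(f"possible DNS tunnel: {dom} {stats[dom]}")
```

On the sample, example.org is flagged (12 queries, every subdomain unique, 42-character prefixes) while example.net is not, even though it produced the same number of queries in the window: its unique-subdomain ratio is 2/12. That second case is the false-positive class the rule summary warns about, and it is why an exclusion list of busy parent domains is usually needed alongside the ML job rather than a lower threshold.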
Categories
- Network
- Endpoint
Data Sources
- Network Traffic
- Process
ATT&CK Techniques
- T1572 (Protocol Tunneling)
Created: 2020-03-25