Ioc1.ic1 Apr 2026

Splunk search (for SIEM):

index=dns query="ioc1.ic1" | stats count by src_ip, query_type, response

YARA rule (for malware config extraction):

rule IOC1_IC1_Config
{
    strings:
        $c2 = "ioc1.ic1" ascii wide nocase
    condition:
        $c2
}

Sigma rule:

title: Suspicious DNS Request to IOC1.IC1
status: experimental
logsource:
  product: windows
  service: dns-client
detection:
  selection:
    QueryName|contains: 'ioc1.ic1'
  condition: selection