I ran into the same issue. I created a lookup table containing known DNS domain names, such as "office365.com" and changed the "Excessive DNS Queries" rule in ES to:
| tstats summariesonly=true allow_old_summaries=true
values(host) as host
count from datamodel=Network_Resolution.DNS
where "DNS.message_type"="QUERY"
NOT
[| inputlookup known_dns_queries.csv
| rename query as DNS.query]
by "DNS.src","DNS.query",sourcetype, _time span=30min
| rename "DNS.src" as "src", "DNS.query" as query
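To show what that search does outside Splunk, here is an added example (not the poster's code) that reproduces its logic in Python: load the allowlist the way `inputlookup known_dns_queries.csv` would, keep only QUERY events, drop allowlisted names, and count by source, query and 30-minute span. The lookup rows, the sample events and the alert threshold are all constructed assumptions; the post does not show the rule's threshold.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timezone

# Constructed allowlist, standing in for the known_dns_queries.csv lookup
KNOWN_DNS_QUERIES_CSV = """query
office365.com
login.microsoftonline.com
"""

# Constructed sample DNS events: (DNS.src, DNS.query, DNS.message_type, _time)
SAMPLE_EVENTS = [
    ("10.0.0.5", "office365.com", "QUERY", "2024-05-01T10:02:00Z"),
    ("10.0.0.5", "office365.com", "QUERY", "2024-05-01T10:12:00Z"),
    ("10.0.0.5", "a1.exfil.example", "QUERY", "2024-05-01T10:05:00Z"),
    ("10.0.0.5", "a1.exfil.example", "QUERY", "2024-05-01T10:06:00Z"),
    ("10.0.0.5", "a1.exfil.example", "QUERY", "2024-05-01T10:29:00Z"),
    ("10.0.0.5", "a1.exfil.example", "QUERY", "2024-05-01T10:31:00Z"),
    ("10.0.0.7", "office365.com", "RESPONSE", "2024-05-01T10:03:00Z"),
    ("10.0.0.7", "intranet.example", "QUERY", "2024-05-01T10:03:00Z"),
]

SPAN_SECONDS = 30 * 60  # the tstats "span=30min" bucket

def load_known_queries(csv_text):
    """Equivalent of `| inputlookup known_dns_queries.csv`: the allowlisted names."""
    return {row["query"].strip().lower() for row in csv.DictReader(io.StringIO(csv_text))}

def bucket_start(ts):
    """Floor an ISO-8601 UTC timestamp to the start of its 30-minute span (epoch seconds)."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    epoch = int(dt.timestamp())
    return epoch - epoch % SPAN_SECONDS

def count_dns_queries(events, known_queries):
    """Mirror the tstats search: count QUERY events by (src, query, span),
    skipping any query present in the lookup (the NOT [...] subsearch)."""
    counts = Counter()
    for src, query, message_type, ts in events:
        if message_type != "QUERY" or query.lower() in known_queries:
            continue
        counts[(src, query, bucket_start(ts))] += 1
    return counts

def excessive(counts, threshold):
    """Rows (src, query, span_start, count) above an assumed per-span threshold."""
    return [(s, q, t, n) for (s, q, t), n in sorted(counts.items()) if n > threshold]
```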