Detection rules › Splunk
Windows AI Platform DNS Query
The following analytic detects DNS queries initiated by the Windows AI Platform to domains associated with Hugging Face, OpenAI, and other popular providers of machine learning models and services. Monitoring these DNS requests is important because it can reveal when systems are accessing external AI platforms, which may indicate the use of third-party AI resources or the transfer of sensitive data outside the organization’s environment. Detecting such activity enables organizations to enforce data governance policies, prevent unapproved use of external AI services, and maintain visibility into potential data exfiltration risks. Proactive monitoring provides better control over AI model usage and helps safeguard organizational data flows.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Command & Control | T1071.004 Application Layer Protocol: DNS |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 22 | DNSEvent (DNS query) |
Stages and Predicates
Stage 1: search
search EventCode=22 QueryName IN ("api.openai.com", "router.huggingface.co")
Stage 2: lookup
lookup <lookup> browser_process_name, isAllowed, process_name
Stage 3: search
search isAllowed!=true
Stage 4: rename
rename
Stage 5: stats
stats BY answer, answer_count, dest, process_exec, process_guid, process_name, query, query_count, reply_code_id, signature, signature_id, src, user_id, Image, vendor_product, QueryName, QueryResults, QueryStatus
Stage 6: search
search
Stage 7: search
search
Stage 8: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
QueryName | in |
|
isAllowed | ne |
|