You can write a D&R rule to detect a specific domain using the DNS_REQUEST event.
If you add the rule below you'll get a detection if an endpoint makes a DNS request to either example.com and example.net
Detect
rules:
- case sensitive: false
op: is
path: event/DOMAIN_NAME
value: example.com
- case sensitive: false
op: is
path: event/DOMAIN_NAME
value: example.net
events:
- DNS_REQUEST
op: or
Response
- name: Test detection for either example.com -or- example.net
action: report
To make this event fire, on the endpoint open up a web browser and browse to example.com
You can expect a detection to appear in LimaCharlie for this detection.