We ingest DNS logs into Elasticsearch.
the format is
domain -> whole domain -> deeper.cdn.example.com
domain1 -> com
domain2 -> example
domain3 -> cdn
domain4 -> deeper
Now we want to create a SIEM detection alert if an unusual amount of (sub-)subdomains for a main (sub)domain is resolved.
This should work on all levels except for the first (x.com, y.com, and so on).
Any best practice for this use case?
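As an added example (not part of the original post, and not an Elasticsearch rule), here is the counting logic such an alert needs, in Python over constructed sample log lines: per time window, distinct next-level labels per parent for every depth except the TLD, flagged above a fixed threshold. The window size, threshold and log line format are assumptions.

```python
"""Added example, not code from the original post: count distinct next-level
labels per parent domain (every depth except the bare TLD) inside a time
window and flag parents whose count exceeds a threshold."""
from collections import defaultdict
from datetime import datetime

# Constructed sample DNS log lines, "<ISO timestamp> <queried name>" (not real traffic):
# one noisy parent (cdn.example.com) plus a few normal lookups and a bare x.com.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z deeper.cdn.example.com
2024-05-01T10:00:02Z www.example.com
2024-05-01T10:00:03Z x.com
""" + "\n".join(f"2024-05-01T10:00:{s:02d}Z h{s}.cdn.example.com" for s in range(4, 30)) + "\n"

def split_levels(fqdn):
    """Return labels TLD-first, mirroring the post's domain1..domainN fields."""
    return [l for l in fqdn.lower().rstrip(".").split(".") if l][::-1]

def parent_child_pairs(fqdn):
    """Yield (parent, child) for every depth except the TLD level, so
    deeper.cdn.example.com -> (example.com, cdn), (cdn.example.com, deeper)
    and x.com yields nothing (the first level is excluded, as the post asks)."""
    levels = split_levels(fqdn)
    for depth in range(2, len(levels)):
        yield ".".join(reversed(levels[:depth])), levels[depth]

def parse_log(text):
    """Parse the constructed log lines into (epoch_seconds, fqdn) tuples."""
    events = []
    for line in text.splitlines():
        ts, name = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp(), name))
    return events

def distinct_children(events, window_seconds=300):
    """Map (window_start, parent) -> set of distinct child labels seen in that window."""
    seen = defaultdict(set)
    for ts, fqdn in events:
        window = int(ts // window_seconds) * window_seconds
        for parent, child in parent_child_pairs(fqdn):
            seen[(window, parent)].add(child)
    return seen

def flag_unusual(events, threshold=20, window_seconds=300):
    """Return {(window_start, parent): distinct_child_count} for parents over the threshold."""
    return {k: len(v) for k, v in distinct_children(events, window_seconds).items()
            if len(v) > threshold}
```

The same counting maps onto an Elasticsearch terms aggregation over the parent fields (domain1..domainN) with a cardinality sub-aggregation on the next domain field; the fixed threshold here stands in for a per-level baseline you would tune from your own traffic.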