Detecting DNS Exfiltration

Hello,
we ingest dns logs into Elasticsearch.
the format is
domain -> whole domain -> deeper.cdn.example.com
domain1 -> com
domain2 -> example
domain3 -> cdn
domain4 -> deeper

Now we want to create a siem detection alert if a unusual amount of (sub-)subdomains for a main (sub)domain is resolved.

Example:
6346436.evil.c2control.com
3523.evil.c2control.com
3524677.evil.c2control.com
352557.evil.c2control.com
436246463.evil.c2control.com

This should work on all level except for the first (x.com,y,com,and so on).

Any best practice for this usecase?
thanks

See Security anomaly detection configurations | Machine Learning in the Elastic Stack [7.15] | Elastic for some built in options