The objective is to track a single IP address with 50 or more NXDOMAIN responses over a 10 minute period in order to detect fast flux and DGA. I have continuously been getting errors for variables not being used in the outcome section “semantic analysis: event variable e and its child variables not used in condition section”. Here is the alert logic 
 

rule 034_high_volume_of_NXDOMAIN_DNS_Responses {

/* A high volume of NXDOMAIN responses from the DNS server for an endpoints queries can indicate malware may have been installed and is attempting to reach out

to a command and control (C2) server(s). NXDOMAIN responses will occur due to the use of Fast Flux DNS/ DGA due to a rotating DNS infrastructure on the attacker side.

*/

  meta:

    author = "REDACTED"

    description = "Detects a high volume of NXDOMAIN responses from the Infoblox DNS server for a single hosts DNS query requests"

    severity = "Medium"

    playbook = "Network Alerts"

    mitre_attack_tactic = "Brute Force"

    mitre_attack_technique = "Domain Generation Algorithms"

    mitre_attack_url = "https://attack.mitre.org/techniques/T1568/"

  events:

    $e.metadata.log_type = "INFOBLOX_DNS"

    $e.metadata.event_type = "NETWORK_DNS"

    // Track NXDOMAIN queries from a single host

    (

        $e.metadata.product_event_type = /\[DNS Response\] - DNS Response IN (.*) NXDOMAIN/ or

        $e.security_result.action_details = "NXDOMAIN" or

        $e.network.dns.response_code = "NXDOMAIN"

    )

   // take IP as a variable for use in match section

    $e.principal.asset.ip[0] = $src_host

  match:

    // alert logic will match the source host queries over a 10 minute period

    $src_host over 10m

  outcome:

    // grab a count of the NXDOMAIN events on a single IP

    $nxdomain_count_ = count($src_host)

  condition:

    // 50 NXDOMAIN query responses over a 10 minute period from a single host

    $nxdomain_count_ >= 50

 }

Can someone assist in how the alert needs to be structured in order for the alert to push?