Do you have a sample of the log entry that you want to base your rule on? Once I see the associated fields with that particular entry I can advise on the rule & alert.
The correlation appears to be looking for a "HostIncident," which can only be generated by the LEM itself. Unless you have another rule that looks for those DNS events under the appropriate taxonomy, like an ObjectAudit or other event calls, and makes a host incident, your rule will probably never fire. Seeing how the SEM is normalizing the event so the appropriate correlations can be chosen will help.