• Are there instances of beaconing observed in my network?

• What external destinations are being beaconed to?

• Which hosts are potentially infected, not just the IP address?

• Does the beaconing cadence demonstrate unusual request/response frequency?

• Is the payload size something I would normally see?

• Does the beacon have a rare or unusual JA3 hash?

• Is the traffic going to unusual external destination?

• What is the privilege level of the hosts that are beaconing?

• Are beaconing sessions obfuscated within a single, long connection?

• Does the connection use unusual services and protocols?

References:

• https://www.activecountermeasures.com/threat-simulation-beacons

• https://www.blackhillsinfosec.com/detecting-malware-beacons-with-zeek-and-rita/

• https://www.vectra.ai/blogpost/not-all-data-is-created-the-same