
Summary
This detection rule identifies connections that Cisco Secure Firewall Threat Defense logs flag with a high Encrypted Visibility Engine (EVE) threat confidence score (80 or greater), which indicates possible malware command and control (C2) activity inside encrypted traffic. The score, carried in the EVE_ThreatConfidencePct field, is derived from machine learning models and behavioral analysis of the TLS session; higher values point to issues such as remote access tools or suspicious tunneling behavior. The rule captures and evaluates connection events from hosts suspected of conducting covert communications over TLS. It uses a dedicated search query to gather the relevant connection events and applies statistical aggregation to track event instances over time, so that such activity can be identified and responded to promptly.
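The following is an added example, not the rule's own search query or code from Cisco or the rule's author: a small stand-in for the detection logic described above (filter on EVE_ThreatConfidencePct at or above 80, then aggregate matching connection events over time), run over a handful of constructed connection-event lines. Only the field name EVE_ThreatConfidencePct comes from the page; SrcIP, DstIP, DstPort, Protocol and EVE_Process, and the key: value line layout, are assumptions modelled on key=value style firewall syslog and exist here only so the example can run offline.

```python
"""Stand-in for the 'high EVE threat confidence' detection (added example).

The sample events below are constructed, not real firewall logs. Field names
other than EVE_ThreatConfidencePct are assumed for illustration.
"""

THRESHOLD = 80  # EVE_ThreatConfidencePct at or above this value fires the rule

# Constructed sample events: "<ISO timestamp> key: value, key: value, ..."
SAMPLE_EVENTS = [
    "2025-04-02T10:01:05Z SrcIP: 10.0.0.5, DstIP: 203.0.113.10, DstPort: 443, Protocol: tcp, EVE_Process: unknown, EVE_ThreatConfidencePct: 92",
    "2025-04-02T10:03:41Z SrcIP: 10.0.0.5, DstIP: 203.0.113.10, DstPort: 443, Protocol: tcp, EVE_Process: unknown, EVE_ThreatConfidencePct: 88",
    "2025-04-02T10:04:12Z SrcIP: 10.0.0.7, DstIP: 198.51.100.20, DstPort: 443, Protocol: tcp, EVE_Process: firefox, EVE_ThreatConfidencePct: 12",
    "2025-04-02T10:05:30Z SrcIP: 10.0.0.9, DstIP: 192.0.2.44, DstPort: 8443, Protocol: tcp, EVE_Process: unknown, EVE_ThreatConfidencePct: 80",
    # Event without an EVE score (e.g. unscored session): must be skipped, not treated as 0 or as a hit.
    "2025-04-02T10:06:02Z SrcIP: 10.0.0.9, DstIP: 192.0.2.44, DstPort: 8443, Protocol: tcp, EVE_Process: unknown",
    "2025-04-02T10:07:15Z SrcIP: 10.0.0.3, DstIP: 198.51.100.21, DstPort: 443, Protocol: tcp, EVE_Process: chrome, EVE_ThreatConfidencePct: 79",
]


def parse_event(line):
    """Split one constructed 'timestamp key: value, ...' line into a dict."""
    timestamp, _, body = line.partition(" ")
    fields = {"timestamp": timestamp}
    for pair in body.split(", "):
        key, sep, value = pair.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def eve_score(event):
    """Return EVE_ThreatConfidencePct as an int, or None if missing or non-numeric."""
    try:
        return int(event.get("EVE_ThreatConfidencePct"))
    except (TypeError, ValueError):
        return None


def detect_high_eve_confidence(lines, threshold=THRESHOLD):
    """Keep events scoring >= threshold and aggregate them per (src, dst, port).

    Mirrors the rule's filter-then-aggregate shape: count of matching events,
    first and last seen time, highest score observed, and the set of EVE
    process labels, keyed by the connection tuple.
    """
    buckets = {}
    for line in lines:
        event = parse_event(line)
        score = eve_score(event)
        if score is None or score < threshold:
            continue
        key = (event.get("SrcIP"), event.get("DstIP"), event.get("DstPort"))
        bucket = buckets.setdefault(key, {
            "count": 0,
            "firstTime": event["timestamp"],
            "lastTime": event["timestamp"],
            "maxScore": score,
            "processes": set(),
        })
        bucket["count"] += 1
        # ISO-8601 UTC timestamps sort lexicographically, so min/max are safe here.
        bucket["firstTime"] = min(bucket["firstTime"], event["timestamp"])
        bucket["lastTime"] = max(bucket["lastTime"], event["timestamp"])
        bucket["maxScore"] = max(bucket["maxScore"], score)
        bucket["processes"].add(event.get("EVE_Process", "unknown"))
    return buckets


if __name__ == "__main__":
    for (src, dst, port), agg in detect_high_eve_confidence(SAMPLE_EVENTS).items():
        print(f"{src} -> {dst}:{port}  count={agg['count']}  maxScore={agg['maxScore']}  "
              f"first={agg['firstTime']}  last={agg['lastTime']}  "
              f"processes={sorted(agg['processes'])}")
```

Two details matter for a real deployment of this logic: an event with no EVE score is dropped rather than scored as zero (so unscored sessions never inflate or suppress results), and the score of exactly 80 is included, matching the "equal to or greater than 80" condition in the summary.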
Categories
- Network
Data Sources
- Container
- User Account
- Windows Registry
- Network Traffic
- Application Log
- Cloud Service
ATT&CK Techniques
- T1041
- T1071.001
- T1105
- T1573.002
Created: 2025-04-02