
Summary
This detection rule identifies network activity associated with Cobalt Strike Beacons, which threat actors use for command-and-control communication during attacks. It filters out local and private IP addresses so that the analysis focuses on traffic to external destinations that could indicate malicious behavior. The logic collects events from network logs and analyzes, per source/destination pair, the amount of data transferred, the frequency of connections, and the timing gaps between successive packets. Applying statistical measures to these values highlights the regular, low-variance patterns typical of Cobalt Strike beaconing and distinguishes them from ordinary traffic. The rule also performs a DNS lookup on the destination IP addresses involved, adding context to each result and improving analyst triage.
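The following is an added, self-contained illustration of the detection logic described above; it is not the rule's own search and is not code from the rule's authors. It assumes a constructed log format of one connection per line (`<epoch_seconds> <src_ip> <dest_ip> <dest_port> <bytes_out>`), a static table standing in for the rule's DNS lookup, and assumed thresholds (MIN_CONNECTIONS, MAX_INTERVAL_CV, MAX_BYTES_CV) that a real deployment would tune. It filters out non-routable destinations, groups connections by source, destination and port, and flags pairs whose inter-connection gaps and sent-byte counts are both unusually regular.

```python
"""Beacon-style regularity detection over constructed connection logs.

Illustrative example written for this page, not the rule's own logic.
Assumes: constructed log lines, a static DNS context table, and assumed
thresholds (MIN_CONNECTIONS, MAX_INTERVAL_CV, MAX_BYTES_CV).
"""
import ipaddress
import statistics
from collections import defaultdict

# Constructed DNS context (assumption: stands in for the rule's DNS lookup).
DNS_CONTEXT = {
    "203.0.113.10": "cdn-update.example.net",
    "198.51.100.7": "www.example.org",
}

# Constructed sample events. 203.0.113.10 is contacted about every 60 s with
# near-identical sizes (beacon-like); 198.51.100.7 irregularly; 10.0.0.9 is a
# perfectly periodic but private destination and must be filtered out.
SAMPLE_LOG = """\
1707480000 10.0.0.5 203.0.113.10 443 512
1707480060 10.0.0.5 203.0.113.10 443 515
1707480121 10.0.0.5 203.0.113.10 443 510
1707480180 10.0.0.5 203.0.113.10 443 512
1707480240 10.0.0.5 203.0.113.10 443 513
1707480299 10.0.0.5 203.0.113.10 443 511
1707480000 10.0.0.5 198.51.100.7 443 2048
1707480007 10.0.0.5 198.51.100.7 443 128000
1707480400 10.0.0.5 198.51.100.7 443 900
1707481300 10.0.0.5 198.51.100.7 443 3300
1707483500 10.0.0.5 198.51.100.7 443 40
1707480000 10.0.0.5 10.0.0.9 445 100
1707480060 10.0.0.5 10.0.0.9 445 100
1707480120 10.0.0.5 10.0.0.9 445 100
1707480180 10.0.0.5 10.0.0.9 445 100
1707480240 10.0.0.5 10.0.0.9 445 100
"""

MIN_CONNECTIONS = 5    # assumed: enough samples for the statistics to be meaningful
MAX_INTERVAL_CV = 0.2  # assumed: coefficient of variation of gaps between connections
MAX_BYTES_CV = 0.2     # assumed: coefficient of variation of bytes sent per connection

# Local / private ranges the rule excludes (RFC 1918, loopback, link-local,
# "this" network, multicast, broadcast). Documentation ranges such as
# 203.0.113.0/24 are deliberately treated as external so the sample runs.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
    "224.0.0.0/4", "255.255.255.255/32",
)]


def is_external(ip):
    """True when the address falls outside every local/private range above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)


def parse_log(text):
    """Parse the constructed log format into (ts, src, dst, port, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port, nbytes = line.split()
            events.append((int(ts), src, dst, int(port), int(nbytes)))
    return events


def coefficient_of_variation(values):
    """Population stdev / mean; low values mean the series is very regular."""
    mean = statistics.fmean(values)
    return float("inf") if mean == 0 else statistics.pstdev(values) / mean


def detect_beacons(text):
    """Return one finding per (src, dst, port) whose timing and size are beacon-like."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, nbytes in parse_log(text):
        if is_external(dst):                      # drop local/private destinations
            by_pair[(src, dst, port)].append((ts, nbytes))

    findings = []
    for (src, dst, port), conns in by_pair.items():
        if len(conns) < MIN_CONNECTIONS:
            continue
        conns.sort()
        gaps = [b[0] - a[0] for a, b in zip(conns, conns[1:])]
        sizes = [nbytes for _, nbytes in conns]
        gap_cv = coefficient_of_variation(gaps)
        size_cv = coefficient_of_variation(sizes)
        if gap_cv <= MAX_INTERVAL_CV and size_cv <= MAX_BYTES_CV:
            findings.append({
                "src": src, "dest": dst, "dest_port": port, "count": len(conns),
                "mean_gap_s": round(statistics.fmean(gaps), 1),
                "gap_cv": round(gap_cv, 3), "bytes_cv": round(size_cv, 3),
                "dest_name": DNS_CONTEXT.get(dst, "<no DNS context>"),  # DNS enrichment
            })
    return findings


if __name__ == "__main__":
    for finding in detect_beacons(SAMPLE_LOG):
        print(finding)
```

Run as a script it prints a single finding for 203.0.113.10 (six connections, mean gap about 60 s, tiny variation in both timing and size) and nothing for the irregular pair or the private 10.0.0.9 destination. The coefficient of variation is used here so that a 60-second beacon and a 10-minute beacon are judged by the same threshold; Cobalt Strike's configurable jitter widens the gap distribution, which is why the threshold is an assumption to be tuned against baseline traffic rather than a fixed constant.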
Categories
- Network
- Endpoint
Data Sources
- Network Traffic
ATT&CK Techniques
- T1071
Created: 2024-02-09