Command and Control Beaconing via WEB

Anvilogic Forge

Summary
This detection rule identifies command and control (C2) beaconing behavior through web traffic, a common tactic leveraged by attackers to maintain control over compromised systems. Attackers deploy C2 servers to communicate commands to infected hosts. These hosts often send periodic, predictable requests (beacons) back to the C2 server to check for updates, making this behavior detectable through network traffic analysis. The rule utilizes Sysmon EventCode 3 to monitor specific outbound traffic to common web ports (80, 443, 8080, 8443), looking for patterns indicative of C2 communication. The logic filters out local traffic and checks for signs of unusual connections that could suggest compromise. Given the nature of C2 operations, this rule is particularly vital for organizations under threat from known adversaries such as APT29, APT37, and various malware families including Conti and QakBot. This detection rule can be crucial in the early identification and response to potential intrusions.
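The approach the summary describes (take Sysmon EventCode 3 network-connection records, keep only the web ports, drop local destinations, then look for the periodic cadence that separates a beacon from ordinary browsing) can be shown end to end with a small Python script. This is an added illustration written for this page, not Anvilogic's rule logic or any published implementation; the record layout mimics the Sysmon Event ID 3 field names, the `LOCAL_NETS` list and the coefficient-of-variation threshold are assumptions chosen for the example, and every event in `SAMPLE_EVENTS` is constructed (documentation IP ranges, invented paths), not captured traffic.

```python
"""Toy beacon detector over Sysmon EventCode 3 style records.

Added example, not the detection rule's own code. Field names follow Sysmon
Event ID 3 (UtcTime, Image, DestinationIp, DestinationPort); all sample data
below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Web ports named in the rule summary.
WEB_PORTS = {80, 443, 8080, 8443}

# Assumed "local" destinations to discard before looking for beacons: RFC 1918,
# loopback and link-local. Listed explicitly because ipaddress.is_private also
# matches the documentation ranges (203.0.113.0/24 etc.) used in the sample.
LOCAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def ev(t, image, ip, port):
    """Build a minimal Sysmon EventCode 3 style record (constructed sample)."""
    return {"EventCode": 3, "UtcTime": t, "Image": image,
            "DestinationIp": ip, "DestinationPort": port}


BEACON_IMG = r"C:\Users\alice\AppData\Roaming\update.exe"   # hypothetical
BROWSER_IMG = r"C:\Program Files\Mozilla Firefox\firefox.exe"
SVCHOST_IMG = r"C:\Windows\System32\svchost.exe"

SAMPLE_EVENTS = [
    # implant-like: ~60 s cadence with small jitter to an external host
    ev("2024-02-09 10:00:00.000", BEACON_IMG, "203.0.113.10", 443),
    ev("2024-02-09 10:01:00.300", BEACON_IMG, "203.0.113.10", 443),
    ev("2024-02-09 10:02:00.100", BEACON_IMG, "203.0.113.10", 443),
    ev("2024-02-09 10:03:00.400", BEACON_IMG, "203.0.113.10", 443),
    ev("2024-02-09 10:03:59.900", BEACON_IMG, "203.0.113.10", 443),
    ev("2024-02-09 10:05:00.200", BEACON_IMG, "203.0.113.10", 443),
    # ordinary browsing: bursty, irregular gaps to the same kind of port
    ev("2024-02-09 10:00:05.000", BROWSER_IMG, "198.51.100.7", 443),
    ev("2024-02-09 10:00:07.000", BROWSER_IMG, "198.51.100.7", 443),
    ev("2024-02-09 10:00:50.000", BROWSER_IMG, "198.51.100.7", 443),
    ev("2024-02-09 10:00:51.000", BROWSER_IMG, "198.51.100.7", 443),
    ev("2024-02-09 10:05:05.000", BROWSER_IMG, "198.51.100.7", 443),
    # periodic but internal (a polling service on the LAN): filtered out
    ev("2024-02-09 10:00:00.000", SVCHOST_IMG, "10.0.0.5", 8080),
    ev("2024-02-09 10:01:00.000", SVCHOST_IMG, "10.0.0.5", 8080),
    ev("2024-02-09 10:02:00.000", SVCHOST_IMG, "10.0.0.5", 8080),
    ev("2024-02-09 10:03:00.000", SVCHOST_IMG, "10.0.0.5", 8080),
    # non-web port: outside the rule's scope
    ev("2024-02-09 10:00:30.000", SVCHOST_IMG, "203.0.113.10", 22),
]


def parse_utc(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def is_local(ip):
    addr = ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def web_connections(events):
    """Keep EventCode 3 records to web ports whose destination is not local."""
    return [e for e in events
            if e.get("EventCode") == 3
            and e["DestinationPort"] in WEB_PORTS
            and not is_local(e["DestinationIp"])]


def find_beacons(events, min_count=4, max_cv=0.1):
    """Flag (Image, DestinationIp, DestinationPort) tuples whose connection
    inter-arrival times are near-constant: coefficient of variation
    (stdev / mean of the gaps) at or below max_cv, with at least min_count hits.
    """
    by_key = defaultdict(list)
    for e in web_connections(events):
        key = (e["Image"], e["DestinationIp"], e["DestinationPort"])
        by_key[key].append(parse_utc(e["UtcTime"]))
    hits = {}
    for key, times in by_key.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits[key] = {"count": len(times),
                         "mean_interval": round(avg, 2),
                         "cv": round(cv, 4)}
    return hits


if __name__ == "__main__":
    for key, stats in find_beacons(SAMPLE_EVENTS).items():
        print(key, stats)
```

On the constructed sample only the `update.exe` connections to 203.0.113.10:443 are reported (six hits, roughly 60 s apart, coefficient of variation well under 0.01); the browser's gaps of 2, 43, 1 and 254 seconds give a coefficient above 1 and are ignored, the internal poller is dropped by the local filter, and the SSH connection never enters the candidate set. Real implants add jitter and sleep multipliers, so in production the threshold and the minimum hit count would be tuned against a baseline of the environment's own traffic rather than fixed as here.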
Categories
  • Network
  • Endpoint
  • Cloud
Data Sources
  • Process
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1090.002
  • T1071.001
Created: 2024-02-09