Question 9 of 10
Your SIEM generates an alert showing an internal workstation making repeated outbound connections to an external IP address on port 8443 at regular 60-second intervals. Walk through your investigation process and explain what this behavior might indicate.
Sample answer preview
This alert describes a pattern known as beaconing, which is one of the most important indicators of a potential command-and-control (C2) compromise. The regular 60-second interval and the use of a non-standard HTTPS port (8443 instead of 443) make this especially suspicious.
beaconing, command and control, C2, threat intelligence, SIEM, EDR
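The interval check behind an alert like this one, as an added example that is not part of the original answer: it groups connection records by source, destination and port, then flags flows whose inter-arrival times are nearly constant. The log format, addresses, function names and thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed records: "timestamp,src,dst,dst_port" (RFC 5737 documentation
# addresses; not real telemetry). One steady 60 s flow, one bursty flow,
# and one flow with too few events to judge.
SAMPLE_LOG = """\
2024-05-01T10:00:00,10.0.0.15,203.0.113.7,8443
2024-05-01T10:00:05,10.0.0.15,198.51.100.20,443
2024-05-01T10:00:07,10.0.0.15,198.51.100.20,443
2024-05-01T10:01:01,10.0.0.15,203.0.113.7,8443
2024-05-01T10:02:00,10.0.0.15,203.0.113.7,8443
2024-05-01T10:02:40,10.0.0.15,198.51.100.20,443
2024-05-01T10:02:41,10.0.0.15,198.51.100.20,443
2024-05-01T10:03:00,10.0.0.15,203.0.113.7,8443
2024-05-01T10:03:59,10.0.0.15,203.0.113.7,8443
2024-05-01T10:05:00,10.0.0.15,203.0.113.7,8443
2024-05-01T10:09:12,10.0.0.15,198.51.100.20,443
2024-05-01T10:09:30,10.0.0.15,198.51.100.20,443
2024-05-01T10:00:00,10.0.0.22,203.0.113.7,8443
2024-05-01T10:01:00,10.0.0.22,203.0.113.7,8443
"""

def group_flows(log_text):
    """Return {(src, dst, port): [datetime, ...]} from the CSV-style log."""
    flows = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, src, dst, port = (f.strip() for f in line.split(","))
        flows[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    return flows

def find_beacons(log_text, min_events=5, max_cv=0.1):
    """Flag flows with enough events and a low coefficient of variation
    (stddev / mean) of the gaps between connections. Thresholds are assumed."""
    hits = []
    for flow, times in group_flows(log_text).items():
        if len(times) < min_events:
            continue  # too few samples to call the timing regular
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all events share one timestamp; no interval to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"flow": flow, "events": len(times),
                         "interval_s": round(avg, 1), "cv": round(cv, 3)})
    return hits

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

A low coefficient of variation only shows that the timing is machine-like; legitimate agents such as update checkers and monitoring clients poll on fixed schedules too, so a hit is a lead for the rest of the investigation, not a verdict.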