One of the widely used tool for red-teaming/attackers are from Cobalt Strike which ExtraHop ML actually covers them under the “Application Layer Protocol, T1071”.
What information are being used by ExtraHop to determine that this bunch of traffic can be classified as “Cobalt Strike”?
I only managed to see details about what specific Cobalt Strike does in terms of the attack background but is unable to clearly identify what is being looked out for (e.g. user agent? some keywords in the URI?).