How to figure out if encrypted incoming traffic is malicious or benign?

I was going around when I saw a certain post about questions for SOC analysts. One of those questions (Q9) intrigues me:

Some questions

What are some ways one can figure out of some encrypted incoming traffic carries malicious some payload?