Botnet incidents involve hosts that attempt connectivity to a known or reported botnet or botnet controller, or that have been rejected or banned consecutive times from a legitimate IRC network.
Hosts suspected of botnet activity should be considered compromised and checked for signs of infection or data theft. The malware associated with these types of incidents is usually not detected by most A/V products and is constantly evolving. Most botnet incidents are vetted by a security analyst before being flagged as incidents, to avoid potential false positives. Most botnet incidents are a one-to-one type of incident, in which the host exhibits a very specific behavior that is difficult to spoof. Other inputs include flags from outside, vetted, and credible sources reporting the activity.
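The two detection criteria above (contact with a known controller, and repeated rejection by a legitimate IRC network) can be expressed as a small triage filter that hands candidates to an analyst rather than flagging them automatically. The following is an added example written for this page, not code from the original text or from any particular monitoring product; the log line format, the controller list, the sample hosts and the three-rejection threshold are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed for this example: a vetted list of reported botnet controller
# addresses. In practice this would come from a credible external feed.
KNOWN_CONTROLLERS = {"203.0.113.7", "198.51.100.200"}

# Number of consecutive IRC rejections that makes a host a candidate.
# The value is an assumption for this example, not a figure from the text.
IRC_BAN_THRESHOLD = 3

# Constructed sample log in a simple "timestamp src dst event" format.
SAMPLE_LOG = """\
2024-05-01T10:00:01 192.0.2.10 203.0.113.7 connect
2024-05-01T10:00:05 192.0.2.11 198.51.100.5 irc-reject
2024-05-01T10:00:09 192.0.2.11 198.51.100.5 irc-reject
2024-05-01T10:00:12 192.0.2.11 198.51.100.5 irc-accept
2024-05-01T10:00:20 192.0.2.11 198.51.100.5 irc-reject
2024-05-01T10:00:21 192.0.2.11 198.51.100.5 irc-reject
2024-05-01T10:00:22 192.0.2.11 198.51.100.5 irc-reject
2024-05-01T10:00:30 192.0.2.12 198.51.100.9 connect
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, event = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "event": event}


def find_botnet_candidates(log_text, known_controllers=KNOWN_CONTROLLERS,
                           ban_threshold=IRC_BAN_THRESHOLD):
    """Return {src_host: [reasons]} for hosts matching either criterion.

    Criterion 1: any connection attempt to a known or reported controller.
    Criterion 2: `ban_threshold` or more consecutive IRC rejections. A
    successful join resets the streak, because the criterion is about
    being turned away repeatedly, not about occasional failures.
    """
    reasons = defaultdict(list)
    streak = Counter()  # current run of consecutive IRC rejections per host
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        src, dst, event = rec["src"], rec["dst"], rec["event"]
        if event == "connect" and dst in known_controllers:
            reasons[src].append(f"contacted known controller {dst}")
        elif event == "irc-reject":
            streak[src] += 1
            if streak[src] == ban_threshold:
                reasons[src].append(
                    f"{ban_threshold} consecutive IRC rejections from {dst}")
        elif event == "irc-accept":
            streak[src] = 0
    return dict(reasons)


def triage_queue(candidates):
    """Queue every candidate for analyst vetting instead of auto-flagging it."""
    return [{"host": host, "reasons": why, "status": "pending-analyst-review"}
            for host, why in sorted(candidates.items())]


if __name__ == "__main__":
    for item in triage_queue(find_botnet_candidates(SAMPLE_LOG)):
        print(item)
```

Run against the constructed log, 192.0.2.10 is queued for contacting a listed controller and 192.0.2.11 for three consecutive rejections after its streak was reset by a successful join; 192.0.2.12 is not queued because its destination is not on the list. The queue status mirrors the page's point that a security analyst vets the event before it becomes an incident.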