
Activity observed associated with a malicious IP identified by Datadog Security Research

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects authentication, network, and API activity in OCSF-normalized logs where the source endpoint IP is flagged as malicious by Datadog Security Research threat intelligence.

Strategy

This rule monitors OCSF events whose class_uid falls in authentication (3001 through 3006), network (4001 through 4014), or application activity (6001 through 6007) ranges, with threat enrichment where @threat_intel.results.source.name is Datadog Security Research, @threat_intel.results.intention is malicious, and @threat_intel.indicators_matched is IP.
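
The match criteria above, re-implemented as an added Python example (not Datadog's rule definition) and run over constructed OCSF-style events; the nested layout of the enriched log and the sample values are assumptions.

```python
# Added example, not Datadog's own rule definition; log layout is assumed.
# class_uid ranges named by the rule: authentication, network, application
CLASS_UID_RANGES = ((3001, 3006), (4001, 4014), (6001, 6007))

def in_monitored_class(class_uid):
    """True if class_uid is an int inside one of the three monitored ranges."""
    return isinstance(class_uid, int) and any(
        lo <= class_uid <= hi for lo, hi in CLASS_UID_RANGES)

def as_list(value):
    """Enrichment fields may arrive as a scalar or a list; normalize to list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def matches_rule(event):
    """Monitored class_uid, indicator type IP, malicious Datadog Security Research result."""
    ocsf = event.get("@ocsf", {})
    if not in_monitored_class(ocsf.get("class_uid")):
        return False
    ti = event.get("@threat_intel", {})
    if "IP" not in as_list(ti.get("indicators_matched")):
        return False
    return any(r.get("source", {}).get("name") == "Datadog Security Research"
               and r.get("intention") == "malicious"
               for r in as_list(ti.get("results")))

def triage_fields(event):
    """Pull the attributes the Triage & Response steps reference."""
    ocsf = event.get("@ocsf", {})
    return {"src_ip": ocsf.get("src_endpoint", {}).get("ip"),
            "event_code": ocsf.get("metadata", {}).get("event_code"),
            "actor_uid": ocsf.get("actor", {}).get("user", {}).get("uid")}
# Constructed sample events: documentation-range IPs, made-up codes and uids.
DDSR = {"source": {"name": "Datadog Security Research"}, "intention": "malicious"}
SAMPLE_EVENTS = [
    # 3002 (authentication) plus malicious IP intel: should match
    {"@ocsf": {"class_uid": 3002, "src_endpoint": {"ip": "203.0.113.7"},
               "metadata": {"event_code": "ConsoleLogin"},
               "actor": {"user": {"uid": "u-123"}}},
     "@threat_intel": {"indicators_matched": ["IP"], "results": [DDSR]}},
    # 1001 (system activity) is outside the monitored ranges: no match
    {"@ocsf": {"class_uid": 1001, "src_endpoint": {"ip": "203.0.113.7"}},
     "@threat_intel": {"indicators_matched": ["IP"], "results": [DDSR]}},
    # 4001 (network) but intention is 'suspicious', not 'malicious': no match
    {"@ocsf": {"class_uid": 4001, "src_endpoint": {"ip": "198.51.100.9"}},
     "@threat_intel": {"indicators_matched": ["IP"],
                       "results": [dict(DDSR, intention="suspicious")]}},
]
def matching_events(events=SAMPLE_EVENTS):
    return [triage_fields(e) for e in events if matches_rule(e)]
```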

Triage & Response

  • Examine {{@ocsf.src_endpoint.ip}} against typical geography, ASN, and carrier patterns for your organization and the affected service.
  • Review {{@ocsf.metadata.event_code}} and surrounding OCSF attributes to determine which operation or API call occurred and which resource was touched.
  • Identify the initiating principal when present, using {{@ocsf.actor.user.uid}} or related user fields tied to the event.
  • Check Cloud SIEM IP investigation workflows or saved views for additional events involving the same source address.
  • Determine whether the traffic aligns with approved scanners, third-party integrations, or expected outbound paths rather than unexpected client behavior.