---
title: >-
  Activity observed associated with a malicious IP identified by Datadog
  Security Research
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Activity observed associated with a
  malicious IP identified by Datadog Security Research
---

# Activity observed associated with a malicious IP identified by Datadog Security Research

{% alert level="danger" %}
This rule is part of a beta feature. To learn more, [contact Support](https://docs.datadoghq.com/help/).
{% /alert %}
- Classification: threat-intel
- Tactic: [TA0011-command-and-control](https://attack.mitre.org/tactics/TA0011)
- Technique: [T1071-application-layer-protocol](https://attack.mitre.org/techniques/T1071)

## Goal{% #goal %}

Detects authentication, network, and API activity in OCSF-normalized logs where the source endpoint IP is flagged as malicious by Datadog Security Research threat intelligence.

## Strategy{% #strategy %}

This rule monitors OCSF events whose `class_uid` falls in authentication (`3001` through `3006`), network (`4001` through `4014`), or application activity (`6001` through `6007`) ranges, with threat enrichment where `@threat_intel.results.source.name` is `Datadog Security Research`, `@threat_intel.results.intention` is `malicious`, and `@threat_intel.indicators_matched` is `IP`.
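
As an added illustration, and not code from the Datadog rule engine itself, the following Python sketch re-implements the conditions above over OCSF events represented as nested dictionaries (the `@` prefix of a Datadog log attribute maps to a nested key here). The sample events are constructed, and treating `threat_intel.results` and `threat_intel.indicators_matched` as either a scalar or a list is an assumption made for this example, not something the page documents.

```python
"""Re-implementation of the rule's matching logic for illustration only."""
from typing import Any, Dict, Iterable, List

# class_uid ranges named by the rule (inclusive on both ends)
AUTHENTICATION = range(3001, 3007)
NETWORK = range(4001, 4015)
APPLICATION = range(6001, 6008)

# enrichment values the rule requires
SOURCE_NAME = "Datadog Security Research"
INTENTION = "malicious"
INDICATOR = "IP"


def _as_list(value: Any) -> List[Any]:
    """Treat a scalar and a list uniformly (assumption: enrichment fields may be either)."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _get(event: Dict[str, Any], path: str) -> Any:
    """Walk a dotted path through nested dicts, returning None on any miss."""
    cur: Any = event
    for key in path.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(key)
    return cur


def in_monitored_class(class_uid: Any) -> bool:
    """True when class_uid lies in one of the three OCSF ranges the rule monitors."""
    return isinstance(class_uid, int) and (
        class_uid in AUTHENTICATION or class_uid in NETWORK or class_uid in APPLICATION
    )


def matches_rule(event: Dict[str, Any]) -> bool:
    """Return True when an event satisfies every condition of the rule."""
    if not in_monitored_class(_get(event, "class_uid")):
        return False
    if INDICATOR not in _as_list(_get(event, "threat_intel.indicators_matched")):
        return False
    # Any matched result from Datadog Security Research flagged malicious qualifies.
    for result in _as_list(_get(event, "threat_intel.results")):
        if not isinstance(result, dict):
            continue
        if (_get(result, "source.name") == SOURCE_NAME
                and result.get("intention") == INTENTION):
            return True
    return False


def triage_fields(event: Dict[str, Any]) -> Dict[str, Any]:
    """Pull the attributes the Triage & Response steps tell the analyst to examine."""
    return {
        "src_ip": _get(event, "src_endpoint.ip"),
        "event_code": _get(event, "metadata.event_code"),
        "actor_uid": _get(event, "actor.user.uid"),
    }


def fired_events(events: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Run the rule over a batch and return the triage fields of each match."""
    return [triage_fields(e) for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry); 203.0.113.0/24 is a documentation range.
SAMPLE_EVENTS = [
    {   # authentication event enriched as malicious by Datadog Security Research: fires
        "class_uid": 3002,
        "metadata": {"event_code": "ConsoleLogin"},
        "src_endpoint": {"ip": "203.0.113.10"},
        "actor": {"user": {"uid": "alice"}},
        "threat_intel": {
            "indicators_matched": ["IP"],
            "results": [{"source": {"name": "Datadog Security Research"},
                         "intention": "malicious"}],
        },
    },
    {   # network event, same IP, but intention is "suspicious" rather than "malicious": no fire
        "class_uid": 4001,
        "src_endpoint": {"ip": "203.0.113.10"},
        "threat_intel": {
            "indicators_matched": "IP",
            "results": {"source": {"name": "Datadog Security Research"},
                        "intention": "suspicious"},
        },
    },
    {   # class_uid outside the monitored ranges: no fire even though enrichment matches
        "class_uid": 1001,
        "threat_intel": {
            "indicators_matched": ["IP"],
            "results": [{"source": {"name": "Datadog Security Research"},
                         "intention": "malicious"}],
        },
    },
]

if __name__ == "__main__":
    for hit in fired_events(SAMPLE_EVENTS):
        print(hit)
```

Running the batch yields a single hit carrying the source IP, event code, and actor UID, which are exactly the fields the triage steps start from; the second and third events show the two ways an enriched event still fails the rule (wrong intention, class outside the monitored ranges).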

## Triage & Response{% #triage--response %}

- Examine `{{@ocsf.src_endpoint.ip}}` against typical geography, ASN, and carrier patterns for your organization and the affected service.
- Review `{{@ocsf.metadata.event_code}}` and surrounding OCSF attributes to determine which operation or API call occurred and which resource was touched.
- Identify the initiating principal when present, using `{{@ocsf.actor.user.uid}}` or related user fields tied to the event.
- Check Cloud SIEM IP investigation workflows or saved views for additional events involving the same source address.
- Determine whether the traffic aligns with approved scanners, third-party integrations, or expected outbound paths rather than unexpected client behavior.
