---
title: >-
  Network Traffic observed associated with a malicious IP Address identified by
  Recorded Future
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Network Traffic observed associated
  with a malicious IP Address identified by Recorded Future
---

# Network Traffic observed associated with a malicious IP Address identified by Recorded Future

{% alert level="danger" %}
This rule is part of a beta feature. To learn more, [contact Support](https://docs.datadoghq.com/help/).
{% /alert %}
- Classification: threat-intel
- Tactic: [TA0011-command-and-control](https://attack.mitre.org/tactics/TA0011)
- Technique: [T1566-phishing](https://attack.mitre.org/techniques/T1566)

## Goal{% #goal %}

Detect network traffic to or from IP addresses identified as malicious by Recorded Future threat intelligence.

## Strategy{% #strategy %}

This rule monitors network activity logs (authentication, network activity, and web activity events) enriched with Recorded Future threat intelligence. It triggers when a host successfully communicates with an IP address flagged as malicious by Recorded Future.
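To make the matching logic concrete, the following is an added, stand-alone Python illustration of the same idea (example code written for this page, not Datadog's rule engine or Recorded Future's enrichment). It assumes OCSF-style events with `src_endpoint.ip` / `dst_endpoint.ip` fields and a `status` field, and it uses a constructed threat-intel set made of RFC 5737 documentation addresses rather than real indicators. Only successful communications are reported, and each finding names the affected host on the other side of the match so it can feed the triage steps below.

```python
"""Illustrative re-implementation of a threat-intel IP match over OCSF-style
network events. Added example; field names and the feed are assumptions."""
import ipaddress
from typing import Iterable, Optional

# Constructed threat-intel feed. These are RFC 5737 documentation addresses,
# not real indicators; in the real rule this comes from Recorded Future.
MALICIOUS_IPS = frozenset({"203.0.113.7", "198.51.100.23"})

# Constructed OCSF-style events (assumed src_endpoint / dst_endpoint layout).
SAMPLE_EVENTS = [
    {"class_name": "Network Activity", "status": "Success",
     "src_endpoint": {"ip": "10.0.0.5", "hostname": "ws-01"},
     "dst_endpoint": {"ip": "203.0.113.7", "port": 443}},
    # Failed connection to the same IP: the rule requires a successful exchange.
    {"class_name": "Network Activity", "status": "Failure",
     "src_endpoint": {"ip": "10.0.0.6", "hostname": "ws-02"},
     "dst_endpoint": {"ip": "203.0.113.7", "port": 443}},
    # Inbound case: the flagged IP is the source of an authentication event.
    {"class_name": "Authentication", "status": "Success",
     "src_endpoint": {"ip": "198.51.100.23"},
     "dst_endpoint": {"ip": "10.0.0.9", "hostname": "vpn-gw"}},
    # Benign traffic to an unflagged documentation address.
    {"class_name": "HTTP Activity", "status": "Success",
     "src_endpoint": {"ip": "10.0.0.7", "hostname": "ws-03"},
     "dst_endpoint": {"ip": "192.0.2.10", "port": 80}},
]


def normalize(ip: Optional[str]) -> Optional[str]:
    """Canonicalize an IP string (e.g. IPv6 case/zero compression) so feed
    lookups are exact; returns None for missing or malformed values."""
    if not ip:
        return None
    try:
        return str(ipaddress.ip_address(ip))
    except ValueError:
        return None


def detect(events: Iterable[dict], feed: frozenset = MALICIOUS_IPS) -> list:
    """Return one finding per successful event whose source or destination
    IP is in the threat-intel feed."""
    feed = frozenset(n for n in (normalize(ip) for ip in feed) if n)
    findings = []
    for ev in events:
        if ev.get("status") != "Success":
            continue  # only successful communications trigger
        matched = [side for side in ("src_endpoint", "dst_endpoint")
                   if normalize(ev.get(side, {}).get("ip")) in feed]
        if not matched:
            continue
        bad_side = matched[0]
        other = "dst_endpoint" if bad_side == "src_endpoint" else "src_endpoint"
        host = ev.get(other, {})
        findings.append({
            "class_name": ev.get("class_name"),
            "malicious_ip": ev[bad_side]["ip"],
            "direction": "inbound" if bad_side == "src_endpoint" else "outbound",
            "affected_host": host.get("hostname") or host.get("ip"),
        })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Running the script prints two findings: an outbound match for `ws-01` and an inbound match against `vpn-gw`; the failed connection and the benign request produce nothing.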

## Triage & Response{% #triage--response %}

1. Identify the source host `{{@ocsf.src_endpoint.ip}}` involved in the suspicious communication.
1. Investigate whether the host is actively communicating with a known C2 IP. If it is, isolate the host immediately and begin incident response procedures.
1. Review the full network activity from the affected host for evidence of lateral movement, data exfiltration, or additional C2 channels.
