threatip Search Operator
The threatip operator correlates IP addresses from your log data against the _sumo_global_feed_cs threat intelligence source. This provides security analytics that help you detect threats in your environment and protect against sophisticated and persistent cyber-attacks.
The threatip operator uses the same lookup as the Threat Intel Quick Analysis app, but is simplified for IP threat lookups only.
The only Indicator of Compromise (IOC) type supported is IP address.
Syntax
threatip <ip_address_field>
Response Fields
- actor
- malicious_confidence
- raw_threat
- type
Example
_sourceCategory=Labs/*
| parse regex "(?<ip_address>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| threatip ip_address
| where !(isNull(malicious_confidence))
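The pipeline above, as an added example that is not Sumo Logic's code: a Python emulation of the parse regex, threatip enrichment and isNull filter steps against a constructed stand-in for the _sumo_global_feed_cs lookup (the feed entry, the actor name and the log lines are invented sample data on documentation address ranges).

```python
import re

# Same pattern the page's query uses for its parse regex step.
IP_PATTERN = re.compile(r"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")

# Constructed stand-in for the _sumo_global_feed_cs lookup: invented sample
# entries on a documentation address range, not real indicators.
THREAT_FEED = {
    "203.0.113.7": {
        "actor": "PLACEHOLDER-ACTOR",
        "malicious_confidence": "high",
        "raw_threat": "constructed feed record",
        "type": "ip_address",
    },
}
RESPONSE_FIELDS = ("actor", "malicious_confidence", "raw_threat", "type")

def parse_ip(message):
    """Emulate `parse regex`: first dotted quad in the message, or None."""
    match = IP_PATTERN.search(message)
    return match.group(0) if match else None

def threatip(records, ip_field="ip_address"):
    """Emulate `threatip <ip_field>`: add the four response fields to each record.
    Records whose IP is not in the feed get them set to None, which is what the
    page's `where !(isNull(malicious_confidence))` filter relies on."""
    enriched = []
    for record in records:
        hit = THREAT_FEED.get(record.get(ip_field), {})
        enriched.append({**record, **{f: hit.get(f) for f in RESPONSE_FIELDS}})
    return enriched

def run_query(log_lines):
    """Run the page's pipeline: parse the IP, enrich it, keep only feed hits."""
    parsed = [{"_raw": line, "ip_address": parse_ip(line)} for line in log_lines]
    parsed = [r for r in parsed if r["ip_address"] is not None]
    return [r for r in threatip(parsed) if r["malicious_confidence"] is not None]

# Constructed sample log lines; only the second carries an IP found in the feed.
SAMPLE_LOGS = [
    "Accepted publickey for ops from 198.51.100.23 port 51234",
    "Connection attempt from 203.0.113.7 port 445 rejected",
    "scheduler heartbeat ok",
]

if __name__ == "__main__":
    for hit in run_query(SAMPLE_LOGS):
        print(hit["ip_address"], hit["actor"], hit["malicious_confidence"])
```

The page's pattern has no trailing word boundary and accepts octets above 255, so a token such as 203.0.113.700 would be looked up as 203.0.113.7; tighten the regex or validate the parsed field before the threatip step if your logs can contain such values.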