
threatip Search Operator

The threatip operator looks for suspicious IP addresses in your log data. Using the operator provides security analytics that help you to detect threats in your environment, while also protecting against sophisticated and persistent cyber-attacks.

Behind the scenes, the threatip operator uses sumo://threat/cs in log search queries to correlate data in the _sumo_global_feed_cs threat intelligence source. The threatip operator uses the same lookup as the Threat Intel Quick Analysis app, but is simplified to IP threat lookups only.

The only Indicator of Compromise (IOC) type supported is IP address.

Syntax

threatip <ip_address_field>

Response Fields

  • actor
  • malicious_confidence
  • raw_threat
  • type

Example

_sourceCategory=Labs/*
| parse regex "(?<ip_address>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| threatip ip_address
| where !(isNull(malicious_confidence))
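As an added illustration (not Sumo Logic's implementation), the Python sketch below mirrors the example query offline: it extracts IPv4 candidates with the same regex, validates the octets, joins against a constructed threat-intel table that returns the four response fields, and keeps only rows whose malicious_confidence is not null. The feed contents, actor names and log lines are all made up for the example.

```python
import ipaddress
import re
from typing import Optional

# Same IPv4 pattern the page's query passes to "parse regex". It has no
# trailing \b and accepts octets above 255, so candidates are validated below.
IPV4_RE = re.compile(r"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")

# Constructed stand-in for the _sumo_global_feed_cs lookup: indicator -> the
# four response fields the operator returns. All values here are made up.
THREAT_FEED = {
    "203.0.113.7": {"actor": "EXAMPLE-ACTOR", "malicious_confidence": "high",
                    "raw_threat": "ip_address: 203.0.113.7", "type": "ip_address"},
    "198.51.100.22": {"actor": "EXAMPLE-ACTOR-2", "malicious_confidence": "medium",
                      "raw_threat": "ip_address: 198.51.100.22", "type": "ip_address"},
}

def parse_ip(message: str) -> Optional[str]:
    """Mirror '| parse regex': first regex match that is a valid IPv4, else None."""
    for m in IPV4_RE.finditer(message):
        try:
            ipaddress.IPv4Address(m.group(0))  # rejects e.g. 999.1.1.1
        except ValueError:
            continue
        return m.group(0)
    return None

def threatip(ip_address: Optional[str]) -> dict:
    """Mirror '| threatip ip_address': the four fields, all null when no match."""
    hit = THREAT_FEED.get(ip_address) if ip_address else None
    return dict(hit) if hit else {"actor": None, "malicious_confidence": None,
                                  "raw_threat": None, "type": None}

def run_query(messages):
    """Whole pipeline: parse -> threatip -> where !(isNull(malicious_confidence))."""
    results = []
    for msg in messages:
        ip = parse_ip(msg)
        row = {"_raw": msg, "ip_address": ip, **threatip(ip)}
        if row["malicious_confidence"] is not None:
            results.append(row)
    return results

# Constructed sample log lines standing in for _sourceCategory=Labs/*.
SAMPLE_LOGS = [
    "accepted connection from 203.0.113.7 port 51514",
    "accepted connection from 10.0.0.5 port 22",
    "bogus address 999.1.1.1 in payload",
    "denied 198.51.100.22 -> 10.0.0.8",
]
```

Because the page's pattern has no trailing word boundary and does not bound octets at 255, the sketch validates each candidate with ipaddress before the lookup; in a real search, a message with no match is dropped by parse regex unless you add nodrop.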

Copyright © 2025 by Sumo Logic, Inc.