Find Threats with Log Queries
Use the lookup search operator​
The Sumo Logic threat intelligence sources in the threat intelligence datastore contain threat indicators supplied by third party intel vendors and maintained by Sumo Logic:
Any Sumo Logic user can use the lookup
search operator to point to a Sumo Logic threat intelligence source to search for potential threats:
SumoLogic_ThreatIntel
. Usesumo://threat/i471
in log search queries._sumo_global_feed_cs
. Usesumo://threat/cs
in log search queries.
For example:
_sourceCategory=cylance "IP Address"
| parse regex "(?<ip_address>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| where !isNull(ip_address)
| where ip_address != "0.0.0.0" and ip_address != "127.0.0.1"
| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/i471 on threat=ip_address
For more information, see Threat Intel optimization in the Threat Intel Quick Analysis article.
All the dashboards in the Threat Intel Quick Analysis app use threat intelligence sources to find threats. To see the queries, open a dashboard in the app, click the three-dot kebab in the upper-right corner of the dashboard panel, and select Open in Log Search. You can copy these queries and use them as templates for your own queries to find threats.
Use the threatip search operator​
To find threats using IP addresses, use the threatip
search operator. This operator correlates data in the Sumo Logic threat intelligence sources based on IP addresses from your log data.
For more information, see threatip Search Operator.