
Find Threats with Log Queries

The _sumo_global_feed_cs source in the threat intelligence datastore contains threat indicators supplied by third-party intel vendors and maintained by Sumo Logic.

Global feed in the Threat Intelligence tab

Any Sumo Logic user can use this global feed to search for potential threats. To search with the global feed, use sumo://threat/cs in log search queries. For example:

_sourceCategory=cylance "IP Address"
| parse regex "(?<ip_address>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| where !isNull(ip_address)
| where ip_address != "0.0.0.0" and ip_address != "127.0.0.1"
| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=ip_address
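The same pipeline as the query above (scope, parse the IP, drop nulls and local addresses, look up the feed), written as an added Python example that is not Sumo Logic's code; it runs offline against constructed log lines and a constructed table that stands in for sumo://threat/cs.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# The page's regex plus a trailing \b, so "10.0.0.12345" is not read as "10.0.0.123";
# \d{1,3} still admits octets such as 999, which extract_ip() rejects separately.
IP_PATTERN = re.compile(r"\b(?P<ip_address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b")
EXCLUDED = {"0.0.0.0", "127.0.0.1"}  # dropped by the query before the lookup
# Constructed stand-in for sumo://threat/cs with the columns the query reads (invented row).
THREAT_FEED: Dict[str, Dict[str, str]] = {
    "203.0.113.7": {"type": "ip_address", "actor": "CONSTRUCTED-ACTOR",
                    "raw": "constructed feed row", "threatlevel": "high"},
}

# Constructed log lines shaped like the _sourceCategory=cylance "IP Address" scope.
LOG_LINES = [
    '2025-01-15T10:01:02Z cylance "IP Address" 203.0.113.7 outbound connection blocked',
    '2025-01-15T10:01:05Z cylance "IP Address" 127.0.0.1 local health check',
    '2025-01-15T10:01:09Z cylance "IP Address" 198.51.100.23 outbound connection allowed',
    '2025-01-15T10:01:12Z cylance heartbeat ok',
    '2025-01-15T10:01:15Z cylance "IP Address" 999.1.1.1 malformed record',
]


def extract_ip(line: str) -> Optional[str]:
    """Equivalent of '| parse regex ...' followed by '| where !isNull(ip_address)'."""
    if (match := IP_PATTERN.search(line)) is None:
        return None
    candidate = match.group("ip_address")
    try:
        ipaddress.IPv4Address(candidate)  # rejects octets above 255
    except ValueError:
        return None
    return candidate


def find_threats(lines: List[str]) -> List[Dict[str, str]]:
    """Scope, parse, exclude, lookup; returns only rows that matched the feed."""
    hits = []
    for line in lines:
        if '"IP Address"' not in line:  # mirrors the "IP Address" keyword in the scope
            continue
        ip = extract_ip(line)
        if ip is None or ip in EXCLUDED:
            continue
        row = THREAT_FEED.get(ip)
        if row is None:
            continue
        # 'threatlevel as malicious_confidence' in the query's lookup clause.
        hits.append({"ip_address": ip, "malicious_confidence": row["threatlevel"], **row})
    return hits
```

In Sumo Logic the lookup keeps rows with no feed match and leaves the looked-up fields null; to see only matches, as this function returns, append | where !isNull(malicious_confidence) to the query.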

For more information about how to use sumo://threat/cs in queries, see Threat Intel optimization in the Threat Intel Quick Analysis article.

Tip: All the dashboards in the Threat Intel Quick Analysis app use the global feed to find threats. To see the queries, open a dashboard in the app, click the three-dot kebab in the upper-right corner of the dashboard panel, and select Open in Log Search. You can copy these queries and use them as templates for your own queries to find threats.

Use the threatip search operator

To find threats using IP addresses, use the threatip search operator. This operator correlates data in the _sumo_global_feed_cs threat intelligence source based on IP addresses from your log data.

For more information, see threatip Search Operator.


Copyright © 2025 by Sumo Logic, Inc.