
Find Threats with Log Queries

Use the lookup search operator

The Sumo Logic threat intelligence sources in the threat intelligence datastore contain threat indicators supplied by third-party intel vendors and maintained by Sumo Logic.

(Screenshot: Global feed in the Threat Intelligence tab)

Any Sumo Logic user can use the lookup search operator to point to a Sumo Logic threat intelligence source to search for potential threats:

  • SumoLogic_ThreatIntel. Use sumo://threat/i471 in log search queries.
  • _sumo_global_feed_cs. Use sumo://threat/cs in log search queries.

For example:

_sourceCategory=cylance "IP Address"
| parse regex "(?<ip_address>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| where !isNull(ip_address)
| where ip_address != "0.0.0.0" and ip_address != "127.0.0.1"
| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/i471 on threat=ip_address
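To see what each stage of that query does before running it against live data, here is an added Python simulation of the same pipeline (not Sumo Logic code): the same regex, the same null and loopback filters, and the lookup join against a constructed stand-in for the sumo://threat/i471 table. The log lines and indicator entry are constructed for illustration; the IPv4 validity check is an addition, since the page's regex alone also accepts octets above 255.

```python
import re
import ipaddress

# Constructed sample log lines (not real Cylance output), in the spirit of the
# records that `_sourceCategory=cylance "IP Address"` would return.
SAMPLE_LOGS = [
    "Event: ThreatDetected IP Address: 203.0.113.45 Device: host-01",
    "Event: Heartbeat IP Address: 127.0.0.1 Device: host-02",
    "Event: Heartbeat IP Address: 0.0.0.0 Device: host-03",
    "Event: ThreatDetected IP Address: 198.51.100.7 Device: host-04",
    "Event: PolicyUpdate Device: host-05",
]

# Constructed stand-in for the sumo://threat/i471 indicator source:
# indicator value -> the fields the query pulls back.
THREAT_TABLE = {
    "203.0.113.45": {"type": "ip", "actor": "example-actor",
                     "raw": "constructed raw indicator", "threatlevel": "high"},
}

# Same pattern as the query; Python spells a named group (?P<name>...)
# where Sumo's parse regex uses (?<name>...).
IP_RE = re.compile(r"(?P<ip_address>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")


def extract_ip(line):
    """The `parse regex` stage: first dotted quad in the line, or None."""
    m = IP_RE.search(line)
    return m.group("ip_address") if m else None


def is_candidate(ip):
    """The two `where` stages, plus an added check that the quad is a valid
    IPv4 address (the regex alone accepts values such as 999.1.1.1)."""
    if ip is None or ip in ("0.0.0.0", "127.0.0.1"):
        return False
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return False
    return True


def lookup_threats(lines, table=THREAT_TABLE):
    """The `lookup` stage: join candidate IPs on `threat` and rename
    threatlevel to malicious_confidence. Only matching rows are kept here;
    in a query, a `where !isNull(malicious_confidence)` does the same."""
    hits = []
    for line in lines:
        ip = extract_ip(line)
        if not is_candidate(ip) or ip not in table:
            continue
        row = table[ip]
        hits.append({"ip_address": ip, "type": row["type"], "actor": row["actor"],
                     "raw": row["raw"], "malicious_confidence": row["threatlevel"]})
    return hits
```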

For more information, see Threat Intel optimization in the Threat Intel Quick Analysis article.

Tip: All the dashboards in the Threat Intel Quick Analysis app use threat intelligence sources to find threats. To see the queries, open a dashboard in the app, click the three-dot kebab in the upper-right corner of the dashboard panel, and select Open in Log Search. You can copy these queries and use them as templates for your own queries to find threats.

Use the threatip search operator

To find threats using IP addresses, use the threatip search operator. This operator correlates IP addresses found in your log data with the indicators in the Sumo Logic threat intelligence sources.

For more information, see threatip Search Operator.


Copyright © 2025 by Sumo Logic, Inc.