threatip Search Operator
The threatip operator looks for suspicious IP addresses in your log data. It matches the IP addresses in a field you choose against a threat intelligence feed, giving you security analytics that help you detect threats in your environment, including activity from sophisticated and persistent attackers.

Behind the scenes, the threatip operator uses sumo://threat/cs in log search queries to correlate data with the _sumo_global_feed_cs threat intelligence source. It uses the same lookup as the Threat Intel Quick Analysis app, but is simplified to IP threat lookups only.

The only Indicator of Compromise (IOC) type supported is the IP address.
Syntax
threatip <ip_address_field>
Response Fields
- actor
- malicious_confidence
- raw_threat
- type
Example
The following query extracts the first IPv4 address from each message, runs it through the threat lookup, and keeps only the messages whose address matched the feed. Messages whose address is not in the feed come back with null response fields, which is why the final where clause filters on malicious_confidence.
_sourceCategory=Labs/*
| parse regex "(?<ip_address>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| threatip ip_address
| where !(isNull(malicious_confidence))
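To see what the query above does step by step, here is an added Python emulation of the same pipeline (this is example code written for this page, not Sumo Logic's implementation of threatip). The threat feed, the log lines and the field values are constructed for illustration; the real _sumo_global_feed_cs lookup is a hosted service and its raw_threat and actor values will differ. Two caveats are baked in: the page's regex has no trailing word boundary, so a longer digit run such as 10.0.0.1234 would be truncated into a false match, and the regex accepts octets above 255, so the emulation validates the candidate before looking it up.

```python
import ipaddress
import re

# The page's parse regex, translated to Python's (?P<name>...) group syntax.
# A trailing \b is added (it is not in the original query) so a run such as
# "10.0.0.1234" cannot be truncated into a false IPv4 match.
IP_RE = re.compile(r"(?P<ip_address>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)")

# Constructed stand-in for the _sumo_global_feed_cs lookup. The addresses are
# RFC 5737 documentation ranges and the field values are illustrative only.
THREAT_FEED = {
    "203.0.113.45": {
        "actor": "EXAMPLEACTOR",
        "malicious_confidence": "high",
        "raw_threat": "ip_address_block",
        "type": "ip_address",
    },
    "198.51.100.7": {
        "actor": "UNKNOWN",
        "malicious_confidence": "medium",
        "raw_threat": "ip_address",
        "type": "ip_address",
    },
}

# Constructed log lines standing in for _sourceCategory=Labs/* messages.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z sshd[4121]: Accepted publickey for alice from 192.0.2.10 port 50122",
    "2024-05-01T10:00:07Z sshd[4122]: Failed password for root from 203.0.113.45 port 41000",
    '2024-05-01T10:00:09Z nginx: 198.51.100.7 - - "GET /wp-login.php HTTP/1.1" 404',
    "2024-05-01T10:00:12Z app: request id 10.0.0.1234 processed",  # not an IPv4 address
    "2024-05-01T10:00:15Z app: bogus client 999.1.1.1 rejected",   # regex match, invalid octet
    "2024-05-01T10:00:20Z cron: job finished",                     # no address at all
]


def parse_ip(line):
    """Emulates `parse regex`: return the first ip_address capture, or None."""
    m = IP_RE.search(line)
    if m is None:
        return None
    ip = m.group("ip_address")
    # The regex accepts octets above 255; drop those before the lookup so the
    # feed is never queried with a string that is not actually an IP address.
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return None
    return ip


def threatip(ip):
    """Emulates the threatip operator: feed lookup returning the four response
    fields (actor, malicious_confidence, raw_threat, type), or None on no match."""
    return THREAT_FEED.get(ip)


def run_query(lines):
    """The page's query as a pipeline: parse, enrich, keep non-null matches."""
    hits = []
    for line in lines:
        ip = parse_ip(line)
        if ip is None:
            continue
        intel = threatip(ip)
        # `where !(isNull(malicious_confidence))`: rows whose address is not in
        # the feed carry no response fields and are dropped here.
        if intel is None:
            continue
        hits.append({"ip_address": ip, "message": line, **intel})
    return hits


if __name__ == "__main__":
    for hit in run_query(SAMPLE_LOGS):
        print(hit["ip_address"], hit["malicious_confidence"], hit["actor"])
```

Running it reports only the two constructed feed matches; the benign 192.0.2.10 login, the truncated 10.0.0.1234 token, the out-of-range 999.1.1.1 string and the message with no address are all dropped before or during the lookup. If your logs contain values like the last two, consider tightening the parse regex in the real query the same way, since every candidate the regex emits is sent to the lookup.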