When using the Threat Intel app (which you will install in a later lab), no results is a good thing, as this means you do not have malicious threats in your logs. However, in order to test the lookup functionality, the Threat Intel FAQs provide samples for each type of IOC. Let's run a simple query with an actual IOC. you can replace the IP address with any other IOC in the FAQs.
| limit 1 // this line allow us to query just one result. Notice we haven't defined a scope because we're only checking a manually entered IP against the CrowdStrike database.
| "22.214.171.124" as my_threat
| lookup type, actor, raw, threatlevel as malicious_confidence
from sumo://threat/cs on threat = my_threat
| if (isNull(malicious_confidence),"No","Yes") as DataExist //checks to see if any value is returned for the field "malicious confidence" from CrowdStrike
| fields my_threat,DataExist, malicious_confidence, actor //formats fields
You can also switch the IP address referenced ("126.96.36.199") with whichever IP address you would like to check against CrowdStrike. If no data exist for the IP address, you'll see "no" for the "data exist" field.