Skip to main content
Sumo Logic

Lab 11 - Creating Your Own Lookup

Create a lookup table of your own identified malicious IPs to reference in other queries.
Using the save and lookup operators, you are able to create your own custom list and run lookups against this list. In this lab, you will create a list of blacklisted IP addresses. This list is populated with IP addresses that Snort has identified with a Priority 1 alert.


  1. Use the save operator to store the list of IP addresses in your custom list

_sourceCategory=labs/snort and "[Priority: 1]"

| parse regex "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

| count src_ip

| src_ip as blacklisted

| fields - src_ip

| save append myfolder/<your_name>

  1. To verify the creation of your list, run  the following query:

cat myfolder/<your_name>

  1. To achieve more realistic results in step 4, use the blacklist provided here:

cat shared/snort_alerts

  1. Use the lookup operator to do a lookup against a custom file:

_sourceCategory=labs/snort "[Priority: 1]"

| parse regex "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

| lookup blacklisted from shared/snort_alerts on blacklisted=src_ip

| where !isEmpty(blacklisted)