Skip to main content
Sumo Logic

Lab 11 - Creating Your Own Lookup

Create a lookup table of your own identified malicious IPs to reference in other queries.
Using the save and lookup operators, you are able to create your own custom list and run lookups against this list. In this lab, you will create a list of denylisted IP addresses. This list is populated with IP addresses that Snort has identified with a Priority 1 alert.


  1. Use the save operator to store the list of IP addresses in your custom list. Using the below query, replace <your_name> appearing on the last line, with a name of your choice.

_sourceCategory=labs/snort and "[Priority: 1]"

| parse regex "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

| count src_ip

| src_ip as denylisted

| fields - _count,src_ip

| save append myfolder/<your_name>

  1. To verify the creation of your list, run  the following query.

cat myfolder/<your_name>

  1. To achieve more realistic results in step 4, use the existing denylist provided below.

cat shared/snort_alerts

  1. Use the Lookup operator to do a lookup against the denylist shared/snort_alerts file. If your labs/snort logs match any in the existing denylist, then their log message(s) will be displayed since we filter on not isEmpty(denylisted).

_sourceCategory=labs/snort "[Priority: 1]"

| parse regex "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

| lookup denylisted from shared/snort_alerts on denylisted=src_ip

| where !isEmpty(denylisted)