threatip Search Operator
The threatip operator correlates IP addresses found in your log data against the Sumo Logic threat intelligence sources. This provides security analytics that help you detect threats in your environment and protect against sophisticated and persistent cyber-attacks.
The threatip operator uses the same lookup as the Threat Intel Quick Analysis app but is simplified for IP threat lookups only.
The only Indicator of Compromise (IOC) type supported is IP address.
Syntax
threatip <ip_address_field>
Response Fields
- actor
- malicious_confidence
- raw_threat
- type
Example
_sourceCategory=Labs/*
| parse regex "(?<ip_address>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| threatip ip_address
| where !(isNull(malicious_confidence))
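An offline stand-in for the query above, added here as an illustration and not Sumo Logic's own code: it applies the same regex to a few constructed log lines, joins each extracted IP against a hypothetical threat intelligence table carrying the four response fields, and keeps only rows where malicious_confidence is set. The intel entries and log messages are constructed, and the octet-range check is an addition that the query's regex alone does not perform.

```python
import re
import ipaddress

# The page's IPv4 pattern; \d{1,3} also admits octets above 255, so matches are validated below.
IP_PATTERN = re.compile(r"(?P<ip_address>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")
RESPONSE_FIELDS = ("actor", "malicious_confidence", "raw_threat", "type")

# Constructed stand-in for the threat intel source (hypothetical values, RFC 5737 addresses).
THREAT_INTEL = {
    "203.0.113.7": {"actor": "ExampleActor", "malicious_confidence": "high",
                    "raw_threat": "203.0.113.7", "type": "ip_address"},
    "198.51.100.23": {"actor": "Unknown", "malicious_confidence": "medium",
                      "raw_threat": "198.51.100.23", "type": "ip_address"},
}


def parse_ip(message):
    """Stands in for `parse regex`: first syntactically valid IPv4 literal, else None."""
    for match in IP_PATTERN.finditer(message):
        candidate = match.group("ip_address")
        try:
            ipaddress.IPv4Address(candidate)  # rejects e.g. 999.1.1.1
        except ValueError:
            continue
        return candidate
    return None


def threatip(record, intel=THREAT_INTEL):
    """Stands in for `threatip ip_address`: response fields are None when there is no hit."""
    hit = intel.get(record.get("ip_address"), {})
    return {**record, **{field: hit.get(field) for field in RESPONSE_FIELDS}}


def run_query(log_lines, intel=THREAT_INTEL):
    """The page's full pipeline: parse, enrich, keep only rows with an intel hit."""
    results = []
    for line in log_lines:
        ip = parse_ip(line)
        if ip is None:
            continue  # messages with no parseable IP drop out at `parse regex`
        row = threatip({"_raw": line, "ip_address": ip}, intel)
        if row["malicious_confidence"] is not None:  # where !(isNull(malicious_confidence))
            results.append(row)
    return results


# Constructed sample messages; only two carry an address present in THREAT_INTEL.
SAMPLE_LOGS = [
    "Accepted password for user from 203.0.113.7 port 52213",
    "Connection from 192.0.2.44 closed",
    "Rejected request from 999.1.1.1 malformed source",
    "Outbound connection to 198.51.100.23:443 established",
]
```

Running run_query(SAMPLE_LOGS) keeps the two messages whose address has an intel entry; the valid but unknown 192.0.2.44 is enriched with null fields and filtered out, and 999.1.1.1 never reaches the lookup.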