Skip to main content

threatlookup Search Operator

Beta

The threatlookup operator identifies suspicious indicators of compromise in your data which match your threat intelligence sources. Using this operator provides security analytics to help you to detect threats in your environment.

This operator supersedes the more limited threatip search operator, allowing matches against multiple sources for multiple kinds of indicators.

Syntax

threatlookup [singleIndicator] [source="<source_value>"] <indicator>

Where:

  • singleIndicator returns the single best matching threat intelligence entry. (In the response, num_matches indicates how many total matches across your sources there are.) If singleIndicator is not specified, all matching entries from your intelligence sources are returned in separate rows.

    Note that singleIndicator returns the most recent, highest confidence entry from your sources. If there's a tie, the winning entry is whichever the backend storage returned first.

  • source is the threat intelligence source to search for the threat intelligence indicator. If source is not specified, all sources are searched.

  • <indicator> is the field name containing an indicator to look up. At least one field name is required.

Response fields

Query responses return the following normalized indicator fields, which will all be null if no matching record is found:

  • actors
  • confidence
  • fields
  • id
  • imported
  • indicator
  • kill_chain
  • num_matches (if singleIndicator is used)
  • source
  • threat_type
  • type
  • updated
  • valid_from
  • valid_until

Examples

Single best match for srcDevice_ip with confidence greater than 50
_index=sec_record*
| threatlookup singleIndicator srcDevice_ip
| where _threatlookup.confidence > 50
| timeslice 1h
| count by _timeslice
Matches in a 'mysource' custom source for srcDevice_ip with confidence greater than 50
_index=sec_record*
| threatlookup source="mysource" srcDevice_ip
| where _threatlookup.confidence > 50
| timeslice 1h
| count by _timeslice

Format timestamp results

Timestamps for the following response fields return results as an integer because they use Unix time (also known as epoch time):

  • _threatlookup.imported
  • _threatlookup.valid_from
  • _threatlookup.valid_until
  • _threatlookup.updated

To convert the timestamp results to a readable output, you must format it in the search itself with formatDate. For example:

_index=sec_record*
| threatlookup source="mysource" device_ip
| formatDate(_threatlookup.valid_until, "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'") as valid_until

Returned results

The threatlookup operator returns one result row for each input indicator, even if there is no threat intel match. In such cases, the normalized threatlookup fields (for example, _threatlookup.source, _threatlookup.confidence, etc.) will be null.

For example, let's say you have this log message:
198.51.100.7 - - [02/Dec/2025:08:40:01 +0000] "GET /admin/login.php HTTP/1.1" 404 250 "-" "Mozilla/5.0"

When you run this query:

| parse regex "(?<client_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| threatlookup singleIndicator client_ip

One result row would be returned, containing _threatlookup.* fields as null if 198.51.100.7 is not in your threat intel sources. Otherwise, threatlookup fields would get enriched accordingly.

Exclude rows without threat intel matches

If you want to exclude rows without threat intel matches, add an explicit non-match filtering check, for example:

_index=sec_record*
| threatlookup singleIndicator srcDevice_ip
| where _threatlookup.confidence > 50
| where !isNull(_threatlookup.source)
| timeslice 1h
| count by _timeslice
Edit this page
Last updated on by John Pipkin (Sumo Logic)
Status
Legal
Privacy Statement
Terms of Use
CA Privacy Notice

Copyright © 2026 by Sumo Logic, Inc.