Update (#5538)

jpipkin1 · web-flow · commit 2b9060177523 · 2025-07-01T16:59:42.000Z
diff --git a/docs/search/search-query-language/search-operators/threatip.md b/docs/search/search-query-language/search-operators/threatip.md
@@ -4,14 +4,14 @@ title: threatip Search Operator
 sidebar_label: threatip
 ---
 
-The `threatip` operator correlates data in the [Sumo Logic threat intelligence sources](/docs/security/threat-intelligence/about-threat-intelligence/#sumo-logic-threat-intelligence-sources) based on IP addresses from your log data. This provides security analytics that helps you to detect threats in your environment, while also protecting against sophisticated and persistent cyber-attacks. 
+The `threatip` operator looks for suspicious IP addresses in your log data. Using the operator provides security analytics that help you to detect threats in your environment, while also protecting against sophisticated and persistent cyber-attacks.
+
+Behind the scenes, the `threatip` operator uses `sumo://threat/cs` in log search queries to correlate data in the `_sumo_global_feed_cs` [threat intelligence source](/docs/security/threat-intelligence/about-threat-intelligence/#sumo-logic-threat-intelligence-sources). The `threatip` operator uses the same lookup as the [Threat Intel Quick Analysis app](/docs/integrations/security-threat-detection/threat-intel-quick-analysis/#threat-intel-optimization) but is simplified for only IP threat lookups. 
 
 <!-- Add this per DOCS-815:
 You can also use the [`threatlookup`](/docs/search/search-query-language/search-operators/threatlookup/) search operator to search threat intelligence indicators.
 -->
 
-The `threatip` operator uses the same lookup as the [Threat Intel Quick Analysis app](/docs/integrations/security-threat-detection/threat-intel-quick-analysis) but is simplified for only IP threat lookups. 
-
 The only Indicators of Compromise (IOC)] supported is IP address.
 
 ## Syntax
diff --git a/docs/security/threat-intelligence/find-threats.md b/docs/security/threat-intelligence/find-threats.md
@@ -33,7 +33,7 @@ All the dashboards in the [Threat Intel Quick Analysis](/docs/integrations/secur
 
 ## Use the threatip search operator
 
-To find threats using IP addresses, use the `threatip` search operator. This operator correlates data in the [Sumo Logic threat intelligence sources](/docs/security/threat-intelligence/about-threat-intelligence/#sumo-logic-threat-intelligence-sources) based on IP addresses from your log data.
+To find threats using IP addresses, use the `threatip` search operator. This operator uses `sumo://threat/cs` in log search queries to correlate data in the `_sumo_global_feed_cs` [threat intelligence source](/docs/security/threat-intelligence/about-threat-intelligence/#sumo-logic-threat-intelligence-sources).
 
 For more information, see [threatip Search Operator](/docs/search/search-query-language/search-operators/threatip/).
 
