You need to extract the source IP address into the "clientip" field. Once done, you can create lookups with
| lookup threatscore clientip | table clientip threatscore
You'll then have a table with all attacking IPs + the threat score enriched. In case you have a lot of logs, you might do this via summary reports, to avoid that every time you review your report it's loaded and the lookup is generating a lot of DNS requests.
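
The summary-report approach described above, as an added example that is not part of the original post: the first search is meant to run on an hourly schedule, reduces the events to one row per source IP before the lookup runs (so each address is looked up once per hour), and stores the result; the second search is the report, which reads only the stored rows and triggers no lookups. The index `web`, the sourcetype `my_access_log`, the assumption that each event starts with the source IP, the field name `hits` and the source name `threatscore_hourly` are assumptions; `threatscore` and `clientip` are the names used in the post.

```spl
index=web sourcetype=my_access_log earliest=-1h@h latest=@h
| rex field=_raw "^(?<clientip>\d{1,3}(?:\.\d{1,3}){3})\s"
| stats count AS hits BY clientip
| lookup threatscore clientip
| table clientip hits threatscore
| collect index=summary source="threatscore_hourly"

index=summary source="threatscore_hourly"
| stats sum(hits) AS hits latest(threatscore) AS threatscore BY clientip
| table clientip hits threatscore
```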