Take any event, add to this event a field called clientip with eval. I took an ip from the project honeypot website that showed bad activity. then doing the scripted lookup. the scripted lookup gives back a new field called threatscore. The ip associated with bad activity should have a threatscore between 1-100 - not 0!