Commit 1a180c2

committed
DOCS-815 - Add 'Returned results' section
1 parent a236085 commit 1a180c2

1 file changed

+6
-19
lines changed


docs/search/search-query-language/search-operators/threatlookup.md

Lines changed: 6 additions & 19 deletions
@@ -134,17 +134,16 @@ You cannot use the cat search operator with the `SumoLogic_ThreatIntel` source.
134134

135135
<!-- Remove the following "Upcoming change" section at GA. -->
136136

137-
## Upcoming change
137+
## Returned results
138138

139-
The behavior of the `threatlookup` operator is changing in an upcoming release. Previously, rows without matches in threat intelligence sources were excluded from search results. With the new behavior, `threatlookup` will return one result row for each input indicator, even if there is no threat intel match. In such cases, the normalized threatlookup fields (for example, `_threatlookup.source`, `_threatlookup.confidence`, etc.) will be `null`.
139+
The `threatlookup` operator returns one result row for each input indicator, even if there is no threat intel match. In such cases, the normalized threatlookup fields (for example, `_threatlookup.source`, `_threatlookup.confidence`, etc.) will be `null`.
140140

141-
### Impact
142-
143-
If you have saved queries, dashboards, or other workflows relying on the current behavior, they may return additional rows after this change. This could require you to update your logic to explicitly exclude rows with no matches.
141+
For example, given the log message:
142+
`198.51.100.7 - - [02/Dec/2025:08:40:01 +0000] "GET /admin/login.php HTTP/1.1" 404 250 "-" "Mozilla/5.0"`
144143

145-
### How to adapt
144+
One result row is returned, containing `_threatlookup.*` fields as `null`.
146145

147-
To retain the previous filtering and exclude rows without threat intel matches, add an explicit non-match filtering check, for example:
146+
If you want to exclude rows without threat intel matches, add an explicit non-match filtering check, for example:
148147

149148
```
150149
_index=sec_record*
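Review bot: the context line at 135, `<!-- Remove the following "Upcoming change" section at GA. -->`, now sits directly above the new `## Returned results` heading, but the "Upcoming change" section it refers to is deleted in this hunk; drop that comment in the same change, otherwise the new section is the one that gets removed at GA. Two wording points in the new text: the paragraph at line 139 describes current behavior, so "will be `null`" should read "are `null`", and with the "Impact" and "How to adapt" subheadings removed, the example at lines 141-144 and the filtering advice at line 146 now run together in one section, so a subheading before the filter query would help readers find it.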
@@ -155,18 +154,6 @@ _index=sec_record*
155154
| count by _timeslice
156155
```
157156

158-
If you do not add this check, one row will be returned for every input, regardless of matches.
159157

160-
For example, given the log message:
161-
`198.51.100.7 - - [02/Dec/2025:08:40:01 +0000] "GET /admin/login.php HTTP/1.1" 404 250 "-" "Mozilla/5.0"`
162-
163-
The previous query was:
164-
165-
```
166-
* | parse regex "(?<client_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
167-
| threatlookup singleIndicator client_ip
168-
```
169158

170-
Before, no result is returned if `198.51.100.7` is not in your threat intel sources.
171159

172-
After, one result row is returned, containing `_threatlookup.*` fields as `null`.
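Review bot: deleting lines 160-172 removes the only query that produces the example result (`* | parse regex "(?<client_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"` followed by `| threatlookup singleIndicator client_ip`) and the qualifier "if `198.51.100.7` is not in your threat intel sources", so the example kept in the first hunk states a `null` result without showing the query or the condition under which it occurs. Keep the two-line query block between the log message and the result sentence, and qualify the result as applying only when the indicator has no match in the configured threat intel sources; the sentence at line 158 ("If you do not add this check, one row will be returned for every input, regardless of matches") is also worth keeping directly after the filter query, since it states the consequence of omitting the check.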
