Adjustment to nodrop

Author: jpipkin1

docs/integrations/amazon-aws/waf.md

@@ -58,7 +58,7 @@ The Sumo Logic app for AWS WAF analyzes traffic flowing through AWS WAF and auto
 ```sql title="Client IP Threat Info"
 _sourceCategory=AWS/WAF {{client_ip}}
 | parse "\"httpMethod\":\"*\"," as httpMethod,"\"httpVersion\":\"*\"," as httpVersion,"\"uri\":\"*\"," as uri, "{\"clientIp\":\"*\",\"country\":\"*\"" as clientIp,country, "\"action\":\"*\"" as action, "\"matchingNonTerminatingRules\":[*]" as matchingNonTerminatingRules, "\"rateBasedRuleList\":[*]" as rateBasedRuleList, "\"ruleGroupList\":[*]" as ruleGroupList, "\"httpSourceId\":\"*\"" as httpSourceId, "\"httpSourceName\":\"*\"" as httpSourceName, "\"terminatingRuleType\":\"*\"" as terminatingRuleType, "\"terminatingRuleId\":\"*\"" as terminatingRuleId, "\"webaclId\":\"*\"" as webaclId nodrop
-| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=clientip nodrop
+| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=clientip
 ```
 <!-- Replace code example with this after `sumo://threat/i471` is replaced by `threatlookup`:
 ```sql title="Client IP Threat Info"

docs/integrations/security-threat-detection/threat-intel-quick-analysis.md

@@ -41,7 +41,7 @@ _sourceCategory=cylance "IP Address"
 | parse regex "(?<ip_address>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
 | where !isNull(ip_address)
 | where ip_address != "0.0.0.0" and ip_address != "127.0.0.1"
-| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=ip_address nodrop
+| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=ip_address
 ```
 
 <!-- Replace section content with this after `sumo://threat/i471` is replaced by `threatlookup`:

docs/search/search-query-language/search-operators/tolowercase-touppercase.md

@@ -52,7 +52,7 @@ which provides results like:
 | toLowerCase ("B101CD29E18A515753409AE86CE68A4CEDBE0D640D385EB24B9BBB69CF8186AE") as hash
 | count hash
 | fields -_count
-| lookup raw from sumo://threat/cs on threat = hash{code} nodrop
+| lookup raw from sumo://threat/cs on threat = hash{code}
 ```
 
 <!-- Replace code example with this after `sumo://threat/i471` is replaced by `threatlookup`:

docs/search/subqueries.md

@@ -386,7 +386,7 @@ _sourceCategory=weblogs
 | where connectionDirection = "OUTBOUND"
 | json field=remoteipdetails "ipAddressV4" as src_ip
 | lookup type, actor, raw, threatlevel from sumo://threat/cs on src_ip=threat
-| where threatlevel = "high" nodrop
+| where threatlevel = "high"
 | compose src_ip]
 ```
 <!-- Replace code example with this after `sumo://threat/i471` is replaced by `threatlookup`:

docs/security/additional-security-features/threat-detection-and-investigation.md

@@ -288,7 +288,7 @@ We need a way to see if any of the IP addresses we have logged are known threats
    _sourceCategory=Labs/AWS/CloudTrail
    | parse regex "(?<ip_address>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" multi
    | where ip_address != "0.0.0.0" and ip_address != "127.0.0.1"
-   | lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=ip_address nodrop
+   | lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=ip_address
    | where type="ip_address" and !isNull(malicious_confidence)
    | if (isEmpty(actor), "Unassigned", actor) as Actor
    | parse field=raw "\"ip_address_types\":[\"*\"]" as ip_address_types nodrop

docs/security/threat-intelligence/about-threat-intelligence.md

@@ -134,9 +134,9 @@ In most cases, no change is needed if you use the [lookup](/docs/search/search-q
 
 You may need to make changes in these scenarios:
 * The `domain-name` and `email-addr` types are not supported in Intel 471. If you filter for these types using the `lookup` operator, update your queries to remove them.
-* If you parse the `raw` field returned from the `lookup` operation, you will see different fields when you use the new `SumoLogic_ThreatIntel` source. To avoid problems with fields not returning data, use a [nodrop](/docs/search/search-query-language/parse-operators/parse-nodrop-option/) clause. In the following excerpt from a query, `nodrop` is added at the end of the line where `field=raw` is called:
+* If you parse the `raw` field returned from the `lookup` operation, you will see different fields when you use the new `SumoLogic_ThreatIntel` source. To avoid problems with fields not returning data after April 30, 2025, use a [nodrop](/docs/search/search-query-language/parse-operators/parse-nodrop-option/) clause when you use `parse field=raw` or `json field=raw`. In the following excerpt from a query, `nodrop` is added at the end of the line where `json field=raw` is called:
    ```
-   | lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=ip_address 
+   | lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=src_ip
    | json field=raw "labels[*].name" as label_name nodrop
    ```
 

docs/security/threat-intelligence/find-threats.md

@@ -20,7 +20,7 @@ _sourceCategory=cylance "IP Address"
 | parse regex "(?<ip_address>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
 | where !isNull(ip_address)
 | where ip_address != "0.0.0.0" and ip_address != "127.0.0.1"
-| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=ip_address nodrop
+| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=ip_address
 ```
 
 For more information about how to use `sumo://threat/cs` in queries, see [Threat Intel optimization](/docs/integrations/security-threat-detection/threat-intel-quick-analysis/#threat-intel-optimization) in the *Threat Intel Quick Analysis* article.