From 1a180c298a4cda713eedffdad52aa3cb8815e058 Mon Sep 17 00:00:00 2001 From: John Pipkin Date: Thu, 11 Dec 2025 11:55:37 -0600 Subject: [PATCH 1/2] DOCS-815 - Add 'Returned results' section --- .../search-operators/threatlookup.md | 25 +++++-------------- 1 file changed, 6 insertions(+), 19 deletions(-) diff --git a/docs/search/search-query-language/search-operators/threatlookup.md b/docs/search/search-query-language/search-operators/threatlookup.md index a957acee09..685bc58f3c 100644 --- a/docs/search/search-query-language/search-operators/threatlookup.md +++ b/docs/search/search-query-language/search-operators/threatlookup.md 
@@ -134,17 +134,16 @@ You cannot use the cat search operator with the `SumoLogic_ThreatIntel` source. -## Upcoming change +## Returned results -The behavior of the `threatlookup` operator is changing in an upcoming release. Previously, rows without matches in threat intelligence sources were excluded from search results. With the new behavior, `threatlookup` will return one result row for each input indicator, even if there is no threat intel match. In such cases, the normalized threatlookup fields (for example, `_threatlookup.source`, `_threatlookup.confidence`, etc.) will be `null`. +The `threatlookup` operator returns one result row for each input indicator, even if there is no threat intel match. In such cases, the normalized threatlookup fields (for example, `_threatlookup.source`, `_threatlookup.confidence`, etc.) will be `null`. -### Impact - -If you have saved queries, dashboards, or other workflows relying on the current behavior, they may return additional rows after this change. This could require you to update your logic to explicitly exclude rows with no matches. +For example, given the log message: +`198.51.100.7 - - [02/Dec/2025:08:40:01 +0000] "GET /admin/login.php HTTP/1.1" 404 250 "-" "Mozilla/5.0"` -### How to adapt +One result row is returned, containing `_threatlookup.*` fields as `null`. -To retain the previous filtering and exclude rows without threat intel matches, add an explicit non-match filtering check, for example: +If you want to exclude rows without threat intel matches, add an explicit non-match filtering check, for example: ``` _index=sec_record* 
@@ -155,18 +154,6 @@ _index=sec_record* | count by _timeslice ``` -If you do not add this check, one row will be returned for every input, regardless of matches. -For example, given the log message: -`198.51.100.7 - - [02/Dec/2025:08:40:01 +0000] "GET /admin/login.php HTTP/1.1" 404 250 "-" "Mozilla/5.0"` - -The previous query was: - -``` -* | parse regex "(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" -| threatlookup singleIndicator client_ip -``` -Before, no result is returned if `198.51.100.7` is not in your threat intel sources. -After, one result row is returned, containing `_threatlookup.*` fields as `null`. From a2d35f6ca60426f96eba4fcaeefccfe76ec6a7f5 Mon Sep 17 00:00:00 2001 From: John Pipkin Date: Mon, 15 Dec 2025 08:59:50 -0600 Subject: [PATCH 2/2] Updates from review by Madhur Mishra --- .../search-operators/threatlookup.md | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/docs/search/search-query-language/search-operators/threatlookup.md b/docs/search/search-query-language/search-operators/threatlookup.md index 685bc58f3c..6c5351cc72 100644 --- a/docs/search/search-query-language/search-operators/threatlookup.md +++ b/docs/search/search-query-language/search-operators/threatlookup.md @@ -138,10 +138,18 @@ You cannot use the cat search operator with the `SumoLogic_ThreatIntel` source. The `threatlookup` operator returns one result row for each input indicator, even if there is no threat intel match. In such cases, the normalized threatlookup fields (for example, `_threatlookup.source`, `_threatlookup.confidence`, etc.) will be `null`. -For example, given the log message: -`198.51.100.7 - - [02/Dec/2025:08:40:01 +0000] "GET /admin/login.php HTTP/1.1" 404 250 "-" "Mozilla/5.0"` +For example, let's say you have this log message: +
`198.51.100.7 - - [02/Dec/2025:08:40:01 +0000] "GET /admin/login.php HTTP/1.1" 404 250 "-" "Mozilla/5.0"` -One result row is returned, containing `_threatlookup.*` fields as `null`. +When you run this query: +``` +| parse regex "(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" +| threatlookup singleIndicator client_ip +``` + +One result row would be returned, containing `_threatlookup.*` fields as null if `198.51.100.7` is not in your threat intel sources. Otherwise, `threatlookup` fields would get enriched accordingly. + +### Exclude rows without threat intel matches If you want to exclude rows without threat intel matches, add an explicit non-match filtering check, for example:
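Review bot: In PATCH 1/2, hunk `@@ -134,17 +134,16 @@`, the new example sentence "One result row is returned, containing `_threatlookup.*` fields as `null`." is stated unconditionally, but the section intro says those fields are `null` only when there is no threat intel match, and no query is shown that produces the row (the `parse regex` / `threatlookup` query is deleted in the following hunk). Suggest keeping the two-line query under the sample log message and conditioning the sentence on `198.51.100.7` not being in your threat intel sources, so the example is consistent with the intro. Dropping `### Impact` also removes the only notice that saved queries, dashboards and other workflows may now return additional rows; one sentence to that effect is worth keeping even though the change is no longer "upcoming".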
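Review bot: In PATCH 2/2, hunk `@@ -138,10 +138,18 @@`, the added query starts with `| parse regex ...` and has no leading search scope, whereas the version deleted in PATCH 1/2 started with `* | parse regex ...`; restore the `*` (or a `_sourceCategory` scope) so the example runs as pasted. As the hunk reads, the regex `(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})` contains no named capture group, yet `| threatlookup singleIndicator client_ip` depends on a `client_ip` field, so it should be `(?<client_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})`; if the group name is present in the source and was only lost here, confirm the rendered page keeps it. Minor: `null` in the added sentence is unformatted while the intro uses `` `null` ``, and "would get enriched accordingly" could say plainly that the `_threatlookup.*` fields are populated from the matching source.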