We’ve made IOC and object searches faster and removed the old per-org rate limit. The results you get back are the same in almost all cases, but there are a few subtle behavior changes worth knowing about:
- Searches are now case-insensitive. A search for an indicator matches regardless of letter casing (e.g. C:\Foo and c:\foo are treated as the same indicator), and the values returned in results are shown in lowercase. For the indicator types where this matters most — domains, IPs, and hashes — casing was never meaningful anyway.
- Wildcards are limited to the start or end of a value. You can search with a leading wildcard (*value) or a trailing wildcard (value*), but wildcards in the middle of a value (a*b) or single-character wildcards are no longer supported in the fast path. Those queries still work, just without the speed improvement.
- Counts for extremely widespread indicators are approximate. For an indicator seen across a very large number of sensors, the distinct-sensor count is a close estimate rather than an exact figure. For the vast majority of indicators, counts remain exact.
- Sensor/location lists remain capped, as they were before.
- Very recent activity is fully covered. A brand-new indicator shows up right away, and historical prevalence (7 / 30 / 365 days) is reflected as expected — so you still get an accurate “have I ever seen this, how widely, on which sensors, and when” answer.
The upshot: searches are faster, the rate limit is gone, and answers are effectively the same, with case-insensitive matching, lowercase result values, start/end-only wildcards, approximate counts only for the most widespread indicators, and no log-ID origins in usage results.
This will be rolling out to every datacenter this week. If you have questions or concerns, let us know.