Panther Knowledge Base

Can I use multiple Panther indicators for a single field in a schema?

QUESTION

Can I use multiple Panther indicators for a single field in a schema, and if yes, what will be the correct format?

ANSWER

Yes, it is possible to use multiple indicators in a single field.

Both formats below can be used:

- name: my_value
  required: true
  type: string
  indicators: [domain, hostname]

- name: my_value
  required: true
  type: string
  indicators:
    - domain
    - hostname

With the domain and hostname indicators in the example above, the value itself determines whether it is stored in p_any_domain_names, in p_any_ip_addresses, or in both fields.

The Panther indicators table explains which indicators a given value matches.

For example, hostname can populate both p_any_domain_names and p_any_ip_addresses, while domain populates only p_any_domain_names.

As a result:

  •  If the value is the IP address 22.22.22.1, both p_any_domain_names and p_any_ip_addresses are populated.
  •  If the value is the domain www.test.com, only p_any_domain_names is populated.

Schema example:

version: 0
fields:
  - name: my_value
    required: true
    type: string
    indicators: [domain, hostname]
  - name: my_second_value
    required: true
    type: string
    indicators:
      - domain
      - hostname

JSON test log file:

{"my_value": "22.22.22.1", "my_second_value": "test.com"}
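To make the rules above concrete, the following is an added, self-contained Python model of how the two indicators would enrich the test log under the schema shown. It is not Panther's own code: the mapping (domain always feeds p_any_domain_names; hostname feeds p_any_ip_addresses when the value parses as an IP address and p_any_domain_names otherwise) is taken from the statements in this article, the schema is embedded as a Python dict instead of being parsed from YAML, and the function names (indicator_targets, enrich, run) are this example's own.

```python
import ipaddress
import json

# The schema from the article, as a Python dict so the example needs no YAML library.
SCHEMA = {
    "version": 0,
    "fields": [
        {"name": "my_value", "required": True, "type": "string",
         "indicators": ["domain", "hostname"]},
        {"name": "my_second_value", "required": True, "type": "string",
         "indicators": ["domain", "hostname"]},
    ],
}

# The JSON test log from the article (constructed sample input).
TEST_LOG = '{"my_value": "22.22.22.1", "my_second_value": "test.com"}'


def is_ip(value: str) -> bool:
    """True if the value is a syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def indicator_targets(value: str, indicator: str) -> list[str]:
    """Return the p_any_* fields one indicator populates for this value.

    Model of the rules stated in the article (not Panther's implementation):
    - "domain" always writes to p_any_domain_names.
    - "hostname" writes to p_any_ip_addresses for IP addresses,
      otherwise to p_any_domain_names.
    """
    if indicator == "domain":
        return ["p_any_domain_names"]
    if indicator == "hostname":
        return ["p_any_ip_addresses"] if is_ip(value) else ["p_any_domain_names"]
    raise ValueError(f"indicator {indicator!r} is not modelled in this example")


def enrich(event: dict, schema: dict) -> dict:
    """Add deduplicated, sorted p_any_* arrays to an event according to the schema."""
    collected: dict[str, set[str]] = {}
    for field in schema["fields"]:
        name = field["name"]
        if name not in event:
            if field.get("required"):
                raise KeyError(f"required field {name!r} missing from event")
            continue
        value = event[name]
        for indicator in field.get("indicators", []):
            for target in indicator_targets(value, indicator):
                collected.setdefault(target, set()).add(value)
    enriched = dict(event)
    for target, values in collected.items():
        enriched[target] = sorted(values)
    return enriched


def run() -> dict:
    """Enrich the article's test log with the article's schema."""
    return enrich(json.loads(TEST_LOG), SCHEMA)


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

Running it shows 22.22.22.1 landing in both p_any_ip_addresses (from hostname) and p_any_domain_names (from domain), while test.com appears only in p_any_domain_names, which is exactly the behaviour the bullets above describe. Swapping www.test.com into my_value leaves p_any_ip_addresses absent, since neither indicator treats a non-IP value as an address.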
