Can you have two different fields going to the same Data Model field in Panther?
QUESTION
Can you have two different fields going to the same detection Data Model field? Note that this is distinct from the Core Field Unified Data Model feature.
Example:
Mappings:
- Name: actor_user
Path: user
- Name: actor_user
Path: actor
ANSWER
While it is possible to have two different fields going to the same UDM field, it is not recommended; the last declared field value will overwrite the other's value.
In the example above, user's value will be replaced by actor's value.