Can you have two different fields going to the same Data Model field in Panther?

Last updated: September 3, 2024

QUESTION

Can you have two different fields going to the same detection Data Model field? Note that this is distinct from the Core Field Unified Data Model feature.

Example:

Mappings:
  - Name: actor_user
    Path: user
  - Name: actor_user
    Path: actor

ANSWER

While it is possible to have two different fields going to the same UDM field, it is not recommended; the last declared field value will overwrite the other's value.

8b2ccfcf-27ea-4081-90ae-ff59bea1f9d6.png

In the example above, user's value will be replaced by actor's value.