Can I match on multiple event keys in Panther correlation rules?

Last updated: January 28, 2025

QUESTION

Can I match multiple event keys in Panther correlation rules? That is, in my correlation rule, can I have more than one event key MatchValue to match across events? For example, eventA:field1=eventB:field1 AND/OR eventA:field2=eventB:field2

ANSWER

No, matching on multiple event keys in correlation rules is not currently supported. However, you may be able to use the following workaround:

  1. Create a concatenated field in the alert context of each rule generating a signal like alert_context:concat_field=field1+field2.

  2. Match on this new field eventA:concat_field=eventB:concat_field.
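The signal-rule side of this workaround, as an added Python example (not code from the Panther article): the field names `field1`/`field2`, the `|` separator and the `build_join_key` helper are assumptions. The rule for eventB would call the same helper with its own fields in the same order so that both signals carry an identically formatted `concat_field`.

```python
# Added example, not from the Panther KB article. Panther detection rules are
# Python modules exposing rule(), title() and alert_context(); field names and
# the separator below are assumptions for illustration.

SEPARATOR = "|"  # assumption: a character that never occurs inside either field


def build_join_key(*parts):
    """Build the concatenated correlation field from several event values.

    Both signal rules (eventA and eventB) must call this with their fields in
    the same order, so the correlation rule can compare
    eventA:concat_field against eventB:concat_field as a single value.
    Returns None when any part is missing, so a half-populated event never
    produces a key that accidentally matches another half-populated event.
    """
    if any(part is None or str(part).strip() == "" for part in parts):
        return None
    # The separator keeps "ab"+"c" and "a"+"bc" distinct; a bare
    # field1+field2 concatenation would collide.
    return SEPARATOR.join(str(part).strip() for part in parts)


def rule(event):
    # Emit a signal only when a complete join key exists; otherwise the
    # correlation rule would have nothing reliable to match on.
    return build_join_key(event.get("field1"), event.get("field2")) is not None


def title(event):
    return f"Signal for {event.get('field1')} / {event.get('field2')}"


def alert_context(event):
    # The correlation rule matches on concat_field instead of on field1 and
    # field2 separately, since multi-key matching is not supported.
    return {
        "concat_field": build_join_key(event.get("field1"), event.get("field2")),
        "field1": event.get("field1"),
        "field2": event.get("field2"),
    }


# Constructed sample events (not real log data) for local testing.
SAMPLE_EVENT_A = {"field1": "alice@example.com", "field2": "10.0.0.5"}
SAMPLE_EVENT_B = {"field1": " alice@example.com", "field2": "10.0.0.5", "extra": 1}
SAMPLE_EVENT_PARTIAL = {"field1": "alice@example.com"}
```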

If you have interest in this feature, please contact Panther Support.