Overview

In Panther version 1.117 (scheduled for deployment the week of 12/1/25), Panther will remove p_udm fields, also known as Core Fields. To prepare for this change, please:

• Remove udm mappings in your custom log schemas

• Remove references to p_udm fields in your detections and Saved/Scheduled Searches

It's likely possible to replicate existing UDM functionality using one of the alternatives below, such as Data Models for detections.

Which Panther components are affected?

Affected:

• p_udm fields: after removal, incoming logs mapped to a custom schema with a udm definition will no longer be augmented with a p_udm object. Saved Searches and detections that reference p_udm fields, then, should no longer be considered reliable.

• event.udm() function: after p_udm fields are removed, this function will return Data Model and event values.

Not affected:

• Data Models for detections

• p_any_ indicator fields

• Identity provider profile enrichment (e.g., Okta)

• event.udm_path() function

Required actions

Before Panther version 1.117 (scheduled for deployment 12/1/25):

• Update to panther_analysis v3.73.0 or later, or update all Packs to v3.37.0 or later.

  • References to p_udm fields were removed in this Pull Request.

• Remove udm definitions in your custom schemas, and references to p_udm fields in your custom detections and Saved/Scheduled Searches.

  • CI/CD users: Search your repository for p_udm and remove or replace with alternatives.

  • Console users: Identify custom detections and searches that use p_udm fields and remove or replace with alternatives.

Alternatives to using p_udm fields

It's likely possible to replicate your existing UDM functionality using one of the following Panther features:

• Data Models

• p_any_ Indicator Fields

• Replacing the p_udm field with an equivalent field from the event

Please let us know if you have any questions!