QUESTION

How can I prevent specific raw event fields from being ingested into Panther?

ANSWER

The most effective way to prevent specific raw event fields from being ingested into Panther is to mask them in your schema: the field is still declared, but its value is replaced at parse time, so the original value is never stored.

For example:

- name: <field name>
  type: string
  mask:
    type: redact   # redact the raw value at ingest
    to: ""         # value to store in its place (empty string here)

This lets you drop the values of fields you don't need while still keeping the field discovery feature in use, because the field itself remains declared in the schema; only its value is replaced.
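For context, here is a complete custom schema showing where the mask block sits relative to the other fields. This is an added illustration, not code from the original answer or from Panther's documentation; the schema name, the field names, and the surrounding keys (schema, version, fields, timeFormat, isEventTime) are assumed for the example and should be checked against your Panther version.

```yaml
# Added example (not from the original answer): a full custom schema in which
# one sensitive field is redacted at ingest while the rest are stored as-is.
# Schema name, field names and surrounding keys are assumed for illustration.
schema: Custom.WebProxy
version: 0
fields:
  - name: ts
    type: timestamp
    timeFormat: rfc3339
    isEventTime: true
  - name: user
    type: string
  - name: url
    type: string
  - name: session_token
    # Declared so field discovery still sees the field, but redacted so the
    # raw token is never written to Panther's storage.
    type: string
    mask:
      type: redact
      to: ""
```

In the parsed event, session_token is still present as a key but carries the replacement value (an empty string here) instead of the raw token. Before relying on this in production, run a representative sample event through the schema and confirm that the masked field arrives empty in the parsed output while the other fields are intact.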