How can I prevent specific raw event fields from being ingested into Panther?
The most effective way to prevent specific raw event fields from being ingested into Panther is to apply masking to those fields in your schema.
For example:
- name: <field name>
  type: string
  mask:
    type: redact
    to: ""
This approach lets you efficiently ignore the fields you don't need while still being able to use the field discovery feature.