Are lookups for event fields case sensitive in Panther?
No, they are not case sensitive. event.get("Event_Type") and event.get("event_type") will return the same result.
This is because Panther effectively defines its own version of .get(), though it’s inherited rather than overridden. This behavior happens because the object passed into Panther rules isn’t a standard Python dict. It’s a PantherEvent, which inherits from a custom class we created called ImmutableCaseInsensitiveDict. Some of the key differences:
Case-insensitive keys – .get() (and all key lookups) are case-insensitive, so "Event_Type" and "event_type" are treated the same.
Immutability – you cannot modify any fields in the event.
The reasoning behind the case-insensitivity is to align with Panther’s ingestion and search engines, which are themselves case-insensitive. And the reason behind it being immutable is to ensure the event remains consistent across rules.