What's the difference between p_udm and event.udm in Panther?
Last updated: September 3, 2024
QUESTION
What's the difference between p_udm and event.udm in Panther?
ANSWER
Both of these refer to unified data models (UDMs), but not necessarily to one single model that unifies all data everywhere, because Panther lets you define your own data models.
To access a Core Field in a Python detection, you would use
event.deep_get("p_udm", ...).
To access a Data Model for detections field, you would use
event.udm(...).
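To make the two access paths concrete, here is an added illustration (not Panther's own code) with a minimal stand-in for the detection event object: deep_get walks the p_udm Core Fields that Panther populates, while udm resolves a name through a per-log-type Data Model. The log types, field names and path p_udm.source.address used below are assumptions for illustration.

```python
# Added illustration, not Panther's own code: a minimal stand-in for the
# detection event object so the two accessors in the answer can be compared.
from typing import Any, Callable, Dict, Union

# Constructed "Data Models for detections": per p_log_type, a udm field name
# maps to either a dotted path into the raw event or a function of the event.
# The log types, field names and paths below are assumptions for illustration.
DATA_MODELS: Dict[str, Dict[str, Union[str, Callable[[dict], Any]]]] = {
    "AWS.CloudTrail": {
        "source_ip": "sourceIPAddress",
        "actor_user": lambda e: e.get("userIdentity", {}).get("userName"),
    },
    "Okta.SystemLog": {
        "source_ip": "client.ipAddress",
        "actor_user": "actor.alternateId",
    },
}

class Event(dict):
    def deep_get(self, *keys: str, default: Any = None) -> Any:
        # Walk nested dicts; Core Fields live under the p_udm key Panther adds.
        cur: Any = self
        for key in keys:
            if not isinstance(cur, dict) or key not in cur:
                return default
            cur = cur[key]
        return cur

    def udm(self, name: str) -> Any:
        # Resolve through the Data Model registered for this event's log type.
        mapping = DATA_MODELS.get(self.get("p_log_type", ""), {}).get(name)
        if mapping is None:
            return None
        if callable(mapping):
            return mapping(self)
        return self.deep_get(*mapping.split("."))

def source_ips(event: Event) -> Dict[str, Any]:
    """Same value reached two ways: p_udm Core Field vs Data Model field."""
    return {"core_field": event.deep_get("p_udm", "source", "address"),  # assumed path
            "data_model": event.udm("source_ip")}

# Constructed sample events carrying Panther-style p_ fields.
CLOUDTRAIL = Event({"p_log_type": "AWS.CloudTrail", "sourceIPAddress": "203.0.113.7",
                    "userIdentity": {"userName": "alice"}, "p_udm": {"source": {"address": "203.0.113.7"}}})
OKTA = Event({"p_log_type": "Okta.SystemLog", "client": {"ipAddress": "198.51.100.9"},
              "actor": {"alternateId": "bob@example.com"}, "p_udm": {"source": {"address": "198.51.100.9"}}})
```

The Core Field path is the same for both log types, whereas the Data Model lookup follows a different mapping for each, which is the practical difference between the two accessors.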
For more information about Core Fields and Data Models for detections, see our documentation here.