How does Panther match custom schemas if multiple schemas are used?

Last updated
Save as PDF

QUESTION

How does Panther match custom schemas if multiple schemas are used? What are the best practices when using multiple schemas when matching against logs?

ANSWER

How Panther matches schemas:

The order in which a schema match is performed is random.

For an example of the schema ordering process when a file comes through:

On the first line, we try the schema randomly.
If not matched (Failure):
We try again randomly.
In this example, the second schema Matched (Success).
Second line: We will try the second schema first (the one matched).

On the next file, we will try again the schemas randomly.

Best practices when using multiple schemas when matching against logs

Use Prefix Filters.
If you can't use Prefix Filters, use validate allow options.
Use required: true on unique fields (make sure they are in every event).