How does the "validate" attribute work in Panther custom schemas?


When running schema validation on a log that includes a value in the deny list of a field, this field should not get filled in.

  • If the field is required, then the schema will be disqualified for processing with this schema. (Classification Failure occurs if no other log type matches.)
  • If this is not a required field, then the field will just not get filled in. (No Classification Failure.)

Schema #1

# Will only allow 'login' and 'logout' event types to match this log type
- name: event_type
  type: string
  validate:
    allow: ["login", "logout"]

Schema #2

# Will match any event type other than 'login' and 'logout'
- name: event_type
  type: string
  validate:
    deny: ["login", "logout"]

In this first example, neither field is required in its schema. If the value of event_type is 'login' and the event meets the requirements to process with Schema #1 (all required fields are present and type-matched), the event_type field will be filled in as well, because that value is on the allow list. If instead the event meets the requirements to process with Schema #2, the event_type field will not be filled in, because the value 'login' is on the deny list. Let's change them to be required fields:

Schema #1

# Will only allow 'login' and 'logout' event types to match this log type
- name: event_type
  type: string
  required: true
  validate:
    allow: ["login", "logout"]

Schema #2

# Will match any event type other than 'login' and 'logout'
- name: event_type
  type: string
  required: true
  validate:
    deny: ["login", "logout"]

In this example, an event must contain event_type in order to be processed by either of these schemas. If an event comes in with event_type 'login', Schema #1 will meet the requirements and process fine, assuming the other requirements are also met.

If the same event comes in through a log source that only contains a log type with Schema #2, the event will trigger a classification failure: the required field event_type, whose value cannot be 'login' or 'logout', is treated as not present.

In this second example, if both log types for these schemas exist within a log source, the requirements are mutually exclusive and the event will only match Schema #1's log type.
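The classification rules above, modelled as an added example (this is not Panther's own parser): the schemas, the `make_schema`, `value_passes`, `apply_schema` and `classify` helpers and the sample events are all constructed here, and only the string type is checked.

```python
from typing import Optional

# Constructed schemas mirroring Schema #1 and Schema #2 from the text.
def make_schema(name: str, required: bool, validate: dict) -> dict:
    return {"name": name, "fields": [
        {"name": "event_type", "type": "string",
         "required": required, "validate": validate}]}

SCHEMA_1 = make_schema("Schema #1", True, {"allow": ["login", "logout"]})
SCHEMA_2 = make_schema("Schema #2", True, {"deny": ["login", "logout"]})

def value_passes(value: str, validate: dict) -> bool:
    """validate.allow accepts only the listed values; validate.deny rejects
    the listed values and accepts everything else."""
    if "allow" in validate and value not in validate["allow"]:
        return False
    if "deny" in validate and value in validate["deny"]:
        return False
    return True

def apply_schema(schema: dict, event: dict) -> Optional[dict]:
    """Return the fields this schema fills in, or None when the schema is
    disqualified (a required field is absent, mistyped or fails validation)."""
    parsed = {}
    for field in schema["fields"]:
        raw = event.get(field["name"])
        # Only type 'string' is modelled here; a value failing validation is
        # handled exactly like a missing value.
        ok = isinstance(raw, str) and value_passes(raw, field.get("validate", {}))
        if ok:
            parsed[field["name"]] = raw
        elif field.get("required", False):
            return None  # schema disqualified for this event
        # optional field that fails validation: simply left unfilled
    return parsed

def classify(schemas: list, event: dict) -> tuple:
    """First schema in the log source whose requirements the event meets
    wins; (None, {}) means no log type matched: a Classification Failure."""
    for schema in schemas:
        parsed = apply_schema(schema, event)
        if parsed is not None:
            return schema["name"], parsed
    return None, {}

if __name__ == "__main__":
    print(classify([SCHEMA_1, SCHEMA_2], {"event_type": "login"}))
    print(classify([SCHEMA_2], {"event_type": "login"}))  # (None, {})
```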