How to resolve "PantherError: a data model hasn't been specified for this log type".

Last updated
Save as PDF

Issue

One or more of your detections are erroring out, with the error message:

PantherError("a data model hasn't been specified for log type", '<A_LOG_TYPE>')

Resolution

To resolve this error:

In the Panther Console, navigate to Build > Data Models.
Configure the filters to display only models for the chosen log type, such as AWS.CloudTrail or Okta.Systemlog.
- If a model exists, but is disabled, enable it.
- If no model exists, create one. You can reference our specifications for custom data models for guidance.

Note that some data models are managed by Panther Packs, meaning they can be automatically enabled or disabled according to the whether the pack is enabled or not.

Cause

This can happen if your detection code utilized a helper function which requires a data model to be defined. When Panther attempts to locate the data model for the event, it fails, because there is no data model or it is disabled. Creating or enabling the data model resolves this issue.