QUESTION

 Why doesn’t Panther store native schema yml files in the panther-analysis repository?

ANSWER

Those files were originally provided for reference, and we have since stopped adding new native schema files to that repository. The native Panther schemas are not intended to be managed from the repository.

If you'd like to modify a native schema, open your Panther Console, navigate to the schema, and click "Clone". You'll then be prompted to make your updates on the cloned copy of the native schema; the native schema itself stays unchanged.

If your workflow is based on CI/CD, you can create a new schema file in your forked Panther repo and upload it via CI/CD. One thing to note here is that the custom schema name must start with the Custom. prefix. The Panther Analysis Tool (PAT) command for that purpose is update-custom-schemas. You can find more details about the process in the section Uploading log schemas with the Panther Analysis Tool of our documentation.
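The CI/CD route described above, as an added example that is not part of the original answer or of Panther's own tooling: it stages a constructed custom schema file, checks the naming rule from the answer (the schema name must begin with Custom.) before anything is uploaded, and then shows the PAT upload command. The schema field names, the directory layout and the --path flag are assumptions for illustration; the custom schema is a constructed sample, not a real Panther schema.

```shell
#!/bin/sh
# Added example (not Panther's code): stage a custom schema for a CI/CD upload
# with the Panther Analysis Tool and enforce the "Custom." naming rule first.
# Assumptions: the directory layout and the --path flag are illustrative.

WORKDIR="$(mktemp -d)"
SCHEMA_DIR="$WORKDIR/schemas"
mkdir -p "$SCHEMA_DIR"

# Constructed sample schema (hypothetical application log); field names and
# types are illustrative only.
cat > "$SCHEMA_DIR/Custom.ExampleAppLog.yml" <<'EOF'
schema: Custom.ExampleAppLog
description: Constructed example of a custom schema managed from a repo
fields:
  - name: timestamp
    required: true
    type: timestamp
    timeFormat: rfc3339
    isEventTime: true
  - name: user
    type: string
  - name: action
    type: string
EOF

# Returns 0 if the file's "schema:" value starts with "Custom.", 1 otherwise.
# A name without the prefix is rejected so that a CI job never tries to push
# a native schema (which is not managed from the repository) to Panther.
check_custom_prefix() {
  name="$(sed -n 's/^schema:[[:space:]]*//p' "$1" | head -n 1)"
  case "$name" in
    Custom.*) return 0 ;;
    *) echo "refusing $1: schema name '$name' lacks the Custom. prefix" >&2
       return 1 ;;
  esac
}

# Checks every .yml file in a directory; fails on the first bad one so the
# CI step stops before the upload.
check_schema_dir() {
  for f in "$1"/*.yml; do
    check_custom_prefix "$f" || return 1
  done
  return 0
}

if check_schema_dir "$SCHEMA_DIR"; then
  # The upload step from the answer. Printed rather than executed so the
  # example runs without Panther credentials; in CI you would run it.
  echo "panther_analysis_tool update-custom-schemas --path $SCHEMA_DIR"
fi
```

In a pipeline, run the check as its own step ahead of the update-custom-schemas step, so a mis-named file fails the build with a clear message instead of surfacing as an upload error.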