How does Panther match schemas when multiple schemas are used, and what are the best practices for matching multiple schemas against logs?
How Panther matches schemas:
When several schemas are attached to a log source, the order in which they are tried against a new file is random. Once a schema matches a line, that schema is tried first for the following lines of the same file.
Example of the ordering process for a file with two candidate schemas:
First line: one schema is picked at random and tried. It does not match (failure).
The other schema is tried next. It matches (success).
Second line: the schema that matched is tried first.
Next file: the schemas are again tried in random order.
Because the first attempt is random, two schemas that both accept the same line can be chosen interchangeably, so ambiguous schemas lead to events landing in the wrong log type.
Best practices when using multiple schemas to match against logs
Use prefix filters so that each schema only sees the files intended for it.
If you cannot use prefix filters, use the validate allow options.
Use required: true on fields that are unique to a log type (make sure they are present in every event of that type and absent from the others).
Use validate allow/deny on string fields to restrict matching further by declaring a list of values to allow or deny. This lets different log types share overlapping field names while differing on the values of those fields.
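The following is an added model of the matching behaviour described above, written for this page and not Panther's own code. It mimics the random first try per file and the stick-with-the-last-match rule, and compares two constructed schemas that share every field name: one pair without constraints, and the same pair with the required and validate allow options from the best practices. The schema dicts only borrow Panther's field keys (required, validate.allow, validate.deny); the matcher itself and the sample log lines are assumptions made for the illustration.

```python
"""Model of Panther-style schema matching over JSON log lines.

Added illustration, not Panther's implementation: it reproduces the
documented behaviour (random schema order on the first line of a file,
the last matching schema tried first afterwards) so the effect of
`required` and `validate.allow` on ambiguous schemas can be seen offline.
"""
import json
import random

# Two constructed schemas that share every field name and have no
# constraints. Either one accepts every event, so the random first try
# decides the log type.
LOOSE_SCHEMAS = {
    "Custom.Auth": {"fields": [{"name": "event", "type": "string"},
                               {"name": "user", "type": "string"}]},
    "Custom.Audit": {"fields": [{"name": "event", "type": "string"},
                                {"name": "user", "type": "string"}]},
}

# The same pair with `required: true` and a `validate.allow` list on the
# overlapping `event` field, as the best practices above recommend.
STRICT_SCHEMAS = {
    "Custom.Auth": {"fields": [
        {"name": "event", "type": "string", "required": True,
         "validate": {"allow": ["login", "logout"]}},
        {"name": "user", "type": "string", "required": True}]},
    "Custom.Audit": {"fields": [
        {"name": "event", "type": "string", "required": True,
         "validate": {"allow": ["create", "delete"]}},
        {"name": "user", "type": "string", "required": True}]},
}

# Constructed sample files: one from each log type.
AUTH_FILE = ['{"event": "login", "user": "alice"}',
             '{"event": "logout", "user": "alice"}']
AUDIT_FILE = ['{"event": "create", "user": "bob"}',
              '{"event": "delete", "user": "bob"}']


def field_matches(field, event):
    """Apply type, required, and allow/deny checks for one field."""
    name = field["name"]
    if name not in event:
        return not field.get("required", False)
    value = event[name]
    if field.get("type") == "string" and not isinstance(value, str):
        return False
    validate = field.get("validate", {})
    if "allow" in validate and value not in validate["allow"]:
        return False
    if "deny" in validate and value in validate["deny"]:
        return False
    return True


def schema_matches(schema, event):
    return all(field_matches(f, event) for f in schema["fields"])


def classify_file(lines, schemas, rng):
    """Return the schema name chosen for each line of one file (None if no match)."""
    names = list(schemas)
    rng.shuffle(names)  # random order for the first line of every file
    last = None
    chosen_per_line = []
    for line in lines:
        event = json.loads(line)
        # After a match, the matching schema is tried first for later lines.
        order = names if last is None else [last] + [n for n in names if n != last]
        chosen = next((n for n in order if schema_matches(schemas[n], event)), None)
        chosen_per_line.append(chosen)
        if chosen is not None:
            last = chosen
    return chosen_per_line


def classify_with_seed(lines, schemas, seed):
    return classify_file(lines, schemas, random.Random(seed))


def misrouted_auth_lines(schemas, trials=200):
    """Count auth-file lines that end up in Custom.Audit across seeded runs."""
    return sum(
        classify_with_seed(AUTH_FILE, schemas, seed).count("Custom.Audit")
        for seed in range(trials)
    )


if __name__ == "__main__":
    print("loose schemas, auth lines routed to Audit:", misrouted_auth_lines(LOOSE_SCHEMAS))
    print("strict schemas, auth lines routed to Audit:", misrouted_auth_lines(STRICT_SCHEMAS))
    print("strict schemas, event missing user:",
          classify_with_seed(['{"event": "login"}'], STRICT_SCHEMAS, 1))
```

With the loose pair, a large share of the constructed auth lines are routed to Custom.Audit depending on the seed; with the strict pair the same lines always go to Custom.Auth, the audit lines always go to Custom.Audit, and an event missing the required user field matches nothing instead of being silently accepted by whichever schema came first.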