Can't attach new custom schema to a log source after uploading via the panther_analysis_tool

Issue

When trying to upload custom schemas using the panther_analysis_tool, I can see my new schemas in the Panther Console under Configure > Schemas, but when I'm trying to attach one of my custom schemas to a log source, it doesn't populate when I start typing "Custom".

Resolution

To resolve this issue:

• Check that your schemas include the schema field in your yaml file. (Example)

• Ensure that the schema ID listed in the above schema field includes the following:

  • The ID starts with Custom

  • The ID uses capital letters following period separators '.' (Example: Custom.Mycompany.Custom.Schema)

• Log out and back in to the Panther Console to force a refresh on the auto-complete.

Cause

This issue occurs when either the schema doesn't follow the naming guidelines or the Panther Console has stale data cached for schema auto-complete.