Why is PAT showing the error "LOG_TYPE_REGEX does not match '...'" or "LOG_TYPE_REGEX(\\.[A-Z][A-Za-z0-9]*){0,5})$')) did not validate 'Github.Audit'"?

Last updated: July 14, 2025

ISSUE

Panther Analysis Tool (PAT) is showing an error similar to the following:

LOG_TYPE_REGEX does not match 'Your.Log.Type'

where Your.Log.Type is the log type of one of your detections.

Another similar error that you might run into is: Key 'LogTypes' error: LOG_TYPE_REGEX(\\.[A-Z][A-Za-z0-9]*){0,5})$')) did not validate 'Github.Audit'.

RESOLUTION

To troubleshoot, first verify that your Panther Analysis Tool is up to date. Older versions of PAT may not support certain log types. Our documentation contains information on how to update PAT. Please ensure that you check and update PAT on your local machine, as well as in your GitHub Action if that is part of your workflow.

If updating does not resolve your issue, or your PAT client is already up to date, please ensure that the log type in your YAML file is spelled correctly. A misspelled name can also raise this error. For example, if you run into the above error about the log type GitHub.Audit, please ensure that in all rule files (.yml), you use "GitHub" with a capital "H" in LogTypes declarations:

LogTypes:
- GitHub.Audit

This matches the required format for GitHub-related log types in Panther and will prevent pipeline validation failures.
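To find this kind of case mismatch before running PAT, the following added example (not part of PAT or Panther's own code) scans the LogTypes entries of a rule file and suggests the correctly cased name. The allow-list, the sample rule, and the function names are assumptions constructed for illustration; replace the allow-list with the log types your Panther instance supports.

```python
import re
import sys

# Sample allow-list (assumption): replace with the log types your Panther instance supports.
KNOWN_LOG_TYPES = {"GitHub.Audit", "AWS.CloudTrail"}

# Constructed sample rule containing the misspelling discussed above.
SAMPLE_RULE = """\
AnalysisType: rule
RuleID: Sample.Constructed.Rule
LogTypes:
  - Github.Audit
  - AWS.CloudTrail
Severity: Low
"""

def extract_log_types(yaml_text):
    """Return (line_number, value) for each LogTypes entry (block or inline list)."""
    entries, in_block = [], False
    for no, raw in enumerate(yaml_text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        header = re.match(r"^LogTypes:\s*(.*)$", line)
        if header:
            rest = header.group(1).strip()
            in_block = not rest.startswith("[")
            if not in_block:  # inline form: LogTypes: [A, B]
                for v in rest.strip("[]").split(","):
                    if v.strip():
                        entries.append((no, v.strip().strip("'\"")))
            continue
        item = re.match(r"^\s*-\s*(.+)$", line) if in_block else None
        if item:
            entries.append((no, item.group(1).strip().strip("'\"")))
        else:
            in_block = False  # any other key ends the LogTypes block
    return entries

def check_log_types(yaml_text, known=KNOWN_LOG_TYPES):
    """Return (line_number, value, suggestion) for entries not in the allow-list."""
    by_lower = {k.lower(): k for k in known}
    return [(no, v, by_lower.get(v.lower()))
            for no, v in extract_log_types(yaml_text) if v not in known]

if __name__ == "__main__":
    texts = [open(p).read() for p in sys.argv[1:]] or [SAMPLE_RULE]
    for text in texts:
        for no, value, hint in check_log_types(text):
            print(f"line {no}: '{value}'" + (f" -> did you mean '{hint}'?" if hint else " is not in the allow-list"))
```

Entries with no case-insensitive match are reported without a suggestion; those are the ones to check against an outdated PAT version rather than a spelling error.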

CAUSE

When PAT encounters an unfamiliar log type, it raises the above error.

Often, this is due to PAT being out of date. When Panther adds support for a new log type, it's important to keep your CI/CD tools (like PAT and pantherlog) updated. If those tools are not updated, they will not recognize the new log types as valid, resulting in the error shown above.

It can also occur when the spelling of the log type is not identical to what Panther expects. For example, using "Github" (with a lowercase "h") will trigger validation errors during the pipeline checks.