How do I use the validate feature in schemas in Panther?
When running schema validation on a log that includes a value in the deny list of a field, that field should not get filled in. If the field is required, the event is disqualified from processing with this schema (a Classification Failure occurs if no other log type matches). If the field is not required, the field simply does not get filled in (no Classification Failure).
Schema #1

  # Will only allow 'login' and 'logout' event types to match this log type
  - name: event_type
    type: string
    validate:
      allow: ["login", "logout"]

Schema #2

  # Will match any event type other than 'login' and 'logout'
  - name: event_type
    type: string
    validate:
      deny: ["login", "logout"]
In this first example, neither field is required in its schema. If the value of event_type is 'login' and the event meets the requirements to process with Schema #1 (all required fields are present and type-matched), the event_type field will be filled in as well, because that value is on the allow list. If instead the event meets the requirements to process with Schema #2, the event_type field will not be filled in, because the value 'login' is on the deny list. Let's change them to be required fields:
Schema #1

  # Will only allow 'login' and 'logout' event types to match this log type
  - name: event_type
    type: string
    required: true
    validate:
      allow: ["login", "logout"]

Schema #2

  # Will match any event type other than 'login' and 'logout'
  - name: event_type
    type: string
    required: true
    validate:
      deny: ["login", "logout"]
In this example, event_type is a field that an event must contain in order to be processed by either of these schemas. If an event comes in with event_type 'login', Schema #1 will meet the requirements and process fine, assuming the other requirements are also met.
If the same event comes in through a log source that only contains a log type with Schema #2, the event will trigger a Classification Failure, because the required field event_type, whose value may not be 'login' or 'logout', is treated as not present.
In this second example, if both log types for these schemas exist within a log source, the requirements are mutually exclusive and the event will only match Schema #1's log type.
One thing to keep in mind is that when working with fields that have the array type, the validate attribute should be applied on each nested string element inside the array (under element), not at the top level of the field. This is demonstrated in the example below:
fields:
  - name: array_of_fields
    required: true
    type: array
    element:
      type: string
      validate:
        allow:
          - value1
          - value2
          - value3
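To make the required/optional behaviour and the per-element array validate concrete, here is a small Python model of the rules described above (added example, not Panther's own classifier). The log type names "Custom.One" and "Custom.Two" are constructed, and it assumes an array is accepted only when every element passes its validate block.

```python
from typing import Any, Optional

# Schema #1 and Schema #2 from the text (the required: true versions), as dicts.
SCHEMA_1 = [{"name": "event_type", "type": "string", "required": True,
             "validate": {"allow": ["login", "logout"]}}]
SCHEMA_2 = [{"name": "event_type", "type": "string", "required": True,
             "validate": {"deny": ["login", "logout"]}}]

def passes_validate(validate: dict, value: str) -> bool:
    """A string passes if it is on the allow list, or absent from the deny list."""
    if "allow" in validate:
        return value in validate["allow"]
    if "deny" in validate:
        return value not in validate["deny"]
    return True

def accepted(field: dict, value: Any) -> bool:
    """Type check plus validate. For arrays, validate lives on the element
    definition and is applied to each string element (assumption: all must pass)."""
    if field["type"] == "string":
        return isinstance(value, str) and passes_validate(field.get("validate", {}), value)
    if field["type"] == "array":
        return isinstance(value, list) and all(accepted(field["element"], v) for v in value)
    return False

def parse(fields: list, event: dict) -> Optional[dict]:
    """Parsed event, or None when a required field is missing or rejected."""
    out = {}
    for field in fields:
        value = event.get(field["name"])
        if value is not None and accepted(field, value):
            out[field["name"]] = value      # field gets filled in
        elif field.get("required"):
            return None                     # schema disqualified for this event
        # an optional field that fails validate is simply left unfilled
    return out

def classify(log_types: dict, event: dict):
    """First log type in the source whose schema accepts the event;
    None means a Classification Failure."""
    for name, fields in log_types.items():
        parsed = parse(fields, event)
        if parsed is not None:
            return name, parsed
    return None

if __name__ == "__main__":
    # Source with only Schema #2: 'login' is denied on a required field -> None
    print(classify({"Custom.Two": SCHEMA_2}, {"event_type": "login"}))
    # Source with both log types: 'login' matches Schema #1 only
    print(classify({"Custom.One": SCHEMA_1, "Custom.Two": SCHEMA_2}, {"event_type": "login"}))
```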