How do I use the validate feature in schemas in Panther?
When a log is validated against a schema and a field's value is on that field's deny list (or absent from its allow list), the field is not filled in. What happens next depends on whether the field is required:
If the field is required, the event is disqualified from processing with this schema. (A Classification Failure occurs if no other log type in the log source matches.)
If the field is not required, the field is simply left unfilled and the event is still processed with the schema. (No Classification Failure.)
Schema #1
# Will only allow 'login' and 'logout' event types to match this log type
- name: event_type
  type: string
  validate:
    allow: ["login", "logout"]
Schema #2
# Will match any event type other than 'login' and 'logout'
- name: event_type
  type: string
  validate:
    deny: ["login", "logout"]
In this first example, event_type is not required in either schema. If the value of event_type is 'login' and the event meets the other requirements of Schema #1 (all required fields are present and type-matched), the event_type field is filled in as well, because that value is on the allow list. If instead the event meets the requirements of Schema #2, the event_type field is not filled in, because 'login' is on the deny list, but the event is still processed with Schema #2 since the field is optional. Now let's make event_type a required field in both schemas:
Schema #1
# Will only allow 'login' and 'logout' event types to match this log type
- name: event_type
  type: string
  required: true
  validate:
    allow: ["login", "logout"]
Schema #2
# Will match any event type other than 'login' and 'logout'
- name: event_type
  type: string
  required: true
  validate:
    deny: ["login", "logout"]
In this second example, event_type is a required field, so an event must contain it with a value that passes validation in order to be processed by either schema. If an event comes in with event_type 'login', it meets Schema #1's requirements and is processed normally, assuming its other requirements are also met.
If the same event arrives from a log source whose only log type uses Schema #2, it triggers a Classification Failure: 'login' is on the deny list, so the required field event_type is treated as absent and the event cannot be processed with Schema #2.
If a log source contains both log types, the two schemas are mutually exclusive on this field: an event whose event_type is 'login' or 'logout' matches only Schema #1's log type, and an event with any other event_type value matches only Schema #2's log type.
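The behaviour described in both examples, modelled as a small Python simulation. This is an added example and not Panther's own classification code: the schemas are written as Python dicts that mirror the YAML fragments above (the log type names Custom.Schema1 and Custom.Schema2 are assumed), the sample events are constructed, and the rule that a source's log types are tried in list order is a simplifying assumption of the model rather than a statement about how Panther orders them.

```python
"""Toy model of how `validate: allow` / `validate: deny` interact with `required`.

Added example, not Panther's own classification code. Schemas are plain dicts
that mirror the YAML fragments on this page; log type names are assumed.
"""

# Schema field types this model understands, mapped to Python types.
PY_TYPES = {"string": str, "int": int, "float": float, "boolean": bool}


def event_type_schema(log_type, validate, required):
    """Build a one-field schema in the shape of the page's Schema #1 / Schema #2."""
    return {
        "logType": log_type,
        "fields": [{
            "name": "event_type",
            "type": "string",
            "required": required,
            "validate": validate,
        }],
    }


# The two validate blocks from the page's examples.
ALLOW_LOGIN_LOGOUT = {"allow": ["login", "logout"]}
DENY_LOGIN_LOGOUT = {"deny": ["login", "logout"]}


def value_passes(value, validate):
    """Allow list: value must be listed. Deny list: value must not be listed."""
    if not validate:
        return True
    if "allow" in validate and value not in validate["allow"]:
        return False
    if "deny" in validate and value in validate["deny"]:
        return False
    return True


def match_schema(event, schema):
    """Return the parsed event if `event` can be processed with `schema`, else None.

    A field whose value is missing, has the wrong type, or fails validation is
    treated as absent: if the field is required the event is disqualified from
    this schema; if it is optional the field is simply not filled in.
    """
    parsed = {}
    for field in schema["fields"]:
        value = event.get(field["name"])
        present = (
            value is not None
            and isinstance(value, PY_TYPES[field["type"]])
            and value_passes(value, field.get("validate"))
        )
        if present:
            parsed[field["name"]] = value
        elif field.get("required", False):
            return None
    return parsed


def classify(event, log_source_schemas):
    """Return (logType, parsed_event) for the first matching schema, or None.

    None models a Classification Failure: no log type in the source matched.
    Trying the log types in list order is a simplification of this model.
    """
    for schema in log_source_schemas:
        parsed = match_schema(event, schema)
        if parsed is not None:
            return schema["logType"], parsed
    return None


if __name__ == "__main__":
    # Constructed sample events and the assumed log type names.
    login = {"event_type": "login"}
    delete = {"event_type": "delete"}
    s1 = event_type_schema("Custom.Schema1", ALLOW_LOGIN_LOGOUT, required=True)
    s2 = event_type_schema("Custom.Schema2", DENY_LOGIN_LOGOUT, required=True)
    s2_optional = event_type_schema("Custom.Schema2", DENY_LOGIN_LOGOUT, required=False)
    print("login, source has only Schema #2 (required):", classify(login, [s2]))
    print("login, source has both log types:", classify(login, [s2, s1]))
    print("login, Schema #2 with optional field:", classify(login, [s2_optional]))
    print("delete, source has both log types:", classify(delete, [s1, s2]))
```

Running the block prints a Classification Failure (None) for the 'login' event against a source holding only the required-field Schema #2, a match on Custom.Schema1 when both log types are present, a match on Custom.Schema2 with an empty parsed event when the field is optional, and a match on Custom.Schema2 for a 'delete' event. The first two lines are the second example on this page; the third is the first example's optional-field case.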