1/23/25: Upcoming Lookup Table Selector validation update
Last updated: February 5, 2025
Hi team,
We will be deploying a patch version of Panther the week of February 10th, 2025 that introduces validation on Lookup Table Selector values, checking that their JSON paths match a field in the associated Lookup Table schema. This validation will help ensure that incoming logs are properly enriched.
Previously, panther-analysis contained incorrect JSON paths for a small number of Lookup Table Selectors. A fix (visible in this pull request) was included in v3.70.0. To make sure you are using the updated Selectors in panther-analysis, as well as avoiding validation errors for your own custom Lookup Tables, please take the following steps:
If you upload detection content (that is a fork or clone of panther-analysis) to Panther using Panther Analysis Tool (PAT) or the Bulk Uploader in the Console, please update to panther-analysis version 3.70.0 or higher.
If you use IPinfo or Tor Exit Nodes Lookup Tables and manage them in the Console, please update their Detection Packs to version 3.70.0 or higher. These Packs are named "IPInfo" and "Tor Lookup Tables" respectively. In general, it’s recommended to keep all packs updated to the latest version.
If you have any Custom Lookup Tables, please ensure their Selector values each perfectly match a field in the associated schema.
After you receive the aforementioned patch, if you meet any of the above criteria but have not made the necessary changes, you will receive an error similar to "The selector $.spec.clusterIP failed validation: JSON path '.spec.clusterIP': schema does not contain spec." in the Panther Console and/or when attempting to upload detection content to Panther with PAT.
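A local pre-upload check for Custom Lookup Table Selectors, as an added example (not Panther's own validator and not code from panther-analysis): it walks each Selector's JSON path through a schema's nested fields and reports any path with no exactly matching field. The schema layout, the names check_selector and validate_selectors, the sample data, and the limited path syntax (dotted names and [*]) are assumptions for illustration; the error wording is modelled on the message quoted above.

```python
import re

# Constructed sample schema in a nested name/type/fields shape (assumed layout).
SAMPLE_SCHEMA = {"fields": [
    {"name": "metadata", "type": "object",
     "fields": [{"name": "name", "type": "string"}]},
    {"name": "addresses", "type": "array",
     "element": {"type": "object", "fields": [{"name": "ip", "type": "string"}]}},
]}

SEGMENT = re.compile(r"([^.\[\]]+)(\[\*\])?")  # "field" or "field[*]"

def check_selector(selector, schema):
    """Return None if the selector names a schema field, else an error string."""
    prefix = f"The selector {selector} failed validation: "
    if not selector.startswith("$."):
        return prefix + "JSON path must start with '$.'"
    path = selector[1:]                      # "$.spec.clusterIP" -> ".spec.clusterIP"
    node = schema
    for part in path[1:].split("."):
        m = SEGMENT.fullmatch(part)
        if m is None:
            return prefix + f"JSON path '{path}': unsupported segment '{part}'"
        name, wildcard = m.groups()
        # Exact, case-sensitive comparison against the field names at this level.
        fields = {f["name"]: f for f in node.get("fields", [])}
        if name not in fields:
            return prefix + f"JSON path '{path}': schema does not contain {name}"
        node = fields[name]
        if node.get("type") == "array":
            node = node.get("element", {})   # descend into the element definition
        elif wildcard:
            return prefix + f"JSON path '{path}': {name} is not an array"
    return None

def validate_selectors(selectors, schema):
    """Return the error strings for every selector that fails the check."""
    return [e for e in (check_selector(s, schema) for s in selectors) if e]

if __name__ == "__main__":
    for err in validate_selectors(
            ["$.metadata.name", "$.addresses[*].ip", "$.spec.clusterIP"], SAMPLE_SCHEMA):
        print(err)
```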
If you have any questions or concerns, please reach out to the Support team!