`Custom.` prefix in their name and can be used wherever a 'native' Log Type is used:
`Custom.SampleAPI`) and write or paste your YAML Log Schema definition. Use the 'Validate Syntax' button at the bottom to verify your schema contains no errors and hit 'Save'.
Note that the 'Validate Syntax' button only checks the syntax of the Log Schema. 'Save' might still fail due to name conflicts.
`Custom.SampleAPI` Log Type. Once Panther receives events from this Source, it will process the logs and store the Log Events to the `custom_sampleapi` table. You can now write Rules to match against these logs and query them using the Data Explorer.
`parser` configuration to fix bugs or add new patterns.
`type` of an existing field (this includes the element type for
`parser` field of the Log Schema. Panther provides the following parsers for non-JSON formatted logs:
`pantherlog` and an executable for each platform is provided with the release. The executables can be downloaded from the `panther-community` S3 bucket, see more details on the operations help page.
`sample_logs.jsonl` and output to
WARNING: The tool has the following limitations:
- It will identify a string as a timestamp only if the string is in RFC3339 format. Make sure to review the schema after it is generated by the tool and identify fields that should be of type
- It will not mark any timestamp field as `isEventTime: true`. Make sure to select the appropriate `timestamp` field and mark it as `isEventTime: true`. For more information regarding
- It is able to infer only 3 types of indicators:
`url`. Make sure to review the fields and add more indicators as appropriate.

Make sure to review the schema generated and edit it appropriately before deploying to your production environment!
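As an added example (not from the Panther documentation or the `pantherlog` tool), here is the kind of edit the warnings above call for: a constructed schema in the shape `pantherlog` infers from sample logs, followed by its reviewed version for the `Custom.SampleAPI` Log Type from this page. The field names and the inferred types are assumptions; the key names (`schema`, `version`, `fields`, `type`, `timeFormat`, `isEventTime`, `indicators`) follow Panther's published Log Schema format.

```yaml
# Constructed example: schema roughly as pantherlog would infer it.
# The epoch-millisecond field is not RFC3339, so it is inferred as an
# integer, no field carries isEventTime, and only the IP and URL
# fields received indicators.
schema: Custom.SampleAPI
version: 0
fields:
  - name: event_ts
    type: bigint           # assumed inference for a value like 1614254234000
  - name: client_ip
    type: string
    indicators: [ip]
  - name: request_url
    type: string
    indicators: [url]
  - name: file_hash
    type: string           # a SHA-256 hex digest, left as a plain string
  - name: status
    type: int
---
# Reviewed version: apply these edits before saving the schema in Panther.
schema: Custom.SampleAPI
version: 0
fields:
  - name: event_ts
    type: timestamp        # 1. promote to timestamp with an explicit format
    timeFormat: unix_ms
    isEventTime: true      # 2. exactly one field marks the event time
    required: true
  - name: client_ip
    type: string
    indicators: [ip]
  - name: request_url
    type: string
    indicators: [url]
  - name: file_hash
    type: string
    indicators: [sha256]   # 3. add indicators the tool could not infer
  - name: status
    type: int
```

Run the reviewed schema through 'Validate Syntax' before saving; it checks only the YAML and field definitions, not whether the chosen event-time field matches your data.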
`stdout` and errors to
`sample_logs.jsonl` with the log schema in
`stdin` so it can be used in a pipeline:
`schema_tests.yml` file for a custom schema defined in