Log Schema Reference

In this guide, you will find common fields used to build YAML-based schemas when onboarding Custom Log Types and Lookup Table schemas.

LogSchema fields

Each log schema contains the following fields:

• fields ([]FieldSchema)

  • The fields in each Log Event.

• parser (ParserSpec)

  • Define a parser that will convert non-JSON logs to JSON.

CI/CD schema fields

Additionally, schemas defined using a CI/CD workflow can contain the following fields:

• schema (string)

  • The name of the schema

• description (string)

  • A short description that will appear in the UI

• referenceURL (string)

  • A link to an external document which specifies the log structure. Often, this is a link to a 3rd party's documentation.

• fieldDiscoveryEnabled (boolean)

  • Indicates whether field discovery will be enabled for this schema or not.

Example

The example below contains the CI/CD fields mentioned above.

schema: Custom.MySchema
description: (Optional) A handy description so I know what the schema is for.
referenceURL: (Optional) A link to some documentation on the logs this schema is for.
fieldDiscoveryEnabled: true
parser:
  csv:
    delimiter: ','
    hasHeader: true
fields:
- name: action
  type: string
  required: true
- name: time
  type: timestamp
  timeFormats:
    - unix

ParserSpec

A ParserSpec specifies a parser to use to convert non-JSON input to JSON. Only one of the following fields can be specified:

• fastmatch (FastmatchParser{}): Use fastmatch parser

• regex (RegexParser{}): Use regex parser

• csv (CSVParser{}): Use csv parser

  • Note: The columns field is required when there are multiple CSV schemas in the same log source.

See the fields for fastmatch, regex, and csv in the tabs below.

FieldSchema

A FieldSchema defines a field and its value. The field is defined by:

• name (string)

  • The name of the field.

• required (boolean)

  • If the field is required or not.

• description (string)

  • Some text documenting the field.

• copy (object)

  • If present, the field's value will be copied from the referenced object.

• rename (object)

  • If present, the field's name will be changed.

• concat (object)

  • If present, the field's value will be the combination of the values of two or more other fields.

• split (object)

  • If present, the field's value will be extracted from another string field by splitting it based on a separator.

• mask (object)

  • If present, the field's value will be masked.

Its value is defined using the fields of a ValueSchema.

ValueSchema

A ValueSchema defines a value and how it should be processed. Each ValueSchema has a type field that can be of the following values:

The fields of a ValueSchema depend on the value of the type.

Timestamps

Timestamps are defined by setting the type field to timestamp and specifying the timestamp format using the timeFormats field. Timestamp formats can be any of the built-in timestamp formats:

Defining a custom format

You can also define a custom format by using strftime notation. For example:

# The field is a timestmap using a custom timestamp format like "2020-09-14 14:29:21"
- name: ts
  type: timestamp
  timeFormats:
    - "%Y-%m-%d %H:%M:%S" # note the quotes required for proper YAML syntax

Panther's strftime format supports using %N code to parse nanoseconds. For example:

%H:%M:%S.%N can be used to parse 11:12:13.123456789

Using multiple time formats

When multiple time formats are defined, each of them will be tried sequentially until successful parsing is achieved:

- name: ts
  type: timestamp
  timeFormats:
    - rfc3339
    - unix

Timestamp values can be marked with isEventTime: true to tell Panther that it should use this timestamp as the p_event_time field. It is possible to set isEventTime on multiple fields. This covers the cases where some logs have optional or mutually exclusive fields holding event time information. Since there can only be a single p_event_time for every Log Event, the priority is defined using the order of fields in the schema.

Schema test cases that are used with the pantherlog test command must define the time field value in theresult payload formatted as YYYY-MM-DD HH:MM:SS.fffffffff. For backwards compatibility reasons, single time format configurations will retain the same format.

Example:

- name: singleFormatTimestamp
  type: timestamp
  timeFormats:
    - unix

input: >
  {
    "singleFormatTimestamp": "1666613239"
  }
result: >
  {
    "singleFormatTimestamp": "1666613239"
  }

When multiple time formats are defined:

- name: multipleFormatTimestamp
  type: timestamp
  timeFormats:
    - unix
    - rfc3339

input: >
  {
    "multipleFormatTimestamp": "1666613239"
  }
result: >
  {
    "multipleFormatTimestamp": "2022-10-24 12:07:19.459326000"
  }

Note on Lookup Table timestamp values

Timestamp values in Lookup Table schemas can also be marked with isExpiration: true. This is used to tell the Panther Rules Engine to ignore new data if the current time is after this timestamp. These can be useful to "time bound" alerts to independent indicators of compromise (IOCs) added via Lookup Tables, which make for richer alert context.

Indicators

Values of string type can be used as indicators. To mark a field as an indicator, set the indicators field to an array of indicator scanner names (more than one may be used). This will instruct Panther to parse the string and store any indicator values it finds to the relevant p_any_ field. For a list of values that are valid to use in the indicators field, see Standard Fields.

For example:

# Will scan the value as IP address and store it to `p_any_ip_addresses`
- name: remote_ip
  type: string
  indicators: [ ip ]

# Will scan the value as a domain name and/or IP address.
# Will store the result in `p_any_domain_names` and/or `p_any_ip_addresses`
- name: target_url
  type: string
  indicators: [ url ]

Validation - Allow/Deny lists

Values of string type can be further restricted by declaring a list of values to allow or deny. This allows to have different log types that have common overlapping fields but differ on values of those fields.

# Will only allow 'login' and 'logout' event types to match this log type
- name: event_type
  type: string
  validate:
    allow: [ "login", "logout"]
    
# Will match any event type other than 'login' and 'logout'
- name: event_type
  type: string
  validate:
    deny: [ "login", "logout"]

Validation by string type

Values of string type can be restricted to match well-known formats. Currently, Panther supports the ip and cidr formats to require that a string value be a valid IP address or CIDR range. Note that the ip and cidr validation types can be combined with allow or deny rules but it is somewhat redundant, for example, if you allow two IP addresses, then adding an ip validation will simply ensure that your validation will not include false positives if the IP addresses in your list are not valid.

# Will allow valid ipv4 IP addresses e.g. 100.100.100.100
- name: address
  type: string
  validate:
    ip: "ipv4"
    
# Will allow valid ipv6 CIDR ranges 
# e.g. 2001:0db8:85a3:0000:0000:0000:0000:0000/64
- name: address
  type: string
  validate:
    cidr: "ipv6"
    
# Will allow any valid ipv4 or ipv6 address
- name: address
  type: string
  validate:
    ip: "any"    

Using JSON Schema in an IDE

If your editor or IDE supports JSON Schema, you can download the JSON Schema file for validation and auto-completion by clicking this link.

JetBrains custom JSON schemas

See the JetBrains documentation for instructions on how to configure JetBrains IDEs to use custom JSON Schemas.

VSCode customer JSON schemas

See the VSCode documentation for instructions on how to configure VSCode to use JSON Schemas.

Stream type

While performing certain actions in the Panther Console, such as configuring an S3 bucket for Data Transport or inferring a custom schema from raw logs, you need to select a log stream type.

View example log events for each type below.