Check Schema
Synopsis
Validates event data against ASIM (Advanced Security Information Model) or OCSF (Open Cybersecurity Schema Framework) schema definitions, detecting schema drift by identifying missing fields, extra fields, and type mismatches.
Schema
```yaml
- check_schema:
    schema: <string>
    target_field: <string>
    check_mode: <string>
    validate_recommended: <boolean>
    validate_optional: <boolean>
    on_missing: <processor[]>
    on_extra: <processor[]>
    on_type_mismatch: <processor[]>
    description: <text>
    if: <script>
    ignore_failure: <boolean>
    on_failure: <processor[]>
    on_success: <processor[]>
    tag: <string>
```
Configuration
| Field | Required | Default | Description |
|---|---|---|---|
| schema | Y | - | Schema name to validate against (e.g., ASimNetworkSessionLogs, ASimAuthenticationEventLogs) |
| target_field | Y | - | Field name to store validation results |
| check_mode | N | both | Validation mode: `missing`, `extra`, or `both` |
| validate_recommended | N | false | Include recommended fields in validity check |
| validate_optional | N | false | Include optional fields in validity check |
| on_missing | N | - | Processors to execute when missing fields are detected |
| on_extra | N | - | Processors to execute when extra fields are detected |
| on_type_mismatch | N | - | Processors to execute when type mismatches are detected |
| description | N | - | Explanatory note |
| if | N | - | Condition to run |
| ignore_failure | N | false | See Handling Failures |
| on_failure | N | - | See Handling Failures |
| on_success | N | - | See Handling Success |
| tag | N | - | Identifier |
Details
The check_schema processor validates events against official schema definitions, detecting schema drift that occurs when vendor log formats change unexpectedly. It supports Microsoft Sentinel's ASIM schemas and OCSF schemas.
Validation Result Structure: Results are written to the target_field as a structured object:
```json
{
  "is_valid": false,
  "missing_required_fields": ["EventSchema", "EventVendor"],
  "missing_recommended_fields": ["DvcAction", "EventSeverity"],
  "missing_optional_fields": ["SrcNatIpAddr"],
  "extra_fields": ["CustomField1"],
  "type_mismatches": [
    {
      "field": "EventCount",
      "expected_type": "INT32",
      "actual_type": "STRING"
    }
  ]
}
```
Validation Levels:
- Required fields: Always checked when `check_mode` includes `missing`. Missing required fields make `is_valid` false.
- Recommended fields: Reported but don't affect validity unless `validate_recommended: true`.
- Optional fields: Reported but don't affect validity unless `validate_optional: true`.
- Extra fields: Detected when `check_mode` includes `extra`. Never affect validity (informational only).
- Type mismatches: Checked for present fields. Impact follows the field's requirement level.
Check Modes:
- `missing`: Only detect missing fields
- `extra`: Only detect extra fields not in schema
- `both`: Detect both missing and extra fields
Metadata Fields: Fields prefixed with @ (like @timestamp, @metadata) are automatically ignored during validation.
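The rules above (validation levels, check modes, and the `@`-prefix exclusion) can be hard to reason about together, for example when asking "does a type mismatch on an optional field make the event invalid?". The following is an added reference model written for this page; it is not the processor's own implementation. The schema table is a constructed, abbreviated subset whose field names are taken from the result example above, but the requirement levels and expected types assigned to them are assumptions made for the demonstration. It also assumes that type mismatches are checked whenever a field is present, regardless of `check_mode`, since the text does not tie them to a mode.

```python
"""Reference model of the check_schema validation rules (added example, not the processor's code)."""
import json

# Constructed schema subset: field -> (requirement level, expected type).
# Levels and types here are assumptions for illustration, not the official ASIM definition.
DEMO_SCHEMA = {
    "EventSchema": ("required", "STRING"),
    "EventVendor": ("required", "STRING"),
    "EventCount": ("required", "INT32"),
    "DvcAction": ("recommended", "STRING"),
    "EventSeverity": ("recommended", "STRING"),
    "SrcNatIpAddr": ("optional", "STRING"),
}

# Constructed events: one conforming, one showing every kind of drift at once.
DEMO_VALID_EVENT = {
    "@timestamp": "2024-01-01T00:00:00Z",
    "EventSchema": "NetworkSession", "EventVendor": "ExampleVendor",
    "EventCount": 1, "DvcAction": "Allow", "EventSeverity": "Low",
    "SrcNatIpAddr": "203.0.113.10",
}
DEMO_DRIFTED_EVENT = {
    "@metadata": {"pipeline": "demo"},   # ignored: @-prefixed
    "EventCount": "3",                    # present but STRING instead of INT32
    "CustomField1": "vendor-added",       # not in the schema
}


def actual_type(value):
    """Map a Python runtime value to the schema type names used in results."""
    if isinstance(value, bool):
        return "BOOLEAN"
    if isinstance(value, int):
        return "INT32"
    if isinstance(value, float):
        return "DOUBLE"
    if isinstance(value, str):
        return "STRING"
    return type(value).__name__.upper()


def check_schema(event, schema, check_mode="both",
                 validate_recommended=False, validate_optional=False):
    """Return the validation result object described in the Details section."""
    if check_mode not in ("missing", "extra", "both"):
        raise ValueError(f"invalid check_mode: {check_mode!r}")
    check_missing = check_mode in ("missing", "both")
    check_extra = check_mode in ("extra", "both")

    # Metadata fields prefixed with @ never take part in validation.
    fields = {k: v for k, v in event.items() if not k.startswith("@")}

    # Requirement levels that count toward is_valid.
    strict_levels = {"required"}
    if validate_recommended:
        strict_levels.add("recommended")
    if validate_optional:
        strict_levels.add("optional")

    result = {
        "is_valid": True,
        "missing_required_fields": [],
        "missing_recommended_fields": [],
        "missing_optional_fields": [],
        "extra_fields": [],
        "type_mismatches": [],
    }

    for name, (level, expected) in schema.items():
        if name not in fields:
            if check_missing:
                result[f"missing_{level}_fields"].append(name)
                if level in strict_levels:
                    result["is_valid"] = False
            continue
        actual = actual_type(fields[name])
        if actual != expected:
            result["type_mismatches"].append(
                {"field": name, "expected_type": expected, "actual_type": actual})
            # A mismatch has the same impact as a missing field of that level.
            if level in strict_levels:
                result["is_valid"] = False

    if check_extra:
        # Extra fields are informational only and never flip is_valid.
        result["extra_fields"] = sorted(f for f in fields if f not in schema)
    return result


if __name__ == "__main__":
    print(json.dumps(check_schema(DEMO_DRIFTED_EVENT, DEMO_SCHEMA), indent=2))
```

Running the module prints a result for the drifted event that matches the sample result object above field for field; passing `check_mode="extra"` suppresses the missing-field lists while still reporting the `EventCount` type mismatch, and `validate_recommended=True` turns a missing `DvcAction` from a report into a validity failure.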
For integration patterns, see Schema Drift Detection and Multi-Tier Pipelines.
Examples
Basic ASIM Validation
Validating a network session event against the ASIM schema...
All required fields present, validation passes...
Detecting Missing Fields
Event missing required fields triggers validation failure...
Missing required fields listed in result...
Detecting Extra Fields
Detecting fields not defined in the schema...
Extra fields detected but don't affect validity...
Conditional Processing Chains
Triggering alerts when schema drift is detected...
Conditional chains execute based on drift type...
Strict Validation
Including recommended fields in the validity check...
Missing recommended fields now affect validity...