Ingestion Filters

Drop incoming data either before or after it's parsed by a schema

Overview

Ingestion filters let you define conditions under which incoming data should be dropped, that is, not ingested into Panther. Dropped data does not count toward your ingestion quota, so filters are a way to ingest only the useful portion of high-volume log sources that would otherwise have been cost-prohibitive to connect to Panther.

Filtered-out events never pass through detections and are not stored in the data lake, so they cannot be queried later, for example during an incident investigation. Keep that in mind when writing filter conditions: a filter that is too broad silently removes evidence. After your filters have been configured, you can monitor filtered event volume.

Types of ingestion filters

Raw vs. normalized event filters

There are two types of ingestion filters in Panther:

  • Raw event filters: Applied on data before it is parsed by a log schema

  • Normalized event filters: Applied on data after it has been parsed by a log schema

If multiple raw or normalized filters are defined for a log source, there is no guarantee of the order they will run in. Because an event is ingested only if no filter drops it, the order does not change whether a given event is ingested.

Inclusion vs. exclusion filters

Both raw and normalized event filters can be created as inclusion or exclusion filters.

  • Inclusion filters: Events that match the filter will be ingested (so long as they are not dropped by another filter). Events that do not match the filter will be dropped.

  • Exclusion filters: Events that match the filter will be dropped. Events that do not match the filter will be ingested (so long as they are not dropped by another filter).
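The following is an added example, not Panther's own code or filter syntax: a small Python model of the semantics described above (raw filters see the unparsed line, normalized filters see the event produced by a schema, inclusion filters drop non-matching events, exclusion filters drop matching events). The log lines, the schema stand-in (`parse_event`) and the three filters are constructed for illustration. The `order_independent` check shows why the run order of filters cannot change the ingest/drop outcome, and `run` reports per-filter drop counts of the kind you would monitor after deploying filters.

```python
"""Model of ingestion filtering (illustrative only; not Panther's API).

Assumptions, none of which come from the documentation page:
  * a filter is a predicate plus a stage ("raw" / "normalized") and a kind
    ("inclusion" / "exclusion");
  * the schema is modelled by parse_event(), which turns a JSON line into a dict;
  * an event is ingested only if no filter in either stage drops it.
"""
from __future__ import annotations

import itertools
import json
from dataclasses import dataclass
from typing import Any, Callable

# Constructed sample lines for a hypothetical JSON web-access log.
RAW_LINES = [
    '{"level":"INFO","src":"10.0.0.5","path":"/healthz","status":200,"user":"-"}',
    '{"level":"DEBUG","src":"10.0.0.5","path":"/healthz","status":200,"user":"-"}',
    '{"level":"INFO","src":"203.0.113.9","path":"/admin","status":403,"user":"alice"}',
    '{"level":"INFO","src":"198.51.100.7","path":"/login","status":500,"user":"bob"}',
    '{"level":"WARN","src":"10.0.0.8","path":"/api/v1/items","status":200,"user":"carol"}',
]


@dataclass(frozen=True)
class Filter:
    name: str
    stage: str      # "raw": predicate sees the unparsed line; "normalized": sees the parsed event
    kind: str       # "inclusion": non-matching events are dropped; "exclusion": matching events are dropped
    predicate: Callable[[Any], bool]

    def drops(self, data: Any) -> bool:
        matched = self.predicate(data)
        return (not matched) if self.kind == "inclusion" else matched


def parse_event(line: str) -> dict:
    """Stand-in for the log schema: normalizes a raw line into typed fields."""
    return json.loads(line)


def decide(line: str, filters: list[Filter]) -> tuple[bool, list[str]]:
    """Return (ingested, sorted names of the filters that dropped the event)."""
    raw_drops = sorted(f.name for f in filters if f.stage == "raw" and f.drops(line))
    if raw_drops:
        return False, raw_drops          # dropped before parsing; the schema never runs
    event = parse_event(line)
    norm_drops = sorted(f.name for f in filters if f.stage == "normalized" and f.drops(event))
    return not norm_drops, norm_drops


def run(lines: list[str], filters: list[Filter]) -> dict:
    """Apply the filters to every line; return ingested events and per-filter drop counts."""
    ingested: list[dict] = []
    drop_counts = {f.name: 0 for f in filters}
    for line in lines:
        keep, reasons = decide(line, filters)
        if keep:
            ingested.append(parse_event(line))
        for name in reasons:
            drop_counts[name] += 1
    return {"ingested": ingested, "dropped": len(lines) - len(ingested), "drop_counts": drop_counts}


def order_independent(lines: list[str], filters: list[Filter]) -> bool:
    """True if every ordering of the filters yields the same decision for every line.

    Holds because the decision is a conjunction (ingest only if no filter drops),
    which is why the page can leave the run order unspecified.
    """
    baseline = [decide(line, filters) for line in lines]
    return all(
        [decide(line, list(perm)) for line in lines] == baseline
        for perm in itertools.permutations(filters)
    )


FILTERS = [
    # Raw exclusion: cheap substring match on the unparsed line, before any schema work.
    Filter("drop-debug", "raw", "exclusion", lambda line: '"level":"DEBUG"' in line),
    # Normalized exclusion: drop only *successful* health checks; failing ones stay visible.
    Filter("drop-healthy-healthchecks", "normalized", "exclusion",
           lambda e: e["path"] == "/healthz" and e["status"] == 200),
    # Normalized inclusion: keep errors and authenticated requests, drop everything else.
    Filter("keep-errors-or-authenticated", "normalized", "inclusion",
           lambda e: e["status"] >= 400 or e["user"] != "-"),
]

if __name__ == "__main__":
    summary = run(RAW_LINES, FILTERS)
    print(f"ingested={len(summary['ingested'])} dropped={summary['dropped']}")
    print("drop counts by filter:", summary["drop_counts"])
    print("order independent:", order_independent(RAW_LINES, FILTERS))
```

Two design points carry over to real filters: exclusion conditions should be as specific as the noise they target (dropping `/healthz` outright would also hide a health check that starts failing), and inclusion filters invert the default, so an event that matches no inclusion filter is dropped even if no exclusion filter names it.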
