Ingestion Filters
Drop incoming data either before or after it's parsed by a schema
Overview
Ingestion filters let you define conditions under which incoming data should be dropped—i.e., not ingested into Panther. This dropped data will not contribute to your ingestion quota. These filters can be useful, then, to partially ingest high-volume logs that may have previously been cost-prohibitive when connected with Panther.
Filtered-out events will not pass through detections, nor be stored in the data lake for later querying. After your filters have been configured, you can monitor filtered event volume.
Types of ingestion filters
Raw vs. normalized event filters
There are two types of ingestion filters in Panther:
Raw event filters: Applied on data before it is parsed by a log schema
Learn more on Raw Event Filters.
Normalized event filters: Applied on data after it has been parsed by a log schema
Learn more on Normalized Event Filters.
If multiple raw or normalized filters are defined for a log source, there is no guarantee of the order they will run in.
Inclusion vs. exclusion filters
Both raw and normalized event filters can be created as inclusion or exclusion filters.
Inclusion filters: Events that match the filter will be ingested (so long as they are not dropped by another filter). Events that do not match the filter will be dropped.
Exclusion filters: Events that match the filter will be dropped. Events that do not match the filter will be ingested (so long as they are not dropped by another filter).
Last updated