Ingestion Filters

Drop incoming data either before or after it's parsed by a schema

Overview

Ingestion filters let you define conditions under which incoming data should be dropped—i.e., not ingested into Panther. This dropped data will not contribute to your ingestion quota. These filters can be useful, then, to partially ingest high-volume logs that may have previously been cost-prohibitive when connected with Panther.

Filtered-out events will not pass through detections, nor be stored in the data lake for later querying. After your filters have been configured, you can monitor filtered event volume.

Types of ingestion filters

There are two types of ingestion filters in Panther:

Raw event filters: Applied on data before it is parsed by a log schema
- Learn more on Raw Event Filters.
Normalized event filters: Applied on data after it has been parsed by a log schema
- Learn more on Normalized Event Filters.

PreviousMonitoring Log Sources NextRaw Event Filters

Last updated 1 month ago