Normalized Event Filters

Filter out events after they're parsed by a log schema


Normalized event filtering is in open beta starting with Panther version 1.101, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

You can use normalized event filters in Panther to filter out data after it has been classified—i.e., after it has been parsed according to a log schema.

Normalized event filters can be created as either inclusion or exclusion filters. Learn about the difference between inclusion and exclusion filters here.

Once you have enabled a raw event filter, monitor its performance by viewing filtered event metrics.

Normalized event filters rely on the schema of the associated log type. If you change the schema, the filter may no longer be applicable—be sure to also update related filters as needed.

If you create multiple (inclusion or exclusion) normalized event filters, there is no guarantee of the order they will run in. Because of this, if you are creating multiple OR expressions for inclusion, it's recommended to package them within the same filter. If you instead create multiple separate inclusion filters, events you intend to include could be dropped if another filter that is evaluated first does not include them.

How to create a normalized event filter

To create a normalized event filter:

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click the name of the log source you'd like to add a filter to.

  3. Click the Filters tab.

  4. On the right-hand side of the Normalized Events Filters tile, click Add Filter.

  5. A new filter form will be expanded. Configure the filter:

    1. In the Log Type dropdown, select the log type this filter should apply to.

    2. In the Condition dropdown, make a selection:

    3. Click Add Filter, then configure the filter:

      1. Select an event field from the dropdown. Only fields of the selected log type are shown.

      2. Select an operator (also known as a condition) from the dropdown menu.

      3. Enter a value, if the selected operator requires one.

      4. If you would like to create another filter expression:

        • To create an AND filter, click outside the expression you just created (but within the same horizontal bar), or press TAB.

          • To create an OR filter, click + Add OR Condition.

    4. In the upper-right corner, click Save.

Enabling or disabling a normalized event filter

After an ingestion filter has been created, you can enable or disable it:

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click the name of the log source you'd like to enable or disable a filter on.

  3. Click the Filters tab.

Viewing filtered event metrics

Supported field types and operators

You can configure filters on event fields with data types in the "Field data type" column. The operators listed in the "Supported operators" column are a subset of the Search tool's supported operators.

Field data typeNotesSupported operators


  • is / is not

  • is / is not empty (not the same as "is /is not null")

  • is / not in list

  • has / does not have substring

  • is / is not null


  • is true / is false

  • is / is not null

number (int, bigint, smallint, float)

  • equals / does not equal

  • is greater than / less than

  • is greater than or equal to

  • is less than or equal to

  • is / is not null


  • is before / is after

  • is / is not null


Filtering is supported only for arrays of primitive types

  • has / does not have

  • is / is not null


Filtering on nested fields is supported

  • contains / does not contain

  • is / is not null


Filtering on nested fields is not supported, but you can use the contains condition JSON-type fields will display as object in the Normalized Filter UI.

  • contains / does not contain

  • is / is not null

Last updated