Normalized Event Filters

Filter out events after they're parsed by a log schema

Overview

Normalized event filtering is in open beta starting with Panther version 1.101, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

You can use normalized event filters in Panther to filter out data after it has been classified—i.e., after it has been parsed according to a log schema.

Normalized event filters can be created as either inclusion or exclusion filters. Learn about the difference between inclusion and exclusion filters here.

Once you have enabled a raw event filter, monitor its performance by viewing filtered event metrics.

Normalized event filters rely on the schema of the associated log type. If you change the schema, the filter may no longer be applicable—be sure to also update related filters as needed.

If you create multiple (inclusion or exclusion) normalized event filters, there is no guarantee of the order they will run in. Because of this, if you are creating multiple OR expressions for inclusion, it's recommended to package them within the same filter. If you instead create multiple separate inclusion filters, events you intend to include could be dropped if another filter that is evaluated first does not include them.

How to create a normalized event filter

To create a normalized event filter:

In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click the name of the log source you'd like to add a filter to.
Click the Filters tab.
On the right-hand side of the Normalized Events Filters tile, click Add Filter.
A new filter form will be expanded. Configure the filter:
1. (Optional) Click the pencil icon () to edit the filter's name.
2. In the Log Type dropdown, select the log type this filter should apply to.
3. In the Condition dropdown, make a selection:
  - Exclude if: Choose this if you'd like to create an exclusion filter.
  - Include if: Choose this if you'd like to create an inclusion filter.
4. Click Add Filter, then configure the filter:
  1. Select an event field from the dropdown. Only fields of the selected log type are shown.
  2. Select an operator (also known as a condition) from the dropdown menu.
    The dropdown options will be limited to those applicable to the selected field's data type. See Supported field types and operators, below.
  3. Enter a value, if the selected operator requires one.
  4. If you would like to create another filter expression:
    To create an AND filter, click outside the expression you just created (but within the same horizontal bar), or press TAB.
    To create an OR filter, click + Add OR Condition.
5. In the upper-right corner, click Save.

Enabling or disabling a normalized event filter

After an ingestion filter has been created, you can enable or disable it:

In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click the name of the log source you'd like to enable or disable a filter on.
Click the Filters tab.
Locate the filter you'd like to enable or disable, and set its toggle to Enabled or Disabled.

Viewing filtered event metrics

See Viewing filtered event volume.

Supported field types and operators

You can configure filters on event fields with data types in the "Field data type" column. The operators listed in the "Supported operators" column are a subset of the Search tool's supported operators.

Field data type Notes Supported operators

Field data type	Notes	Supported operators
`string`		is / is not is / is not empty (not the same as "is /is not `null`") is / not in list has / does not have substring is / is not `null`
`boolean`		is true / is false is / is not `null`
`number` (`int`, `bigint`, `smallint`, `float`)		equals / does not equal is greater than / less than is greater than or equal to is less than or equal to is / is not `null`
`timestamp`		is before / is after is / is not `null`
`array`	Filtering is supported only for arrays of primitive types	has / does not have is / is not `null`
`object`	Filtering on nested fields is supported	contains / does not contain is / is not `null`
`json`	Filtering on nested fields is not supported, but you can use the `contains` condition JSON-type fields will display as `object` in the Normalized Filter UI.	contains / does not contain is / is not `null`

string

is / is not
is / is not empty (not the same as "is /is not null")
is / not in list
has / does not have substring
is / is not null

boolean

is true / is false
is / is not null

number (int, bigint, smallint, float)

equals / does not equal
is greater than / less than
is greater than or equal to
is less than or equal to
is / is not null

timestamp

is before / is after
is / is not null

array

Filtering is supported only for arrays of primitive types

has / does not have
is / is not null

object

Filtering on nested fields is supported

contains / does not contain
is / is not null

json

Filtering on nested fields is not supported, but you can use the contains condition JSON-type fields will display as object in the Normalized Filter UI.

contains / does not contain
is / is not null

PreviousRaw Event Filters NextData Pipeline Tools

Last updated 1 month ago