Normalized Event Filters
Filter out events after they're parsed by a log schema
Last updated
Filter out events after they're parsed by a log schema
Last updated
Normalized event filtering is in open beta starting with Panther version 1.101, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
You can use normalized event filters in Panther to filter out data after it has been classified—i.e., after it has been parsed according to a log schema.
Normalized event filters can be created as either inclusion or exclusion filters. Learn about the difference between inclusion and exclusion filters here.
Once you have enabled a raw event filter, monitor its performance by viewing filtered event metrics.
Normalized event filters rely on the schema of the associated log type. If you change the schema, the filter may no longer be applicable—be sure to also update related filters as needed.
If you create multiple (inclusion or exclusion) normalized event filters, there is no guarantee of the order they will run in. Because of this, if you are creating multiple OR expressions for inclusion, it's recommended to package them within the same filter. If you instead create multiple separate inclusion filters, events you intend to include could be dropped if another filter that is evaluated first does not include them.
To create a normalized event filter:
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click the name of the log source you'd like to add a filter to.
Click the Filters tab.
On the right-hand side of the Normalized Events Filters tile, click Add Filter.
A new filter form will be expanded. Configure the filter:
(Optional) Click the pencil icon () to edit the filter's name.
In the Log Type dropdown, select the log type this filter should apply to.
In the Condition dropdown, make a selection:
Exclude if: Choose this if you'd like to create an exclusion filter.
Include if: Choose this if you'd like to create an inclusion filter.
Click Add Filter, then configure the filter:
Select an event field from the dropdown. Only fields of the selected log type are shown.
Select an operator (also known as a condition) from the dropdown menu.
The dropdown options will be limited to those applicable to the selected field's data type. See Supported field types and operators, below.
Enter a value, if the selected operator requires one.
If you would like to create another filter expression:
To create an AND filter, click outside the expression you just created (but within the same horizontal bar), or press TAB.
To create an OR filter, click + Add OR Condition.
In the upper-right corner, click Save.
After an ingestion filter has been created, you can enable or disable it:
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click the name of the log source you'd like to enable or disable a filter on.
Click the Filters tab.
You can configure filters on event fields with data types in the "Field data type" column. The operators listed in the "Supported operators" column are a subset of the Search tool's supported operators.
string
is / is not
is / is not empty (not the same as "is /is not null")
is / not in list
has / does not have substring
is / is not null
is within CIDR
boolean
is true / is false
is / is not null
number
(int, bigint, smallint, float)
equals / does not equal
is greater than / less than
is greater than or equal to
is less than or equal to
is / is not null
timestamp
is before / is after
is / is not null
array
Filtering is supported only for arrays of primitive types
has / does not have
is / is not null
object
Filtering on nested fields is supported
contains / does not contain
is / is not null
json
Filtering on nested fields is not supported, but you can use the contains condition
JSON-type fields will display as object in the Normalized Filter UI.
contains / does not contain
is / is not null
Locate the filter you'd like to enable or disable, and set its toggle to Enabled or Disabled.
