Normalized Event Filters
Filter out events after they're parsed by a log schema
Last updated
Normalized event filtering is in open beta starting with Panther version 1.101, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
You can use normalized event filters in Panther to filter out data after it has been classified—i.e., after it has been parsed according to a log schema.
Normalized event filters can be created as either inclusion or exclusion filters. Learn about the difference between inclusion and exclusion filters here.
Once you have enabled a raw event filter, monitor its performance by viewing filtered event metrics.
Normalized event filters rely on the schema of the associated log type. If you change the schema, the filter may no longer be applicable—be sure to also update related filters as needed.
If you create multiple normalized event filters (inclusion or exclusion), there is no guarantee of the order in which they will run. Because of this, if you are creating multiple OR expressions for inclusion, it's recommended to package them within the same filter. If you instead create multiple separate inclusion filters, events you intend to include could be dropped by another inclusion filter that is evaluated first and does not match them.
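To make this caveat concrete, the following Python model shows how inclusion and exclusion filters combine: two separate inclusion filters keep only events that satisfy both, while one inclusion filter with two OR conditions keeps events that satisfy either. This is an added illustration written for this page, not Panther's own code; the event shape, the field names (src.ip, action, bytes) and the operator subset are constructed assumptions.

```python
import ipaddress

# Operators taken from the table on this page; each receives the field value
# from the parsed event and the value configured in the filter expression.
OPERATORS = {
    "is": lambda actual, v: actual == v,
    "has substring": lambda actual, v: isinstance(actual, str) and v in actual,
    "is within CIDR": lambda actual, v: actual is not None
        and ipaddress.ip_address(actual) in ipaddress.ip_network(v),
    "is greater than": lambda actual, v: actual is not None and actual > v,
    "is null": lambda actual, v: actual is None,
}

def get_field(event, path):
    """Resolve a dotted path such as 'src.ip' in a parsed event; None if absent."""
    for key in path.split("."):
        if not isinstance(event, dict) or key not in event:
            return None
        event = event[key]
    return event

def matches(event, or_groups):
    """A filter matches when any OR group has all of its AND expressions true."""
    return any(all(OPERATORS[op](get_field(event, f), v) for f, op, v in group)
               for group in or_groups)

def apply_filters(events, filters):
    """filters: list of ('include' | 'exclude', or_groups). Filters are evaluated
    independently, so order is irrelevant: an event survives only if every
    inclusion filter matches it and no exclusion filter does."""
    kept = []
    for ev in events:
        verdicts = [(mode, matches(ev, groups)) for mode, groups in filters]
        if all(m if mode == "include" else not m for mode, m in verdicts):
            kept.append(ev)
    return kept

# Constructed sample events, already parsed into a hypothetical log schema.
EVENTS = [
    {"id": 1, "src": {"ip": "10.0.0.5"}, "action": "login", "bytes": 10},
    {"id": 2, "src": {"ip": "192.168.1.9"}, "action": "logout", "bytes": 500},
    {"id": 3, "src": {"ip": "203.0.113.7"}, "action": "login", "bytes": 50},
]
INTERNAL = ("src.ip", "is within CIDR", "10.0.0.0/8")
LOGIN = ("action", "is", "login")
# Two separate inclusion filters: only events matching BOTH survive (just id 1).
SEPARATE = [("include", [[INTERNAL]]), ("include", [[LOGIN]])]
# One inclusion filter with two OR conditions: EITHER suffices (ids 1 and 3).
COMBINED = [("include", [[INTERNAL], [LOGIN]])]
```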
To create a normalized event filter:
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click the name of the log source you'd like to add a filter to.
Click the Filters tab.
On the right-hand side of the Normalized Events Filters tile, click Add Filter.
A new filter form will be expanded. Configure the filter:
(Optional) Click the pencil icon to edit the filter's name.
In the Log Type dropdown, select the log type this filter should apply to.
In the Condition dropdown, make a selection:
Exclude if: Choose this if you'd like to create an exclusion filter.
Include if: Choose this if you'd like to create an inclusion filter.
Click Add Filter, then configure the filter:
Select an event field from the dropdown. Only fields of the selected log type are shown.
Select an operator (also known as a condition) from the dropdown menu.
The dropdown options will be limited to those applicable to the selected field's data type. See Supported field types and operators, below.
Enter a value, if the selected operator requires one.
If you would like to create another filter expression:
To create an AND filter, click outside the expression you just created (but within the same horizontal bar), or press TAB.
To create an OR filter, click + Add OR Condition.
In the upper-right corner, click Save.
After an ingestion filter has been created, you can enable or disable it:
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click the name of the log source you'd like to enable or disable a filter on.
Click the Filters tab.
Locate the filter you'd like to enable or disable, and set its toggle to Enabled or Disabled.
You can configure filters on event fields with data types in the "Field data type" column. The operators listed in the "Supported operators" column are a subset of the Search tool's supported operators.
Field data type | Notes | Supported operators |
---|---|---|
string | | is / is not; is / is not empty (not the same as "is / is not null"); is / is not in list; has / does not have substring; is / is not null; is within CIDR |
boolean | | is true / is false; is / is not null |
number (int, bigint, smallint, float) | | equals / does not equal; is greater than / less than; is greater than or equal to; is less than or equal to; is / is not null |
timestamp | | is before / is after; is / is not null |
array | Filtering is supported only for arrays of primitive types | has / does not have; is / is not null |
object | Filtering on nested fields is supported | contains / does not contain; is / is not null |
json | Filtering on nested fields is not supported, but you can use the contains condition. JSON-type fields will display as object in the Normalized Filter UI. | contains / does not contain; is / is not null |