Raw Event Filters

Filter out events before they're parsed by a log schema

Overview

Raw event filters let you define conditions under which to filter out ingested events. They act on raw data before it is parsed by a log schema, and can be defined using regex expressions or substrings patterns.

Raw event filters can be created as either inclusion or exclusion filters. Learn about the difference between inclusion and exclusion filters here.

Once you have enabled a raw event filter, monitor its performance by viewing filtered event metrics.

If you create multiple (inclusion or exclusion) raw event filters, there is no guarantee of the order they will run in. Take special note of this when creating multiple inclusion filters. Due to filters running in a random order, events you intend to include could be dropped if another filter that is evaluated first does not include them.

Types of raw event filters

There are currently two types of filters:

Regex filters: Events that match the regex expression will be dropped.
- Regex filters use Google's RE2 engine.
Substring filters: Events that include the pattern at least once will be dropped.

How to create a raw event filter

Raw event filters are applied on unparsed events—not normalized events, like those visible in the data lake. Ensure you are constructing filters based on raw data. Basing a raw data filter on normalized data could cause false positives and unintentionally dropped data.

To create a filter for parsed events instead, see Normalized Event Filters.

To create a raw event filter:

In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click the name of the log source you'd like to add a filter to.
Click the Filters tab.
On the right-hand side of the Raw Event Filters tile, click Add Filter.
In the new filter form that is expanded, configure the filter:
1. (Optional) Click the pencil icon () to edit the filter's name.
2. In the Condition dropdown, make a selection:
  - Exclude if: Choose this if you'd like to create an exclusion filter.
  - Include if: Choose this if you'd like to create an inclusion filter.
3. Click + to add a condition.
4. Click Condition, and select one of the options below. Learn more about the different ways to construct conditions in Types of raw event filters.
  - Matches Regex
  - Contains
5. If you selected the Matches Regex condition, enter a regular expression. If you selected the Contains condition, enter a string value.
6. In the Quick Test section, enter a raw event to test against the filter you just created.
  - You can click View raw data to see raw events received by the source. To the right of an event, click Test event to populate the Raw Event field in Quick Test with the event.
7. Click Run Test.
  - Notice whether the test event matches the pattern.
8. The filter is enabled by default. If you would like to disable it, click the Enabled toggle.
In the upper-right corner, click Save.

Enabling or disabling a raw event filter

After an ingestion filter has been created, you can enable or disable it:

In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click the name of the log source you'd like to enable or disable a filter on.
Click the Filters tab.
Locate the filter you'd like to enable or disable, and set its toggle to Enabled or Disabled.

Viewing filtered event metrics

See Viewing filtered event volume.

PreviousIngestion Filters NextNormalized Event Filters

Last updated 1 month ago