Knowledge BaseCommunityRelease NotesRequest Demo

Filtering (Beta)

Filter incoming log data

Overview

Filtering is in open beta starting with Panther version 1.78, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

Raw event filters allow you to filter your log data ingested into Panther, using regex expressions or substrings patterns. Excluding certain events from ingestion can help improve the hygiene of your data lake, and lower costs.

Types of raw event filters

There are currently two types of filters:

  • Regex filters: Events that match the regex expression will be dropped.

  • Substring filters: Events that include the pattern at least once will be dropped.

In a log event filter, an Exclusion Condition is shown. The filter reads, "Exclude if" and a select box is open, showing two options: "Matches Regex" and "Contains"

Creating a raw event filter

Filters are applied on raw events—not normalized data visible in the data lake, which can differ. Ensure you are constructing filters based on raw data. Basing filters on normalized data could cause false positives and unintentionally dropped data.

To create a raw event filter:

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click the name of the log source you'd like to add a filter to.

  3. Click the Filters tab.

  4. Click New Filter.

  5. Provide a value in the Add Filter name or short description field, then click the checkmark to the right of the field to save it.

  6. In the Exclusion Condition section, click the + to the right of Exclude if.

  7. Click Condition, and select one of the options below. Learn more about the difference ways to construct exclusion statements in Types of raw event filters.

    • Matches Regex

    • Contains

  8. If you used the Matches Regex condition, enter a regular expression. If you used the Contains condition, enter a string value.

  9. In the Quick Test section, enter a raw event to test against the filter you just created.

    • You can click View raw data to see raw events received by the source. To the right of an event, click Test event to populate the Raw Event field in Quick Test with the event.

  10. Click Run Test.

    • Notice whether the test event matches the exclusion pattern.

  11. Click Save.

Enabling or disabling a raw event filter

To enable or disable a filter, by clicking on the toggle in the righthand side corner.

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click the name of the log source you'd like to add a filter to.

  3. Click the Filters tab.

  4. On the right-hand side of the tile of the filter you would like to enable or disable, click the toggle next to Enabled.

PreviousMonitoring Log SourcesNextData Pipeline Tools

Last updated

Was this helpful?

#1935: [1.78] Add filtering section

Change request updated