Filtering (Beta)

Overview

Raw event filters allow you to filter your log data ingested into Panther, using regex expressions or substrings patterns. Excluding certain events from ingestion can help improve the hygiene of your data lake, and lower costs.

Types of raw event filters

There are currently two types of filters:

• Regex filters: Events that match the regex expression will be dropped.

  • Regex filters use Google's RE2 engine.

• Substring filters: Events that include the pattern at least once will be dropped.

Creating a raw event filter

To create a raw event filter:

1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

2. Click the name of the log source you'd like to add a filter to.

3. Click the Filters tab.

5. Provide a value in the Add Filter name or short description field, then click the checkmark to the right of the field to save it.

7. Click Condition, and select one of the options below. Learn more about the difference ways to construct exclusion statements in Types of raw event filters.

   • Matches Regex
8. If you used the Matches Regex condition, enter a regular expression. If you used the Contains condition, enter a string value.

9. In the Quick Test section, enter a raw event to test against the filter you just created.
10. Click Run Test.

    • Notice whether the test event matches the exclusion pattern.

11. Click Save.

Enabling or disabling a raw event filter

To enable or disable a filter, by clicking on the toggle in the righthand side corner.

1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

2. Click the name of the log source you'd like to add a filter to.

3. Click the Filters tab.