Normalized Event Filters

Filter out events after they're parsed by a log schema

Overview

Normalized event filtering is in open beta starting with Panther version 1.101, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

You can use normalized event filters in Panther to filter out data after it has been classified—i.e., after it has been parsed according to a log schema.

Once you have enabled a normalized event filter, monitor its effect by viewing filtered event metrics.

Normalized event filters rely on the schema of the associated log type. If you change the schema, the filter may no longer be applicable—be sure to also update related filters as needed.

How to create a normalized event filter

To create a normalized event filter:

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click the name of the log source you'd like to add a filter to.

  3. Click the Filters tab.

  4. On the right-hand side of the Normalized Events filters tile, click Add Filter.

  5. A new filter form will be expanded. Configure the filter:

    1. In the Log Type dropdown, select the log type this filter should apply to.

    2. Under Exclusion Pattern, click the Exclude if field to configure your filter(s).

      1. Select an event field from the dropdown. Only fields of the selected log type are shown.

      2. Select an operator (also known as a condition) from the dropdown menu.

        • The dropdown options will be limited to those applicable to the selected field's data type.

      3. Enter a value, if the selected operator requires one.

      4. If you would like to create another filter expression:

        • To create an AND filter, click outside the expression you just created (but within the same horizontal bar), or press TAB.

        • To create an OR filter, click + Add OR Condition.

    3. Under Quick Test, click Run Test. A search is performed for events ingested in the past seven days that match the filter(s) you defined, and the first 100 results are shown.

      • This helps you confirm that the filter expressions target the correct events. After you save the filter, future events that match these expressions will be filtered out, so check the results for events you still need (for example, failed or denied actions) before saving.

    4. The filter is enabled by default. If you would like to disable it, click the Enabled toggle.

  6. In the upper-right corner, click Save.

Enabling or disabling a normalized event filter

After a normalized event filter has been created, you can enable or disable it:

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click the name of the log source you'd like to enable or disable a filter on.

  3. Click the Filters tab.

  4. On the filter you want to change, click the Enabled toggle.

Viewing filtered event metrics

Supported field types

You can configure filters on event fields of the following data types:

Field data type                           Notes

string
boolean
number (int, bigint, smallint, float)
timestamp
array                                     Filtering is supported only for arrays of primitive types
object                                    Filtering on nested fields is supported
json                                      Filtering on nested fields is not supported, but you can use the contains condition
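To make the AND/OR semantics of the exclusion pattern (the procedure above) and the per-type rules in this table concrete, here is an added example written for this page. It is not Panther's code and does not call the Panther API: it is a small Python model of a normalized event filter that you can use to dry-run an exclusion pattern against events you already hold, the way Quick Test does in the Console. The operator names, the dotted-path syntax for nested object fields, the SCHEMA dictionary, and the sample events are all assumptions constructed for the example.

```python
"""Added example for this page, not Panther's code or API: a small model of a
normalized event filter, used to dry-run an exclusion pattern against events you
already hold. Assumed (not from the docs): operator names, dotted paths for nested
object fields, the SCHEMA dictionary and the sample events."""

# Constructed schema for one log type: field -> data type (see the types table).
SCHEMA = {
    "eventName": "string", "readOnly": "boolean", "statusCode": "number",
    "eventTime": "timestamp",          # ISO 8601 UTC strings, compared lexically
    "userIdentity.type": "string",     # nested field of an object-typed column
    "tags": "array",                   # array of primitives
    "requestParameters": "json",       # json column kept as raw text
}
# Operators assumed per data type (the Console limits the dropdown this way).
OPERATORS = {
    "string": {"equals", "not_equals", "contains", "is_null", "is_not_null"},
    "boolean": {"equals", "is_null", "is_not_null"},
    "number": {"equals", "not_equals", "greater_than", "less_than", "is_null", "is_not_null"},
    "timestamp": {"greater_than", "less_than", "is_null", "is_not_null"},
    "array": {"contains", "is_null", "is_not_null"},
    "json": {"contains", "is_null", "is_not_null"},
}
_MISSING = object()
_PRIMITIVES = (str, int, float, bool, type(None))

def check_condition(field, op):
    """'' if the condition fits the schema, else the reason (stale field after a
    schema change, or an operator the field's type does not offer)."""
    if field not in SCHEMA:
        return f"{field!r} is not a field of this log type"
    if op not in OPERATORS[SCHEMA[field]]:
        return f"{op!r} is not applicable to {SCHEMA[field]} field {field!r}"
    return ""

def get_field(event, path):
    """Walk a dotted path through nested objects; _MISSING if any hop is absent."""
    node = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return _MISSING
        node = node[part]
    return node

def evaluate(event, field, op, value=None):
    """Evaluate one 'Exclude if' expression against a classified event."""
    problem = check_condition(field, op)
    if problem:
        raise ValueError(problem)
    ftype, actual = SCHEMA[field], get_field(event, field)
    absent = actual is _MISSING or actual is None
    if op in ("is_null", "is_not_null"):
        return absent if op == "is_null" else not absent
    if absent:
        return False                   # a value test on an absent field never matches
    if ftype == "array":               # only arrays of primitives are filterable
        if not all(isinstance(x, _PRIMITIVES) for x in actual):
            raise TypeError(f"{field!r} is an array of objects")
        return value in actual
    if ftype == "json":                # no nested paths into json; substring match
        return str(value) in actual
    if op == "equals":
        return actual == value
    if op == "not_equals":
        return actual != value
    if op == "contains":
        return value in actual
    return actual > value if op == "greater_than" else actual < value

def matches(event, pattern):
    """pattern: list of OR groups, each a list of AND-ed (field, op[, value]) tuples,
    i.e. 'same horizontal bar = AND', '+ Add OR Condition = OR'."""
    return any(all(evaluate(event, *cond) for cond in group) for group in pattern)

def quick_test(events, pattern, limit=100):
    """Model of Quick Test: the first `limit` past events the pattern would exclude."""
    return [e for e in events if matches(e, pattern)][:limit]

def apply_filter(events, pattern):
    """Ingestion with the filter on: kept events plus the count a filtered-event
    metric would report."""
    kept = [e for e in events if not matches(e, pattern)]
    return kept, len(events) - len(kept)

# Constructed CloudTrail-like events, already parsed by SCHEMA above.
SAMPLE_EVENTS = [
    {"eventName": "DescribeInstances", "readOnly": True, "statusCode": 200, "eventTime": "2024-05-01T10:00:00Z",
     "userIdentity": {"type": "AssumedRole"}, "tags": ["scanner"], "requestParameters": '{"maxResults": 50}'},
    {"eventName": "AssumeRole", "readOnly": False, "statusCode": 200, "eventTime": "2024-05-01T10:05:00Z",
     "userIdentity": {"type": "AWSService"}, "tags": [], "requestParameters": '{"roleArn": "arn:aws:iam::123456789012:role/config"}'},
    {"eventName": "ConsoleLogin", "readOnly": False, "statusCode": 200, "eventTime": "2024-05-01T10:10:00Z",
     "userIdentity": {"type": "IAMUser"}, "tags": ["interactive"], "requestParameters": '{"mfaUsed": "Yes"}'},
    {"eventName": "GetBucketAcl", "readOnly": True, "statusCode": 403, "eventTime": "2024-05-01T10:15:00Z",
     "userIdentity": {"type": "IAMUser"}, "tags": ["scanner"], "requestParameters": '{"bucket": "private-logs"}'},
]
# Exclude successful read-only scanner calls, OR the config role being assumed by
# an AWS service. Failed (403) reads and interactive logins must survive.
NOISE_PATTERN = [
    [("readOnly", "equals", True), ("statusCode", "equals", 200), ("tags", "contains", "scanner")],
    [("userIdentity.type", "equals", "AWSService"), ("requestParameters", "contains", "role/config")],
]
```

Run quick_test before apply_filter, in the same order as Quick Test precedes Save in the Console: the GetBucketAcl event is a denied (403) read, and the statusCode condition in the first AND group is what keeps it out of the exclusion. check_condition is the hook for the schema-change caveat above; rerun it over every saved pattern whenever the log type's schema changes, since a filter that references a renamed or removed field silently stops matching.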

Supported operators
