If I configure multiple log source filters in Panther, can I combine them with and/or logic? For example, can I specify that a log must match 2 filters in order to be excluded?
Panther does not support complex filter logic at this time. If you specify multiple filters for a log source, Panther will drop an event if it matches any of the filters. If you are interested in support of this feature, please contact Panther Support to put in a request.
As a workaround, you can use a complex regex pattern to perform this comparison. For example, to exclude an event only if it contains both words "foo" and "bar", you can use this pattern: foo.*?bar
This pattern specifies to match "foo", a wildcard, and "bar". It's not perfect - for example, it won't filter out an event where "bar" appears before "foo". You can create regex expressions to work around this, but they can become more complicated.
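The following is an added example, not part of the original answer or of Panther's code: it emulates the described drop semantics (an event is dropped if it matches any filter) over a few constructed events, shows the ordering gap in `foo.*?bar`, and compares two order-independent patterns. It assumes the filter engine behaves like Python's `re.search`; whether Panther's engine supports lookaheads is not stated on the page and is an assumption.

```python
import re

# Constructed sample events (not taken from the original page).
SAMPLE_EVENTS = [
    "foo then bar",
    "bar then foo",
    "only foo here",
    "only bar here",
    "neither word",
]

# Two separate filters: an event is dropped if it matches EITHER one.
OR_FILTERS = ["foo", "bar"]
# The single-pattern workaround from the answer: only drops "foo ... bar" in that order.
ORDERED_AND_FILTER = ["foo.*?bar"]
# Order-independent AND via alternation (no lookahead needed).
ALTERNATION_AND_FILTER = ["foo.*bar|bar.*foo"]
# Order-independent AND via lookaheads; assumes the engine supports lookahead.
LOOKAHEAD_AND_FILTER = [r"^(?=.*foo)(?=.*bar)"]


def is_dropped(event: str, filters: list[str]) -> bool:
    """Emulate the stated Panther behaviour: drop if ANY filter matches.

    Assumes unanchored, single-line search semantics (re.search)."""
    return any(re.search(pattern, event) for pattern in filters)


def surviving_events(events: list[str], filters: list[str]) -> list[str]:
    """Return the events that are NOT dropped by the given filter set."""
    return [e for e in events if not is_dropped(e, filters)]


if __name__ == "__main__":
    for name, filters in [
        ("OR (two filters)", OR_FILTERS),
        ("ordered AND", ORDERED_AND_FILTER),
        ("alternation AND", ALTERNATION_AND_FILTER),
        ("lookahead AND", LOOKAHEAD_AND_FILTER),
    ]:
        print(f"{name:>18}: kept {surviving_events(SAMPLE_EVENTS, filters)}")
```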