Does Panther have an inclusion filter during raw data ingestion? For example, I want to create alerts for specific k8s logs, but there are too many alerts generated. I only want to be alerted for certain logs and exclude everything else.
Panther's data filtering feature does not support inclusion filters—it only supports exclusion filters. If you are interested in support of this feature, please contact Panther Support to put in a request.
As a workaround, consider one of the following approaches, depending on whether the data needs to reach Panther at all:
If you don't mind ingesting the data into Panther:
Put the inclusion filter in the rule itself. Have the rule's rule() function return True only for the events you care about and False for everything else. The logs are still ingested, stored, and searchable in Panther, but only the events that pass the rule's checks generate alerts.
If you don't want to ingest the data at all:
For S3 log sources: Configure the log source in Panther to pick up only the files under a specific folder (key prefix) in your S3 bucket by using a prefix inclusion filter. This works only when the producer already writes the logs you want to a distinct prefix, since the filter matches object keys, not log content. See: How do I configure an S3 log source in Panther with a prefix exclusion or inclusion?
Otherwise, use a pre-processor in your data pipeline, such as Cribl, or feed the logs into an AWS Lambda function (or a similar webhook endpoint) that filters them before forwarding the matching events to a Panther HTTP source. Note that events dropped before ingestion are not available in Panther for search or investigation later.
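As an added example (not from the original article or from Panther's own rule packs), here is the rule-side inclusion filter described above, written as a Panther Python rule for Kubernetes audit logs. The field names follow the upstream Kubernetes audit Event schema (stage, verb, objectRef, user, responseStatus); the allowlisted verbs, resources, and namespaces and the sample events are constructed for illustration, and _deep_get is a local stand-in for the deep_get() Panther's event object provides, so the file also runs on plain dicts outside Panther.

```python
"""Panther rule: alert only on an allowlisted subset of Kubernetes audit events.

Every event that does not match the inclusion criteria returns False, so it
produces no alert even though the log line was still ingested and stored.
(Added example; assumed field names follow the Kubernetes audit Event schema.)
"""

# Inclusion criteria: assumed values for illustration, tune to your cluster.
INCLUDED_VERBS = {"create", "update", "patch", "delete"}
INCLUDED_RESOURCES = {"secrets", "clusterrolebindings", "rolebindings"}
SYSTEM_NAMESPACES = {"kube-system", "kube-public", "kube-node-lease"}
SYSTEM_USER_PREFIXES = ("system:",)  # e.g. system:kube-controller-manager


def _deep_get(event, *keys, default=None):
    """Walk nested dict keys; local stand-in for Panther's event.deep_get()."""
    cur = event
    for key in keys:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def rule(event):
    # Only the ResponseComplete stage carries the final status code; alerting on
    # RequestReceived as well would double-alert on every request.
    if event.get("stage") != "ResponseComplete":
        return False
    if event.get("verb") not in INCLUDED_VERBS:
        return False
    if _deep_get(event, "objectRef", "resource") not in INCLUDED_RESOURCES:
        return False
    # Cluster-scoped objects have no namespace; None is not in the set, so they pass.
    if _deep_get(event, "objectRef", "namespace") in SYSTEM_NAMESPACES:
        return False
    user = _deep_get(event, "user", "username", default="")
    if user.startswith(SYSTEM_USER_PREFIXES):
        return False
    # Only successful writes are included; denied attempts (403) are left out here.
    code = _deep_get(event, "responseStatus", "code", default=0)
    return 200 <= code < 300


def title(event):
    return (
        f"K8s {event.get('verb')} on "
        f"{_deep_get(event, 'objectRef', 'resource')}/"
        f"{_deep_get(event, 'objectRef', 'name', default='?')} in "
        f"{_deep_get(event, 'objectRef', 'namespace', default='cluster-scope')} "
        f"by {_deep_get(event, 'user', 'username', default='unknown')}"
    )


def dedup(event):
    # Group alerts per user and namespace instead of one alert per request.
    user = _deep_get(event, "user", "username", default="unknown")
    ns = _deep_get(event, "objectRef", "namespace", default="cluster-scope")
    return f"{user}:{ns}"


def _audit(stage, verb, resource, name, namespace, user, code):
    """Build a constructed audit record with the fields the rule reads."""
    obj = {"resource": resource, "name": name}
    if namespace is not None:
        obj["namespace"] = namespace
    return {"stage": stage, "verb": verb, "objectRef": obj,
            "user": {"username": user}, "responseStatus": {"code": code}}


# Constructed sample events (not real cluster data).
SAMPLE_EVENTS = [
    _audit("ResponseComplete", "create", "secrets", "db-creds", "payments",
           "alice@example.com", 201),                       # included
    _audit("ResponseComplete", "get", "pods", "web-1", "payments",
           "alice@example.com", 200),                       # verb not allowlisted
    _audit("ResponseComplete", "create", "secrets", "token", "kube-system",
           "system:serviceaccount:kube-system:default", 201),  # system ns/user
    _audit("RequestReceived", "create", "secrets", "db-creds", "payments",
           "alice@example.com", 0),                         # wrong stage
    _audit("ResponseComplete", "delete", "clusterrolebindings", "admin-bind",
           None, "alice@example.com", 200),                 # cluster-scoped, included
    _audit("ResponseComplete", "create", "secrets", "db-creds", "payments",
           "alice@example.com", 403),                       # denied, excluded
]


def matching_titles(events):
    """Return the alert titles the rule would raise for a batch of events."""
    return [title(e) for e in events if rule(e)]


if __name__ == "__main__":
    for t in matching_titles(SAMPLE_EVENTS):
        print(t)
```

In Panther the event argument supports event.get() and event.deep_get(), so the local helper can be dropped when the rule is uploaded; set the rule's log type to your Kubernetes audit log source. Everything outside the allowlist returns False and never reaches an alert destination, while the full log stream remains queryable for investigation.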