Why is my Raw Event Filter for AWS CloudTrail not working as expected?
Last updated: January 23, 2025
Issue
When you create a Raw Event Filter for a specific AWS CloudTrail event, the filter's test passes, but the matching events are still ingested despite the filter.
Resolution
To resolve this issue:
Try using a Normalized Event Filter instead of a Raw Event Filter:
1. Create a new Normalized Filter in the Panther Console.
2. Set up the filter using the parsed fields of the normalized event, according to your preference.
3. Test the filter against the already ingested events to confirm it works as expected.
4. Enable the filter for your AWS CloudTrail log source.
Cause
This issue can occur because Raw Event Filters are applied to unparsed events, while the logs you see in the Panther Console are in a parsed, normalized format. The JSON structure of the raw logs might differ from what you see in the normalized format, causing the raw event filter to fail despite passing the test on the parsed data.
Normalized Event Filters work on the parsed fields, making them more reliable for filtering specific events from structured logs like AWS CloudTrail. Additionally, Panther doesn't store logs filtered by Normalized Event Filters, which can help with data management.
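The mismatch described above, shown with a constructed example (added here; not Panther code, and the matching logic is a stand-in for the real filter engine). It assumes the raw line is a CloudTrail delivery object that wraps several records under "Records", while each normalized event is one record with p_-prefixed metadata added; both are assumptions for illustration.

```python
"""Why a filter written against normalized CloudTrail fields can pass a test on
parsed events yet miss at ingest time when applied to the raw line."""
import json
from typing import Any

# Constructed raw CloudTrail delivery: one line wrapping several records under
# "Records" (assumption: one way the raw structure differs from parsed events).
RAW_LINE = json.dumps({
    "Records": [
        {"eventVersion": "1.08", "eventSource": "ec2.amazonaws.com",
         "eventName": "DescribeInstances", "awsRegion": "us-east-1",
         "eventTime": "2025-01-23T10:00:00Z"},
        {"eventVersion": "1.08", "eventSource": "iam.amazonaws.com",
         "eventName": "CreateUser", "awsRegion": "us-east-1",
         "eventTime": "2025-01-23T10:00:05Z"},
    ]
})


def normalize(raw_line: str) -> list[dict[str, Any]]:
    """Stand-in parser: split the wrapper into one event per record and add
    p_-prefixed metadata fields (field names assumed for illustration)."""
    events = []
    for rec in json.loads(raw_line).get("Records", []):
        ev = dict(rec)
        ev["p_log_type"] = "AWS.CloudTrail"
        ev["p_event_time"] = rec["eventTime"]
        events.append(ev)
    return events


def matches(event: dict[str, Any], field: str, value: str) -> bool:
    """Simple equality filter on a top-level field of one JSON object."""
    return event.get(field) == value


def raw_filter_hits(raw_line: str, field: str, value: str) -> bool:
    """A raw filter sees the unparsed line as a single JSON object, where
    'eventName' is not a top-level key."""
    return matches(json.loads(raw_line), field, value)


def normalized_filter_hits(raw_line: str, field: str, value: str) -> list[bool]:
    """A normalized filter is evaluated against each parsed event separately."""
    return [matches(ev, field, value) for ev in normalize(raw_line)]


if __name__ == "__main__":
    print("raw filter:", raw_filter_hits(RAW_LINE, "eventName", "DescribeInstances"))
    print("normalized filter:", normalized_filter_hits(RAW_LINE, "eventName", "DescribeInstances"))
```

Testing `matches` on a single parsed event succeeds, which is why the Raw Event Filter test passes; applying the same condition to the raw line finds no match, so nothing is filtered at ingest.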