QUESTION

Are there any options to filter out logs as they are ingested into Panther?

ANSWER

The easiest way to do this is to use Panther's built-in raw event filtering, documented here. While that method of filtering was designed for this purpose, the options below may also fit your use case.

To redact certain pieces of information from the ingested data, you can exclude the sensitive fields from your schema. This way, parts of the payload won't be stored. Please note that if you do this, we will store the full payload if there are any classification errors, and today we don't provide an option to delete that. Also, we store raw data in our archive for 90 days, so omitting the fields from a schema may not do what you want if you want to avoid storing these things anywhere in the Panther instance.
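The caveat in the answer (schema-based exclusion only redacts events that classify cleanly; a classification error keeps the whole raw payload) is easy to reason about with a small simulation. The code below is an added, simplified model written for this page, not Panther's own implementation; the schema, the `password` field and the three sample events are constructed.

```python
import json
from typing import Any, Optional

# Constructed, simplified model of schema-based field exclusion (not Panther's code).
# Only fields listed in the schema are retained; "password" is deliberately absent.
SCHEMA = {
    "required": {"timestamp", "user", "action"},
    "types": {"timestamp": str, "user": str, "action": str},
}

def classify(event: dict) -> Optional[dict]:
    """Return the event trimmed to schema fields, or None if classification fails."""
    if SCHEMA["required"] - event.keys():
        return None
    for name, typ in SCHEMA["types"].items():
        if not isinstance(event[name], typ):
            return None
    return {k: event[k] for k in SCHEMA["types"]}

def ingest(raw_lines: list) -> tuple:
    """Split raw events into a parsed store and a raw 'classification error' store."""
    parsed, raw_errors = [], []
    for line in raw_lines:
        try:
            event: Any = json.loads(line)
        except json.JSONDecodeError:
            raw_errors.append(line)
            continue
        trimmed = classify(event)
        if trimmed is None:
            raw_errors.append(line)  # full payload kept, sensitive field included
        else:
            parsed.append(trimmed)
    return parsed, raw_errors

def leaked_secrets(raw_errors: list, field: str = "password") -> int:
    """Count unparsed payloads that still carry the field the schema tried to drop."""
    return sum(1 for line in raw_errors if f'"{field}"' in line)

# Constructed sample input: two well-formed events and one with a non-string timestamp.
SAMPLE = [
    '{"timestamp": "2024-01-01T00:00:00Z", "user": "alice", "action": "login", "password": "hunter2"}',
    '{"timestamp": "2024-01-01T00:00:01Z", "user": "bob", "action": "logout", "password": "s3cret"}',
    '{"timestamp": 1704067202, "user": "carol", "action": "login", "password": "letmein"}',
]

if __name__ == "__main__":
    parsed, raw_errors = ingest(SAMPLE)
    print(f"parsed={len(parsed)} raw_errors={len(raw_errors)} leaked={leaked_secrets(raw_errors)}")
```

The two well-formed events lose the `password` field as intended, but the malformed third event lands in the raw-error store with the secret intact, which is the behaviour the answer warns about.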