Troubleshooting guide for Panther Detection Inline Filters
Last updated: December 10, 2025
QUESTION
The Inline Filter on my detection isn't filtering events out as expected. How do I troubleshoot this?
ANSWER
To troubleshoot an Inline Filter:

1. Ensure the syntax of the filter is correct.
2. If the rule runs on multiple log types, ensure that the fields you have selected in your filter cover the fields of all of these log types, or at least include the fields of the log type that you care about.
3. Confirm the filtered field is available in the event. Keep in mind that panther_rule_matches fields are generated after the events pass through the detection. Since Inline Filters run before detections, these fields won't be available for filtering.
4. Add a unit test with an event that exercises the filter's logic, to ensure that the individual filter is working.
5. If multiple filters are included, check the AND/OR logic. Since Panther Inline Filters are inclusion filters (they describe the events to keep, not the events to drop), apply De Morgan's Law to ensure all negations are correct.

Example: If you want to exclude events that satisfy the following conditions:

field1 = "A" AND field2 = "B" AND field3 = "C"

then your inclusion filter becomes:

NOT(field1 = "A" AND field2 = "B" AND field3 = "C") => (field1 != "A") OR (field2 != "B") OR (field3 != "C")

Note the difference between the two ways of negating this: "alert only if all of these conditions are false" (AND between the negated conditions) versus "alert if any of these conditions are false" (OR between them, which is the correct result of De Morgan's Law).

After applying De Morgan's Law, add unit tests that exercise the filter's logic for different scenarios (e.g. an event satisfying none of the conditions, some of the conditions, or all of the conditions) to ensure the filter is working as expected.
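The De Morgan check described above, as an added example that is not part of this article and not Panther's own filter engine: a small Python model of an inclusion filter, with the "none / some / all conditions met" scenarios the troubleshooting steps recommend covering in unit tests. The event shape, the helper names (exclusion_intent, naive_negation, demorgan_filter, apply_filter) and the treatment of a missing field as "not equal" are assumptions made for this illustration; confirm missing-key behaviour against the real filter before relying on it (step 3 above).

```python
"""
Added example (not Panther's own code): a minimal model of an inclusion
filter, used to sanity-check the De Morgan transformation before it is
entered as a real Inline Filter. Event shape and helper names are assumed
for this illustration only.
"""
from itertools import product

# Conditions whose conjunction we intend to EXCLUDE:
# field1 = "A" AND field2 = "B" AND field3 = "C"
EXCLUDE = {"field1": "A", "field2": "B", "field3": "C"}


def exclusion_intent(event: dict) -> bool:
    """True when the event is one we intend to drop (all three conditions hold)."""
    return all(event.get(k) == v for k, v in EXCLUDE.items())


def naive_negation(event: dict) -> bool:
    """Wrong inclusion filter: each condition negated, but AND kept.
    Forwards an event only when NONE of the conditions hold, so any event
    matching just one of them is silently dropped before the detection runs."""
    return all(event.get(k) != v for k, v in EXCLUDE.items())


def demorgan_filter(event: dict) -> bool:
    """Correct inclusion filter: NOT(a AND b AND c) == (NOT a) OR (NOT b) OR (NOT c).
    Forwards an event when at least one condition does not hold."""
    return any(event.get(k) != v for k, v in EXCLUDE.items())


def apply_filter(events, inclusion_filter):
    """Return the events an inclusion filter would forward to the detection."""
    return [e for e in events if inclusion_filter(e)]


def sample_events():
    """Constructed events covering every combination of the three conditions."""
    return [
        {"field1": v1, "field2": v2, "field3": v3}
        for v1, v2, v3 in product(["A", "X"], ["B", "X"], ["C", "X"])
    ]  # 8 events; exactly one satisfies all three conditions


def compare_filters():
    """How many events each filter forwards versus how many we intended to keep."""
    events = sample_events()
    intended = [e for e in events if not exclusion_intent(e)]
    return {
        "total": len(events),
        "intended_to_pass": len(intended),
        "naive_passes": len(apply_filter(events, naive_negation)),
        "demorgan_passes": len(apply_filter(events, demorgan_filter)),
    }


def check_unit_test_scenarios():
    """The scenarios the article recommends as unit tests, plus a missing-field case.
    Each value is (naive result, De Morgan result); True means the event is forwarded."""
    none_met = {"field1": "X", "field2": "X", "field3": "X"}
    some_met = {"field1": "A", "field2": "B", "field3": "X"}
    all_met = {"field1": "A", "field2": "B", "field3": "C"}
    # Assumption of this model: a key absent from the event compares as "not equal".
    # A real filter engine may treat missing fields differently (see step 3).
    missing = {"field1": "A", "field2": "B"}
    return {
        "none": (naive_negation(none_met), demorgan_filter(none_met)),
        "some": (naive_negation(some_met), demorgan_filter(some_met)),
        "all": (naive_negation(all_met), demorgan_filter(all_met)),
        "missing": (naive_negation(missing), demorgan_filter(missing)),
    }


if __name__ == "__main__":
    print(compare_filters())
    print(check_unit_test_scenarios())
```

The point of compare_filters is the detection gap: out of eight constructed events, the intended exclusion drops one, the De Morgan form forwards the other seven, but the naive AND-of-negations forwards only the single event matching none of the conditions and discards six events the detection should have seen. The "some" scenario is the one that catches the mistake in a unit test, which is why the article recommends covering it explicitly.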
If the filter is still not working, please contact Panther Support and provide the following information:
A zip file of the detection
A sample event that you are expecting to filter out