Skip to main content
Panther Knowledge Base

How can I rerun a rule in Panther?


 How do I rerun a rule over my data? I want to check if an event was a blip or a real alert.


There are a few ways you can rerun a rule over your data in Panther:

  • Data Replay
    • When: If you need to change a rule and see if it would trigger over events that have already occurred
    • You can use Data Replay in the Panther Console, or via Panther Analysis Tool using the benchmark command.
    • The limits for Data Replay:
      • The time span must be within 30 days but not within the past 24 hours. (24 hours < target_time < 30 days)
      • The maximum amount of data to process must be less than 20 GB
  • Rule Tests
    • When: If you have a specific stand-alone event that you want to run over the rule, you can paste the JSON for that event into a test case and check to see what gets returned.
    • With this method, you can see what title, dedup string, and alert context will be returned if an alert fires without triggering the alerting system.
  • Re-ingesting the data
    • When: If the data never made it into the platform (due to an outage, etc.)
    • Be aware that when re-ingesting the data, the p_parse_time (when your data was parsed by Panther) will be far removed from the p_event time (the timestamp from your event). This can cause a discrepancy in your log-type latencies.
    • If you believe you need your logs re-ingested, please reach out to Panther Support.