How do I rerun a rule over my data? I want to check if an event was a blip or a real alert.
There are a few ways you can rerun a rule over your data in Panther:
- Data Replay
- When: If you need to change a rule and see if it would trigger over events that have already occurred
- You can use Data Replay in the Panther Console, or via Panther Analysis Tool using the
- The limits for Data Replay:
- The time span must be within 30 days but not within the past 24 hours. (24 hours < target_time < 30 days)
- The maximum amount of data to process must be less than 20 GB
- Rule Tests
- When: If you have a specific stand-alone event that you want to run over the rule, you can paste the JSON for that event into a test case and check to see what gets returned.
- With this method, you can see what title, dedup string, and alert context will be returned if an alert fires without triggering the alerting system.
- Re-ingesting the data
- When: If the data never made it into the platform (due to an outage, etc.)
- Be aware that when re-ingesting the data, the
p_parse_time(when your data was parsed by Panther) will be far removed from the
p_eventtime (the timestamp from your event). This can cause a discrepancy in your log-type latencies.
- If you believe you need your logs re-ingested, please reach out to Panther Support.