Is there a time or size limit on the Panther Data Replay feature?


Is there a limit on the amount of data that can be replayed using the Data Replay feature? Are there size limitations on the data?


Data Replay can only use data from within the past 30 days, and that data must be older than 24 hours.
The total size limit for events processed by Data Replay is ~20 GB.

You can check the approximate size of the data by running the following query against panther_monitor.public.data_audit:

-- Replace 'your AWS account' with the label of the log source you plan to replay
SELECT SUM(s3objectsize) AS approx_query_size, p_source_label
FROM panther_monitor.public.data_audit
WHERE p_occurs_between('2022-08-01', '2022-08-08')
  AND p_source_label = 'your AWS account'
GROUP BY p_source_label

Since this query can only check by log source (the integration that feeds in your logs) rather than by log_type (e.g., AWS CloudTrail logs), you will need to pick the sources from which you will be pulling your data for replay. For a connected cloud account, this would be the name that you gave that connected AWS account.


