Panther Knowledge Base

How do I check if my Panther rules are working?

QUESTION

How do I investigate if my rules are being applied? I did not see alerts trigger as expected.

ANSWER

You can check for rule matches in the Data Explorer with the following query:

SELECT
  p_rule_id, count(p_rule_id)
FROM
  panther_rule_matches.public.aws_cloudtrail
WHERE
  p_occurs_since('48 hours')
GROUP BY p_rule_id

Results will show a list of rule IDs and the number of times they have triggered an alert in the timeframe provided.
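
The query below is an added example, not part of the original article. It extends the same query to show, for each rule, how many rows matched, how many distinct alert IDs those rows map to, and when the first and last match occurred, so a rule that is missing or has gone quiet stands out. It assumes the Panther standard fields p_alert_id and p_event_time are present in the rule matches table.

```sql
-- Added example: per-rule match activity over the same 48-hour window.
-- Assumes the standard fields p_alert_id and p_event_time exist in this table.
SELECT
  p_rule_id,
  COUNT(*)                   AS matched_rows,     -- rows recorded for the rule
  COUNT(DISTINCT p_alert_id) AS distinct_alerts,  -- alert IDs those rows belong to
  MIN(p_event_time)          AS first_match,      -- earliest matching event time
  MAX(p_event_time)          AS last_match        -- most recent matching event time
FROM
  panther_rule_matches.public.aws_cloudtrail
WHERE
  p_occurs_since('48 hours')
GROUP BY p_rule_id
ORDER BY last_match DESC;
```

A rule ID that does not appear in the output recorded no matches in the window, and an old last_match value shows when a rule stopped matching.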