How do I delete a duplicate rule in Panther with duplicate alerts?

Last updated
Save as PDF

Issue

I renamed a rule and tried to update it in Panther via CI/CD. Now the Panther Console has the renamed rule and the old version, and I can't delete the old rule. It is triggering duplicate alerts that share the same alert_id.

Resolution

To delete the rule, use the following command in your CI/CD environment:

panther_analysis_tool delete --analysis-id RULE_ID

Cause

In general, deleting rules via CI/CD will cause those rules to disappear from the console, as long as you use panther_analysis_tool delete. In this case, the issue occurred because the rule that had been deleted had a different rule ID from the new/renamed rule. To Panther, this just looks like a clone of the old rule rather than a replacement, since not every upload always contains the whole repo. The command PAT delete is what tells Panther you want a detection to disappear from the repo entirely, both on your system and in the console.