Issue

I renamed a rule and updated it in Panther by editing the RuleId via CI/CD. Now the Panther Console displays both the renamed rule and the old (non-modified) version. I can't delete the old rule, and it is triggering duplicate alerts that share the same alert_id. 

Resolution

To delete the rule, use the following command in your CI/CD environment:

panther_analysis_tool delete --analysis-id RULE_ID

Cause

In general, deleting rules via CI/CD will cause those rules to disappear from the console, as long as you use panther_analysis_tool delete. In this case, the issue occurred because the rule that had been deleted had a different rule ID from the new/renamed rule. Because an upload does not always contain the whole repo, Panther treats the renamed rule as a clone of the old rule rather than a replacement. The panther_analysis_tool (PAT) delete command is what tells Panther that you want a detection removed entirely, both on your system and in the console.

Similarly, if you delete a rule locally, you should still expect to see that rule in the Panther Console until you run the PAT delete command. This is mentioned in the section of our documentation that describes the delete command.
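
To catch this before duplicate alerts appear, a CI step can compare the rule IDs in the previous and current commits and list the IDs that need an explicit delete. The sketch below is an added example, not Panther's own code: the helper names are hypothetical, the snapshots are constructed sample data (in a real pipeline they would be read from the two commits), and it assumes each rule's YAML file carries a top-level RuleID key.

```python
import re

# Matches a top-level "RuleID: value" line, quoted or unquoted, with an optional comment.
RULE_ID_RE = re.compile(
    r'^RuleID:[ \t]*["\']?([^"\'#\s]+)["\']?[ \t]*(?:#.*)?$', re.MULTILINE
)

def rule_ids(snapshot):
    """Return {RuleID: path} for a {path: yaml_text} snapshot of the rules repo."""
    ids = {}
    for path, text in snapshot.items():
        for match in RULE_ID_RE.finditer(text):
            ids[match.group(1)] = path
    return ids

def orphaned_rule_ids(before, after):
    """IDs present in the previous snapshot but absent from the current one.

    The comparison is by ID, not by path: a file that moved with its ID
    unchanged is not an orphan, while an ID edited in place leaves the old
    ID behind in the console until it is deleted explicitly.
    """
    return sorted(set(rule_ids(before)) - set(rule_ids(after)))

def delete_commands(ids):
    """Build the delete command from the Resolution section for each orphaned ID."""
    return [f"panther_analysis_tool delete --analysis-id {rid}" for rid in ids]

# Constructed sample data: one rule renamed in place, one file moved unchanged.
BEFORE = {
    "rules/okta/brute_force.yml": 'AnalysisType: rule\nRuleID: "Okta.BruteForce"\nEnabled: true\n',
    "rules/aws/root_login.yml": "AnalysisType: rule\nRuleID: AWS.Root.Login  # unquoted\nEnabled: true\n",
}
AFTER = {
    "rules/okta/brute_force.yml": 'AnalysisType: rule\nRuleID: "Okta.Login.BruteForce"\nEnabled: true\n',
    "rules/aws/iam/root_login.yml": "AnalysisType: rule\nRuleID: AWS.Root.Login\nEnabled: true\n",
}

if __name__ == "__main__":
    # Print the commands for review instead of running them automatically.
    for cmd in delete_commands(orphaned_rule_ids(BEFORE, AFTER)):
        print(cmd)
```

Only the renamed rule's old ID is reported; the moved file keeps its ID and needs no delete.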