Why does the lastModified timestamp for Panther rules change after CI/CD updates?

Last updated: October 30, 2024

Why does the lastModified timestamp for Panther rules change even when I haven't modified them?

When using CI/CD to update rules in Panther, you may notice that the lastModified timestamp for rules is updated even for rules that haven't been modified. This behavior is related to how Panther handles rule uploads during the CI/CD process.

ANSWER

The lastModified timestamp for Panther rules changes after CI/CD updates due to the way the Panther Analysis Tool upload command works. Here's what happens:

  1. When you run the Panther Analysis Tool upload command, it creates a .zip file containing all rules in your repository, regardless of whether they've been modified.

  2. This .zip file is then uploaded to Panther.

  3. Panther overwrites all currently loaded rules with the rules from the .zip file, which updates the lastModified field for all rules, even if their content hasn't changed.

Currently, there's no built-in mechanism in Panther to check if a rule has actually changed before updating its lastModified timestamp.
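
Because every upload rewrites lastModified for all rules, the timestamp cannot show which rules really changed. The sketch below is an added example, not part of Panther or the Panther Analysis Tool: it tracks real changes on the CI side by hashing rule files and comparing against a manifest saved at the previous upload. The file extensions, directory layout and sample rules are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

RULE_SUFFIXES = {".py", ".yml", ".yaml"}  # assumption: rule files use these extensions


def build_manifest(repo_root):
    """Map each rule file's relative path to the SHA-256 of its contents."""
    root = Path(repo_root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in RULE_SUFFIXES:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def diff_manifests(previous, current):
    """Return the files whose content really changed between two uploads."""
    return {
        "added": sorted(set(current) - set(previous)),
        "removed": sorted(set(previous) - set(current)),
        "modified": sorted(p for p in current
                           if p in previous and current[p] != previous[p]),
    }


def demo():
    """Constructed sample: three rule files, one edited and one added between uploads."""
    with tempfile.TemporaryDirectory() as tmp:
        rules = Path(tmp) / "rules"
        rules.mkdir()
        (rules / "example_login.py").write_text("def rule(event):\n    return event.get('ok') is False\n")
        (rules / "example_login.yml").write_text("RuleID: Example.Login\nSeverity: Low\n")
        (rules / "example_admin.py").write_text("def rule(event):\n    return event.get('admin') is True\n")
        before = build_manifest(tmp)  # manifest saved after the previous upload
        (rules / "example_login.yml").write_text("RuleID: Example.Login\nSeverity: High\n")
        (rules / "example_new.py").write_text("def rule(event):\n    return False\n")
        after = build_manifest(tmp)   # manifest built just before this upload
        return diff_manifests(before, after)


if __name__ == "__main__":
    print(demo())
```

Storing the manifest as a CI artifact (or committing it) after each successful upload gives an audit trail of real rule changes that does not depend on lastModified.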