Why does the lastModified timestamp for Panther rules change after CI/CD updates?

Last updated: July 3, 2026

Why does the lastModified timestamp for Panther rules change even when I haven't modified them?

When using CI/CD to update rules in Panther, you may notice that the lastModified timestamp for rules is updated even for rules that haven't been modified. This behavior is related to how Panther handles rule uploads during the CI/CD process.

ANSWER

When you run panther_analysis_tool upload, PAT zips all files in the specified --path (filtered by any --filter flags you've set) and sends that zip to Panther. Panther receives the full zip, compares the contents against its stored state, and returns an Upload Summary showing how many items were new, modified, or unchanged:

Upload Summary
 Rules
  Total: 108
  New: 0
  Modified: 4

The Modified: N count is determined by the Panther backend — not by PAT locally. PAT sends everything and the backend decides what changed. The lastModified timestamp updates for all rules that were included in the upload batch, which is why rules you didn't intentionally edit may show an updated timestamp.

If your CI/CD run succeeded and the "last updated" timestamp changed, but a specific rule's code wasn't applied, see Why did my CI/CD run succeed and the "last updated" timestamp changed, but my detection code wasn't applied in Panther? for troubleshooting steps.