How do I rerun a rule over my data? I want to check if an event was a blip or a real alert.
There are a few ways you can rerun a rule over your data in Panther:
Data Replay
When: you need to change a rule and see whether it would have triggered on events that have already occurred.
You can run Data Replay from the Panther Console, or from the Panther Analysis Tool using the benchmark command.
The limits for Data Replay:
The time range must be older than 24 hours and no more than 30 days old (24 hours < target_time < 30 days).
The amount of data to process must be less than 20 GB.
Rule test cases
When: you have a specific stand-alone event that you want to run through the rule. Paste the JSON for that event into a test case on the rule and check what is returned.
This shows you the title, dedup string, and alert context the rule would return if it fired, without triggering the alerting system.
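The following is an added example, not code from the Panther docs or from Panther's own test runner: a hypothetical rule in the shape Panther rules use (rule, title, dedup, alert_context), plus a small local harness that runs one pasted JSON event through it and reports what an alert would contain. The Okta-style event and the rule logic are constructed for illustration. Panther's real test runner wraps the log in a PantherEvent object with helpers such as deep_get; this example uses plain dict .get() calls so it runs offline with no dependencies.

```python
"""Run one pasted JSON event through a rule's functions locally.

Added example, not Panther's code. Shows the title, dedup string and
alert context the rule would produce, without touching alerting.
"""
import json

# --- Hypothetical rule (constructed for this example) ----------------------

def rule(event):
    # Fire on a failed Okta session start (constructed detection logic)
    return (
        event.get("eventType") == "user.session.start"
        and event.get("outcome", {}).get("result") == "FAILURE"
    )


def title(event):
    actor = event.get("actor", {}).get("alternateId", "<unknown user>")
    return f"Failed Okta login for {actor}"


def dedup(event):
    # Group alerts per user within the dedup period, not per attempt
    return event.get("actor", {}).get("alternateId", "<unknown user>")


def alert_context(event):
    return {
        "ip": event.get("client", {}).get("ipAddress"),
        "reason": event.get("outcome", {}).get("reason"),
    }


# --- Local harness imitating what a rule test case reports -----------------

def evaluate(raw_json: str) -> dict:
    """Return what the rule would produce for one event; nothing is alerted."""
    event = json.loads(raw_json)
    fired = rule(event)
    result = {"fired": fired}
    if fired:
        result.update(
            title=title(event),
            dedup=dedup(event),
            alert_context=alert_context(event),
        )
    return result


# Constructed sample event: the JSON you would paste into the test case
SAMPLE_EVENT = json.dumps({
    "eventType": "user.session.start",
    "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
    "actor": {"alternateId": "alice@example.com"},
    "client": {"ipAddress": "203.0.113.7"},
})

# Constructed non-matching event, to confirm the rule stays quiet
QUIET_EVENT = json.dumps({"eventType": "user.session.end"})

if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_EVENT), indent=2))
    print(json.dumps(evaluate(QUIET_EVENT), indent=2))
```

In a real rule the same JSON goes into the test case (under Tests / Log in the rule's YAML when using the Panther Analysis Tool), and the test's expected result is whether rule() returns true; the title, dedup and alert context shown here are what the test output lets you inspect before the rule ever fires on live data.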
Re-ingesting the data
When: the data never made it into the platform (for example, because of an outage).
Be aware that when data is re-ingested, p_parse_time (when Panther parsed the data) will be far removed from p_event_time (the timestamp from your event). This shows up as a discrepancy in your log-type latency metrics.
If you believe you need your logs re-ingested, please reach out to Panther Support.