QUESTION

Can I manually edit cached data in the panther-kv-store? I tried to run a Data Replay and ran into an error that I do not have access to the panther-kv-store.  I also want to automate updating of cache entries.

ANSWER

No, not directly. Currently, the panther-kv-store can only be accessed through detection code.

Depending on your needs, you may be able to add code to your detection to do the job. The following code block is an example of how to add a one-time edit to the panther-kv-store.

from panther_oss_helpers import get_counter, increment_counter, reset_string_set

def rule(event):
    key_cache = '[your-cache-key]'
    key_count = '[year]-[month]-[rule-name]-debug-' + key_cache # Doesn't have to be this pattern, as long as it's unique
    
    # We'll use key_count to create a counter to see if we've made the cache edits yet or not.
    if get_counter(key_count) == 0:
        increment_counter(key_count) # This increment means we only run this code block once!
        # Now, add the code you need to make the adjustment to your cache. For example, if you need to empty a set:
        reset_string_set(key_cache)
    
    # ... rest of rule code here ...