> For the complete documentation index, see [llms.txt](https://docs.panther.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.panther.com/detections/testing/data-replay.md).

# Data Replay (Beta)

## Overview

{% hint style="info" %}
Data Replay is currently in open beta, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
{% endhint %}

With Panther's Data Replay, rules can be tested against historical log data to preview the outcome of a rule before enabling it.

When writing or updating a detection, use Data Replay to simulate what type of alerts you are likely to receive before deploying the detection. Alerts generated through a replay will not be delivered to the rule's destinations or displayed on the main **Alerts & Errors** dashboard.

There are two ways to start a Data Replay:

* [Standard replay](#starting-a-replay): Select log types and a time range or data size, and Panther replays events directly from S3.
* [AI-powered replay](#starting-an-ai-powered-replay): Panther AI reads your detection rule, generates targeted SQL queries against the data lake, and replays only the matching events. This approach can be faster and more focused, since the AI narrows the data set to events likely to trigger the rule.

Data Replay is available in the Panther Console. In the CLI workflow, you can use Panther Analysis Tool's [`benchmark`](/panther-developer-workflows/detections-repo/pat/pat-commands.md#benchmark-evaluating-rule-performance) command to evaluate rule performance.

## Limitations

Before starting a Data Replay, note the following limitations:

* Time range is configurable but must be within the last 15 days.
* Time range must be older than 24 hours.
* The maximum supported replay size is 20GB.
* The replay must complete in under an hour.
* Access to the [DynamoDB cache](/detections/rules/python/caching.md) is blocked to prevent polluting production data.
* Network calls from within a rule are blocked.
* [Enrichment](/enrichment.md) is not supported.
* Unique-value thresholds (`unique()`) are not currently applied during Data Replay.

## Starting a replay

A rule's deduplication period and events threshold will be taken into account during Data Replay. If a rule has [Rule Filters](/detections/rules/inline-filters.md), they will be applied.

1. In the left-hand navigation bar of your Panther Console, click **Detections**.
2. Click on the name of the detection you want to use in a Data Replay.
3. Click the **Configure** tab.
4. Scroll down to the **Data Replay** tile, within the **Test** section.
5. Select **Replay from S3**.
6. In the **Log Types** field, select the log types you wish to replay for the detection.

   <figure><img src="/files/FyeZYITFKNK3tOv8eodW" alt=""><figcaption></figcaption></figure>
7. On the right side of the **Data Replay** section, select **Time** or **Data(GB)**, depending on how you want to limit the set of data your replay will run over:
   * **Time**: Choose this option to run a replay on the data collected during a specified period of time.

     * Click the **Date Start** or **Date End** fields to open the date modal. You can select a preset day range or pick custom dates in the available range:

     <figure><img src="/files/gwfa7zpsKaRyTCFkW33u" alt="The date modal displays a calendar view, and fields at the bottom for &#x22;From Time&#x22; and &#x22;To Time.&#x22;" width="375"><figcaption></figcaption></figure>
   * **Data(GB)**: Choose this option to run a replay on a data set of a specified size (in gigabytes).
     * Select one of the options in the **Data** dropdown.
     * Note that the data set is not guaranteed to be the most recent `n` gigabytes.
8. Click **Create Replay**.
   * The estimated run time and data size will be displayed.
   * Note: If you have made any changes to the rule, you must save your changes before starting a Replay.

As the Replay processes, the progress will be displayed live, including the estimated volume processed and matched events. You can exit this page at any time without cancelling the Replay.

If you have a high rate of matched events, we recommend stopping the replay to tune your detection.

<figure><img src="/files/ZjVdZ2C1fsdwVkrN8TcW" alt="The Panther Console displays a message that says the Replay is processing."><figcaption></figcaption></figure>
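To make concrete what it means that a rule's deduplication period and events threshold are taken into account during a replay (and why a high rate of matched events does not translate one-to-one into alerts), here is an added simulation that is not Panther's code. It runs a Panther-style rule over a constructed batch of events and groups the matches the way a replay would: matches sharing a dedup string are collected into one alert, and the alert is only produced once the threshold is reached within a single dedup period. The rule, the events, their `p_event_time` values and the `threshold`/`dedup_period_minutes` arguments are all constructed for this example; Panther applies those two settings server-side from the rule's metadata, so treat this as a simplified local model of the documented behaviour rather than the exact engine.

```python
"""Simulate the alert count a Data Replay would report for a rule.

Added illustration, not Panther's code. Models the documented behaviour that a
rule's deduplication period and events threshold are applied during a replay:
matching events sharing a dedup string are grouped, and an alert is produced
only once the threshold is reached inside one dedup period. Panther evaluates
this server-side; this is a simplified local model.
"""
from datetime import datetime, timedelta


# --- Rule under test: a Panther-style Python rule (constructed) --------------
def rule(event):
    return event.get("action") == "login_failed"


def title(event):
    return f"Repeated failed logins for {event.get('user')}"


def dedup(event):
    # Group every failure for one user into the same alert.
    return event.get("user", "unknown")


# --- Replay simulation --------------------------------------------------------
def simulate_replay(events, threshold, dedup_period_minutes):
    """Return (total_matched, alerts), processing events oldest first.

    alerts is a list of dicts {dedup, title, event_count} in creation order.
    """
    period = timedelta(minutes=dedup_period_minutes)
    matched = [e for e in events if rule(e)]
    matched.sort(key=lambda e: e["p_event_time"])
    groups = {}  # dedup string -> (window_start, count_in_window, alert or None)
    alerts = []
    for e in matched:
        key = dedup(e)
        ts = e["p_event_time"]
        start, count, alert = groups.get(key, (None, 0, None))
        if start is None or ts >= start + period:
            start, count, alert = ts, 0, None  # dedup period expired: new window
        count += 1
        if alert is None and count >= threshold:
            # Threshold reached inside the window: this is when the alert fires.
            alert = {"dedup": key, "title": title(e), "event_count": count}
            alerts.append(alert)
        elif alert is not None:
            # Later matches in the same window are appended to the open alert.
            alert["event_count"] = count
        groups[key] = (start, count, alert)
    return len(matched), alerts


# --- Constructed sample events (not real log data) ---------------------------
T0 = datetime(2024, 1, 1, 9, 0)


def ev(minutes, user, action="login_failed"):
    return {"p_event_time": T0 + timedelta(minutes=minutes), "user": user, "action": action}


SAMPLE_EVENTS = (
    [ev(m, "alice") for m in range(8)]          # burst at 09:00-09:07
    + [ev(65 + m, "alice") for m in range(5)]   # second burst at 10:05-10:09
    + [ev(10, "bob"), ev(12, "bob")]            # only two failures
    + [ev(3, "carol", "login_success")]         # does not match the rule
)

if __name__ == "__main__":
    for threshold, period in [(5, 60), (1, 60), (5, 120)]:
        matched, alerts = simulate_replay(SAMPLE_EVENTS, threshold, period)
        print(f"threshold={threshold} dedup={period}m: matched={matched} alerts={len(alerts)}")
```

With the sample above, 15 events match the rule in every run, but the alert count the replay summary would show depends on the two settings: threshold 5 with a 60-minute period yields two alerts (both for alice, with 8 and 5 events; bob never reaches the threshold), threshold 1 yields three, and a 120-minute period folds alice's two bursts into a single alert of 13 events. Changing either setting is therefore a legitimate way to tune a detection whose replay reports too many alerts.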

## Starting an AI-powered replay (Beta) <a href="#starting-an-ai-powered-replay" id="starting-an-ai-powered-replay"></a>

{% hint style="info" %}
AI-powered replay is in open beta starting with Panther version 1.125, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
{% endhint %}

When Panther AI is enabled, the Data Replay section generates targeted data lake queries instead of replaying all events in a time range. Panther AI reads the detection rule—including any helper functions and unit tests—fetches the relevant log type schemas, then writes a SQL query per log type using selective `WHERE` clauses. The queries return full events (`SELECT *`), ordered by `p_event_time`. If the detection has unit tests, Panther AI runs the test events through the generated SQL using CTE queries to verify correctness before executing the final queries against the data lake.
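The CTE verification step described above is worth seeing in working form, because it is what keeps a generated query from being silently too broad or too narrow before it ever runs against the data lake. The following is an added example, not Panther's code: it takes a rule's unit tests (in the shape of a Panther rule's `Tests` block, with `Name`, `ExpectedResult` and `Log`), turns the test events into a CTE, runs a candidate `WHERE` clause over that CTE with sqlite3, and checks that the rows returned are exactly the tests whose `ExpectedResult` is true. The sample rule (console login without MFA), its column names, the candidate clauses and the table name are all constructed for the example; the real data lake is not SQLite, so only the shape of the check carries over, not the dialect.

```python
"""Verify a generated WHERE clause against a rule's unit tests via a CTE.

Added illustration, not Panther's code. Reproduces locally the page's
described check: the detection's unit-test events become a CTE, the
candidate WHERE clause runs over it, and the result must be exactly the
tests whose ExpectedResult is true. Column names, table name and the
sample rule are constructed for this example.
"""
import sqlite3

# Constructed unit tests in the shape of a Panther rule's Tests block.
UNIT_TESTS = [
    {"Name": "console login without MFA", "ExpectedResult": True,
     "Log": {"eventName": "ConsoleLogin", "mfaUsed": "No", "loginResult": "Success"}},
    {"Name": "console login with MFA", "ExpectedResult": False,
     "Log": {"eventName": "ConsoleLogin", "mfaUsed": "Yes", "loginResult": "Success"}},
    {"Name": "failed login without MFA", "ExpectedResult": False,
     "Log": {"eventName": "ConsoleLogin", "mfaUsed": "No", "loginResult": "Failure"}},
    {"Name": "unrelated API call", "ExpectedResult": False,
     "Log": {"eventName": "ListBuckets", "mfaUsed": None, "loginResult": None}},
]

# Two candidate clauses: one faithful to the rule, one too broad (drops the MFA condition).
GOOD_WHERE = "eventName = 'ConsoleLogin' AND mfaUsed = 'No' AND loginResult = 'Success'"
BROAD_WHERE = "eventName = 'ConsoleLogin' AND loginResult = 'Success'"


def build_cte_query(tests, where_clause):
    """Return (sql, params): a CTE holding every test event, filtered by where_clause.

    Values are bound as parameters; only the column names and the candidate
    clause are spliced into the SQL text.
    """
    columns = sorted({k for t in tests for k in t["Log"]})
    rows, params = [], []
    for t in tests:
        cols = ", ".join(f"? AS {c}" for c in columns)
        rows.append(f"SELECT ? AS test_name, {cols}")
        params.append(t["Name"])
        params.extend(t["Log"].get(c) for c in columns)  # missing key -> NULL
    sql = (
        "WITH test_events AS (\n  " + "\n  UNION ALL ".join(rows) + "\n)\n"
        f"SELECT test_name FROM test_events WHERE {where_clause}"
    )
    return sql, params


def verify_where_clause(tests, where_clause):
    """Run the clause over the CTE; return (ok, unexpected_matches, missed_matches)."""
    sql, params = build_cte_query(tests, where_clause)
    conn = sqlite3.connect(":memory:")
    try:
        matched = {row[0] for row in conn.execute(sql, params)}
    finally:
        conn.close()
    expected = {t["Name"] for t in tests if t["ExpectedResult"]}
    return matched == expected, sorted(matched - expected), sorted(expected - matched)


def build_lake_query(table, where_clause):
    """Final query shape described on the page: full events, ordered by p_event_time."""
    return f"SELECT * FROM {table} WHERE {where_clause} ORDER BY p_event_time"


if __name__ == "__main__":
    for label, clause in [("good", GOOD_WHERE), ("broad", BROAD_WHERE)]:
        ok, extra, missed = verify_where_clause(UNIT_TESTS, clause)
        print(f"{label}: ok={ok} unexpected={extra} missed={missed}")
    print(build_lake_query("panther_logs.public.aws_cloudtrail", GOOD_WHERE))
```

The broad clause fails the check because it also returns the "console login with MFA" test, which the rule's own tests say must not fire; a clause that dropped a true case would show up under `missed_matches` instead. Only a clause that passes cleanly should be promoted into the `SELECT *` query that runs against the lake, which is the same gate the AI-powered replay applies before it executes its queries.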

### Prerequisites

* [Panther AI must be enabled](/ai.md#enabling-panther-ai).
* Your user role must have the **Run Panther AI** permission.

### Starting the replay

1. In the left-hand navigation bar of your Panther Console, click **Detections**.
2. Click on the name of the detection you want to use in a Data Replay.
3. Click the **Configure** tab.
4. Scroll down to the **Data Replay** tile, within the **Test** section.
5. Select **Replay from Datalake**.
6. In the **Log Types** field, select the log types you wish to replay for the detection.

   <figure><img src="/files/JzKNDP2eyhl1y9osFZTP" alt=""><figcaption></figcaption></figure>
7. Set the **Date Start** and **Date End** fields to define the time range.
8. Click **Generate Queries with AI**.
   * The **AI Query Generation** panel appears, showing Panther AI's progress as it generates and executes SQL queries. You can expand or collapse this panel at any time.
   * While the queries are generating, you can click **Cancel** to stop the process.
9. When query generation is complete:
   * If matching events are found, the panel displays the number of queries generated (e.g., "2 queries generated") and a **Start Replay** button.
   * If no matching events are found, an informational message is displayed. This may mean there are no events in the selected time range that would trigger the detection.
10. Click **Start Replay with N Queries** to start the replay using the AI-generated query results.

The replay then processes the matched events through the detection rule, and you can view the results the same way as a standard replay.

### Refining queries with follow-up prompts

After Panther AI finishes generating queries, you can provide additional context or ask for refinements using the follow-up prompt field at the bottom of the **AI Query Generation** panel.

For example, you might enter:

* "Only include events where the source IP is external."
* "Narrow the query to failed login attempts."
* "Exclude events from service accounts."

Type your follow-up prompt and click **Run Again**. Panther AI regenerates the queries with your additional context.

{% hint style="info" %}
If you change the time range or log types after generating queries, the AI results are automatically reset. You will need to click **Generate Queries with AI** again.
{% endhint %}

## Viewing replay results

After the Replay is complete, you will see an alert summary on the detection's page that includes total alerts, total rule errors, volume processed, and total matched events. All alerts are shown as they would have appeared if the rule had been enabled during that time range.

On this page, you can filter alerts and view the events associated with each alert.

<figure><img src="/files/yr1QqCw66UBQFpB0zDYf" alt="The Replay Test Summary shows the number of alerts, rule errors, estimated volume processed, and total matched events."><figcaption></figcaption></figure>

Click on an alert for more information. On the alert's page, click the **Details** tab to see which destinations the alert would have been sent to had the rule been live. This page also includes the start time, end time, and duration of the replay.

Note: No alerts are sent to their destinations while replaying data.

<figure><img src="/files/F6R7JTf7qevxQprxbVVn" alt="The alert&#x27;s Details page shows more information, including the destination where you would expect the alert to be sent."><figcaption></figcaption></figure>


