Data Replay (Beta)

Use Data Replay to preview the outcome of a rule against real data before enabling it.
Data Replay is currently in open beta. Please share any bug reports and feature requests with your account team.
With Panther's Data Replay, rules can be tested against historical log data to preview the outcome of a rule before enabling it.
When writing or updating a detection, use Data Replay to simulate what type of alerts you are likely to receive before deploying the detection.
Alerts generated through a replay will not be delivered to the rule's destinations or displayed on the main Alerts & Errors dashboard.

Starting a replay

A rule's deduplication period and events threshold will be taken into account during Data Replay. If a rule has Rule Filters, they will be applied.
Before getting started, note the following constraints:

Constraints

  • Time range is configurable but must be within the last 30 days
  • Time range must be older than 24 hours
  • Replay must complete in under an hour
  • Access to the panther-kv-store is blocked to prevent polluting production data
  • Lookup Tables are blocked to prevent modifying production data from a replay
  • Network calls from within a rule are blocked

How to use Data Replay:

  1. Log in to your Panther Console.
  2. From the left sidebar menu, click Build > Detections. Click on the Detection you want to use in a Data Replay.
  3. In the upper right side of the Detection's details page, click Edit Rule. Click the Functions & Tests tab and scroll down to the Data Replay section.
     Screenshot: the "Functions and Tests" section of a Detection's details page, with a "Replay Data" header at the bottom containing Log Types, Date Start and Date End fields and an orange "Run Replay" button in the lower right.
  4. Under Data Replay, select the log types and date range you wish to replay for the Detection. Click Run Replay.
     • The estimated run time and data size will be displayed.
     • Note: If you have made any changes to the rule, you must save your changes before starting a Replay.
As the Replay is processing, its progress is displayed live, including the estimated volume processed and the number of matched events. The system will indicate if there is a high event match rate, to help you know when to stop the replay and tune your detection. You can exit this page at any time without cancelling the Replay.
Screenshot: the Panther Console showing a message that the Replay is processing.

Viewing replay results

After the Replay is complete, you will see an alert summary on the detection's page that includes total alerts, total rule errors, volume processed, and total matched events. All alerts are shown as they would have appeared if the rule had been enabled during that time range.
On this page, you can filter alerts and view the events associated with each alert.
Screenshot: the Replay Test Summary showing the number of alerts, rule errors, estimated volume processed, and total matched events.
Click on an alert for more information. On the alert's page, click the Details tab to see which destinations the alert would have been sent to if the rule were live. This page also includes the start time, end time, and duration of the replay.
Note: No alerts are sent to their destinations while replaying data.
Screenshot: the alert's Details page, including the destination to which you would expect the alert to be sent.
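As an added illustration of how the summary figures above relate to a rule's deduplication period and events threshold (this is not Panther's code; it is a simplified model written for this page): a toy replay that runs a hypothetical rule over constructed events and reports matched events, rule errors and alerts. The `rule`, `dedup` and `replay` functions, the event fields and the sample data are all assumptions made for this example.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real Panther log data); p_event_time is ISO 8601 UTC.
EVENTS = [
    {"p_event_time": "2024-01-01T10:00:00Z", "user": "alice", "status": "FAIL"},
    {"p_event_time": "2024-01-01T10:05:00Z", "user": "alice", "status": "FAIL"},
    {"p_event_time": "2024-01-01T10:06:00Z", "user": "bob", "status": "OK"},
    {"p_event_time": "2024-01-01T10:07:00Z", "user": "alice", "status": "FAIL"},
    {"p_event_time": "2024-01-01T10:08:00Z", "user": "carol"},  # malformed: no status
    {"p_event_time": "2024-01-01T11:30:00Z", "user": "bob", "status": "FAIL"},
    {"p_event_time": "2024-01-01T12:00:00Z", "user": "alice", "status": "FAIL"},
]

def rule(event):
    """Hypothetical detection: any failed login. A missing field raises KeyError."""
    return event["status"] == "FAIL"

def dedup(event):
    """Dedup string: group matches per user within the deduplication period."""
    return event["user"]

def replay(events, rule_fn, dedup_fn, dedup_minutes, threshold):
    """Simplified replay model (an assumption, not Panther's engine).

    An alert opens when a dedup key reaches `threshold` matches inside a window of
    `dedup_minutes` from its first match; later matches in that window join the
    same alert. Events whose rule raises are counted as rule errors, not matches.
    """
    summary = {"volume_processed": len(events), "matched_events": 0,
               "rule_errors": 0, "alerts": 0}
    windows = {}  # dedup key -> (window start, matches seen in window)
    for ev in sorted(events, key=lambda e: e["p_event_time"]):
        try:
            if not rule_fn(ev):
                continue
        except Exception:
            summary["rule_errors"] += 1
            continue
        summary["matched_events"] += 1
        key = dedup_fn(ev)
        ts = datetime.fromisoformat(ev["p_event_time"].replace("Z", "+00:00"))
        start, count = windows.get(key, (None, 0))
        if start is None or ts - start > timedelta(minutes=dedup_minutes):
            start, count = ts, 0  # no open window for this key: start a new one
        count += 1
        windows[key] = (start, count)
        if count == threshold:  # fires once per window, when the threshold is met
            summary["alerts"] += 1
    return summary
```

With a 60-minute deduplication period and a threshold of 2, the sample data yields one alert (alice's three early failures are grouped, bob never reaches the threshold, and alice's 12:00 failure starts a new window), one rule error for the malformed event, and five matched events.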