How do I resolve the Panther alert error "This can be caused by under/overflow for integers. Status code: 400"?
When trying to view associated events in an alert's overview page in the Panther Console, events do not appear and the following error occurs:
ListObjectsV2PagesWithContext failed pagination for s3://panther-bootstrap-...: SelectObjectWithContext failed for s3://panther-bootstrap-...: UnsupportedFormatNumber: Error parsing number near charIndex: ##. This can be caused by under/overflow for integers. status code: 400, request id: ##, host id: ##
To resolve this issue:
- Check in the Data Explorer for the events that match your alert (replace <alert_id> and <target_log_type> with your alert ID and the log type the rule runs on):
  -- rule matches for this alert, joined back to the raw events on p_row_id
  with rule_matches as (select * from panther_views.public.all_rule_matches where p_alert_id = '<alert_id>'),
  logs as (select * from panther_logs.public.<target_log_type>)
  select rule_matches.p_alert_id, logs.*
  from rule_matches join logs on rule_matches.p_row_id = logs.p_row_id
- In the returned events, look for a field typed as an integer whose value is larger than 9223372036854775807.
- Clone your schema and change that field's type from integer to string.
- Update every log source and rule that used the old log type so they reference the new log type.
This issue occurs because AWS S3 Select cannot parse integers larger than 9223372036854775807 (the largest signed 64-bit value); a schema field declared as an integer that holds a bigger value makes the S3 Select query behind the alert's event view fail with the error above.
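The "spot a very large integer" step can be tedious by eye when events are deeply nested. The script below is an added example, not part of the Panther article or Panther's own tooling: it walks newline-delimited JSON events (for instance, the Data Explorer results exported as JSON lines, which is an assumption about how you obtain them) and reports every field whose integer value falls outside the signed 64-bit range that S3 Select accepts, so you know which schema field to retype as string. The sample events and field names are constructed for the demonstration.

```python
import json

# Bounds of the integer range AWS S3 Select can parse (signed 64-bit).
# The upper bound is the value quoted in the article.
S3_SELECT_INT_MAX = 9223372036854775807
S3_SELECT_INT_MIN = -9223372036854775808


def find_oversized_ints(event, path=""):
    """Return a list of (json_path, value) for every integer in `event`
    that lies outside the int64 range. Recurses into objects and arrays."""
    hits = []
    if isinstance(event, bool):          # bool is a subclass of int; skip it
        return hits
    if isinstance(event, int):
        if event > S3_SELECT_INT_MAX or event < S3_SELECT_INT_MIN:
            hits.append((path or "$", event))
    elif isinstance(event, dict):
        for key, value in event.items():
            child = f"{path}.{key}" if path else key
            hits.extend(find_oversized_ints(value, child))
    elif isinstance(event, list):
        for index, value in enumerate(event):
            hits.extend(find_oversized_ints(value, f"{path}[{index}]"))
    return hits


def scan_jsonl(lines):
    """Scan JSON-lines events and return {field_path: largest_offending_value}.
    Malformed lines are skipped; Python's json module keeps big integers exact,
    so no precision is lost before the comparison."""
    offending = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        for path, value in find_oversized_ints(event):
            if abs(value) > abs(offending.get(path, 0)):
                offending[path] = value
    return offending


# Constructed sample events: a nested field and an array element exceed int64.
SAMPLE_EVENTS = [
    '{"p_row_id": "a1", "user": {"id": 42, "session_token_num": 18446744073709551615}, "bytes": 1024}',
    '{"p_row_id": "a2", "user": {"id": 43, "session_token_num": 12345}, "bytes": 2048}',
    '{"p_row_id": "a3", "counters": [1, 99999999999999999999]}',
    'not valid json',
]

if __name__ == "__main__":
    for path, value in scan_jsonl(SAMPLE_EVENTS).items():
        # Each reported path is a candidate for `type: string` in the cloned schema.
        print(f"{path}: {value} exceeds the S3 Select integer limit; retype as string")
```

Run it against the exported events and change each reported field to a string type in the cloned schema; fields that stay within the int64 range can keep their integer type.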