The Indicator Search in my Panther Console throws a "does not exist or not authorized" SQL compilation error for a "_VARIANT" suffix table
Issue
When trying to use the Indicator Search in my Panther Console I get the error below:
279001: 01aa2f01-0403-0077-0073-14830a46c032: server ErrorCode=002003, ErrorMessage=SQL compilation error: Object 'PANTHER_RULE_MATCHES.PUBLIC.<TABLE-NAME>_001_VARIANT' does not exist or not authorized.
Resolution
To resolve this issue:
You can spot the auto-generated query from the Investigate > Query History view and manually remove the _VARIANT
suffix for the tables that seem not to exist or not be authorized and throw this error.
For example, you can change:
PANTHER_RULE_MATCHES.PUBLIC.<TABLE-NAME>_001_VARIANT
to
PANTHER_RULE_MATCHES.PUBLIC.<TABLE-NAME>_001
Then you can re-run the query within Data Explorer to get the results from the Indicator Search.
Cause
This is an error that's being triggered by a bug in the Indicator Search view. We have already found the root cause and our engineering team is working hard to introduce a fix that will be patched soon.