Panther Knowledge Base

How to resolve "Bulk upload failed to update a saved query" error in Panther

Issue

When trying to upload to my Panther Console using panther_analysis_tool, I get the following error:

[ERROR]: {'message': 'bulk upload failed to update a saved query', ...

Resolution

To resolve this issue:

  • Check if your panther_analysis_tool upload command is uploading any scheduled queries.
    • If you are uploading any scheduled queries via panther_analysis_tool upload, you can fix this via one of the following methods:
      • Option 1: Examine the scheduled query that is being uploaded and verify it's valid:
        1. Ensure you are using fully qualified table names in your query (e.g. select * from panther_logs.public.custom_tablename instead of select * from custom_tablename).
        2. Make sure any table names referenced in the query exist in your Panther Console.
        3. Make sure there aren't any comments added to the last line of a query.
        4. Check whether any column names at the top level of the query contain special characters, and alias them (e.g. select problematic.ColumnName as somethingelse).
        5. Check whether your query is long-running. If so, reduce its runtime by limiting the data it scans with a where clause on the event time (e.g. where p_occurs_since('1 hour')). Also avoid the SQL clause SELECT DISTINCT *, because using it on a large dataset has caused timeouts.
        6. Make sure your query doesn't use SQL's CALL command, since we currently don't support this. If your detection depends on a routine called by SQL, reach out to our support team for more assistance.
      • Option 2: Disable any scheduled query you do not wish to upload by editing the yaml file for the scheduled query and marking enabled: false.
  • Check that none of the scheduled queries you are uploading use any of the following disallowed characters in their column aliases:
    • . , - " ( ) :
  • If you do not intend to upload any scheduled queries, you can explicitly tell panther_analysis_tool to ignore them by adding a --filter KEY=VALUE argument to your panther_analysis_tool upload command. For example, to upload only rules, policies, and global helpers, add: --filter AnalysisType=policy,rule,global
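The checklist above can be run locally before an upload. The following script is an added example, not part of the Panther Knowledge Base or of panther_analysis_tool: it tokenizes the SQL of a scheduled query and reports the conditions the article lists (unqualified table names, a comment on the last line, disallowed characters in top-level aliases or unaliased column expressions, CALL, SELECT DISTINCT *, and a missing WHERE clause). The two sample queries are constructed for the example; the table name panther_logs.public.aws_cloudtrail is used only as a plausible fully qualified name.

```python
import re

# Characters the KB article lists as disallowed in column aliases.
DISALLOWED_ALIAS_CHARS = set('.,-"():')

# Tokenizer: quoted identifiers, string literals, parens, dotted identifiers,
# numbers, and any other single character (operators, commas, colons).
TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|\(|\)|[A-Za-z_][\w.]*|\d+|\S')

# Constructed sample: violates several of the article's checks.
BAD_QUERY = """
select problematic.ColumnName, count(*)
from custom_tablename
group by 1
-- TODO remove this comment
"""

# Constructed sample: fully qualified table, time-bounded, plain aliases.
GOOD_QUERY = """
with recent as (
  select * from panther_logs.public.aws_cloudtrail
  where p_occurs_since('1 hour')
)
select recent.eventName as event_name, count(*) as event_count
from recent
group by 1
"""


def strip_comments(sql):
    """Remove -- line comments and /* */ block comments."""
    return re.sub(r'--[^\n]*|/\*.*?\*/', '', sql, flags=re.S)


def tokenize(sql):
    return TOKEN_RE.findall(strip_comments(sql))


def top_level_select_items(sql):
    """Split the outermost SELECT list into its comma-separated items (as token lists)."""
    depth, started, items, current = 0, False, [], []
    for tok in tokenize(sql):
        if tok == '(':
            depth += 1
        elif tok == ')':
            depth -= 1
        if not started:
            # The outermost SELECT is the first one seen at paren depth 0 (CTEs sit inside parens).
            started = depth == 0 and tok.lower() == 'select'
            continue
        if depth == 0 and tok.lower() == 'from':
            break
        if depth == 0 and tok == ',':
            items.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        items.append(current)
    return items


def lint_scheduled_query(sql):
    """Return a list of findings; an empty list means none of the KB checks fired."""
    findings = []
    toks = tokenize(sql)
    lower = [t.lower() for t in toks]

    # CTE names ("with name as (") are legitimately referenced without qualification.
    cte_names = {lower[i - 1] for i in range(1, len(toks) - 1)
                 if lower[i] == 'as' and toks[i + 1] == '('
                 and re.fullmatch(r'[A-Za-z_]\w*', toks[i - 1])}

    for i, low in enumerate(lower[:-1]):
        if low in ('from', 'join'):
            ref = toks[i + 1]
            if ref != '(' and ref.lower() not in cte_names and ref.count('.') < 2:
                findings.append(f"table '{ref}' is not fully qualified; use database.schema.table")

    if 'call' in lower:
        findings.append("CALL is not supported in scheduled queries")

    if re.search(r'\bselect\s+distinct\s+\*', strip_comments(sql), re.I):
        findings.append("SELECT DISTINCT * on a large table can time out; select specific columns")

    if 'where' not in lower:
        findings.append("no WHERE clause; bound the scan, e.g. where p_occurs_since('1 hour')")

    lines = [ln for ln in sql.splitlines() if ln.strip()]
    if lines and ('--' in lines[-1] or '/*' in lines[-1]):
        findings.append("the last line of the query contains a comment; move or remove it")

    for item in top_level_select_items(sql):
        if len(item) >= 3 and item[-2].lower() == 'as':
            what, name = 'alias', item[-1].strip('"')
        else:
            what, name = 'unaliased column expression', ' '.join(item)
        bad = ''.join(sorted(set(name) & DISALLOWED_ALIAS_CHARS))
        if bad:
            findings.append(f"{what} '{name}' contains disallowed character(s) {bad}; use a plain alias")
    return findings


if __name__ == '__main__':
    for label, query in (('BAD_QUERY', BAD_QUERY), ('GOOD_QUERY', GOOD_QUERY)):
        print(label, lint_scheduled_query(query) or ['no findings'])
```

Run this over the Query field of each scheduled-query YAML file before calling panther_analysis_tool upload; a query with no findings can still fail Panther's own validation run (for example, when a referenced table does not exist in your Console), so treat an empty result as a pre-check, not a guarantee.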

Cause

When you upload a scheduled query to your Panther Console, Panther first runs the query to verify that it is valid before allowing it to be saved as a scheduled query. If running the query produces an error, Panther does not allow the upload to succeed.

This only applies to *enabled* scheduled queries, which is why one way to resolve such errors is simply to mark the scheduled query as enabled: false in its yaml file. Otherwise, the suggestions in the Resolution section above cover the common ways a query can be invalid; if you do want to upload the scheduled query, use them to verify that your query is valid.