Uploading a Lookup Table in Panther gives error: Content for lookup table 'my lut' not found at 'my lut.csv'
Issue
When trying to upload a Lookup Table through the Bulk Uploader or through the panther-analysis-tool (PAT), you get the following error:
Content for lookup table 'my_lut' not found at 'my_lut.csv'
where the names my_lut and my_lut.csv are standings for your Lookup Table name and the Lookup Table data file, respectively.
Resolution
This issue can be resolved by rearchiving the ZIP file from within the same directory as the LUT.
Example directory structure
For example, if you have the following directory structure (as present in our panther-anaysis repo):
→ panther-analysis
↳ lookup_tables
↳ account_ids.yml
↳ account_ids.csv
↳ network_cidr.yml
↳ network_cidr.csv
Resolve via PAT
Run the following:
cd panther-analysis/lookup_tables panther-analysis-tool upload --path ./
Resolve via Bulk Uploader
Open your terminal app and navigate to the directory where panther-analysis is stored. Then run the following:
cd panther-analysis/lookup_tables zip -r ../../lookup_tables.zip ./
This will create a ZIP file in the same folder as panther-analysis. You can now upload this ZIP file using the Bulk Uploader.
Cause
This issue is caused by a bug with the linker for Lookup Table uploads. Currently, the linker fails to associate CSV files with the approriate Lookup YML file unless they're both in the root of the ZIP file.