When trying to upload detections via panther_analysis_tool the following error appears:
```
[INFO]: Uploading items to Panther Warning: : Exhausted retries attempting to perform bulk upload.
```
If you are uploading Scheduled Queries
Follow the steps in this guide: How to resolve "Bulk upload failed to update a saved query" error in Panther
If you are not uploading Scheduled Queries
- Try uploading without the
- Check to see that you're treating all Mock Testing return values as String. If your code is expecting a different type like Array or JSON, a small tweak to the code is required to handle the Mock value. The example below is pulled from our Diving into the Detection section of Mocks in our documentation.
```python
import json
# Another option is to use: from ast import literal_eval

# --- Snipped ---

def policy(resource):
    # --- Snipped ---
    recorder = resource_lookup(recorder_name)
    if isinstance(recorder, str):
        recorder = json.loads(recorder)
```
- Check if the log types in the files you are uploading are written as expected and with the correct casing (for example Github.Audit is not correct, whereas
- If the above steps do not lead to an obvious solution, reach out to Panther Support.
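The mock-handling check above can be factored into one helper that accepts both the string a unit-test mock returns and the structured value a live lookup returns. This is an added example, not code from Panther's documentation: `coerce_mock`, the stand-in `resource_lookup`, the `lookup` parameter and the sample recorder fields are assumptions made for illustration.

```python
import json
from ast import literal_eval


def coerce_mock(value, expected=(dict, list)):
    """Return a helper result as structured data, whether mocked or live."""
    if not isinstance(value, str):
        return value  # live call: already structured
    try:
        parsed = json.loads(value)
    except json.JSONDecodeError:
        try:
            # Python-literal mocks such as "{'a': True}". literal_eval only
            # builds literals and never executes code, unlike eval().
            parsed = literal_eval(value)
        except (ValueError, SyntaxError, TypeError):
            raise ValueError(f"mock is neither JSON nor a literal: {value!r}") from None
    if not isinstance(parsed, expected):
        # A bare string or boolean parses fine but is not what the rule expects.
        raise TypeError(f"mock parsed to {type(parsed).__name__}, expected dict or list")
    return parsed


def resource_lookup(resource_id):
    # Stand-in for the real helper, returning what a mock would: a string.
    # The field name below is constructed sample data.
    return '{"recording": true}'


def policy(resource, lookup=resource_lookup):
    recorder = coerce_mock(lookup(resource["Name"]))
    return recorder.get("recording") is True


if __name__ == "__main__":
    print(policy({"Name": "default"}))
```

Failing loudly on an unparseable or wrongly typed mock surfaces the problem in local tests instead of at upload time.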
This issue can occur when using the --batch option or trying to upload a query that times out or contains an SQL error on a version of panther_analysis_tool that predates v0.19.10.