How to make Panther Analysis Tool upload faster
QUESTION
How do I make panther_analysis_tool upload operations faster? Even when uploading a small amount of content, the upload is slow and takes a long time.
ANSWER
Here are some things that can help reduce the time spent waiting for panther_analysis_tool (PAT) to complete:
- Exclude saved queries from the upload. Currently Panther saves these one at a time on the backend.
- If what you're doing is updating detection code, use PAT test and validate. This way, when you merge a branch to main in GitHub Actions or your preferred CI/CD system, the upload command runs in the background.
- Only upload the rules that have changed.
  - To upload only the changed rules, you can add --path ./rules to your command like so:
      pipenv run panther_analysis_tool upload --path ./rules --filter Enabled=true --skip-tests
    When we upload the rules/ directory, if a rule has not been updated, nothing happens. This effectively ensures that only the files that have changed are updated.
  - If your CI/CD pipeline only runs the upload process, you can set your workflow to monitor only the rules folders:
      paths:
        - 'rules/**'
- Check if your GitHub Actions workflow is set to use directory-based upload (i.e. for dir in rules/*; do). This method processes directories one by one, and also re-uploads the global helpers and data models for each rule directory, which could be why it's slow. You can refer to the example GitHub workflow YAML in our docs.
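The tips above combined into one GitHub Actions workflow, as an added example that is not Panther's published workflow. It assumes a default branch named main, a Pipfile that installs panther_analysis_tool, and repository secrets named PANTHER_API_TOKEN and PANTHER_API_HOST; the body of the commented-out loop is a constructed illustration of the directory-based pattern.

```yaml
# Added example, not Panther's published workflow.
# Assumptions: default branch "main", a Pipfile that installs
# panther_analysis_tool, and repository secrets named
# PANTHER_API_TOKEN / PANTHER_API_HOST.
name: upload-detections

on:
  push:
    branches: [main]
    paths:
      - 'rules/**'      # skip the job entirely when no rule file changed

permissions:
  contents: read        # the job only needs to read the repository

jobs:
  upload:
    runs-on: ubuntu-latest
    env:
      PANTHER_API_TOKEN: ${{ secrets.PANTHER_API_TOKEN }}
      PANTHER_API_HOST: ${{ secrets.PANTHER_API_HOST }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.11'   # assumed version
      - run: pip install pipenv && pipenv install

      # Slow pattern (constructed illustration): one upload per directory,
      # each of which also re-uploads the global helpers and data models.
      # - run: |
      #     for dir in rules/*; do
      #       pipenv run panther_analysis_tool upload --path "$dir"
      #     done

      # Single upload of the whole rules/ tree; unchanged rules are left alone.
      - run: pipenv run panther_analysis_tool upload --path ./rules --filter Enabled=true --skip-tests
```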