When trying to upload to my Panther Console using panther_analysis_tool I am getting an error:
[ERROR]: {'message': 'bulk upload failed to update a saved query', ...
To resolve this issue:
Check whether your panther_analysis_tool upload command is uploading any scheduled queries.
If it is uploading scheduled queries, you can fix this via one of the following methods:
Option 1: Examine the scheduled query that is being uploaded and verify that it is valid:
Ensure you are using fully qualified table names in your query (e.g., select * from panther_logs.public.custom_tablename instead of select * from custom_tablename).
Make sure any table names referenced in the query exist in your Panther Console.
Make sure there are no comments on the last line of the query.
Check whether any column names at the top level of the query contain special characters, and alias them (e.g., select problematic.ColumnName as somethingelse).
Check whether your query is long-running. If so, reduce its runtime by limiting the data it scans with a where clause on the event time (e.g., where p_occurs_since('1 hour')). Also avoid SELECT DISTINCT *, since using it on a large dataset has caused timeouts.
Make sure your query does not use SQL's CALL command, which is not currently supported. If your detection depends on a routine invoked with CALL, reach out to the Panther support team for assistance.
Option 2: Disable any scheduled query you do not wish to upload by editing its YAML file and setting enabled: false.
Check that the column aliases in all scheduled queries you are uploading are free of the following disallowed characters:
. , - " ( ) :
If you do not intend to upload any scheduled queries, you can explicitly tell panther_analysis_tool to ignore them by adding a --filter KEY=VALUE argument to your panther_analysis_tool upload command. For example, to upload only rules, policies, and global helpers, add: --filter AnalysisType=policy,rule,global
When you upload a scheduled query to your Panther Console, Panther first runs the query to verify that it is valid before allowing it to be saved as a scheduled query. If running the query produces an error, the upload fails.
This applies only to *enabled* scheduled queries, which is why one way to resolve such errors is simply to mark the scheduled query as enabled: false in its YAML file. Alternatively, the suggestions in the resolution section above cover common ways a query can be invalid; if you do wish to upload the scheduled query, use them to verify that it is valid.
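Because the Console only reports the failure after the bulk upload has been attempted, it helps to run the Option 1 checklist locally first. The script below is an added example, written for this article; it is not part of panther_analysis_tool or of Panther's own code. It applies the checklist items (fully qualified table names, no comment on the last line, no disallowed characters in aliases, no SELECT DISTINCT *, no CALL, a time bound on the event time) to the SQL text of a scheduled query using regular-expression heuristics rather than a real SQL parser. The three sample queries are constructed for illustration, and the use of p_event_time as the event-time column is an assumption; p_occurs_since() and the table names come from the article.

```python
"""Pre-upload lint for Panther scheduled queries.

Added example, not part of the original article and not part of
panther_analysis_tool. It applies the Option 1 checklist to the SQL text
of a scheduled query with regular-expression heuristics, so an obviously
invalid query is caught locally before `panther_analysis_tool upload`
sends it to the Console for validation. The sample queries at the bottom
are constructed for illustration and reference no real data.
"""
import re

# Characters the article lists as not allowed in column aliases.
DISALLOWED_ALIAS_CHARS = set('.,-"():')


def _strip_comments(sql: str) -> str:
    """Remove /* */ and -- comments so they do not trip the token checks."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    return re.sub(r"--[^\n]*", "", sql)


def lint_scheduled_query(sql: str) -> list:
    """Return the checklist items the query violates (empty list = clean).

    The checks are text heuristics: they do not parse SQL, so something
    like `cast(x as varchar)` would be reported as a suspicious alias.
    """
    findings = []
    lines = [ln for ln in sql.strip().splitlines() if ln.strip()]

    # 1. No comment on the last line of the query.
    if lines and ("--" in lines[-1] or lines[-1].rstrip().endswith("*/")):
        findings.append("comment on the last line of the query")

    body = _strip_comments(sql)
    lowered = body.lower()

    # 2. Table names after FROM/JOIN must be database.schema.table.
    for match in re.finditer(r"\b(?:from|join)\s+([A-Za-z_][\w.]*)", body, flags=re.I):
        name = match.group(1)
        if name.count(".") != 2:
            findings.append(f"table name not fully qualified: {name}")

    # 3. Column aliases must not contain . , - " ( ) :
    for match in re.finditer(r"\bas\s+(\S+)", body, flags=re.I):
        alias = match.group(1).rstrip(",")  # a trailing comma is the list separator
        bad = sorted(set(alias) & DISALLOWED_ALIAS_CHARS)
        if bad:
            findings.append(f"alias {alias!r} contains disallowed character(s) {''.join(bad)}")

    # 4. SELECT DISTINCT * on a large table has caused timeouts.
    if re.search(r"\bselect\s+distinct\s+\*", lowered):
        findings.append("uses SELECT DISTINCT *")

    # 5. CALL is not supported in scheduled queries.
    if re.search(r"\bcall\s+[a-z_]", lowered):
        findings.append("uses CALL")

    # 6. Bound the time range. p_occurs_since() is the helper named in the
    #    article; p_event_time as the event-time column is an assumption.
    if "p_occurs_since(" not in lowered and "p_event_time" not in lowered:
        findings.append("no time bound; add e.g. where p_occurs_since('1 hour')")

    return findings


# Constructed sample: violates five checklist items at once.
BAD_QUERY = """
select distinct *, t."Weird-Column" as "weird-column"
from custom_tablename
-- TODO: add a time filter
"""

# Constructed sample: the same intent written so the Console can validate it.
GOOD_QUERY = """
select
    p_event_time,
    "Source-IP" as source_ip,
    action_name as action
from panther_logs.public.custom_tablename
where p_occurs_since('1 hour')
  and action_name = 'login'
"""

# Constructed sample: a routine invoked with CALL, which is unsupported.
CALL_QUERY = "call panther_logs.public.refresh_summary()\n"


if __name__ == "__main__":
    for label, sql in (("bad", BAD_QUERY), ("good", GOOD_QUERY), ("call", CALL_QUERY)):
        print(label, lint_scheduled_query(sql) or "ok")
```

Run the lint over the Query field of each scheduled-query YAML file you intend to upload, and fix or disable anything it reports before retrying panther_analysis_tool upload. The time-bound check fires whenever neither p_occurs_since() nor p_event_time appears, so a query that bounds time some other way will produce a false positive there; treat the output as a checklist reminder, not as proof that the Console will accept the query.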