How do I remove accidentally uploaded queries using Panther Analysis Tool (PAT)?

Last updated: December 1, 2025

QUESTION

How do I undo or remove queries that were accidentally uploaded to Panther when running the Panther Analysis Tool upload command?

ANSWER

There are two main methods to remove accidentally uploaded queries from Panther, with manual removal as a third option:

Method 1: Using the Makefile Command (Recommended)

The quickest method is to use the Makefile command for deleting deprecated rules:

  1. Add the query IDs you want to delete to a file called deprecated.txt

  2. Run the command: make remove-deprecated

Method 2: Using a Custom Script

You can write a script that uses the Panther API /queries endpoint to delete the queries that were uploaded from your queries folder.

Method 3: Manual Removal

Alternatively, you can manually remove the uploaded queries through the Panther console interface. You can see all queries by navigating to Investigate > Saved Searches.

Preventing Future Accidental Uploads

To avoid this issue in the future, consider storing your custom queries in a subfolder within the queries directory. This allows you to use the --path option to target only your specific queries instead of uploading all queries in the folder.

For example, create a structure like queries/custom/ and then use --path queries/custom/ in your upload command.
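
An added example (not Panther's or PAT's own code) for Method 1 and the subfolder layout above: it collects the ID of every query under queries/ except those in queries/custom/ and appends them to deprecated.txt. It assumes a query's ID is the top-level QueryName key of its YAML file, that query files carry AnalysisType saved_query or scheduled_query, and that deprecated.txt lists one ID per line; the function names and sample files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: a query's ID is its top-level QueryName key, and only files whose
# AnalysisType is saved_query or scheduled_query are queries.
QUERY_NAME = re.compile(r"^QueryName:\s*(.+?)\s*$", re.MULTILINE)
QUERY_TYPE = re.compile(r"^AnalysisType:\s*(saved_query|scheduled_query)\s*$", re.MULTILINE)


def collect_query_ids(queries_dir, keep_subdir="custom"):
    """Return the sorted IDs of all queries under queries_dir, skipping keep_subdir."""
    root = Path(queries_dir)
    keep = root / keep_subdir
    ids = set()
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix not in (".yml", ".yaml"):
            continue
        if keep in path.parents:  # your own queries stay in Panther
            continue
        text = path.read_text(encoding="utf-8")
        name = QUERY_NAME.search(text)
        if name and QUERY_TYPE.search(text):  # ignore rules, policies, helpers
            ids.add(name.group(1).strip("'\""))
    return sorted(ids)


def merge_into_deprecated(ids, deprecated_file):
    """Append IDs not already listed in deprecated_file; return the ones added."""
    path = Path(deprecated_file)
    lines = path.read_text(encoding="utf-8").splitlines() if path.exists() else []
    listed = [line.strip() for line in lines if line.strip()]
    added = [i for i in ids if i not in listed]
    path.write_text("\n".join(listed + added) + "\n", encoding="utf-8")
    return added


def demo():
    """Run both steps against a constructed queries/ tree in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        q = Path(tmp, "queries")
        (q / "custom").mkdir(parents=True)
        (q / "okta").mkdir()
        sample = "AnalysisType: {t}\nQueryName: {n}\nEnabled: false\n"
        (q / "okta" / "a.yml").write_text(sample.format(t="scheduled_query", n="Sample.Okta.Query"))
        (q / "b.yaml").write_text(sample.format(t="saved_query", n='"Sample.Saved.Query"'))
        (q / "custom" / "mine.yml").write_text(sample.format(t="saved_query", n="My.Custom.Query"))
        (q / "rule.yml").write_text("AnalysisType: rule\nRuleID: Sample.Rule\n")
        dep = Path(tmp, "deprecated.txt")
        dep.write_text("Sample.Okta.Query\n")
        ids = collect_query_ids(q)
        return ids, merge_into_deprecated(ids, dep), dep.read_text()


if __name__ == "__main__":
    print(demo())
```

Review the resulting deprecated.txt before running make remove-deprecated, since every ID in it will be deleted.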