When updating one or more of my Detection Packs, I encounter a SQL compilation error indicating that certain objects do not exist or are not authorized:
The error will be similar to this:
Error updating Pack PantherManaged.AWS.Core: failed to save query "AWS Authentication from CrowdStrike Unmanaged Device": 002003 (42S02): SQL compilation error: Object 'PANTHER_LOGS.PUBLIC.CROWDSTRIKE_AIDMASTER' does not exist or not authorized.; failed to save query "Query.VPC.DNS.Tunneling": 002003 (42S02): SQL compilation error: Object 'PANTHER_LOGS.PUBLIC.AWS_VPCDNS' does not exist or not authorized.; failed to save query "VPC Flow Port Scanning": 002003 (42S02): SQL compilation error: Object 'PANTHER_LOGS.PUBLIC.AWS_VPCFLOW' does not exist or not authorized.
This error indicates that certain saved queries within the pack could not be updated because tables referenced in their SQL code do not exist yet. Note that the rest of the pack's resources are still updated successfully.
This happens because you have not yet ingested logs with the associated schemas, so Panther has not created the corresponding tables. The notification is not a cause for concern, since the log types those saved queries depend on are not in use yet.
If you ingest such logs in the future, you can re-run the pack update.
You can verify that no logs have been ingested for these data types yet by checking the Data Explorer in your Panther instance. If the tables mentioned in the error message (e.g. PANTHER_LOGS.PUBLIC.CROWDSTRIKE_AIDMASTER and PANTHER_LOGS.PUBLIC.AWS_VPCDNS) are absent, that confirms the cause.
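As an added example (not code from the Panther article or product), the Python helper below pulls the failed saved queries and the missing tables out of the pack-update error text, flags any failure that is not the benign "object does not exist" case, and builds the query you can paste into the Data Explorer to confirm the tables are absent. The sample error is constructed from the message above, and the information_schema check assumes a Snowflake-backed data lake.

```python
import re

# Constructed sample of the pack-update error shown above (two of the three queries).
SAMPLE_ERROR = (
    'Error updating Pack PantherManaged.AWS.Core: failed to save query '
    '"AWS Authentication from CrowdStrike Unmanaged Device": 002003 (42S02): '
    "SQL compilation error: Object 'PANTHER_LOGS.PUBLIC.CROWDSTRIKE_AIDMASTER' "
    "does not exist or not authorized.; "
    'failed to save query "Query.VPC.DNS.Tunneling": 002003 (42S02): '
    "SQL compilation error: Object 'PANTHER_LOGS.PUBLIC.AWS_VPCDNS' "
    "does not exist or not authorized."
)

# One failed query as Panther reports it; only the 42S02 "does not exist" form matches.
MISSING_OBJECT_RE = re.compile(
    r'failed to save query "(?P<query>[^"]+)": 002003 \(42S02\): '
    r"SQL compilation error: Object '(?P<obj>[A-Za-z0-9_.]+)' "
    r"does not exist or not authorized\."
)
# Any failed query, whatever the reason, so other error kinds are not silently ignored.
ANY_FAILURE_RE = re.compile(r'failed to save query "[^"]+"')


def parse_pack_error(message):
    """Return (saved query name, missing object) pairs in the order reported."""
    return [(m.group("query"), m.group("obj")) for m in MISSING_OBJECT_RE.finditer(message)]


def missing_tables(message):
    """Sorted, de-duplicated fully qualified tables that the failed queries depend on."""
    return sorted({obj for _, obj in parse_pack_error(message)})


def all_failures_are_missing_tables(message):
    """True when every reported failure is the 'table not created yet' case.
    False means some query failed for another reason and needs separate investigation."""
    return len(ANY_FAILURE_RE.findall(message)) == len(parse_pack_error(message))


def table_check_sql(tables):
    """Build a Data Explorer (Snowflake) query listing which of the tables exist.
    Assumes every table is in the same database and schema, as in the error above."""
    db, schema = tables[0].split(".")[:2]
    names = ", ".join("'%s'" % t.split(".")[2] for t in tables)
    return (f"SELECT table_name FROM {db}.information_schema.tables "
            f"WHERE table_schema = '{schema}' AND table_name IN ({names});")


if __name__ == "__main__":
    for query, obj in parse_pack_error(SAMPLE_ERROR):
        print(f"{query!r} needs {obj}")
    print(table_check_sql(missing_tables(SAMPLE_ERROR)))
```

An empty result from the generated query confirms the tables have not been created, so the pack update can simply be re-run once those log types are ingested.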
If you continue to experience issues after confirming log ingestion and table creation, please contact Panther support for further assistance.