Prisma Cloud: Error "Aggregating by 'Access Levels' or 'Is Administrative' columns is not allowed" in the Investigate Page
Symptom
This article covers the error message “Aggregating by 'Access Levels' or 'Is Administrative' columns is not allowed when using the 'action.name CONTAINS ALL' filter.”
When a user runs an RQL query that contains the “action.name CONTAINS ALL” filter on the Investigate page, the following error message appears:
Aggregating by 'Access Levels' or 'Is Administrative' columns is not allowed when using the 'action.name CONTAINS ALL' filter. Please remove the selected columns or modify your query to continue.
GUI Path: Cloud Security > Investigate > Search
The same error also appears when the user performs the following operation:
- Click the alert ID and then click the “Investigate” button.
Environment
- Prisma Cloud Cloud Security
- Investigate Page
Cause
This error message is due to a limitation of the “action.name CONTAINS ALL(…)” filter.
The error message is not related to the result of the RQL query investigation.
With the current design, aggregation by either of those columns ('Access Levels' or 'Is Administrative') is not supported for a query that uses the “action.name CONTAINS ALL(…)” filter.
Resolution
To resolve this, unselect the 'Access Levels' and 'Is Administrative' columns in the column selector modal. Alternatively, select all the columns (which means no aggregation).
GUI Path: Cloud Security > Investigate > Configure Columns
Additional Information
View our documentation here on the Investigate Page.