Skip to main content
Panther Knowledge Base

How do I return an array of values from a Mock in a Panther detection?

  1. Last updated
  2. Save as PDF

QUESTION

I need my function mock to return an array of values, rather than a simple string. I am getting error

[...] should be instance of 'str'

How can I do this in Panther?

ANSWER

Currently, mocks only return values as strings. However, as a workaround, the detection could be written to check whether the functions returns a string, and if so, convert it to an array.

When specifying the value of the mock, format your value like this:

MockName: my_mock
ReturnValue: [1, 2, 3, 4, 5]

Then, in your detection code, you can check the type of the value returned and convert it:

import json

def rule(event):
    val = my_mock(event)
    if isinstance(val, str):
        # If 'val' is a string, then we convert it to an array
        val = json.loads(val)
    
    # continue rest of detection here....

Note: Modifications to your detection code are currently required for this mock to work. If you support the ability to write code that dynamically handles both mocked and real data, please contact Panther's Support team.