Panther Knowledge Base

How do I return an array of values from a Mock in a Panther detection?

QUESTION

I'd like to know how to return an Array of values from a Mock in the tests for a detection. How should it be formatted?

 

ANSWER

Currently, Mocks only return values as strings. However, as a workaround, the detection could be written to check whether it's running a Mock, and in that case to convert the result string to an array. See the code below for an example:

    from ast import literal_eval

    IS_MOCK = True  # change this to False before saving the rule.

    def string_to_array(mock_return_val):
        # Mocks return strings, e.g. '["a", "b"]'; parse the string into a list
        return literal_eval(mock_return_val)

    def rule(event):
        # mock_funct_name is a placeholder for the function being mocked
        if IS_MOCK:
            my_mock_array = string_to_array(mock_funct_name())
        else:
            my_mock_array = mock_funct_name()
        # rule logic
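
If `IS_MOCK` is left as `True` when the rule is saved, `literal_eval` receives a real list in production and raises an error, so the detection stops evaluating events. The variant below is an added example, not Panther's own code: it checks the type of the returned value instead of a flag, so the same code runs under a Mock (string) and in production (list). The names `get_allowed_values` and `as_list`, the `src_ip` field, and the sample addresses are assumptions made for illustration.

```python
from ast import literal_eval


def get_allowed_values():
    """Hypothetical helper that the unit test mocks; returns a list in production."""
    return ["10.0.0.1", "10.0.0.2"]  # constructed sample values


def as_list(value):
    """Return value as a list, parsing it first if a Mock supplied it as a string."""
    if isinstance(value, (list, tuple)):
        # Production path: the helper already returned a sequence
        return list(value)
    if isinstance(value, str):
        # Mock path: the string should hold a Python list literal, e.g. '["a", "b"]'
        try:
            parsed = literal_eval(value)
        except (ValueError, SyntaxError) as err:
            # Fail loudly so a badly formatted mock value breaks the test
            raise ValueError(f"mock value is not a list literal: {value!r}") from err
        if isinstance(parsed, (list, tuple)):
            return list(parsed)
        raise ValueError(f"mock value parsed to {type(parsed).__name__}, expected a list")
    raise TypeError(f"expected list or str, got {type(value).__name__}")


def rule(event):
    allowed = as_list(get_allowed_values())
    # Example rule logic: alert when the source IP is not in the allowed list
    return event.get("src_ip") not in allowed
```

In the unit test, set the Mock's return value for `get_allowed_values` to a list literal written as a string, such as `["10.0.0.1", "10.0.0.2"]`.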