Panther detections are defined by a Python file (`detection.py`) and a YAML file (`detection.yml`), where the configuration (rule name, description, thresholds, etc.) is defined in the YAML file. Also in that file are the unit tests for the detection. Can I instead write my tests in a separate YAML file (`detection_tests.yml`), and have `panther_analysis_tool` read from there to test my detection?
Currently, we do not support partitioning your detection configurations between multiple files, including for unit tests. In order for `panther_analysis_tool` to function properly, all your unit tests must be defined in the same YAML file as the rest of the detection configuration.
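To make the single-file layout concrete, here is an added example (not code from the question, the answer, or the panther-analysis project) of a minimal `detection.py` beside the contents of its `detection.yml`, with a small harness that exercises the inline `Tests` entries the way `panther_analysis_tool test` does. To keep the example dependency-free, the YAML is shown as the dict a YAML parser would produce; the rule logic, `RuleID`, log fields and test cases are constructed for illustration and are not a shipped Panther rule.

```python
# Added example: a Panther-style detection pair and a tiny test harness.
# The rule, RuleID, log fields and test cases below are constructed for
# illustration only.

# --- detection.py --------------------------------------------------------
# Panther calls rule(event) once per log event; returning True fires an alert.
# Hypothetical rule: a root console login that did not use MFA.
def rule(event):
    if event.get("eventName") != "ConsoleLogin":
        return False
    user_type = event.get("userIdentity", {}).get("type")
    mfa_used = event.get("additionalEventData", {}).get("MFAUsed") == "Yes"
    return user_type == "Root" and not mfa_used


def title(event):
    # Optional dynamic alert title, also defined in detection.py.
    account = event.get("recipientAccountId", "<unknown>")
    return f"Root console login without MFA in account {account}"


# --- detection.yml -------------------------------------------------------
# In the real layout this is YAML in detection.yml next to detection.py; it is
# shown here as the parsed dict. The Tests block lives in this same file.
DETECTION_YML = {
    "AnalysisType": "rule",
    "Filename": "detection.py",
    "RuleID": "Example.Root.Console.NoMFA",  # constructed id
    "DisplayName": "Root console login without MFA",
    "Enabled": True,
    "LogTypes": ["AWS.CloudTrail"],
    "Severity": "High",
    "Tests": [
        {
            "Name": "Root console login without MFA fires",
            "ExpectedResult": True,
            "Log": {
                "eventName": "ConsoleLogin",
                "userIdentity": {"type": "Root"},
                "additionalEventData": {"MFAUsed": "No"},
                "recipientAccountId": "123456789012",  # constructed
            },
        },
        {
            "Name": "Root console login with MFA does not fire",
            "ExpectedResult": False,
            "Log": {
                "eventName": "ConsoleLogin",
                "userIdentity": {"type": "Root"},
                "additionalEventData": {"MFAUsed": "Yes"},
            },
        },
        {
            "Name": "IAM user login without MFA does not fire",
            "ExpectedResult": False,
            "Log": {
                "eventName": "ConsoleLogin",
                "userIdentity": {"type": "IAMUser"},
                "additionalEventData": {"MFAUsed": "No"},
            },
        },
    ],
}


def run_tests(config, rule_fn):
    """Feed each test's Log to rule_fn and compare with ExpectedResult.

    Returns a list of (test name, passed) tuples, mirroring what
    `panther_analysis_tool test` reports for the Tests block of one detection.
    """
    results = []
    for case in config.get("Tests", []):
        actual = bool(rule_fn(case["Log"]))
        results.append((case["Name"], actual == case["ExpectedResult"]))
    return results


if __name__ == "__main__":
    for name, passed in run_tests(DETECTION_YML, rule):
        print(f"{'PASS' if passed else 'FAIL'}: {name}")
```

Because the harness only reads `config["Tests"]`, moving those entries into a second file would leave it with nothing to run; that is the same coupling the answer describes for `panther_analysis_tool`, which expects the tests in the detection's own YAML.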