QUESTION

Panther detections are defined by a Python file (detection.py) and a YAML file (detection.yml), where the configuration (rule name, description, thresholds, etc.) is defined in the YAML file. Also in that file are the unit tests for the detection. Can I instead write my tests in a separate YAML file (detection_tests.yml), and have panther_analysis_tool read from there to test my detection?

ANSWER

Currently, we do not support partitioning your detection configurations between multiple files, including for unit tests. In order for panther_analysis_tool to function properly, all your unit tests must be defined in the same YAML file as the rest of the detection configuration.
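The single-file layout the answer describes, as an added example that is not part of the original question or answer and is not Panther's own code: a `rule(event)` function in detection.py, a detection.yml that carries both the rule configuration and its `Tests:` block, and a small stand-in runner that does what `panther_analysis_tool test` does with those inline tests. The RuleID, the CloudTrail-style sample logs and the `run_tests` helper are constructed for illustration; the real tool is the only supported way to run these tests, and it reads them from the same YAML file as the rest of the configuration.

```python
# detection.py: Panther calls rule(event) once per event of the configured
# LogTypes; a truthy return value raises an alert.
def rule(event):
    # Flag an AWS console login performed by the root account.
    if event.get("eventName") != "ConsoleLogin":
        return False
    user_type = event.get("userIdentity", {}).get("type")
    return user_type == "Root"


def title(event):
    # Optional Panther auxiliary function: custom alert title.
    account = event.get("recipientAccountId", "<unknown>")
    return f"AWS root console login in account {account}"


# detection.yml, kept here as a string for illustration. Configuration and
# Tests live in ONE file; there is no supported detection_tests.yml.
# The RuleID and the two Log entries are constructed sample data.
DETECTION_YML = """\
AnalysisType: rule
Filename: detection.py
RuleID: AWS.Root.ConsoleLogin.Example
DisplayName: Root console login (example)
Enabled: true
LogTypes:
  - AWS.CloudTrail
Severity: High
Tests:
  - Name: Root console login fires
    ExpectedResult: true
    Log:
      eventName: ConsoleLogin
      userIdentity:
        type: Root
      recipientAccountId: "123456789012"
  - Name: IAM user console login does not fire
    ExpectedResult: false
    Log:
      eventName: ConsoleLogin
      userIdentity:
        type: IAMUser
      recipientAccountId: "123456789012"
"""

# Load the inline Tests block. PyYAML is used when available; otherwise the
# same entries are spelled out as Python data so the example runs offline.
try:
    import yaml  # PyYAML, optional
    TESTS = yaml.safe_load(DETECTION_YML)["Tests"]
except ImportError:
    TESTS = [
        {
            "Name": "Root console login fires",
            "ExpectedResult": True,
            "Log": {
                "eventName": "ConsoleLogin",
                "userIdentity": {"type": "Root"},
                "recipientAccountId": "123456789012",
            },
        },
        {
            "Name": "IAM user console login does not fire",
            "ExpectedResult": False,
            "Log": {
                "eventName": "ConsoleLogin",
                "userIdentity": {"type": "IAMUser"},
                "recipientAccountId": "123456789012",
            },
        },
    ]


def run_tests(tests, rule_fn=rule):
    """Constructed stand-in for `panther_analysis_tool test`: feed each
    test's Log to rule_fn and compare the boolean result with
    ExpectedResult. Returns {test name: passed}."""
    results = {}
    for case in tests:
        actual = bool(rule_fn(case["Log"]))
        results[case["Name"]] = actual == bool(case["ExpectedResult"])
    return results


if __name__ == "__main__":
    for name, passed in run_tests(TESTS).items():
        print("PASS" if passed else "FAIL", name)
```

Because the tests sit under `Tests:` in detection.yml, the same file that carries `RuleID`, `LogTypes` and `Severity`, `panther_analysis_tool` finds them without any extra flag; moving them to a second YAML file would leave the tool with nothing to run.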