Panther detections are defined by a Python file (detection.py) and a YAML file (detection.yml), where the configuration (rule name, description, thresholds, etc.) is defined in the YAML file. Also in that file are the unit tests for the detection. Can I instead write my tests in a separate YAML file (detection_tests.yml), and have panther_analysis_tool read from there to test my detection?
Currently, we do not support partitioning your detection configurations between multiple files, including for unit tests. In order for panther_analysis_tool to function properly, all your unit tests must be defined in the same YAML file as the rest of the detection configuration.
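As an added illustration of the single-file layout the answer describes (this is constructed example code, not Panther's own implementation of panther_analysis_tool): the rule body that would live in detection.py, the parsed contents of the matching detection.yml with its Tests list sitting beside the rule metadata, and a minimal runner that does what the tool does with that list. The rule ID, log events and field values are all made up for the example.

```python
"""Constructed model of a Panther detection whose unit tests are co-located in
the detection's own YAML (shown here as the dict the tool obtains after parsing).
Added example, not Panther's code."""

# --- detection.py: the rule body the YAML's `Filename` key points at ---
def rule(event: dict) -> bool:
    """Fire on a successful AWS console login by the root user without MFA."""
    if event.get("eventName") != "ConsoleLogin":
        return False
    if event.get("userIdentity", {}).get("type") != "Root":
        return False
    if event.get("responseElements", {}).get("ConsoleLogin") != "Success":
        return False
    return event.get("additionalEventData", {}).get("MFAUsed") != "Yes"

def title(event: dict) -> str:
    """Alert title; sourceIPAddress may be absent, so fall back to a marker."""
    return f"Root console login without MFA from {event.get('sourceIPAddress', '<unknown>')}"

# --- detection.yml after parsing. Tests live in the same file as RuleID/Severity;
# there is no separate detection_tests.yml for the tool to read. Values constructed.
DETECTION_YML = {
    "AnalysisType": "rule",
    "Filename": "detection.py",
    "RuleID": "Example.Root.Console.Login.NoMFA",  # placeholder id for the example
    "Severity": "High",
    "LogTypes": ["AWS.CloudTrail"],
    "Tests": [
        {"Name": "root login without MFA", "ExpectedResult": True,
         "Log": {"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
                 "responseElements": {"ConsoleLogin": "Success"},
                 "additionalEventData": {"MFAUsed": "No"},
                 "sourceIPAddress": "203.0.113.7"}},
        {"Name": "root login with MFA", "ExpectedResult": False,
         "Log": {"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
                 "responseElements": {"ConsoleLogin": "Success"},
                 "additionalEventData": {"MFAUsed": "Yes"}}},
        {"Name": "IAM user login, not root", "ExpectedResult": False,
         "Log": {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser"},
                 "responseElements": {"ConsoleLogin": "Success"},
                 "additionalEventData": {"MFAUsed": "No"}}},
    ],
}

def run_tests(config: dict) -> dict:
    """Mimic the tool's loop: feed each test's Log to rule() and compare the
    verdict with ExpectedResult. Returns {test name: passed?}."""
    return {t["Name"]: rule(t["Log"]) == t["ExpectedResult"] for t in config["Tests"]}

if __name__ == "__main__":
    for name, ok in run_tests(DETECTION_YML).items():
        print(f"{'PASS' if ok else 'FAIL'}: {name}")
```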