Testing Correlation Rules with Panther Analysis Tool in Panther

Last updated: September 17, 2025

Issue

When attempting to test correlation rules using the Panther Analysis Tool (PAT) command panther_analysis_tool test, the tests are skipped, and there is no indication of whether they passed or failed.

Resolution

To resolve this issue:

  1. Ensure you have configured an API token for PAT authentication. See "Authenticating with an API token" for setup instructions.

  2. Verify that the IDs in your correlation rule match exactly between the Detection and Tests sections (including spaces/no spaces).

  3. Run the PAT test command with your API token configured: panther_analysis_tool test --api-token <your-api-token> --api-host <your-api-host>
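One way to automate the ID check in step 2 before running PAT (an added example, not Panther's own code). It assumes the rule file has already been parsed from YAML into a dict and that step IDs live under the keys Detection/Sequence/Group and Tests/RuleOutputs; the function names and the sample rule are hypothetical.

```python
# Added example. The keys Detection/Sequence/Group/Tests/RuleOutputs/ID are
# assumptions about the correlation rule layout; adjust them to your rule file.

def detection_ids(rule):
    """Collect every step ID declared under the Detection section."""
    ids = set()
    for block in rule.get("Detection", []):
        for key in ("Sequence", "Group"):
            for step in block.get(key, []):
                ids.add(step["ID"])
    return ids

def _squash(value):
    """Drop whitespace and case so 'Brute Force' and 'bruteforce' collide."""
    return "".join(value.split()).lower()

def find_id_mismatches(rule):
    """Return (test name, test ID, near-miss Detection ID or None) tuples."""
    known = detection_ids(rule)
    near = {_squash(i): i for i in known}
    problems = []
    for test in rule.get("Tests", []):
        for output in test.get("RuleOutputs", []):
            test_id = output["ID"]
            if test_id not in known:  # exact comparison, as step 2 requires
                problems.append((test["Name"], test_id, near.get(_squash(test_id))))
    return problems

# Constructed sample rule, already parsed from YAML into a dict.
SAMPLE_RULE = {
    "RuleID": "Example.BruteForce.ThenLogin",
    "Detection": [{"Sequence": [
        {"ID": "Brute Force", "RuleID": "Example.BruteForce"},
        {"ID": "Login", "RuleID": "Example.Login.Success"},
    ]}],
    "Tests": [{
        "Name": "brute force followed by login",
        "ExpectedResult": True,
        "RuleOutputs": [
            {"ID": "BruteForce", "Matches": {"actor": {"jane": [0]}}},
            {"ID": "Login", "Matches": {"actor": {"jane": [5]}}},
            {"ID": "Logout", "Matches": {"actor": {"jane": [9]}}},
        ],
    }],
}
if __name__ == "__main__":
    for name, test_id, hint in find_id_mismatches(SAMPLE_RULE):
        print(f"{name}: {test_id!r} not in Detection" + (f", did you mean {hint!r}?" if hint else ""))
```

A near-miss hint (third tuple element) points at an ID that differs only in spacing or case, which is the mismatch step 2 warns about.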

Cause

This issue occurs for two main reasons:

  1. Testing correlation rules with PAT requires authentication via an API token. Without proper authentication, the tests will be skipped.

  2. Correlation rule tests are specifically designed to test correlation logic only. The individual rules that make up the correlation rule should be tested separately using their own unit tests.