When trying to add a rule filter to a Panther-managed rule, the following error message occurs in my Panther Console:
Cannot save an enabled rule with failing unit tests
How can I fix this and save my changes?
To resolve this issue, you can perform the following steps:
First, check whether the field you are using in your Rule Filter exists in the JSON of the unit tests in the Unit Test section further down the page.
If it does, check whether its value in the unit test differs from the value you have used in your Rule Filter.
If the value is indeed different, you will need to clone the original rule and modify the clone, following the steps below:
1. Navigate to the rule and click on Clone and Edit.
2. Change the name of the rule if you'd like and click on Update.
3. Navigate to the new rule you have just created and click on Edit.
4. Navigate to the Functions & Tests tab.
5. Add the Rule Filter, using the desired field and value (e.g. the field sourceIPaddress).
6. Scroll further down to the Unit Test section.
7. Look at the existing unit tests.
8. In the JSON of the unit tests, locate the field that you have used in your Rule Filter. It will have a different value. In every unit test, change that default value to the value you have used in your Rule Filter, so that the test event matches the filter.
9. Click Run All. The tests are expected to succeed.
10. If they do, scroll back up and click on Update to save the modification you made to the rule.
Note that cloning and editing a detection does not change the Enabled status of the original detection. This means if the original Panther-managed detection was enabled but you intend for your customized copy to replace it, you must go back and disable the Panther-managed detection. The cloned detection will not be managed by Panther or receive continuous updates (as Panther-managed detections included in Detection Packs do). The original version of the detection (if contained in a Pack) will continue to receive updates as normal, whether it is enabled or disabled.
This behavior is also described in our documentation, in the section Working with failed unit tests with filters.
The failure happens because a unit test that expects the rule to trigger an alert no longer does so once the filter is applied: the field value in the test event does not match the filter, so the event no longer meets the conditions for triggering the alert and the test fails.
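The following is an added example, not Panther's own test runner or any code from this article: a small stand-alone simulation of how a rule filter interacts with a rule's unit tests, covering both the failure described above and the fix of aligning the test events with the filter. The rule logic, the filter field (taken from the sourceIPaddress example above), and all event values are constructed for illustration.

```python
# Simulation of the "failing unit tests after adding a Rule Filter" behaviour.
# A filter is modelled as an extra condition applied before the rule logic; a unit
# test passes only when the alert/no-alert outcome matches its expected result.
# Everything here is constructed for illustration and is not Panther's engine.

Event = dict
FILTER = {"sourceIPaddress": "203.0.113.10"}  # the Rule Filter added in the console (constructed)


def rule(event: Event) -> bool:
    """Illustrative managed-rule logic: alert on a failed console login."""
    return (event.get("eventName") == "ConsoleLogin"
            and event.get("responseElements", {}).get("ConsoleLogin") == "Failure")


def filtered_rule(event: Event, rule_filter: dict) -> bool:
    """Every filter field must match before the rule logic is evaluated at all."""
    if any(event.get(field) != value for field, value in rule_filter.items()):
        return False
    return rule(event)


def run_tests(tests: list, rule_filter: dict) -> dict:
    """Map test name -> True if it passes; this is the check that blocks saving an enabled rule."""
    return {t["name"]: filtered_rule(t["event"], rule_filter) == t["expected"] for t in tests}


def fixed_tests(tests: list, rule_filter: dict) -> list:
    """The article's fix: set the filtered field in every test event to the filter's value."""
    return [{**t, "event": {**t["event"], **rule_filter}} for t in tests]


# Unit tests as shipped with the managed rule (constructed); the events carry a
# different sourceIPaddress than the one used in FILTER.
ORIGINAL_TESTS = [
    {"name": "failed login alerts", "expected": True,
     "event": {"eventName": "ConsoleLogin", "sourceIPaddress": "198.51.100.7",
               "responseElements": {"ConsoleLogin": "Failure"}}},
    {"name": "successful login no alert", "expected": False,
     "event": {"eventName": "ConsoleLogin", "sourceIPaddress": "198.51.100.7",
               "responseElements": {"ConsoleLogin": "Success"}}},
]

if __name__ == "__main__":
    print("before fix:", run_tests(ORIGINAL_TESTS, FILTER))
    print("after fix: ", run_tests(fixed_tests(ORIGINAL_TESTS, FILTER), FILTER))
```

Only the test that expects an alert breaks: the "no alert" test still passes because the filter suppressing the alert happens to agree with its expected result, which is why a single failing test is the typical symptom.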