How to test just one single detection at a time with Panther Analysis Tool
Last updated: August 29, 2024
QUESTION
How do I test a single detection with panther_analysis_tool (PAT)? By default the tool tests all of the detections in my path, but I just want to test one.
ANSWER
To do this, use the --filter option and filter on the RuleID or DisplayName of the detection you want to test. For example:
% panther_analysis_tool test --filter RuleID="Name of Detection Here"
# or
% panther_analysis_tool test --filter DisplayName="Name of Detection Here"
For more information about filtering with PAT, see the panther_analysis_tool README.