CLI
Scanner provides a Python CLI for validating and running tests on YAML files to aid in writing detection rules.
To install the :
You will need to provide the API URL of your Scanner instance and an API key. Go to Settings > API Keys to find your API URL and API key.
You can either set these values as environment variables:
or provide them as arguments to the CLI:
To validate files:
To validate directories:
Only YAML files with the correct schema header will be validated. Multiple files or directories can be provided. To recursively search through directories, use the recursive flag -r.
To run detection rule tests on files:
To run detection rule tests on directories:
This will only run tests on YAML files with the correct schema header. Multiple files or directories can be provided. To recursively search through directories, use the recursive flag -r.
Tests fail if:
The expected_detection_result is true and the provided log events do not trigger a detection in the specified time window.
The expected_detection_result is false and the provided log events trigger a detection in the specified time window.
Tips for debugging failed tests:
Check that the log events are hits for query_text.
Check that the log events have timestamps that fall in the time window specified by now_timestamp, time_range_s, and run_frequency_s.
If now_timestamp is not provided, the timestamp of the latest log event is used. In both cases, the timestamps are rounded to the next run_frequency_s.
Example: if time_range_s is 600 seconds, run_frequency_s is 60 seconds, and now_timestamp is 2024-07-05T10:15:00.000Z, the time window specified is 2024-07-05T10:05:00.000Z to 2024-07-05T10:15:00.000Z. Log events must have timestamps in this time window in order to trigger an alert.
validate checks that the specified files are valid Scanner detection rule files. After validating files, use to check that all tests pass before syncing to Scanner.