Currently, the tests for a detection are tests that PASS if the log is found using the provided detection's search. This is great to test that the rule matches when it's supposed to match, but it cannot test the exclusions to a rule.
Proposal: Introduce the concept of test "types": "should trigger" and "should not trigger".
The behavior is very simple:
For a "should trigger" test: if the detection's search finds a log, the test PASSES. Else it FAILS.
For a "should not trigger" test: if the detection's search finds a log, the test FAILS. Else it PASSES.
I can work on this feature and contribute it to upstream. If this is not something you want, we'll keep it in our private fork.
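The two test types described above, as an added example that is not part of the original issue or of the project's own code; the detection, its exclusion and the sample events are constructed for illustration, and the search is modelled as a plain predicate over a log dict:

```python
from dataclasses import dataclass
from typing import Callable

Log = dict[str, str]

@dataclass
class Detection:
    name: str
    search: Callable[[Log], bool]   # True when the log matches the search

@dataclass
class DetectionTest:
    name: str
    kind: str                       # "should_trigger" or "should_not_trigger"
    logs: list[Log]                 # events fed to the search

def run_test(detection: Detection, test: DetectionTest) -> bool:
    """'should trigger' passes when the search finds at least one log;
    'should not trigger' passes when it finds none."""
    found = any(detection.search(log) for log in test.logs)
    if test.kind == "should_trigger":
        return found
    if test.kind == "should_not_trigger":
        return not found
    raise ValueError(f"unknown test type: {test.kind}")

# Hypothetical detection: encoded PowerShell, excluding a known-good parent.
def encoded_powershell(log: Log) -> bool:
    return (log.get("process") == "powershell.exe"
            and "-enc" in log.get("cmdline", "").lower()
            and log.get("parent") != "patch_agent.exe")

DETECTION = Detection("Encoded PowerShell", encoded_powershell)

# Same search with the exclusion missing: only a 'should not trigger' test catches this.
BROKEN = Detection("Encoded PowerShell (no exclusion)",
                   lambda log: log.get("process") == "powershell.exe"
                   and "-enc" in log.get("cmdline", "").lower())

# Constructed sample events ("QQBB" is a placeholder argument, not a real payload).
TESTS = [
    DetectionTest("fires on encoded command", "should_trigger",
                  [{"process": "powershell.exe", "cmdline": "powershell -enc QQBB", "parent": "explorer.exe"}]),
    DetectionTest("exclusion for patch agent holds", "should_not_trigger",
                  [{"process": "powershell.exe", "cmdline": "powershell -enc QQBB", "parent": "patch_agent.exe"}]),
    DetectionTest("plain powershell ignored", "should_not_trigger",
                  [{"process": "powershell.exe", "cmdline": "powershell Get-Date", "parent": "explorer.exe"}]),
]

def run_all(detection: Detection = DETECTION, tests: list[DetectionTest] = TESTS) -> dict[str, bool]:
    return {t.name: run_test(detection, t) for t in tests}

if __name__ == "__main__":
    for name, ok in run_all().items():
        print(f"{'PASS' if ok else 'FAIL'}: {name}")
```

Running `run_all(BROKEN)` shows the value of the new type: the "should trigger" test still passes, but the exclusion test fails, which the current pass-only tests could never report.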