D&R Rules Unit Tests
A D&R rule record can optionally contain unit tests. These tests describe events that should match the rule and events that should not match it. Whenever a D&R rule is created or updated, LimaCharlie simulates the rule against those test events and, if any test fails, produces an error.
Structure
A typical D&R rule looks like:

    {
        "detect": {...},
        "respond": [
            {},
            {}
        ],
        "tests": {
            "match": [],
            "non_match": []
        }
    }
The match and non_match sections both have the same format: each is a list of lists of events. Each element of the top-level list is one unit test, and the content of a test is the list of events as they would be seen by LimaCharlie. A test is a list rather than a single event to accommodate Stateful Detections, which operate across multiple events.
Here's an example:

    {
        "tests": {
            "match": [
                [{"event": ...}, {"event": ...}, {"event": ...}],
                [{"event": ...}],
                [{"event": ...}]
            ],
            "non_match": [
                [{"event": ...}, {"event": ...}],
                [{"event": ...}]
            ]
        }
    }
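The following is an added example, not LimaCharlie's own code: a small local checker that applies the test contract described above (every match sequence must trigger the detection, every non_match sequence must not) to a stateful detector, so the reason a test is a list of events can be exercised offline. The detector, the event field names (EVENT_TYPE, USER, SUCCESS) and the login helper are constructed for this example and do not reflect LimaCharlie's detect syntax.

```python
from typing import Callable


# Constructed stateful detector standing in for a rule's "detect" block:
# it fires when a login success follows `threshold` consecutive failures
# for the same user within one test sequence (assumed field names).
def detect_brute_force(events: list[dict], threshold: int = 3) -> bool:
    failures: dict[str, int] = {}
    for rec in events:
        ev = rec.get("event", {})
        if ev.get("EVENT_TYPE") != "LOGIN":
            continue
        user = ev.get("USER")
        if ev.get("SUCCESS"):
            if failures.get(user, 0) >= threshold:
                return True
            failures[user] = 0  # a success resets the streak
        else:
            failures[user] = failures.get(user, 0) + 1
    return False


def run_rule_tests(tests: dict, detect: Callable[[list[dict]], bool]) -> list[str]:
    """Return failure messages; an empty list means every unit test passed.
    Each entry of "match" / "non_match" must itself be a list of events."""
    errors: list[str] = []
    for kind, expected in (("match", True), ("non_match", False)):
        for i, sequence in enumerate(tests.get(kind, [])):
            if not isinstance(sequence, list):
                errors.append(f"{kind}[{i}] is not a list of events")
                continue
            if detect(sequence) != expected:
                errors.append(f"{kind}[{i}] {'did not match' if expected else 'matched'}")
    return errors


def login(user: str, ok: bool) -> dict:
    """Constructed event record in the {"event": ...} shape the tests use."""
    return {"event": {"EVENT_TYPE": "LOGIN", "USER": user, "SUCCESS": ok}}


# Constructed "tests" block for the detector above.
RULE_TESTS = {
    "match": [
        [login("alice", False)] * 3 + [login("alice", True)],
    ],
    "non_match": [
        [login("alice", False), login("alice", True)],       # too few failures
        [login("alice", False)] * 3 + [login("bob", True)],  # success is another user
        [login("alice", False)] * 3,                         # never succeeds
    ],
}
```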