airbnb/streamalert

[RFC] update test framework for 1:1 testing of rules to events

ryandeivert opened this issue · 0 comments

Background

Having integration tests that designate more than one rule in trigger_rules can make adding new integration tests annoyingly complicated. For instance, if a new test file is added that inadvertently triggers a rule that the user is not expecting it to trigger, they either need to add the other rule to the trigger_rules list or hack the test event so that it does not trigger the other rule(s).

Steps to Reproduce

Add any test event that could trigger multiple rules and leave the other rules out of the trigger_rules list.

Desired Change

Devise a mechanism to map test events directly to one rule only. Deprecate the usage of trigger_rules in favor of something simpler (?). Potentially implement this as rules and not_rules, where not_rules would be an explicit list of rules the test event should not trigger (to test false positives).
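As an added example (not StreamAlert's own test runner or rule API), the Python below models the two contracts side by side: the existing one, where the set of rules that fire must match trigger_rules exactly, and the proposed one, where `rules` must fire, `not_rules` must not, and anything else is ignored. The rule functions, the event layout (a `data` record plus the expectation keys) and the checker functions are assumptions made for illustration; the two overlapping root-login rules exist only to reproduce the situation the issue describes. It also adds one check a practitioner would want in the proposed form: validating that every name in `rules` and `not_rules` is a real rule, since a misspelled entry in not_rules would otherwise pass trivially.

```python
"""Toy model of the two test-event contracts discussed in the issue.

Added example, not StreamAlert code: the rule functions, the event layout
(a "data" record plus the expectation keys) and the checker functions are
all assumptions made for illustration.
"""
from typing import Callable, Dict, List, Set

Record = Dict[str, object]
Rule = Callable[[Record], bool]


# Hypothetical rules. ssh_root_login and any_root_login overlap on purpose:
# one accepted root SSH login fires both, which is the situation the issue
# describes.
def ssh_root_login(rec: Record) -> bool:
    return (rec.get("service") == "sshd"
            and rec.get("user") == "root"
            and rec.get("result") == "accepted")


def any_root_login(rec: Record) -> bool:
    return rec.get("user") == "root" and rec.get("result") == "accepted"


def failed_login_burst(rec: Record) -> bool:
    return rec.get("result") == "failed" and int(rec.get("attempts", 0)) >= 5


RULES: Dict[str, Rule] = {
    "ssh_root_login": ssh_root_login,
    "any_root_login": any_root_login,
    "failed_login_burst": failed_login_burst,
}


def fired_rules(record: Record) -> Set[str]:
    """Names of every rule whose predicate matches the record."""
    return {name for name, rule in RULES.items() if rule(record)}


def check_trigger_rules(test_event: dict) -> List[str]:
    """Current contract: the rules that fire must equal trigger_rules exactly.

    Any rule that fires but is not listed is reported, which is why an
    overlapping rule forces the author to either list it or change the event.
    Returns a list of problems; an empty list means the test passes.
    """
    fired = fired_rules(test_event["data"])
    expected = set(test_event.get("trigger_rules", []))
    problems = [f"expected rule did not fire: {n}" for n in sorted(expected - fired)]
    problems += [f"unexpected rule fired: {n}" for n in sorted(fired - expected)]
    return problems


def check_rules_and_not_rules(test_event: dict) -> List[str]:
    """Proposed contract: every rule in `rules` must fire, every rule in
    `not_rules` must not, and anything else that fires is ignored.

    Names are validated against the rule registry first: a misspelled entry
    in not_rules would otherwise pass trivially, since a rule that does not
    exist can never fire.
    """
    must = set(test_event.get("rules", []))
    must_not = set(test_event.get("not_rules", []))
    problems = [f"unknown rule name: {n}" for n in sorted((must | must_not) - set(RULES))]
    problems += [f"rule listed in both rules and not_rules: {n}" for n in sorted(must & must_not)]
    if problems:
        return problems
    fired = fired_rules(test_event["data"])
    problems += [f"expected rule did not fire: {n}" for n in sorted(must - fired)]
    problems += [f"false positive, rule fired: {n}" for n in sorted(fired & must_not)]
    return problems


# Constructed sample records, not real log data.
ROOT_SSH_LOGIN: Record = {"service": "sshd", "user": "root", "result": "accepted"}
ADMIN_SSH_LOGIN: Record = {"service": "sshd", "user": "admin", "result": "accepted"}


if __name__ == "__main__":
    # Under trigger_rules the overlapping rule makes this test fail...
    print(check_trigger_rules({"data": ROOT_SSH_LOGIN, "trigger_rules": ["ssh_root_login"]}))
    # ...while the rules/not_rules form only checks what the author asked for.
    print(check_rules_and_not_rules({"data": ROOT_SSH_LOGIN, "rules": ["ssh_root_login"]}))
    # A false-positive test: a non-root login must not fire any_root_login.
    print(check_rules_and_not_rules({"data": ADMIN_SSH_LOGIN, "not_rules": ["any_root_login"]}))
```

The design choice worth noting is that the proposed form is deliberately looser: a rule that fires without being listed in either key is neither a pass nor a failure, which is what lets a new test file be added without auditing every other rule it might touch. The name validation and the `rules`/`not_rules` overlap check keep that looseness from hiding typos.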