diff --git a/detection_rules/rule_formatter.py b/detection_rules/rule_formatter.py
index bb4cb485d..53f53c209 100644
--- a/detection_rules/rule_formatter.py
+++ b/detection_rules/rule_formatter.py
@@ -7,6 +7,7 @@
 import copy
 import dataclasses
 import io
+import json
 import textwrap
 import typing
 from collections import OrderedDict
@@ -148,6 +149,21 @@ def toml_write(rule_contents, outfile=None):
 contents = copy.deepcopy(rule_contents)
 needs_close = False
+ def order_rule(obj):
+ if isinstance(obj, dict):
+ obj = OrderedDict(sorted(obj.items()))
+ for k, v in obj.items():
+ if isinstance(v, dict) or isinstance(v, list):
+ obj[k] = order_rule(v)
+
+ if isinstance(obj, list):
+ for i, v in enumerate(obj):
+ if isinstance(v, dict) or isinstance(v, list):
+ obj[i] = order_rule(v)
+ obj = sorted(obj, key=lambda x: json.dumps(x))
+
+ return obj
+
 def _do_write(_data, _contents):
 query = None
@@ -203,6 +219,7 @@ def toml_write(rule_contents, outfile=None):
 for data in ('metadata', 'rule'):
 _contents = contents.get(data, {})
+ order_rule(_contents)
 _do_write(data, _contents)
 finally:
diff --git a/etc/test_toml.json b/etc/test_toml.json
index a00def714..c98d5ef90 100644
--- a/etc/test_toml.json
+++ b/etc/test_toml.json
@@ -63,12 +63,12 @@
 "for": "testing",
 "and": [
 [
- "nested",
- "fields"
+ "fields",
+ "nested"
 ],
 [
- "too",
- "!"
+ "!",
+ "too"
 ]
 ]
 },
@@ -102,12 +102,12 @@
 "four": {
 "five": [
 [
- 111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111,
- 2222222222222222222222222222222222222222222222222222222222222222222222222222222222222222,
- 333333333333333333333333333333333333333333333333333333333333333333
+ 1,
+ 22,
+ 333
 ],
 [[4], [5], [6]],
- [["seven"], ["nine"], ["eleven"], [12, 13, 14]]
+ [["a"], ["b"], ["c"], [12, 13, 14]]
 ]
 }
 }
@@ -116,4 +116,4 @@
 }
 }
 }
-]
\ No newline at end of file
+]
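Review bot: In `order_rule` (added inside `toml_write` in rule_formatter.py), the list branch sorts with `key=lambda x: json.dumps(x)`, so elements are ordered by their serialized text rather than by value: integers compare as strings (`10` sorts before `9`), and a value `json.dumps` cannot serialize raises `TypeError` while the rule is being written. It also sorts every list unconditionally, so any list whose order a rule author chose deliberately is rewritten; whether such lists exist in rule contents is not visible in this diff. I would add a docstring such as `"""Return obj with dict keys sorted and lists sorted by their JSON text; list order is assumed not to be significant."""` and make the key explicit about unserializable values, e.g. `key=lambda x: json.dumps(x, sort_keys=True, default=str)`. The replacement fixture values in etc/test_toml.json (`1, 22, 333`) order the same numerically and lexicographically, so the test does not pin which ordering is intended. `toml_write` starts and ends outside the hunk.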
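Review bot: The call `order_rule(_contents)` in the `for data in ('metadata', 'rule')` loop discards the return value, but `order_rule` rebinds `obj` to a new `OrderedDict` or a new sorted list and returns that, so `_contents` itself is not reordered before `_do_write` runs. Only the in-place `obj[i] = order_rule(v)` assignments on existing list objects survive, which means lists nested directly inside other lists end up sorted while dict key order and the enclosing lists stay as they were. The updated etc/test_toml.json expectations (inner lists sorted, enclosing lists not) appear to match that partial effect. If full deterministic ordering is intended, the line should be `_contents = order_rule(_contents)`, with the fixture regenerated to match. The `try` that this `finally:` closes begins outside the hunk.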