From 0afe7715f07bb17f471bd48cd3b1162e2996bb69 Mon Sep 17 00:00:00 2001
From: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Date: Tue, 9 Jan 2024 10:59:01 -0500
Subject: [PATCH] [FR] Update _event_sort to use datetime instead of time (#3375)
* Update _event_sort to use datetime
* remove unused time
* added type hints
(cherry picked from commit 6170db623179daf24e3f56e3838d9eab5f69961f)
---
 detection_rules/utils.py | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/detection_rules/utils.py b/detection_rules/utils.py
index 265742c52..19e265170 100644
--- a/detection_rules/utils.py
+++ b/detection_rules/utils.py
@@ -16,7 +16,6 @@ import json
 import os
 import shutil
 import subprocess
-import time
 import zipfile
 from dataclasses import is_dataclass, astuple
 from datetime import datetime, date
@@ -215,12 +214,12 @@ def event_sort(events, timestamp='@timestamp', date_format='%Y-%m-%dT%H:%M:%S.%f
 return t
- def _event_sort(event):
- """Calculates the sort key for an event."""
+ def _event_sort(event: dict) -> datetime:
+ """Calculates the sort key for an event as a datetime object."""
 t = round_microseconds(event[timestamp])
- # Return the timestamp in seconds, adjusted for microseconds and then scaled to milliseconds
- return (time.mktime(time.strptime(t, date_format)) + int(t.split('.')[-1][:-1]) / 1000) * 1000
+ # Return the timestamp as a datetime object for comparison
+ return datetime.strptime(t, date_format)
 return sorted(events, key=_event_sort, reverse=not asc)
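Review bot: The new docstring on `_event_sort` in the second hunk does not state the failure mode of the key function: `datetime.strptime(t, date_format)` raises `ValueError` for a timestamp that does not match `date_format`, and `event[timestamp]` raises `KeyError` for an event missing the field, so one malformed event aborts `sorted` for the whole batch (the old `time.strptime` path behaved the same way, but the old comment at least hinted at the parsing). I would replace the docstring with `"""Return the event's rounded timestamp as a naive datetime sort key; raises ValueError if it does not match ``date_format`` and KeyError if the event lacks the timestamp field."""`. Note that the returned key is naive (no tzinfo) unless `date_format` carries `%z`, in which case mixing aware and naive keys in one call would make `sorted` raise `TypeError`; that only matters if a caller passes such a format, which I cannot tell from this hunk. The enclosing `event_sort` and the `round_microseconds` helper both start outside the hunk.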