Support toml lint for investigate transforms (#4066)

detection_rules/etc/test_cli.bash

@@ -28,6 +28,9 @@ python -m detection_rules dev schemas update-rule-data
 echo "Validating rule: execution_github_new_event_action_for_pat.toml"
 python -m detection_rules validate-rule rules_building_block/execution_github_new_event_action_for_pat.toml
 
+echo "Linting Rule: command_and_control_common_webservices.toml"
+python -m detection_rules toml-lint -f rules/windows/command_and_control_common_webservices.toml
+
 echo "Checking licenses"
 python -m detection_rules dev license-check
 

detection_rules/etc/test_toml.json

@@ -115,5 +115,52 @@
         }
       }
     }
+  },
+  {
+    "metadata": {
+      "just": "some",
+      "flat": "fields",
+      "for": "testing"
+    },
+    "transform": {
+        "osquery": [
+            {
+                "label": "some label",
+                "query": "some query"
+            },
+            {
+              "label": "some label",
+              "query": "some query"
+            },
+            {
+              "label": "some label",
+              "query": "some query"
+            }
+        ],
+        "investigate": [
+            {
+                "label": "some label",
+                "relativeFrom": "now-48h/h",
+                "relativeTo": "now",
+                "providers": [
+                    [
+                        {"field": "event.kind", "excluded": false, "queryType": "phrase", "value": "signal", "valueType": "string"},
+                        {"field": "user.id", "excluded": false, "queryType": "phrase", "value": "{{user.id}}", "valueType": "string"}
+                    ]
+                ]
+            },
+            {
+                "label": "some label",
+                "relativeFrom": "now-48h/h",
+                "relativeTo": "now",
+                "providers": [
+                    [
+                        {"field": "event.kind", "excluded": false, "queryType": "phrase", "value": "signal", "valueType": "string"},
+                        {"field": "host.name", "excluded": false, "queryType": "phrase", "value": "{{host.name}}", "valueType": "string"}
+                    ]
+                ]
+            }
+        ]
+    }
   }
 ]

detection_rules/rule_formatter.py

@@ -160,6 +160,14 @@ class RuleTomlEncoder(toml.TomlEncoder):
                 else:
                     dump.append(' ' * 4 + self.dump_value(item))
             return '[\n{},\n]'.format(',\n'.join(dump))
+
+        if all(isinstance(i, dict) for i in v):
+            # Compact inline format for lists of dictionaries with proper indentation
+            retval = "\n" + ' ' * 2 + "[\n"
+            retval += ",\n".join([' ' * 4 + self.dump_inline_table(u).strip() for u in v])
+            retval += "\n" + ' ' * 2 + "]\n"
+            return retval
+
         return self._dump_flat_list(v)