Skip to content

Fix TOML transform sections for Tomlet / docs-builder#5931

Open
Mpdreamz wants to merge 4 commits intoelastic:mainfrom
Mpdreamz:fix/tomlet-transform-investigate-toml
Open

Fix TOML transform sections for Tomlet / docs-builder#5931
Mpdreamz wants to merge 4 commits intoelastic:mainfrom
Mpdreamz:fix/tomlet-transform-investigate-toml

Conversation

@Mpdreamz
Copy link
Copy Markdown
Member

@Mpdreamz Mpdreamz commented Apr 8, 2026

Tomlet requires an explicit [transform] table before [[transform.investigate]] array tables. Rules that placed [[transform.investigate]] after [rule] without [transform] broke the documentation build (MissingIntermediateInTomlTableArraySpecException).

Move [transform] and all [[transform.investigate]] blocks to immediately after [metadata], consistent with other rules (e.g. command_and_control_common_webservices).

Update updated_date on touched rules.

Made-with: Cursor

Pull Request

Issue link(s):

Summary - What I changed

How To Test

Checklist

  • Added a label for the type of pr: bug, enhancement, schema, maintenance, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
  • Added the meta:rapid-merge label if planning to merge within 24 hours
  • Secret and sensitive material has been managed correctly
  • Automated testing was updated or added to match the most common scenarios
  • Documentation and comments were added for features that require explanation

Contributor checklist

@Mpdreamz
Fix TOML transform sections for Tomlet / docs-builder
d2e695d 
Tomlet requires an explicit [transform] table before [[transform.investigate]]
array tables. Rules that placed [[transform.investigate]] after [rule] without
[transform] broke the documentation build (MissingIntermediateInTomlTableArraySpecException).

Move [transform] and all [[transform.investigate]] blocks to immediately after
[metadata], consistent with other rules (e.g. command_and_control_common_webservices).

Update updated_date on touched rules.

Made-with: Cursor
@botelastic botelastic Bot added Domain: Endpoint OS: Windows windows related rules labels Apr 8, 2026
w0rk3r
w0rk3r reviewed Apr 8, 2026
View reviewed changes
Comment thread rules/windows/collection_posh_audio_capture.toml
Mpdreamz added 2 commits April 9, 2026 11:09
@Mpdreamz
Fix Tomlet TOML: [transform] after metadata
02f6d54 
Place [transform] and [[transform.investigate]] immediately after [metadata]
and before [rule], with an explicit [transform] header before investigate blocks.
Matches patterns like command_and_control_common_webservices.toml and satisfies
Tomlet (avoids MissingIntermediateInTomlTableArraySpecException).

Update updated_date on touched rules.

Made-with: Cursor
@Mpdreamz
Reorder rule above transform
04e64e3
@Mpdreamz Mpdreamz requested a review from w0rk3r April 9, 2026 09:12
@eric-forte-elastic
Copy link
Copy Markdown
Contributor

eric-forte-elastic commented Apr 10, 2026

Just checking @Mpdreamz , does it make sense to have this change the format of the TOML files? Given that the TOML does not provide/enforce key ordering, might that still make it prone to produce the error even with this change?

@Mpdreamz
Copy link
Copy Markdown
Member Author

Mpdreamz commented Apr 21, 2026

@eric-forte-elastic I can chase this separately in my upstream TOML parser but can we unblock the docs for now?

@Mpdreamz
Merge origin/main into fix/tomlet-transform-investigate-toml
43e952a 
Resolve updated_date conflicts: keep 2026/04/08 on touched rules.

Made-with: Cursor
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@w0rk3r w0rk3r Awaiting requested review from w0rk3r

Requested changes must be addressed to merge this pull request.

Assignees

@Mpdreamz Mpdreamz

Labels

backport: auto Domain: Endpoint OS: Windows windows related rules

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Mpdreamz @eric-forte-elastic @w0rk3r @Mikaayenson