From 293d4279ff4d1cae7a4ef627de7e0a4dd4327a0c Mon Sep 17 00:00:00 2001
From: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Date: Mon, 13 May 2024 15:00:01 -0400
Subject: [PATCH] [Bug] Update Rule Formatter (#3668)
* Update Rule Formatter
* Only apply fix to Note
(cherry picked from commit 094ef22604d888ea2508b0b0be4dd3748a9ea469)
---
 detection_rules/rule_formatter.py | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/detection_rules/rule_formatter.py b/detection_rules/rule_formatter.py
index c1fa33ac0bc..8bbab64098e 100644
--- a/detection_rules/rule_formatter.py
+++ b/detection_rules/rule_formatter.py
@@ -216,6 +216,11 @@ def _do_write(_data, _contents):
 preserved_fields = ["params.message"]
 v = [preserve_formatting_for_fields(action, preserved_fields) for action in v]
 
+ if k == 'note' and isinstance(v, str):
+ # Transform instances of \ to \\ as calling write will convert \\ to \.
+ # This will ensure that the output file has the correct number of backslashes.
+ v = v.replace("\\", "\\\\")
+
 if isinstance(v, dict):
 bottom[k] = OrderedDict(sorted(v.items()))
 elif isinstance(v, list):
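Review bot: The new `k == 'note'` branch doubles every backslash on the assumption that the later write step always halves them, and nothing in this commit pins that assumption: only `rule_formatter.py` changes and no test accompanies it. A round-trip test that formats a rule whose `note` contains backslashes (a Windows path or a regex in an investigation guide, for example) and asserts that the value loaded from the output equals the input would catch both the original loss and any over-escaping if the writer treats some strings differently. Other free-text string fields presumably reach the same writer without this adjustment; the commit message says limiting it to `note` is deliberate, so the comment could say why, e.g. `# Only 'note' needs this: <reason other string fields are unaffected>`. `_do_write` starts and continues outside the hunk, so how `v` is consumed afterwards is not visible here.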