fix keywords bug and add comments (#964)

Signed-off-by: Joanne Wang <[email protected]>
opensearch-project · Apr 4, 2024 · 4aea86c · 4aea86c
1 parent 2d10915
commit 4aea86c
Showing 1 changed file with 16 additions and 8 deletions.
diff --git a/src/main/java/org/opensearch/securityanalytics/rules/backend/OSQueryBackend.java b/src/main/java/org/opensearch/securityanalytics/rules/backend/OSQueryBackend.java
@@ -329,20 +329,34 @@ public Object convertConditionFieldEqValQueryExpr(ConditionFieldEqualsValueExpre
  return null;
  }*/
 
+ /**
+ * Method used when structure of Sigma Rule does not have a field associated with the condition item and the value
+ * is a SigmaString type
+ * Ex:
+ * condition: selection_1
+ * selection1:
+ * - keyword1
+ */
  @Override
  public Object convertConditionValStr(ConditionValueExpression condition) throws SigmaValueError {
- String field = getFinalValueField();
- ruleQueryFields.put(field, Map.of("type", "text", "analyzer", "rule_analyzer"));
  SigmaString value = (SigmaString) condition.getValue();
  boolean containsWildcard = value.containsWildcard();
  return String.format(Locale.getDefault(), (containsWildcard? this.unboundWildcardExpression: this.unboundValueStrExpression), this.convertValueStr((SigmaString) condition.getValue()));
  }
 
+ /**
+ * Method used when structure of Sigma Rule does not have a field associated with the condition item and the value
+ * is a SigmaNumber type
+ */
  @Override
  public Object convertConditionValNum(ConditionValueExpression condition) {
  return String.format(Locale.getDefault(), this.unboundValueNumExpression, condition.getValue().toString());
  }
 
+ /**
+ * Method used when structure of Sigma Rule does not have a field associated with the condition item and the value
+ * is a SigmaRegularExpression type
+ */
  @Override
  public Object convertConditionValRe(ConditionValueExpression condition) {
  return String.format(Locale.getDefault(), this.unboundReExpression, convertValueRe((SigmaRegularExpression) condition.getValue()));
@@ -444,12 +458,6 @@ private String getFinalField(String field) {
  return field;
  }
 
- private String getFinalValueField() {
- String field = "_" + valExpCount;
- valExpCount++;
- return field;
- }
-
  public static class AggregationQueries implements Writeable, ToXContentObject {
  private static final String AGG_QUERY = "aggQuery";
  private static final String BUCKET_TRIGGER_QUERY = "bucketTriggerQuery";