fix keywords bug and add comments (#964)

Signed-off-by: Joanne Wang <jowg@amazon.com>
opensearch-project · Apr 4, 2024 · e37b053 · e37b053
1 parent 88140d1
commit e37b053
Showing 1 changed file with 16 additions and 8 deletions.
diff --git a/src/main/java/org/opensearch/securityanalytics/rules/backend/OSQueryBackend.java b/src/main/java/org/opensearch/securityanalytics/rules/backend/OSQueryBackend.java
@@ -329,21 +329,35 @@ public Object convertConditionFieldEqValQueryExpr(ConditionFieldEqualsValueExpre
         return null;
     }*/
 
+    /**
+     * Method used when structure of Sigma Rule does not have a field associated with the condition item and the value
+     * is a SigmaString type
+     * Ex:
+     *  condition: selection_1
+     *  selection1:
+     *      - keyword1
+     */
     @Override
     public Object convertConditionValStr(ConditionValueExpression condition) throws SigmaValueError {
-        String field = getFinalValueField();
-        ruleQueryFields.put(field, Map.of("type", "text", "analyzer", "rule_analyzer"));
         SigmaString value = (SigmaString) condition.getValue();
         boolean containsWildcard = value.containsWildcard();
         return String.format(Locale.getDefault(), (containsWildcard? this.unboundWildcardExpression: this.unboundValueStrExpression),
                 this.convertValueStr((SigmaString) condition.getValue()));
     }
 
+    /**
+     * Method used when structure of Sigma Rule does not have a field associated with the condition item and the value
+     * is a SigmaNumber type
+     */
     @Override
     public Object convertConditionValNum(ConditionValueExpression condition) {
         return String.format(Locale.getDefault(), this.unboundValueNumExpression, condition.getValue().toString());
     }
 
+    /**
+     * Method used when structure of Sigma Rule does not have a field associated with the condition item and the value
+     * is a SigmaRegularExpression type
+     */
     @Override
     public Object convertConditionValRe(ConditionValueExpression condition) {
         return String.format(Locale.getDefault(), this.unboundReExpression, convertValueRe((SigmaRegularExpression) condition.getValue()));
@@ -448,12 +462,6 @@ private String getFinalField(String field) {
         return this.getMappedField(field);
     }
 
-    private String getFinalValueField() {
-        String field = "_" + valExpCount;
-        valExpCount++;
-        return field;
-    }
-
     public static class AggregationQueries implements Writeable, ToXContentObject {
         private static final String AGG_QUERY = "aggQuery";
         private static final String BUCKET_TRIGGER_QUERY = "bucketTriggerQuery";