From 0507239054d238dac1e9cf53cfde488aeb4be1c2 Mon Sep 17 00:00:00 2001
From: Joanne Wang
Date: Wed, 3 Apr 2024 16:52:48 -0700
Subject: [PATCH] fix keywords bug and add comments (#964)

Signed-off-by: Joanne Wang
---
 .../rules/backend/OSQueryBackend.java | 24 ++++++++++++-------
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/src/main/java/org/opensearch/securityanalytics/rules/backend/OSQueryBackend.java b/src/main/java/org/opensearch/securityanalytics/rules/backend/OSQueryBackend.java
index 50d452f6b..81ec0fcb4 100644
--- a/src/main/java/org/opensearch/securityanalytics/rules/backend/OSQueryBackend.java
+++ b/src/main/java/org/opensearch/securityanalytics/rules/backend/OSQueryBackend.java
@@ -381,10 +381,16 @@ public Object convertConditionFieldEqValQueryExpr(ConditionFieldEqualsValueExpre
 return null;
 }*/

+ /**
+ * Method used when structure of Sigma Rule does not have a field associated with the condition item and the value
+ * is a SigmaString type
+ * Ex:
+ * condition: selection_1
+ * selection1:
+ * - keyword1
+ */
 @Override
 public Object convertConditionValStr(ConditionValueExpression condition, boolean applyDeMorgans) throws SigmaValueError {
- String field = getFinalValueField();
- ruleQueryFields.put(field, Map.of("type", "text", "analyzer", "rule_analyzer"));
 SigmaString value = (SigmaString) condition.getValue();
 boolean containsWildcard = value.containsWildcard();
 String exprWithDeMorgansApplied = this.notToken + " " + "%s";
@@ -397,6 +403,10 @@ public Object convertConditionValStr(ConditionValueExpression condition, boolean
 return conditionValStr;
 }

+ /**
+ * Method used when structure of Sigma Rule does not have a field associated with the condition item and the value
+ * is a SigmaNumber type
+ */
 @Override
 public Object convertConditionValNum(ConditionValueExpression condition, boolean applyDeMorgans) {
 String exprWithDeMorgansApplied = this.notToken + " " + "%s";
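Review bot: The example in the new Javadoc on `convertConditionValStr` is internally inconsistent — the condition references `selection_1` while the selection it defines is named `selection1`, so as written the rule would not resolve; make the names agree (`condition: selection1`) and wrap the YAML in `<pre>{@code ... }</pre>` so the indentation survives Javadoc rendering. The comment also promises a SigmaString value, but the only enforcement is the unchecked cast on the context line `SigmaString value = (SigmaString) condition.getValue();`; an `instanceof` guard that throws `SigmaValueError` (already declared by the method) would fail with a meaningful message instead of a ClassCastException if a non-string keyword ever reaches this path. Since the commit stops registering the synthetic `_N` text field with `rule_analyzer` for keyword values, the Javadoc should also state what a bare keyword is now matched against and with which analyzer — presumably a field-less query, but the query construction lies outside this hunk, so I cannot confirm. The body of convertConditionValStr continues past the end of the hunk.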
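Review bot: The Javadoc added on `convertConditionValNum` does not follow Javadoc conventions: the summary should be a verb phrase ending in a period, and the parameters and return value should be documented. Something like `Converts a field-less Sigma condition item whose value is a {@code SigmaNumber} into a query expression.` followed by `@param condition the value-only condition item`, `@param applyDeMorgans whether to prefix the expression with the not-token (presumably negation, judging from the `notToken` use on the next line)` and `@return the generated query expression` would read better. The same applies to the identical comment added for `convertConditionValRe` in the next hunk. The rest of convertConditionValNum lies outside this hunk.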
@@ -407,6 +417,10 @@ public Object convertConditionValNum(ConditionValueExpression condition, boolean
 return conditionValNum;
 }

+ /**
+ * Method used when structure of Sigma Rule does not have a field associated with the condition item and the value
+ * is a SigmaRegularExpression type
+ */
 @Override
 public Object convertConditionValRe(ConditionValueExpression condition, boolean applyDeMorgans) {
 String exprWithDeMorgansApplied = this.notToken + " " + "%s";
@@ -516,12 +530,6 @@ private String getFinalField(String field) {
 return this.getMappedField(field);
 }

- private String getFinalValueField() {
- String field = "_" + valExpCount;
- valExpCount++;
- return field;
- }
-
 public static class AggregationQueries implements Writeable, ToXContentObject {
 private static final String AGG_QUERY = "aggQuery";
 private static final String BUCKET_TRIGGER_QUERY = "bucketTriggerQuery";