cleanup code

Signed-off-by: Joanne Wang <[email protected]>

src/main/java/org/opensearch/securityanalytics/rules/backend/OSQueryBackend.java

@@ -4,8 +4,6 @@
  */
 package org.opensearch.securityanalytics.rules.backend;
 
-import org.apache.logging.log4j.LogManager;
-import org.apache.logging.log4j.Logger;
 import org.opensearch.OpenSearchParseException;
 import org.opensearch.common.UUIDs;
 import org.opensearch.core.common.bytes.BytesReference;
@@ -286,7 +284,7 @@ public Object convertConditionNot(ConditionNOT condition, boolean isConditionNot
     @Override
     public Object convertExistsField(ConditionFieldEqualsValueExpression condition) {
         String field = getFinalField(condition.getField());
-        return String.format(Locale.getDefault(),tokenSeparator + this.andToken + this.tokenSeparator + this.existsToken + this.eqToken + " _exists_" + field);
+        return String.format(Locale.getDefault(),tokenSeparator + this.andToken + this.tokenSeparator + this.existsToken + this.eqToken + this.tokenSeparator + this.existsToken + field);
     }
 
     @Override

src/main/java/org/opensearch/securityanalytics/rules/backend/QueryBackend.java

@@ -4,8 +4,6 @@
  */
 package org.opensearch.securityanalytics.rules.backend;
 
-import org.apache.logging.log4j.LogManager;
-import org.apache.logging.log4j.Logger;
 import org.opensearch.securityanalytics.rules.aggregation.AggregationItem;
 import org.opensearch.securityanalytics.rules.backend.OSQueryBackend.AggregationQueries;
 import org.opensearch.securityanalytics.rules.condition.ConditionAND;
@@ -31,12 +29,22 @@
 import org.opensearch.securityanalytics.rules.utils.AnyOneOf;
 import org.opensearch.securityanalytics.rules.utils.Either;
 import org.apache.commons.lang3.tuple.Pair;
-
-import java.util.*;
+import org.yaml.snakeyaml.LoaderOptions;
+import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.charset.Charset;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Locale;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
 
 public abstract class QueryBackend {
-
-    private static final Logger log = LogManager.getLogger(QueryBackend.class);
     private boolean convertOrAsIn;
     private boolean convertAndAsIn;
     private boolean collectErrors;
@@ -85,8 +93,6 @@ public List<Object> convertRule(SigmaRule rule) throws SigmaError {
                     query = this.convertCondition(new ConditionType(Either.right(Either.right((ConditionValueExpression) conditionItem))), false, false);
                 }
                 queries.add(query);
-//                log.debug("converted query");
-//                log.debug(query);
                 if (aggItem != null) {
                     aggItem.setTimeframe(rule.getDetection().getTimeframe());
                     queries.add(convertAggregation(aggItem));
@@ -120,7 +126,7 @@ public Object convertCondition(ConditionType conditionType, boolean isConditionN
         } else if (conditionType.isConditionNOT()) {
             return this.convertConditionNot(conditionType.getConditionNOT(), isConditionNot, applyDeMorgans);
         } else if (conditionType.isEqualsValueExpression()) {
-            // add a check to see if it should be done, then call another method to add them together else, return as normal BUT the check needs to see if top parent is NOT
+            // check to see if conditionNot is an ancestor of the parse tree, otherwise return as normal
             if (isConditionNot) {
                 return this.convertConditionFieldEqValNot(conditionType, isConditionNot, applyDeMorgans);
             } else {
@@ -134,18 +140,8 @@ public Object convertCondition(ConditionType conditionType, boolean isConditionN
     }
 
     public String convertConditionFieldEqValNot(ConditionType conditionType, boolean isConditionNot, boolean applyDeMorgans) throws SigmaValueError {
-//        String baseString;
-//        String exprWithDeMorgansApplied = "NOT " + "%s";
-//        if (applyDeMorgans) {
-//            baseString = String.format(Locale.getDefault(), exprWithDeMorgansApplied, this.convertConditionFieldEqVal(conditionType.getEqualsValueExpression(), isConditionNot, applyDeMorgans).toString());
-//        } else {
-//            baseString = this.convertConditionFieldEqVal(conditionType.getEqualsValueExpression(), isConditionNot, applyDeMorgans).toString();
-//        }
-
         String baseString = this.convertConditionFieldEqVal(conditionType.getEqualsValueExpression(), isConditionNot, applyDeMorgans).toString();
         String addExists = this.convertExistsField(conditionType.getEqualsValueExpression()).toString();
-//        log.error("I AM HERE");
-//        log.error(String.format(Locale.getDefault(), ("%s" + "%s"), baseString, addExists));
         return String.format(Locale.getDefault(), ("%s" + "%s"), baseString, addExists);
     }
 

src/test/java/org/opensearch/securityanalytics/alerts/AlertsIT.java

@@ -35,7 +35,18 @@
 import org.opensearch.securityanalytics.model.DetectorRule;
 import org.opensearch.securityanalytics.model.DetectorTrigger;
 
-import static org.opensearch.securityanalytics.TestHelpers.*;
+import static org.opensearch.securityanalytics.TestHelpers.netFlowMappings;
+import static org.opensearch.securityanalytics.TestHelpers.randomAction;
+import static org.opensearch.securityanalytics.TestHelpers.randomDetectorType;
+import static org.opensearch.securityanalytics.TestHelpers.randomDetectorWithInputsAndThreatIntel;
+import static org.opensearch.securityanalytics.TestHelpers.randomDetectorWithInputsAndTriggers;
+import static org.opensearch.securityanalytics.TestHelpers.randomDetectorWithTriggers;
+import static org.opensearch.securityanalytics.TestHelpers.randomDoc;
+import static org.opensearch.securityanalytics.TestHelpers.randomDocWithIpIoc;
+import static org.opensearch.securityanalytics.TestHelpers.randomNetworkDoc;
+import static org.opensearch.securityanalytics.TestHelpers.randomIndex;
+import static org.opensearch.securityanalytics.TestHelpers.randomRule;
+import static org.opensearch.securityanalytics.TestHelpers.windowsIndexMapping;
 import static org.opensearch.securityanalytics.settings.SecurityAnalyticsSettings.ALERT_HISTORY_INDEX_MAX_AGE;
 import static org.opensearch.securityanalytics.settings.SecurityAnalyticsSettings.ALERT_HISTORY_MAX_DOCS;
 import static org.opensearch.securityanalytics.settings.SecurityAnalyticsSettings.ALERT_HISTORY_RETENTION_PERIOD;

src/test/java/org/opensearch/securityanalytics/findings/FindingIT.java

@@ -6,11 +6,19 @@
 package org.opensearch.securityanalytics.findings;
 
 import java.io.IOException;
-import java.util.*;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.HashSet;
+import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.stream.Collectors;
 
 import org.apache.hc.core5.http.HttpStatus;
 import org.junit.Assert;
+import org.junit.Ignore;
 import org.opensearch.action.search.SearchResponse;
 import org.opensearch.client.Request;
 import org.opensearch.client.Response;
@@ -658,6 +666,8 @@ public void testCreateDetectorWithNotCondition_verifyFindingsAndNoFindings_succe
 
         // Verify findings
         indexDoc(index, "1", randomDoc(2, 5, "Test"));
+        indexDoc(index, "2", randomDocForNotCondition(2, 5, "Test"));
+        indexDoc(index, "3", randomDocForNotCondition(2, 5, "Test"));
         indexDoc(index, "4", randomDoc(2, 5, "Test"));
 
         Response executeResponse = executeAlertingMonitor(monitorId, Collections.emptyMap());

src/test/java/org/opensearch/securityanalytics/rules/backend/QueryBackendTests.java

@@ -756,21 +756,16 @@ public void testConvertNotComplicatedExpression() throws IOException, SigmaError
                         "                selection1:\n" +
                         "                    CommandLine|endswith: '.cpl'\n" +
                         "                filter:\n" +
-                        "                    CommandLine|contains\n" +
+                        "                    CommandLine|contains:\n" +
                         "                        - '\\System32\\'\n" +
                         "                        - '%System%'\n" +
                         "                fp1_igfx:\n" +
                         "                    CommandLine|contains|all:\n" +
                         "                        - 'regsvr32 '\n" +
                         "                        - ' /s '\n" +
                         "                        - 'igfxCPL.cpl'\n" +
-                        "                selection2:\n" +
-                        "                    Image|endswith: '\\reg.exe'\n" +
-                        "                    CommandLine|contains: 'add'\n" +
-                        "                selection3:\n" +
-                        "                    CommandLine|contains: 'CurrentVersion\\Control Panel\\CPLs'\n" +
-                        "                condition: (selection1 and not filter and not fp1_igfx) or (selection2 and selection3)", false));
-        Assert.assertEquals("(((NOT Opcode: \"Info\" AND _exists_: _exists_Opcode) AND (NOT Severity: \"value2\" AND _exists_: _exists_Severity)))", queries.get(0).toString());
+                        "                condition: selection1 and not filter and not fp1_igfx", false));
+        Assert.assertEquals("((CommandLine: *.cpl) AND ((((NOT CommandLine: *\\\\System32\\\\* AND _exists_: _exists_CommandLine) AND (NOT CommandLine: *%System%* AND _exists_: _exists_CommandLine))))) AND ((((NOT CommandLine: *regsvr32_ws_* AND _exists_: _exists_CommandLine) OR (NOT CommandLine: *_ws_\\/s_ws_* AND _exists_: _exists_CommandLine) OR (NOT CommandLine: *igfxCPL.cpl* AND _exists_: _exists_CommandLine))))", queries.get(0).toString());
     }
 
     public void testConvertNotWithAnd() throws IOException, SigmaError {