From a2731de2cbe3828053b6f30d5f049f7aee79915c Mon Sep 17 00:00:00 2001
From: Surya Sashank Nistala
Date: Tue, 21 Nov 2023 11:01:30 -0800
Subject: [PATCH] fix null query filter conversion from sigma to query string query
Signed-off-by: Surya Sashank Nistala
---
 .../securityanalytics/rules/backend/OSQueryBackend.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/java/org/opensearch/securityanalytics/rules/backend/OSQueryBackend.java b/src/main/java/org/opensearch/securityanalytics/rules/backend/OSQueryBackend.java
index 7e0be9ddc..9aca41a80 100644
--- a/src/main/java/org/opensearch/securityanalytics/rules/backend/OSQueryBackend.java
+++ b/src/main/java/org/opensearch/securityanalytics/rules/backend/OSQueryBackend.java
@@ -131,7 +131,7 @@ public OSQueryBackend(Map fieldMappings, boolean collectErrors,
 this.reEscapeChar = "\\";
 this.reExpression = "%s: /%s/";
 this.cidrExpression = "%s: \"%s\"";
- this.fieldNullExpression = "%s: null";
+ this.fieldNullExpression = "%s: (NOT [* TO *])";
 this.unboundValueStrExpression = "%s: \"%s\"";
 this.unboundValueNumExpression = "%s: %s";
 this.unboundWildcardExpression = "%s: %s";
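Review bot: The new `fieldNullExpression` value on the `+` line is neither explained by a comment nor pinned by a test; the diffstat shows only OSQueryBackend.java changing. This template decides how a Sigma `field: null` condition is rendered into the detector's query string, so a mistake here would surface as silently missed or spurious detections rather than as an error. A unit test that converts a rule with a null value, plus one with the negated form (which presumably wraps a second NOT around `(NOT [* TO *])`), would guard against that. I would also add a comment above the assignment such as `// query_string has no null literal; match documents where the field has no value`, and consider whether `NOT _exists_: %s` states the intent more directly, after confirming it against the field types the mappings produce. The constructor body starts and ends outside the hunk.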