From 63705cdccb8d56e9ecce40edebdce0e0c56bf669 Mon Sep 17 00:00:00 2001
From: Julien Doutre
Date: Tue, 21 Dec 2021 12:17:13 +0100
Subject: [PATCH] Comments
---
 tools/sigma/backends/datadog.py | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/tools/sigma/backends/datadog.py b/tools/sigma/backends/datadog.py
index 8b86450a3..80d6f880b 100644
--- a/tools/sigma/backends/datadog.py
+++ b/tools/sigma/backends/datadog.py
@@ -32,6 +32,8 @@ class DatadogLogsBackend(SingleTextQueryBackend):
 notToken = "-"
 subExpression = "(%s)"
 listExpression = "(%s)"
+ # List selection items are linked with a logical 'OR' per the Sigma specification:
+ # https://github.com/SigmaHQ/sigma/wiki/Specification#lists.
 listSeparator = " OR "
 valueExpression = "%s"
 mapExpression = "%s:%s"
@@ -92,7 +94,15 @@ class DatadogLogsBackend(SingleTextQueryBackend):
 if type(val) == int:
 return val
 else:
+ # Whitespaces characters are replaced with a `?`.
+ # Datadog also supports escaping whitespaces by double quoting
+ # expression, but at the cost of losing the `*` pattern matching
+ # syntax that we wanted to preserve.
+ # Note that technically, `?` matches **any** single character.
 return self.whitespacesRegexp.sub(
+ # Special characters are escaped with a `\` which requires to be escaped
+ # in Python as well (see https://docs.python.org/3/library/re.html).
+ # This explains the unusual number of `\` in the following regex definition.
 "?", self.specialCharactersRegexp.sub("\\\\\g<1>", val)
 )
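Review bot: The comment added inside the `whitespacesRegexp.sub(` call explains the backslash count of `"\\\\\g<1>"` instead of removing its cause. In a non-raw literal `\g` is an invalid escape sequence (DeprecationWarning since Python 3.6, SyntaxWarning since 3.12), and the raw string `r"\\\g<1>"` gives the same replacement template without the double escaping. The comment also sits in front of the `"?"` argument although it describes the nested `specialCharactersRegexp.sub(...)` call, so it would read better placed directly above that expression. Because `?` matches any single character, the first comment block could spell out what that means for detection, for example `# The converted query is therefore broader than the Sigma rule and may produce extra matches.` The enclosing method starts outside this hunk, so how `val` reaches this branch is not visible here.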