ti feed data to doc level query convertor logic added

src/main/java/org/opensearch/securityanalytics/threatIntel/DetectorThreatIntelService.java

@@ -0,0 +1,39 @@
+package org.opensearch.securityanalytics.threatIntel;
+
+import org.opensearch.commons.alerting.model.DocLevelQuery;
+import org.opensearch.securityanalytics.model.ThreatIntelFeedData;
+
+import java.util.Collections;
+import java.util.List;
+import java.util.Set;
+import java.util.stream.Collectors;
+
+
+public class DetectorThreatIntelService {
+
+    /** Convert the feed data IOCs into query string query format to create doc level queries. */
+    public static DocLevelQuery createDocLevelQueryFromThreatIntelList(
+            List<ThreatIntelFeedData> tifdList, String docLevelQueryId
+            ) {
+        Set<String> iocs = tifdList.stream().map(ThreatIntelFeedData::getIocValue).collect(Collectors.toSet());
+        String query = buildQueryStringQueryWithIocList(iocs);
+        return new DocLevelQuery(
+                docLevelQueryId,tifdList.get(0).getFeedId(), query,
+                Collections.singletonList("threat_intel")
+        );
+    }
+
+    private static String buildQueryStringQueryWithIocList(Set<String> iocs) {
+        StringBuilder sb = new StringBuilder();
+
+        for(String ioc : iocs) {
+            if(sb.length() != 0) {
+                sb.append(" ");
+            }
+            sb.append("(");
+            sb.append(ioc);
+            sb.append(")");
+        }
+        return sb.toString();
+    }
+}

src/main/java/org/opensearch/securityanalytics/threatIntel/ThreatIntelFeedDataService.java

@@ -29,7 +29,7 @@
 public class ThreatIntelFeedDataService {
     private static final Logger log = LogManager.getLogger(FindingsService.class);
 
-    public void getThreatIntelFeedData(ClusterState state, Client client, IndexNameExpressionResolver indexNameExpressionResolver,
+    public static void getThreatIntelFeedData(ClusterState state, Client client, IndexNameExpressionResolver indexNameExpressionResolver,
                                        String feedName, String iocType,
                                        ActionListener<List<ThreatIntelFeedData>> listener, NamedXContentRegistry xContentRegistry) {
         String indexPattern = String.format(".opendsearch-sap-threatintel-%s*", feedName);
@@ -46,7 +46,7 @@ public void getThreatIntelFeedData(ClusterState state, Client client, IndexNameE
         }));
     }
 
-    private List<ThreatIntelFeedData> getTifdList(SearchResponse searchResponse, NamedXContentRegistry xContentRegistry) {
+    private static List<ThreatIntelFeedData> getTifdList(SearchResponse searchResponse, NamedXContentRegistry xContentRegistry) {
         List<ThreatIntelFeedData> list = new ArrayList<>();
         if (searchResponse.getHits().getHits().length != 0) {
             Arrays.stream(searchResponse.getHits().getHits()).forEach(hit -> {

src/main/java/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction.java

@@ -645,6 +645,9 @@ private IndexMonitorRequest createDocLevelMonitorRequest(List<Pair<String, Rule>
             DocLevelQuery docLevelQuery = new DocLevelQuery(id, name, actualQuery, tags);
             docLevelQueries.add(docLevelQuery);
         }
+        if(detector.getThreatIntelEnabled()) {
+            DetectorThreatIntelService
+        }
         DocLevelMonitorInput docLevelMonitorInput = new DocLevelMonitorInput(detector.getName(), detector.getInputs().get(0).getIndices(), docLevelQueries);
         docLevelMonitorInputs.add(docLevelMonitorInput);