From c7d595b5698e055ca426bcfad26d52bdd00cfa0f Mon Sep 17 00:00:00 2001
From: Surya Sashank Nistala
Date: Tue, 3 Oct 2023 14:55:11 -0700
Subject: [PATCH] ti feed data to doc level query convertor logic added
---
 .../DetectorThreatIntelService.java | 39 +++++++++++++++++++
 .../ThreatIntelFeedDataService.java | 4 +-
 .../TransportIndexDetectorAction.java | 3 ++
 3 files changed, 44 insertions(+), 2 deletions(-)
 create mode 100644 src/main/java/org/opensearch/securityanalytics/threatIntel/DetectorThreatIntelService.java
diff --git a/src/main/java/org/opensearch/securityanalytics/threatIntel/DetectorThreatIntelService.java b/src/main/java/org/opensearch/securityanalytics/threatIntel/DetectorThreatIntelService.java
new file mode 100644
index 000000000..604d4e983
--- /dev/null
+++ b/src/main/java/org/opensearch/securityanalytics/threatIntel/DetectorThreatIntelService.java
@@ -0,0 +1,39 @@
+package org.opensearch.securityanalytics.threatIntel;
+
+import org.opensearch.commons.alerting.model.DocLevelQuery;
+import org.opensearch.securityanalytics.model.ThreatIntelFeedData;
+
+import java.util.Collections;
+import java.util.List;
+import java.util.Set;
+import java.util.stream.Collectors;
+
+
+public class DetectorThreatIntelService {
+
+ /** Convert the feed data IOCs into query string query format to create doc level queries. */
+ public static DocLevelQuery createDocLevelQueryFromThreatIntelList(
+ List tifdList, String docLevelQueryId
+ ) {
+ Set iocs = tifdList.stream().map(ThreatIntelFeedData::getIocValue).collect(Collectors.toSet());
+ String query = buildQueryStringQueryWithIocList(iocs);
+ return new DocLevelQuery(
+ docLevelQueryId,tifdList.get(0).getFeedId(), query,
+ Collections.singletonList("threat_intel")
+ );
+ }
+
+ private static String buildQueryStringQueryWithIocList(Set iocs) {
+ StringBuilder sb = new StringBuilder();
+
+ for(String ioc : iocs) {
+ if(sb.length() != 0) {
+ sb.append(" ");
+ }
+ sb.append("(");
+ sb.append(ioc);
+ sb.append(")");
+ }
+ return sb.toString();
+ }
+}
diff --git a/src/main/java/org/opensearch/securityanalytics/threatIntel/ThreatIntelFeedDataService.java b/src/main/java/org/opensearch/securityanalytics/threatIntel/ThreatIntelFeedDataService.java
index 60c4d7c66..9c12fdef7 100644
--- a/src/main/java/org/opensearch/securityanalytics/threatIntel/ThreatIntelFeedDataService.java
+++ b/src/main/java/org/opensearch/securityanalytics/threatIntel/ThreatIntelFeedDataService.java
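Review bot: `createDocLevelQueryFromThreatIntelList` calls `tifdList.get(0).getFeedId()` with no empty-list guard, so a feed that currently holds no IOCs fails with an `IndexOutOfBoundsException` from inside detector creation instead of a clear error, and the guard belongs before the stream. `buildQueryStringQueryWithIocList` concatenates each IOC value verbatim into a query_string query, and feed values such as URLs or file paths carry characters the query_string parser treats as operators (`:`, `/`, `*`, `"`, whitespace, `AND`/`OR`), so a malformed or hostile feed entry can break the generated query or widen what it matches; each value should be quoted with quotes and backslashes escaped (or escaped per the query_string reserved-character rules) so feed content is always matched literally. `Collectors.toSet()` also gives no stable iteration order, so the same feed yields a different query text on every run, which makes the stored query hard to compare across updates; collecting into a `LinkedHashSet` keeps it deterministic. The Javadoc should additionally state that the feed id of the first element becomes the query name and that every entry is expected to come from the same feed.
```java
    public static DocLevelQuery createDocLevelQueryFromThreatIntelList(
            List<ThreatIntelFeedData> tifdList, String docLevelQueryId
    ) {
        if (tifdList == null || tifdList.isEmpty()) {
            throw new IllegalArgumentException("threat intel feed data list must not be empty");
        }
        // LinkedHashSet keeps the IOC order stable so the same feed always yields the same query text
        Set<String> iocs = tifdList.stream()
                .map(ThreatIntelFeedData::getIocValue)
                .collect(Collectors.toCollection(LinkedHashSet::new));
        // … unchanged: build query string and return DocLevelQuery …
    }

    private static String buildQueryStringQueryWithIocList(Set<String> iocs) {
        StringBuilder sb = new StringBuilder();
        for (String ioc : iocs) {
            if (sb.length() != 0) {
                sb.append(" ");
            }
            // quote each value and escape backslash/quote so feed content is matched literally
            // rather than parsed as query_string operators
            String escaped = ioc.replace("\\", "\\\\").replace("\"", "\\\"");
            sb.append("(\"").append(escaped).append("\")");
        }
        return sb.toString();
    }
```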
@@ -29,7 +29,7 @@ public class ThreatIntelFeedDataService {
 private static final Logger log = LogManager.getLogger(FindingsService.class);
- public void getThreatIntelFeedData(ClusterState state, Client client, IndexNameExpressionResolver indexNameExpressionResolver,
+ public static void getThreatIntelFeedData(ClusterState state, Client client, IndexNameExpressionResolver indexNameExpressionResolver,
 String feedName, String iocType, ActionListener> listener, NamedXContentRegistry xContentRegistry) {
 String indexPattern = String.format(".opendsearch-sap-threatintel-%s*", feedName);
@@ -46,7 +46,7 @@ public void getThreatIntelFeedData(ClusterState state, Client client, IndexNameE
 }));
 }
- private List getTifdList(SearchResponse searchResponse, NamedXContentRegistry xContentRegistry) {
+ private static List getTifdList(SearchResponse searchResponse, NamedXContentRegistry xContentRegistry) {
 List list = new ArrayList<>();
 if (searchResponse.getHits().getHits().length != 0) {
 Arrays.stream(searchResponse.getHits().getHits()).forEach(hit -> {
diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction.java
index ae2afc1f3..d5863caf4 100644
--- a/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction.java
@@ -648,6 +648,9 @@ private IndexMonitorRequest createDocLevelMonitorRequest(List
 DocLevelQuery docLevelQuery = new DocLevelQuery(id, name, Collections.emptyList(), actualQuery, tags);
 docLevelQueries.add(docLevelQuery);
 }
+ if(detector.getThreatIntelEnabled()) {
+ DetectorThreatIntelService
+ }
 DocLevelMonitorInput docLevelMonitorInput = new DocLevelMonitorInput(detector.getName(), detector.getInputs().get(0).getIndices(), docLevelQueries);
 docLevelMonitorInputs.add(docLevelMonitorInput);
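Review bot: The now-static `getThreatIntelFeedData` is a public entry point with no Javadoc, and since it can be called from any class without a service instance, its contract (which feed `feedName` and `iocType` select, that the result arrives asynchronously on `listener`, and what the listener receives on a missing index) should be documented on the method; a `@param`/`@throws` block covering those four parameters is enough. The method formats `feedName` straight into `".opendsearch-sap-threatintel-%s*"` on the context line under the signature, so with the wider set of callers static access allows, a check that `feedName` carries only the characters a feed name may legitimately contain (no `*`, `,` or leading `-`) would keep a caller from broadening the pattern beyond the intended feed's indices. That literal also looks like a typo for `.opensearch-…`, worth confirming against the index name used when the feed is written. The second hunk in this file (`getTifdList`) is the same static conversion and needs nothing beyond this; `getThreatIntelFeedData`'s body continues past the end of the hunk.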
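Review bot: The added `if(detector.getThreatIntelEnabled())` block contains the bare identifier `DetectorThreatIntelService` with no member access or call, which is not a valid Java statement and will fail compilation, so this hunk cannot be merged as is. The call it appears to be reaching for, `DetectorThreatIntelService.createDocLevelQueryFromThreatIntelList(tifdList, id)`, needs a list of `ThreatIntelFeedData` that this method does not have; the only source visible in this patch is `ThreatIntelFeedDataService.getThreatIntelFeedData(...)`, which delivers its result on an `ActionListener`, so the threat-intel query cannot be appended to `docLevelQueries` synchronously here without restructuring `createDocLevelMonitorRequest` around that callback. Until that is done a detector with the flag set is created with `docLevelQueries` lacking any feed-derived query, so threat intel would be silently inactive rather than failing loudly; at minimum the branch should log or reject rather than fall through. `createDocLevelMonitorRequest` starts and ends outside the hunk.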