add tests for detector creation and updation with threat intel

Signed-off-by: Surya Sashank Nistala <snistala@amazon.com>

src/test/java/org/opensearch/securityanalytics/resthandler/DetectorMonitorRestApiIT.java

@@ -1052,7 +1052,7 @@ public void testCreateDetector_verifyWorkflowCreation_success_WithoutGroupByRule
         verifyWorkflow(detectorMap, monitorIds, 2);
     }
 
-    public void testCreateDetectorWiththreatIntelEnabled_updateDetectorWithThreatIntelDisabled() throws IOException {
+    public void testCreateDetectorWithThreatIntelEnabled_updateDetectorWithThreatIntelDisabled() throws IOException {
 
         updateClusterSetting(ENABLE_WORKFLOW_USAGE.getKey(), "true");
         String index = createTestIndex(randomIndex(), windowsIndexMapping());
@@ -1136,14 +1136,109 @@ public void testCreateDetectorWiththreatIntelEnabled_updateDetectorWithThreatInt
         ArrayList<String> docs = (ArrayList<String>) docLevelQueryResults.get(threatIntelDocLevelQueryId);
         assertEquals(docs.size(), 3);
 
+        Response updateResponse = makeRequest(client(), "PUT", SecurityAnalyticsPlugin.DETECTOR_BASE_URI + "/" + detectorId, Collections.emptyMap(), toHttpEntity(randomDetectorWithInputsAndThreatIntel(List.of(input), false)));
+
+        assertEquals("Update detector failed", RestStatus.OK, restStatus(updateResponse));
+
+        Map<String, Object> updateResponseBody = asMap(updateResponse);
+        for (String ioc : iocs) {
+            indexDoc(index, i+"", randomDocWithIpIoc(5, 3, ioc));
+            i++;
+        }
+
+        executeResponse = executeAlertingWorkflow(workflowId, Collections.emptyMap());
+
+        monitorRunResults = (List<Map<String, Object>>) entityAsMap(executeResponse).get("monitor_run_results");
+        assertEquals(1, monitorRunResults.size());
+
+        docLevelQueryResults = ((List<Map<String, Object>>) ((Map<String, Object>) monitorRunResults.get(0).get("input_results")).get("results")).get(0);
+        noOfSigmaRuleMatches = docLevelQueryResults.size();
+        assertEquals(1, noOfSigmaRuleMatches);
+    }
+
+    public void testCreateDetectorWiththreatIntelDisabled_updateDetectorWithThreatIntelEnabled() throws IOException {
+
+        updateClusterSetting(ENABLE_WORKFLOW_USAGE.getKey(), "true");
+        String index = createTestIndex(randomIndex(), windowsIndexMapping());
+
+        // Execute CreateMappingsAction to add alias mapping for index
+        Request createMappingRequest = new Request("POST", SecurityAnalyticsPlugin.MAPPER_BASE_URI);
+        // both req params and req body are supported
+        createMappingRequest.setJsonEntity(
+                "{ \"index_name\":\"" + index + "\"," +
+                        "  \"rule_topic\":\"" + randomDetectorType() + "\", " +
+                        "  \"partial\":true" +
+                        "}"
+        );
+
+        Response createMappingResponse = client().performRequest(createMappingRequest);
+
+        assertEquals(HttpStatus.SC_OK, createMappingResponse.getStatusLine().getStatusCode());
+
+        String testOpCode = "Test";
+
+        String randomDocRuleId = createRule(randomRule());
+        List<DetectorRule> detectorRules = List.of(new DetectorRule(randomDocRuleId));
+        DetectorInput input = new DetectorInput("windows detector for security analytics", List.of("windows"), detectorRules,
+                Collections.emptyList());
+        Detector detector = randomDetectorWithInputsAndThreatIntel(List.of(input), false);
+        Response createResponse = makeRequest(client(), "POST", SecurityAnalyticsPlugin.DETECTOR_BASE_URI, Collections.emptyMap(), toHttpEntity(detector));
+
+        String request = "{\n" +
+                "   \"query\" : {\n" +
+                "     \"match_all\":{\n" +
+                "     }\n" +
+                "   }\n" +
+                "}";
+        SearchResponse response = executeSearchAndGetResponse(DetectorMonitorConfig.getRuleIndex(randomDetectorType()), request, true);
+
+
+        assertEquals(1, response.getHits().getTotalHits().value);
+
+        assertEquals("Create detector failed", RestStatus.CREATED, restStatus(createResponse));
+        Map<String, Object> responseBody = asMap(createResponse);
+
+        String detectorId = responseBody.get("_id").toString();
+        request = "{\n" +
+                "   \"query\" : {\n" +
+                "     \"match\":{\n" +
+                "        \"_id\": \"" + detectorId + "\"\n" +
+                "     }\n" +
+                "   }\n" +
+                "}";
+        List<SearchHit> hits = executeSearch(Detector.DETECTORS_INDEX, request);
+        SearchHit hit = hits.get(0);
+        Map<String, Object> detectorMap = (HashMap<String, Object>) (hit.getSourceAsMap().get("detector"));
+        List inputArr = (List) detectorMap.get("inputs");
+
+
+        List<String> monitorIds = ((List<String>) (detectorMap).get("monitor_id"));
+        assertEquals(1, monitorIds.size());
+
+        assertNotNull("Workflow not created", detectorMap.get("workflow_ids"));
+        assertEquals("Number of workflows not correct", 1, ((List<String>) detectorMap.get("workflow_ids")).size());
+
+        // Verify workflow
+        verifyWorkflow(detectorMap, monitorIds, 1);
+        indexDoc(index, "1", randomDoc(2, 4, "test"));
+        String workflowId = ((List<String>) detectorMap.get("workflow_ids")).get(0);
+
+        Response executeResponse = executeAlertingWorkflow(workflowId, Collections.emptyMap());
+
+        List<Map<String, Object>> monitorRunResults = (List<Map<String, Object>>) entityAsMap(executeResponse).get("monitor_run_results");
+        assertEquals(1, monitorRunResults.size());
+
+        Map<String, Object> docLevelQueryResults = ((List<Map<String, Object>>) ((Map<String, Object>) monitorRunResults.get(0).get("input_results")).get("results")).get(0);
+        int noOfSigmaRuleMatches = docLevelQueryResults.size();
+        assertEquals(1, noOfSigmaRuleMatches);
+
         Response updateResponse = makeRequest(client(), "PUT", SecurityAnalyticsPlugin.DETECTOR_BASE_URI + "/" + detectorId, Collections.emptyMap(), toHttpEntity(randomDetectorWithInputsAndThreatIntel(List.of(input), true)));
 
         assertEquals("Update detector failed", RestStatus.OK, restStatus(updateResponse));
 
         Map<String, Object> updateResponseBody = asMap(updateResponse);
-        response = executeSearchAndGetResponse(DetectorMonitorConfig.getRuleIndex(randomDetectorType()), request, true);
-        assertEquals(1, response.getHits().getTotalHits().value); //threat intel based queries should not be present as threat intel is disabled.
-        i=1;
+        List<String> iocs = getThreatIntelFeedIocs(3);
+        int i=2;
         for (String ioc : iocs) {
             indexDoc(index, i+"", randomDocWithIpIoc(5, 3, ioc));
             i++;
@@ -1157,9 +1252,6 @@ public void testCreateDetectorWiththreatIntelEnabled_updateDetectorWithThreatInt
         docLevelQueryResults = ((List<Map<String, Object>>) ((Map<String, Object>) monitorRunResults.get(0).get("input_results")).get("results")).get(0);
         noOfSigmaRuleMatches = docLevelQueryResults.size();
         assertEquals(2, noOfSigmaRuleMatches);
-        threatIntelDocLevelQueryId = docLevelQueryResults.keySet().stream().filter(id -> id.contains(detector.getName() + "_threat_intel")).findAny().get();
-        docs = (ArrayList<String>) docLevelQueryResults.get(threatIntelDocLevelQueryId);
-        assertEquals(docs.size(), 1);
     }
 
     private List<String> getThreatIntelFeedIocs(int num) throws IOException {