Fixed searchString bug. Removed nested IOC mapping structure. (#1239)

* Fixed searchString bug. Removed nested IOC mapping structure.

Signed-off-by: AWSHurneyt <[email protected]>

* Removed redundant operator set from query.

Signed-off-by: AWSHurneyt <[email protected]>

* Fixed scan service.

Signed-off-by: AWSHurneyt <[email protected]>

* Implemented integ test.

Signed-off-by: AWSHurneyt <[email protected]>

---------

Signed-off-by: AWSHurneyt <[email protected]>
(cherry picked from commit 6916f8c)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

src/main/java/org/opensearch/securityanalytics/threatIntel/iocscan/service/SaIoCScanService.java

@@ -376,9 +376,9 @@ private static SearchRequest getSearchRequestForIocType(List<String> indices, St
         SearchRequest searchRequest = new SearchRequest(indices.toArray(new String[0]));
         BoolQueryBuilder boolQueryBuilder = QueryBuilders.boolQuery();
         // add the iocs sublist
-        boolQueryBuilder.must(new TermsQueryBuilder(STIX2.VALUE_FIELD + ".keyword", iocsSublist));
+        boolQueryBuilder.must(new TermsQueryBuilder(STIX2.VALUE_FIELD, iocsSublist));
         // add ioc type filter
-        boolQueryBuilder.must(new TermsQueryBuilder(STIX2.TYPE_FIELD + ".keyword", iocType.toLowerCase(Locale.ROOT)));
+        boolQueryBuilder.must(new TermsQueryBuilder(STIX2.TYPE_FIELD, iocType.toLowerCase(Locale.ROOT)));
         searchRequest.source().query(boolQueryBuilder);
         return searchRequest;
     }

src/main/java/org/opensearch/securityanalytics/transport/TransportListIOCsAction.java

@@ -76,8 +76,6 @@
 public class TransportListIOCsAction extends HandledTransportAction<ListIOCsActionRequest, ListIOCsActionResponse> implements SecureTransportAction {
     private static final Logger log = LogManager.getLogger(TransportListIOCsAction.class);
 
-    public static final String STIX2_IOC_NESTED_PATH = "stix2_ioc.";
-
     private final ClusterService clusterService;
     private final TransportSearchTIFSourceConfigsAction transportSearchTIFSourceConfigsAction;
     private final DefaultTifSourceConfigLoaderService defaultTifSourceConfigLoaderService;
@@ -184,30 +182,18 @@ private void listIocs(List<String> iocIndices) {
             // If any of the 'type' options are 'ALL', do not apply 'type' filter
             if (request.getTypes() != null && request.getTypes().stream().noneMatch(type -> ListIOCsActionRequest.ALL_TYPES_FILTER.equalsIgnoreCase(type))) {
                 for (String type : request.getTypes()) {
-                    boolQueryBuilder.should(QueryBuilders.matchQuery(STIX2_IOC_NESTED_PATH + STIX2IOC.TYPE_FIELD, type));
+                    boolQueryBuilder.should(QueryBuilders.matchQuery(STIX2IOC.TYPE_FIELD, type));
                 }
                 boolQueryBuilder.must(typeQueryBuilder);
             }
 
             if (request.getTable().getSearchString() != null && !request.getTable().getSearchString().isEmpty()) {
-                boolQueryBuilder.must(
-                        QueryBuilders.queryStringQuery(request.getTable().getSearchString())
-                                .defaultOperator(Operator.OR)
-//                            .field(STIX2_IOC_NESTED_PATH + STIX2IOC.ID_FIELD) // Currently not a column in UX table
-                                .field(STIX2_IOC_NESTED_PATH + STIX2IOC.NAME_FIELD)
-                                .field(STIX2_IOC_NESTED_PATH + STIX2IOC.VALUE_FIELD)
-                                .field(STIX2_IOC_NESTED_PATH + STIX2IOC.SEVERITY_FIELD)
-                                .field(STIX2_IOC_NESTED_PATH + STIX2IOC.CREATED_FIELD)
-                                .field(STIX2_IOC_NESTED_PATH + STIX2IOC.MODIFIED_FIELD)
-//                            .field(STIX2_IOC_NESTED_PATH + STIX2IOC.DESCRIPTION_FIELD) // Currently not a column in UX table
-//                            .field(STIX2_IOC_NESTED_PATH + STIX2IOC.LABELS_FIELD) // Currently not a column in UX table
-//                            .field(STIX2_IOC_NESTED_PATH + STIX2IOC.SPEC_VERSION_FIELD) // Currently not a column in UX table
-                );
+                boolQueryBuilder.must(QueryBuilders.queryStringQuery(request.getTable().getSearchString()));
             }
 
 
             SortBuilder<FieldSortBuilder> sortBuilder = SortBuilders
-                    .fieldSort(STIX2_IOC_NESTED_PATH + request.getTable().getSortString())
+                    .fieldSort(request.getTable().getSortString())
                     .order(SortOrder.fromString(request.getTable().getSortOrder()));
 
             SearchSourceBuilder searchSourceBuilder = new SearchSourceBuilder()

src/main/resources/mappings/stix2_ioc_mapping.json

@@ -3,42 +3,38 @@
     "schema_version": 1
   },
   "properties": {
-    "stix2_ioc": {
-      "properties": {
-        "name": {
-          "type": "keyword"
-        },
-        "type": {
-          "type": "keyword"
-        },
-        "value": {
-          "type": "keyword"
-        },
-        "severity": {
-          "type": "keyword"
-        },
-        "spec_version": {
-          "type": "keyword"
-        },
-        "created": {
-          "type": "date"
-        },
-        "modified": {
-          "type": "date"
-        },
-        "description": {
-          "type": "text"
-        },
-        "labels": {
-          "type": "keyword"
-        },
-        "feed_id": {
-          "type": "keyword"
-        },
-        "feed_name": {
-          "type": "keyword"
-        }
-      }
+    "name": {
+      "type": "keyword"
+    },
+    "type": {
+      "type": "keyword"
+    },
+    "value": {
+      "type": "keyword"
+    },
+    "severity": {
+      "type": "keyword"
+    },
+    "spec_version": {
+      "type": "keyword"
+    },
+    "created": {
+      "type": "date"
+    },
+    "modified": {
+      "type": "date"
+    },
+    "description": {
+      "type": "text"
+    },
+    "labels": {
+      "type": "keyword"
+    },
+    "feed_id": {
+      "type": "keyword"
+    },
+    "feed_name": {
+      "type": "keyword"
     }
   }
 }