From a6a159cc1a6f9fc46b9aaaf3a749545134f86e19 Mon Sep 17 00:00:00 2001
From: "opensearch-trigger-bot[bot]" <98922864+opensearch-trigger-bot[bot]@users.noreply.github.com>
Date: Tue, 9 Jul 2024 10:25:27 -0700
Subject: [PATCH] throw error when no iocs are stored due to incompatible ioc types from S3 downloaded iocs file (#1129) (#1148)
(cherry picked from commit 5d3dbca62b8cf36a19fc585b8caa3e29c8319703)
Signed-off-by: Surya Sashank Nistala
Signed-off-by: github-actions[bot]
Co-authored-by: github-actions[bot]
---
 .../securityanalytics/services/STIX2IOCConsumer.java | 8 +++++++-
 .../service/SATIFSourceConfigManagementService.java | 3 +--
 .../transport/TransportGetIocFindingsAction.java | 4 +++-
 3 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/src/main/java/org/opensearch/securityanalytics/services/STIX2IOCConsumer.java b/src/main/java/org/opensearch/securityanalytics/services/STIX2IOCConsumer.java
index 8d53d7ed8..44d3e169e 100644
--- a/src/main/java/org/opensearch/securityanalytics/services/STIX2IOCConsumer.java
+++ b/src/main/java/org/opensearch/securityanalytics/services/STIX2IOCConsumer.java
@@ -7,6 +7,8 @@
 
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.opensearch.OpenSearchStatusException;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.securityanalytics.commons.model.IOC;
 import org.opensearch.securityanalytics.commons.model.STIX2;
 import org.opensearch.securityanalytics.commons.model.UpdateAction;
@@ -43,6 +45,10 @@ public void accept(final STIX2 ioc) {
 // TODO hurneyt refactor once the enum values are updated
 // If the IOC received is not a type listed for the config, do not add it to the queue
 if (!feedStore.getSaTifSourceConfig().getIocTypes().contains(stix2IOC.getType().name())) {
+ log.error("{} is not a supported Ioc type for tif source config {}. Skipping IOC {}: of type {} value {}",
+ stix2IOC.getType().name(), feedStore.getSaTifSourceConfig().getId(),
+ stix2IOC.getId(), stix2IOC.getType(), stix2IOC.getValue()
+ );
 return;
 }
 
@@ -56,7 +62,7 @@ public void accept(final STIX2 ioc) {
 
 public void flushIOCs() {
 if (queue.isEmpty()) {
- return;
+ throw new OpenSearchStatusException("No compatible Iocs were downloaded for config " + feedStore.getSaTifSourceConfig().getName(), RestStatus.BAD_REQUEST);
 }
 
 final List iocsToFlush = new ArrayList<>(queue.size());
diff --git a/src/main/java/org/opensearch/securityanalytics/threatIntel/service/SATIFSourceConfigManagementService.java b/src/main/java/org/opensearch/securityanalytics/threatIntel/service/SATIFSourceConfigManagementService.java
index a5bf23386..fd164224d 100644
--- a/src/main/java/org/opensearch/securityanalytics/threatIntel/service/SATIFSourceConfigManagementService.java
+++ b/src/main/java/org/opensearch/securityanalytics/threatIntel/service/SATIFSourceConfigManagementService.java
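Review bot: The new `log.error` in accept() writes the raw `stix2IOC.getValue()` and `stix2IOC.getId()` from the downloaded feed file into the log once per skipped IOC, so a feed with many unsupported-type entries, or values carrying embedded newlines, lets untrusted content flood or forge log lines. Skipping an unlisted type is expected behaviour rather than a fault, so consider `log.warn` or `log.debug` here, counting skipped entries for a single summary line at flush time, and logging the value in a truncated or escaped form rather than verbatim. The type is also emitted twice (`stix2IOC.getType().name()` and `stix2IOC.getType()`); one is enough. accept() starts before this hunk.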
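Review bot: `queue.isEmpty()` in flushIOCs() is now taken as proof that every downloaded IOC had an incompatible type, but the queue is equally empty when the file contained no IOC entries at all (and, depending on how the queue is drained after a flush, if flushIOCs() is called a second time; the rest of the method is outside this hunk), so the `No compatible Iocs were downloaded` message can misattribute the failure. A counter incremented in accept() whenever an IOC is skipped would let the message state which case occurred, e.g. `throw new OpenSearchStatusException("No Iocs were stored for config " + feedStore.getSaTifSourceConfig().getName() + ": " + skippedCount + " skipped as unsupported types", RestStatus.BAD_REQUEST);`. `RestStatus.BAD_REQUEST` is also debatable since the defect lies in the referenced S3 content rather than the API call; if the intent is that the user correct the config's `iocTypes`, a one-line comment saying so would help the next reader.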
@@ -164,13 +164,12 @@ public void createIocAndTIFSourceConfig(
 saTifSourceConfigService.deleteTIFSourceConfig(indexSaTifSourceConfigResponse, ActionListener.wrap(
 deleteResponse -> {
 log.debug("Successfully deleted threat intel source config [{}]", indexSaTifSourceConfigResponse.getId());
- listener.onFailure(new OpenSearchException("Successfully deleted threat intel source config [{}]", indexSaTifSourceConfigResponse.getId()));
+ listener.onFailure(e);
 }, ex -> {
 log.error("Failed to delete threat intel source config [{}]", indexSaTifSourceConfigResponse.getId());
 listener.onFailure(ex);
 }
 ));
- listener.onFailure(e);
 })
 );
 }, e -> {
diff --git a/src/main/java/org/opensearch/securityanalytics/threatIntel/transport/TransportGetIocFindingsAction.java b/src/main/java/org/opensearch/securityanalytics/threatIntel/transport/TransportGetIocFindingsAction.java
index 2123ffc80..c6ab88435 100644
--- a/src/main/java/org/opensearch/securityanalytics/threatIntel/transport/TransportGetIocFindingsAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/threatIntel/transport/TransportGetIocFindingsAction.java
@@ -110,7 +110,9 @@ protected void doExecute(Task task, GetIocFindingsRequest request, ActionListene
 
 List findingIds = request.getFindingIds();
 if (findingIds != null && !findingIds.isEmpty()) {
- queryBuilder.filter(QueryBuilders.termsQuery("id", findingIds));
+ BoolQueryBuilder findingIdsFilter = QueryBuilders.boolQuery();
+ findingIds.forEach(it -> findingIdsFilter.should(QueryBuilders.matchQuery("_id", it)));
+ queryBuilder.filter(findingIdsFilter);
 }
 
 List iocIds = request.getIocIds();
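Review bot: In the `ex ->` branch just below the moved `listener.onFailure(e)`, the original failure `e` that triggered the rollback is dropped: the caller only sees the delete error `ex`, and the `log.error` on that branch does not pass `ex` either, so neither the root cause nor the cleanup failure's stack trace is recorded anywhere. Suggest `log.error("Failed to delete threat intel source config [{}]", indexSaTifSourceConfigResponse.getId(), ex);` followed by `ex.addSuppressed(e); listener.onFailure(ex);` so the original error survives as a suppressed exception on the one the caller receives. `e` is already captured by the sibling lambda, so it is capturable here too. The enclosing createIocAndTIFSourceConfig() starts and ends outside this hunk.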
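Review bot: The new per-id `should` clauses in doExecute() are subject to `indices.query.bool.max_clause_count` (1024 unless the cluster overrides it), so a request carrying more finding ids than that will now fail with a too_many_clauses error where the former single `termsQuery` did not, and `matchQuery` also runs each id through an analyzer, which `_id` does not need. A single clause filters the same documents without that limit: `queryBuilder.filter(QueryBuilders.idsQuery().addIds(findingIds.toArray(new String[0])));` (assuming findingIds is a `List<String>`; the element type is not visible here) or `queryBuilder.filter(QueryBuilders.termsQuery("_id", findingIds));`. If moving from the `id` field to `_id` was the actual fix, a one-line comment stating that findings are looked up by document `_id` would stop the next reader from reverting it. doExecute() starts before this hunk.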