fixed threat intel based tests

Signed-off-by: Surya Sashank Nistala <[email protected]>

src/main/java/org/opensearch/securityanalytics/threatIntel/DetectorThreatIntelService.java

@@ -58,7 +58,7 @@ public List<DocLevelQuery> createDocLevelQueriesFromThreatIntelList(
                 queries.add(new DocLevelQuery(
                         constructId(detector, entry.getKey()), tifdList.get(0).getFeedId(),
                         Collections.emptyList(),
-                        "windows-hostname:(120.85.114.146 OR 103.104.106.223 OR 185.191.246.45 OR 120.86.237.94)",
+                        String.format(query, field),
                         List.of("threat_intel", entry.getKey() /*ioc_type*/)
                 ));
             }

src/main/resources/OSMapping/test_windows_logtype.json

@@ -5,7 +5,7 @@
   "ioc_fields": [
     {
       "ioc": "ip",
-      "fields": ["HostName"]
+      "fields": ["windows-hostname"]
     }
   ],
   "mappings": [

src/test/java/org/opensearch/securityanalytics/TestHelpers.java

@@ -1397,7 +1397,7 @@ public static String randomDocWithIpIoc(int severity,  int version, String ioc)
                 "\"AccountType\":\"User\",\n" +
                 "\"Message\":\"Dns query:\\r\\nRuleName: \\r\\nUtcTime: 2020-02-04 14:59:38.349\\r\\nProcessGuid: {b3c285a4-3cda-5dc0-0000-001077270b00}\\r\\nProcessId: 1904\\r\\nQueryName: EC2AMAZ-EPO7HKA\\r\\nQueryStatus: 0\\r\\nQueryResults: 172.31.46.38;\\r\\nImage: C:\\\\Program Files\\\\nxlog\\\\nxlog.exe\",\n" +
                 "\"Category\":\"Dns query (rule: DnsQuery)\",\n" +
-                "\"Opcode\":\"%blahblah\",\n" +
+                "\"Opcode\":\"blahblah\",\n" +
                 "\"UtcTime\":\"2020-02-04 14:59:38.349\",\n" +
                 "\"ProcessGuid\":\"{b3c285a4-3cda-5dc0-0000-001077270b00}\",\n" +
                 "\"ProcessId\":\"1904\",\"QueryName\":\"EC2AMAZ-EPO7HKA\",\"QueryStatus\":\"0\",\n" +
@@ -1409,7 +1409,7 @@ public static String randomDocWithIpIoc(int severity,  int version, String ioc)
                 "\"CommandLine\": \"eachtest\",\n" +
                 "\"Initiated\": \"true\"\n" +
                 "}";
-        return String.format(Locale.ROOT, ioc, doc, severity, version);
+        return String.format(Locale.ROOT, doc, ioc, severity, version);
 
     }
 

src/test/java/org/opensearch/securityanalytics/resthandler/DetectorMonitorRestApiIT.java

@@ -39,6 +39,7 @@
 import static org.opensearch.securityanalytics.TestHelpers.randomDetectorWithInputsAndThreatIntel;
 import static org.opensearch.securityanalytics.TestHelpers.randomDetectorWithInputsAndTriggers;
 import static org.opensearch.securityanalytics.TestHelpers.randomDoc;
+import static org.opensearch.securityanalytics.TestHelpers.randomDocWithIpIoc;
 import static org.opensearch.securityanalytics.TestHelpers.randomIndex;
 import static org.opensearch.securityanalytics.TestHelpers.randomRule;
 import static org.opensearch.securityanalytics.TestHelpers.windowsIndexMapping;
@@ -1119,7 +1120,7 @@ public void testCreateDetector_threatIntelEnabled_updateDetectorWithNewThreatInt
         List<String> iocs = getThreatIntelFeedIocs(3);
         int i=1;
         for (String ioc : iocs) {
-            indexDoc(index, i+"", randomDoc(5, 3, i==1? "120.85.114.146" : "120.86.237.94"));
+            indexDoc(index, i+"", randomDocWithIpIoc(5, 3, ioc));
             i++;
         }
         String workflowId = ((List<String>) detectorMap.get("workflow_ids")).get(0);
@@ -1134,7 +1135,7 @@ public void testCreateDetector_threatIntelEnabled_updateDetectorWithNewThreatInt
         assertEquals(2, noOfSigmaRuleMatches);
         String threatIntelDocLevelQueryId = docLevelQueryResults.keySet().stream().filter(id -> id.contains(detector.getName() + "_threat_intel")).findAny().get();
         ArrayList<String> docs = (ArrayList<String>) docLevelQueryResults.get(threatIntelDocLevelQueryId);
-        assertEquals(docs.size(), 2);
+        assertEquals(docs.size(), 3);
 //
 //        Response updateResponse = makeRequest(client(), "PUT", SecurityAnalyticsPlugin.DETECTOR_BASE_URI + "/" + detectorId, Collections.emptyMap(), toHttpEntity(detector));
 //