From a79b8ac26b9524f835606896a9d1454dd8cba139 Mon Sep 17 00:00:00 2001
From: Surya Sashank Nistala <snistala@amazon.com>
Date: Mon, 16 Oct 2023 18:17:41 -0700
Subject: [PATCH] test udpate detector disabling threat intel

Signed-off-by: Surya Sashank Nistala <snistala@amazon.com>
---
 .../transport/TransportIndexDetectorAction.java               | 1 +
 .../resthandler/DetectorMonitorRestApiIT.java                 | 4 +---
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction.java
index 3eb0a5112..414591fe4 100644
--- a/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction.java
@@ -691,6 +691,7 @@ private void addThreatIntelBasedDocLevelQueries(Detector detector, List<DocLevel
         try {
 
             if (detector.getThreatIntelEnabled()) {
+                log.debug("threat intel enabled for detector {} . adding threat intel based doc level queries.", detector.getName());
                 List<LogType.IocFields> iocFieldsList = logTypeService.getIocFieldsList(detector.getDetectorType());
                 if (iocFieldsList == null || iocFieldsList.isEmpty()) {
 
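Review bot: The added debug line records only the enabled case: when `detector.getThreatIntelEnabled()` is false nothing is logged at this point, and no else branch is visible in the hunk. Turning threat intel off on a detector reduces its detection coverage, so if the disabled path is not logged elsewhere in `addThreatIntelBasedDocLevelQueries`, add a matching line such as `log.debug("Threat intel disabled for detector [{}]; skipping threat-intel doc-level queries", detector.getName());`. The message text also has a stray space before the period (`{} . adding`); bracketing the placeholder as `[{}]` would keep a user-supplied detector name visually delimited in the log. The method body starts and ends outside the hunk, so confirm against the full function.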
diff --git a/src/test/java/org/opensearch/securityanalytics/resthandler/DetectorMonitorRestApiIT.java b/src/test/java/org/opensearch/securityanalytics/resthandler/DetectorMonitorRestApiIT.java
index a4a38274f..0939a5520 100644
--- a/src/test/java/org/opensearch/securityanalytics/resthandler/DetectorMonitorRestApiIT.java
+++ b/src/test/java/org/opensearch/securityanalytics/resthandler/DetectorMonitorRestApiIT.java
@@ -1078,7 +1078,6 @@ public void testCreateDetectorWiththreatIntelEnabled_updateDetectorWithThreatInt
         DetectorInput input = new DetectorInput("windows detector for security analytics", List.of("windows"), detectorRules,
                 Collections.emptyList());
         Detector detector = randomDetectorWithInputsAndThreatIntel(List.of(input), true);
-
         Response createResponse = makeRequest(client(), "POST", SecurityAnalyticsPlugin.DETECTOR_BASE_URI, Collections.emptyMap(), toHttpEntity(detector));
 
         String request = "{\n" +
@@ -1137,8 +1136,7 @@ public void testCreateDetectorWiththreatIntelEnabled_updateDetectorWithThreatInt
         ArrayList<String> docs = (ArrayList<String>) docLevelQueryResults.get(threatIntelDocLevelQueryId);
         assertEquals(docs.size(), 3);
 
-        detector.setThreatIntelEnabled(false);
-        Response updateResponse = makeRequest(client(), "PUT", SecurityAnalyticsPlugin.DETECTOR_BASE_URI + "/" + detectorId, Collections.emptyMap(), toHttpEntity(detector));
+        Response updateResponse = makeRequest(client(), "PUT", SecurityAnalyticsPlugin.DETECTOR_BASE_URI + "/" + detectorId, Collections.emptyMap(), toHttpEntity(randomDetectorWithInputsAndThreatIntel(List.of(input), true)));
 
         assertEquals("Update detector failed", RestStatus.OK, restStatus(updateResponse));