diff --git a/src/main/java/org/opensearch/securityanalytics/services/STIX2IOCConsumer.java b/src/main/java/org/opensearch/securityanalytics/services/STIX2IOCConsumer.java
index 8d53d7ed8..44d3e169e 100644
--- a/src/main/java/org/opensearch/securityanalytics/services/STIX2IOCConsumer.java
+++ b/src/main/java/org/opensearch/securityanalytics/services/STIX2IOCConsumer.java
@@ -7,6 +7,8 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.opensearch.OpenSearchStatusException;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.securityanalytics.commons.model.IOC;
 import org.opensearch.securityanalytics.commons.model.STIX2;
 import org.opensearch.securityanalytics.commons.model.UpdateAction;
@@ -43,6 +45,10 @@ public void accept(final STIX2 ioc) {
 // TODO hurneyt refactor once the enum values are updated
 // If the IOC received is not a type listed for the config, do not add it to the queue
 if (!feedStore.getSaTifSourceConfig().getIocTypes().contains(stix2IOC.getType().name())) {
+ log.error("{} is not a supported Ioc type for tif source config {}. Skipping IOC {}: of type {} value {}",
+ stix2IOC.getType().name(), feedStore.getSaTifSourceConfig().getId(),
+ stix2IOC.getId(), stix2IOC.getType(), stix2IOC.getValue()
+ );
 return;
 }
@@ -56,7 +62,7 @@ public void accept(final STIX2 ioc) {
 public void flushIOCs() {
 if (queue.isEmpty()) {
- return;
+ throw new OpenSearchStatusException("No compatible Iocs were downloaded for config " + feedStore.getSaTifSourceConfig().getName(), RestStatus.BAD_REQUEST);
 }
 final List iocsToFlush = new ArrayList<>(queue.size());
diff --git a/src/main/java/org/opensearch/securityanalytics/threatIntel/service/SATIFSourceConfigManagementService.java b/src/main/java/org/opensearch/securityanalytics/threatIntel/service/SATIFSourceConfigManagementService.java
index a5bf23386..fd164224d 100644
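Review bot: The new `log.error` in accept() fires once per skipped IOC, so a feed carrying many entries of a type not listed in the config (the `getIocTypes().contains` check just above is the only gate) writes one error line per entry, and error level signals a failure to act on rather than a configured exclusion. Logging per IOC at `log.debug` and keeping a count of skipped entries for a single summary line at flush time preserves the information without the flood; `stix2IOC.getType().name()` and `stix2IOC.getType()` also print the same thing twice in one message. The logged value is feed-supplied content, so it should not be assumed to be single-line or safe to surface at error level. accept() starts outside the hunk.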
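Review bot: Throwing in flushIOCs() whenever the queue is empty ties the "nothing downloaded" error to queue state rather than to what was actually ingested: if flushIOCs() is also invoked mid-feed when a batch fills up (the call sites are outside the hunk, so this is inferred), a final call after an exactly-full last batch would raise "No compatible Iocs were downloaded" for a feed that was fully processed. Keeping a count of IOCs flushed so far in a field and throwing only when that count is still zero would bind the exception to the real condition. The message also cannot distinguish an empty feed from one whose entries were all rejected by the type filter in accept(), and `RestStatus.BAD_REQUEST` fits the second case better than the first, so including the skipped count in the message would help the operator tell them apart. Callers of this previously void no-op path now have to handle an exception from it.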
--- a/src/main/java/org/opensearch/securityanalytics/threatIntel/service/SATIFSourceConfigManagementService.java
+++ b/src/main/java/org/opensearch/securityanalytics/threatIntel/service/SATIFSourceConfigManagementService.java
@@ -164,13 +164,12 @@ public void createIocAndTIFSourceConfig(
 saTifSourceConfigService.deleteTIFSourceConfig(indexSaTifSourceConfigResponse, ActionListener.wrap(
 deleteResponse -> {
 log.debug("Successfully deleted threat intel source config [{}]", indexSaTifSourceConfigResponse.getId());
- listener.onFailure(new OpenSearchException("Successfully deleted threat intel source config [{}]", indexSaTifSourceConfigResponse.getId()));
+ listener.onFailure(e);
 }, ex -> {
 log.error("Failed to delete threat intel source config [{}]", indexSaTifSourceConfigResponse.getId());
 listener.onFailure(ex);
 }
 ));
- listener.onFailure(e);
 })
 );
 }, e -> {
diff --git a/src/main/java/org/opensearch/securityanalytics/threatIntel/transport/TransportGetIocFindingsAction.java b/src/main/java/org/opensearch/securityanalytics/threatIntel/transport/TransportGetIocFindingsAction.java
index 2123ffc80..c6ab88435 100644
--- a/src/main/java/org/opensearch/securityanalytics/threatIntel/transport/TransportGetIocFindingsAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/threatIntel/transport/TransportGetIocFindingsAction.java
@@ -110,7 +110,9 @@ protected void doExecute(Task task, GetIocFindingsRequest request, ActionListene
 List findingIds = request.getFindingIds();
 if (findingIds != null && !findingIds.isEmpty()) {
- queryBuilder.filter(QueryBuilders.termsQuery("id", findingIds));
+ BoolQueryBuilder findingIdsFilter = QueryBuilders.boolQuery();
+ findingIds.forEach(it -> findingIdsFilter.should(QueryBuilders.matchQuery("_id", it)));
+ queryBuilder.filter(findingIdsFilter);
 }
 List iocIds = request.getIocIds();
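Review bot: In the `ex ->` branch of the rollback delete the listener receives only the cleanup failure `ex`, so the original error `e` that triggered the delete is lost to the caller, and the `log.error` on the line above drops it as well because `ex` is never handed to the logger. Attaching the cleanup failure to the root cause keeps both visible: `e.addSuppressed(ex);` followed by `listener.onFailure(e);`, and `log.error("Failed to delete threat intel source config [{}]", indexSaTifSourceConfigResponse.getId(), ex);` so the stack trace is recorded. createIocAndTIFSourceConfig starts and ends outside the hunk.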
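Review bot: The replacement filter builds one `should` clause per finding id, each a `matchQuery` on `_id`, so a request with a long id list is capped by the bool clause limit (`indices.query.bool.max_clause_count`) and `matchQuery` runs analysis on what is an exact identifier. If `findingIds` is a `List<String>` (its element type is stripped in the diff), a single `queryBuilder.filter(QueryBuilders.idsQuery().addIds(findingIds.toArray(new String[0])));` or `queryBuilder.filter(QueryBuilders.termsQuery("_id", findingIds));` expresses the same filter without the per-id loop. The should-only bool is correct here only because no must or filter clause is ever added to `findingIdsFilter`, which is what makes at least one should match required; that invariant deserves a comment if the loop stays. doExecute starts and ends outside the hunk.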