From 3367c703cd01be1c9cb7e9ee65fca03b453d1d35 Mon Sep 17 00:00:00 2001
From: Krishna Awasthi <140143710+opbot-xd@users.noreply.github.com>
Date: Tue, 16 Dec 2025 18:26:41 +0530
Subject: [PATCH 1/2] Add IOC type filter to Feeds API and page. Closes #551
 (#610)

* feat: add IOC type filter to Feeds API and page

* fix: wrap Prioritize field in Col component to fix JSX syntax error

* test: add frontend tests for IOC type filter

* Fix test_valid_fields by adding missing required ioc_type field

* Fix failing tests and bugs: Update assertions, fix feeds filtering, improve validation

* refactor: adjust form column widths and consolidate form groups in the Feeds component.
---
 api/serializers.py                            |   5 +-
 api/views/feeds.py                            |   4 +-
 api/views/utils.py                            |   5 +
 frontend/src/components/feeds/Feeds.jsx       |  35 +++++-
 .../tests/components/feeds/Feeds.test.jsx     |  16 ++-
 tests/__init__.py                             |  24 ++++
 tests/test_serializers.py                     |   1 +
 tests/test_views.py                           | 119 +++++++++++++-----
 8 files changed, 168 insertions(+), 41 deletions(-)

diff --git a/api/serializers.py b/api/serializers.py
index 917a0f44..8be204e7 100644
--- a/api/serializers.py
+++ b/api/serializers.py
@@ -38,7 +38,9 @@ def validate(self, data):
         Check a given observable against regex expression
         """
         observable = data["query"]
-        if not re.match(REGEX_IP, observable) or not re.match(REGEX_DOMAIN, observable):
+        if re.match(r"^[\d\.]+$", observable) and not re.match(REGEX_IP, observable):
+            raise serializers.ValidationError("Observable is not a valid IP")
+        if not re.match(REGEX_IP, observable) and not re.match(REGEX_DOMAIN, observable):
             raise serializers.ValidationError("Observable is not a valid IP or domain")
         try:
             required_object = IOC.objects.get(name=observable)
@@ -95,6 +97,7 @@ def ordering_validation(ordering: str) -> str:
 class FeedsRequestSerializer(serializers.Serializer):
     feed_type = serializers.CharField(max_length=120)
     attack_type = serializers.ChoiceField(choices=["scanner", "payload_request", "all"])
+    ioc_type = serializers.ChoiceField(choices=["ip", "domain", "all"])
     max_age = serializers.IntegerField(min_value=1)
     min_days_seen = serializers.IntegerField(min_value=1)
     include_reputation = serializers.ListField(child=serializers.CharField(max_length=120))
diff --git a/api/views/feeds.py b/api/views/feeds.py
index 5e309d11..1e953e26 100644
--- a/api/views/feeds.py
+++ b/api/views/feeds.py
@@ -33,7 +33,9 @@ def feeds(request, feed_type, attack_type, prioritize, format_):
     """
     logger.info(f"request /api/feeds with params: feed type: {feed_type}, " f"attack_type: {attack_type}, prioritization: {prioritize}, format: {format_}")
 
-    feed_params = FeedRequestParams({"feed_type": feed_type, "attack_type": attack_type, "format_": format_})
+    feed_params_data = request.query_params.dict()
+    feed_params_data.update({"feed_type": feed_type, "attack_type": attack_type, "format_": format_})
+    feed_params = FeedRequestParams(feed_params_data)
     feed_params.apply_default_filters(request.query_params)
     feed_params.set_prioritization(prioritize)
 
diff --git a/api/views/utils.py b/api/views/utils.py
index 39c2ae1c..f3968740 100644
--- a/api/views/utils.py
+++ b/api/views/utils.py
@@ -46,6 +46,7 @@ class FeedRequestParams:
     Attributes:
         feed_type (str): Type of feed to retrieve (default: "all")
         attack_type (str): Type of attack to filter (default: "all")
+        ioc_type (str): Type of IOC to filter - 'ip', 'domain', or 'all' (default: "all")
         max_age (str): Maximum number of days since last occurrence (default: "3")
         min_days_seen (str): Minimum number of days on which an IOC must have been seen (default: "1")
         include_reputation (list): List of reputation values to include (default: [])
@@ -65,6 +66,7 @@ def __init__(self, query_params: dict):
         """
         self.feed_type = query_params.get("feed_type", "all").lower()
         self.attack_type = query_params.get("attack_type", "all").lower()
+        self.ioc_type = query_params.get("ioc_type", "all").lower()
         self.max_age = query_params.get("max_age", "3")
         self.min_days_seen = query_params.get("min_days_seen", "1")
         self.include_reputation = query_params["include_reputation"].split(";") if "include_reputation" in query_params else []
@@ -154,6 +156,9 @@ def get_queryset(request, feed_params, valid_feed_types):
     if feed_params.attack_type != "all":
         query_dict[feed_params.attack_type] = True
 
+    if feed_params.ioc_type != "all":
+        query_dict["type"] = feed_params.ioc_type
+
     query_dict["last_seen__gte"] = datetime.now() - timedelta(days=int(feed_params.max_age))
     if int(feed_params.min_days_seen) > 1:
         query_dict["number_of_days_seen__gte"] = int(feed_params.min_days_seen)
diff --git a/frontend/src/components/feeds/Feeds.jsx b/frontend/src/components/feeds/Feeds.jsx
index 314d3b3c..6b03bfe7 100644
--- a/frontend/src/components/feeds/Feeds.jsx
+++ b/frontend/src/components/feeds/Feeds.jsx
@@ -26,6 +26,12 @@ const attackTypeChoices = [
   { label: "Payload request", value: "payload_request" },
 ];
 
+const iocTypeChoices = [
+  { label: "All", value: "all" },
+  { label: "IP addresses", value: "ip" },
+  { label: "Domains", value: "domain" },
+];
+
 const prioritizationChoices = [
   { label: "Recent", value: "recent" },
   { label: "Persistent", value: "persistent" },
@@ -36,6 +42,7 @@ const prioritizationChoices = [
 const initialValues = {
   feeds_type: "all",
   attack_type: "all",
+  ioc_type: "all",
   prioritize: "recent",
 };
 
@@ -87,6 +94,7 @@ export default function Feeds() {
       params: {
         feed_type: initialValues.feeds_type,
         attack_type: initialValues.attack_type,
+        ioc_type: initialValues.ioc_type,
         prioritize: initialValues.prioritize,
       },
       initialParams: {
@@ -102,10 +110,11 @@ export default function Feeds() {
     (values) => {
       try {
         setUrl(
-          `${FEEDS_BASE_URI}/${values.feeds_type}/${values.attack_type}/${values.prioritize}.json`
+          `${FEEDS_BASE_URI}/${values.feeds_type}/${values.attack_type}/${values.prioritize}.json?ioc_type=${values.ioc_type}`
         );
         initialValues.feeds_type = values.feeds_type;
         initialValues.attack_type = values.attack_type;
+        initialValues.ioc_type = values.ioc_type;
         initialValues.prioritize = values.prioritize;
 
         const resetPage = {
@@ -148,7 +157,7 @@ export default function Feeds() {
                   {(formik) => (
                     <Form>
                       <FormGroup row>
-                        <Col sm={12} md={4}>
+                        <Col sm={12} md={3}>
                           <Label
                             className="form-control-label"
                             htmlFor="Feeds__feeds_type"
@@ -166,7 +175,7 @@ export default function Feeds() {
                             }}
                           />
                         </Col>
-                        <Col sm={12} md={4}>
+                        <Col sm={12} md={3}>
                           <Label
                             className="form-control-label"
                             htmlFor="Feeds__attack_type"
@@ -184,7 +193,25 @@ export default function Feeds() {
                             }}
                           />
                         </Col>
-                        <Col sm={12} md={4}>
+                        <Col sm={12} md={3}>
+                          <Label
+                            className="form-control-label"
+                            htmlFor="Feeds__ioc_type"
+                          >
+                            IOC type:
+                          </Label>
+                          <Select
+                            id="Feeds__ioc_type"
+                            name="ioc_type"
+                            value={initialValues.ioc_type}
+                            choices={iocTypeChoices}
+                            onChange={(e) => {
+                              formik.handleChange(e);
+                              formik.submitForm();
+                            }}
+                          />
+                        </Col>
+                        <Col sm={12} md={3}>
                           <Label
                             className="form-control-label"
                             htmlFor="Feeds__prioritize"
diff --git a/frontend/tests/components/feeds/Feeds.test.jsx b/frontend/tests/components/feeds/Feeds.test.jsx
index f51d4662..38a4ea80 100644
--- a/frontend/tests/components/feeds/Feeds.test.jsx
+++ b/frontend/tests/components/feeds/Feeds.test.jsx
@@ -72,6 +72,8 @@ describe("Feeds component", () => {
     expect(feedTypeSelectElement).toBeInTheDocument();
     const attackTypeSelectElement = screen.getByLabelText("Attack type:");
     expect(attackTypeSelectElement).toBeInTheDocument();
+    const iocTypeSelectElement = screen.getByLabelText("IOC type:");
+    expect(iocTypeSelectElement).toBeInTheDocument();
     const prioritizationSelectElement = screen.getByLabelText("Prioritize:");
     expect(prioritizationSelectElement).toBeInTheDocument();
 
@@ -83,13 +85,23 @@ describe("Feeds component", () => {
 
     await user.selectOptions(feedTypeSelectElement, "log4j");
     await user.selectOptions(attackTypeSelectElement, "scanner");
+    await user.selectOptions(iocTypeSelectElement, "ip");
     await user.selectOptions(prioritizationSelectElement, "persistent");
 
     await waitFor(() => {
-      // check link has been changed
+      // check link has been changed including ioc_type parameter
       expect(buttonRawData).toHaveAttribute(
         "href",
-        "/api/feeds/log4j/scanner/persistent.json"
+        "/api/feeds/log4j/scanner/persistent.json?ioc_type=ip"
+      );
+    });
+
+    // Test selecting domain IOC type
+    await user.selectOptions(iocTypeSelectElement, "domain");
+    await waitFor(() => {
+      expect(buttonRawData).toHaveAttribute(
+        "href",
+        "/api/feeds/log4j/scanner/persistent.json?ioc_type=domain"
       );
     });
   });
diff --git a/tests/__init__.py b/tests/__init__.py
index 31329e0d..e7a23e29 100644
--- a/tests/__init__.py
+++ b/tests/__init__.py
@@ -81,12 +81,36 @@ def setUpTestData(cls):
             expected_interactions=11.1,
         )
 
+        cls.ioc_domain = IOC.objects.create(
+            name="malicious.example.com",
+            type=iocType.DOMAIN.value,
+            first_seen=cls.current_time,
+            last_seen=cls.current_time,
+            days_seen=[cls.current_time],
+            number_of_days_seen=1,
+            attack_count=1,
+            interaction_count=1,
+            log4j=True,
+            cowrie=False,
+            scanner=False,
+            payload_request=True,
+            related_urls=[],
+            ip_reputation="",
+            asn=None,
+            destination_ports=[],
+            login_attempts=0,
+            recurrence_probability=0.2,
+            expected_interactions=5.5,
+        )
+
         cls.ioc.general_honeypot.add(cls.heralding)  # FEEDS
         cls.ioc.general_honeypot.add(cls.ciscoasa)  # FEEDS
         cls.ioc.save()
         cls.ioc_2.general_honeypot.add(cls.heralding)  # FEEDS
         cls.ioc_2.general_honeypot.add(cls.ciscoasa)  # FEEDS
         cls.ioc_2.save()
+        cls.ioc_domain.general_honeypot.add(cls.heralding)  # FEEDS
+        cls.ioc_domain.save()
 
         cls.cmd_seq = ["cd foo", "ls -la"]
         cls.hash = sha256("\n".join(cls.cmd_seq).encode()).hexdigest()
diff --git a/tests/test_serializers.py b/tests/test_serializers.py
index fb56cfee..f78ebc0f 100644
--- a/tests/test_serializers.py
+++ b/tests/test_serializers.py
@@ -25,6 +25,7 @@ def test_valid_fields(self):
         choices = {
             "feed_type": ["all", "log4j", "cowrie", "adbhoney"],
             "attack_type": ["all", "scanner", "payload_request"],
+            "ioc_type": ["ip", "domain", "all"],
             "max_age": [str(n) for n in [1, 2, 4, 8, 16]],
             "min_days_seen": [str(n) for n in [1, 2, 4, 8, 16]],
             "include_reputation": [[], ["known attacker"], ["known attacker", "mass scanner"]],
diff --git a/tests/test_views.py b/tests/test_views.py
index e6d9c587..21672157 100644
--- a/tests/test_views.py
+++ b/tests/test_views.py
@@ -61,29 +61,40 @@ def test_200_all_feeds(self):
         response = self.client.get("/api/feeds/all/all/recent.json")
         self.assertEqual(response.status_code, 200)
         self.assertEqual(response.json()["license"], FEEDS_LICENSE)
-        self.assertEqual(response.json()["iocs"][0]["feed_type"], ["log4j", "cowrie", "heralding", "ciscoasa"])
-        self.assertEqual(response.json()["iocs"][0]["attack_count"], 1)
-        self.assertEqual(response.json()["iocs"][0]["scanner"], True)
-        self.assertEqual(response.json()["iocs"][0]["payload_request"], True)
-        self.assertEqual(response.json()["iocs"][0]["recurrence_probability"], self.ioc.recurrence_probability)
-        self.assertEqual(response.json()["iocs"][0]["expected_interactions"], self.ioc.expected_interactions)
+
+        iocs = response.json()["iocs"]
+        target_ioc = next((i for i in iocs if i["value"] == self.ioc.name), None)
+        self.assertIsNotNone(target_ioc)
+
+        self.assertEqual(target_ioc["feed_type"], ["log4j", "cowrie", "heralding", "ciscoasa"])
+        self.assertEqual(target_ioc["attack_count"], 1)
+        self.assertEqual(target_ioc["scanner"], True)
+        self.assertEqual(target_ioc["payload_request"], True)
+        self.assertEqual(target_ioc["recurrence_probability"], self.ioc.recurrence_probability)
+        self.assertEqual(target_ioc["expected_interactions"], self.ioc.expected_interactions)
 
     def test_200_general_feeds(self):
         response = self.client.get("/api/feeds/heralding/all/recent.json")
         self.assertEqual(response.status_code, 200)
         self.assertEqual(response.json()["license"], FEEDS_LICENSE)
-        self.assertEqual(response.json()["iocs"][0]["feed_type"], ["log4j", "cowrie", "heralding", "ciscoasa"])
-        self.assertEqual(response.json()["iocs"][0]["attack_count"], 1)
-        self.assertEqual(response.json()["iocs"][0]["scanner"], True)
-        self.assertEqual(response.json()["iocs"][0]["payload_request"], True)
-        self.assertEqual(response.json()["iocs"][0]["recurrence_probability"], self.ioc.recurrence_probability)
-        self.assertEqual(response.json()["iocs"][0]["expected_interactions"], self.ioc.expected_interactions)
+
+        iocs = response.json()["iocs"]
+        target_ioc = next((i for i in iocs if i["value"] == self.ioc.name), None)
+        self.assertIsNotNone(target_ioc)
+
+        self.assertEqual(target_ioc["feed_type"], ["log4j", "cowrie", "heralding", "ciscoasa"])
+        self.assertEqual(target_ioc["attack_count"], 1)
+        self.assertEqual(target_ioc["scanner"], True)
+        self.assertEqual(target_ioc["payload_request"], True)
+        self.assertEqual(target_ioc["recurrence_probability"], self.ioc.recurrence_probability)
+        self.assertEqual(target_ioc["expected_interactions"], self.ioc.expected_interactions)
 
     def test_200_feeds_scanner_inclusion(self):
         response = self.client.get("/api/feeds/heralding/all/recent.json?include_mass_scanners")
         self.assertEqual(response.status_code, 200)
         self.assertEqual(response.json()["license"], FEEDS_LICENSE)
-        self.assertEqual(len(response.json()["iocs"]), 2)
+        # Expecting 3 because setupTestData creates 3 IOCs (ioc, ioc_2, ioc_domain) associated with Heralding
+        self.assertEqual(len(response.json()["iocs"]), 3)
 
     def test_400_feeds(self):
         response = self.client.get("/api/feeds/test/all/recent.json")
@@ -92,24 +103,55 @@ def test_400_feeds(self):
     def test_200_feeds_pagination(self):
         response = self.client.get("/api/feeds/?page_size=10&page=1&feed_type=all&attack_type=all&age=recent")
         self.assertEqual(response.status_code, 200)
-        self.assertEqual(response.json()["count"], 1)
+        self.assertEqual(response.json()["count"], 2)
         self.assertEqual(response.json()["total_pages"], 1)
 
     def test_200_feeds_pagination_inclusion_mass(self):
         response = self.client.get("/api/feeds/?page_size=10&page=1&feed_type=all&attack_type=all&age=recent&include_mass_scanners")
         self.assertEqual(response.status_code, 200)
-        self.assertEqual(response.json()["count"], 2)
+        self.assertEqual(response.json()["count"], 3)
 
     def test_200_feeds_pagination_inclusion_tor(self):
         response = self.client.get("/api/feeds/?page_size=10&page=1&feed_type=all&attack_type=all&age=recent&include_tor_exit_nodes")
         self.assertEqual(response.status_code, 200)
-        self.assertEqual(response.json()["count"], 2)
+        self.assertEqual(response.json()["count"], 3)
 
     def test_200_feeds_pagination_inclusion_mass_and_tor(self):
         response = self.client.get("/api/feeds/?page_size=10&page=1&feed_type=all&attack_type=all&age=recent&include_mass_scanners&include_tor_exit_nodes")
         self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.json()["count"], 4)
+
+    def test_200_feeds_filter_ip_only(self):
+        response = self.client.get("/api/feeds/all/all/recent.json?ioc_type=ip")
+        self.assertEqual(response.status_code, 200)
+        # Should only return IP addresses, not domains
+        for ioc in response.json()["iocs"]:
+            # Verify all returned values are IPs (contain dots and numbers pattern)
+            self.assertRegex(ioc["value"], r"^\d+\.\d+\.\d+\.\d+$")
+
+    def test_200_feeds_filter_domain_only(self):
+        response = self.client.get("/api/feeds/all/all/recent.json?ioc_type=domain")
+        self.assertEqual(response.status_code, 200)
+        # Should only return domains, not IPs
+        self.assertGreater(len(response.json()["iocs"]), 0)
+        for ioc in response.json()["iocs"]:
+            # Verify all returned values are domains (contain alphabetic characters)
+            self.assertRegex(ioc["value"], r"[a-zA-Z]")
+
+    def test_200_feeds_pagination_filter_ip(self):
+        response = self.client.get(
+            "/api/feeds/?page_size=10&page=1&feed_type=all&attack_type=all&age=recent&ioc_type=ip&include_mass_scanners&include_tor_exit_nodes"
+        )
+        self.assertEqual(response.status_code, 200)
+        # Should return only IPs (3 in test data)
         self.assertEqual(response.json()["count"], 3)
 
+    def test_200_feeds_pagination_filter_domain(self):
+        response = self.client.get("/api/feeds/?page_size=10&page=1&feed_type=all&attack_type=all&age=recent&ioc_type=domain")
+        self.assertEqual(response.status_code, 200)
+        # Should return only domains (1 in test data)
+        self.assertEqual(response.json()["count"], 1)
+
     def test_400_feeds_pagination(self):
         response = self.client.get("/api/feeds/?page_size=10&page=1&feed_type=all&attack_type=test&age=recent")
         self.assertEqual(response.status_code, 400)
@@ -124,23 +166,33 @@ def test_200_all_feeds(self):
         response = self.client.get("/api/feeds/advanced/")
         self.assertEqual(response.status_code, 200)
         self.assertEqual(response.json()["license"], FEEDS_LICENSE)
-        self.assertEqual(response.json()["iocs"][0]["feed_type"], ["log4j", "cowrie", "heralding", "ciscoasa"])
-        self.assertEqual(response.json()["iocs"][0]["attack_count"], 1)
-        self.assertEqual(response.json()["iocs"][0]["scanner"], True)
-        self.assertEqual(response.json()["iocs"][0]["payload_request"], True)
-        self.assertEqual(response.json()["iocs"][0]["recurrence_probability"], self.ioc.recurrence_probability)
-        self.assertEqual(response.json()["iocs"][0]["expected_interactions"], self.ioc.expected_interactions)
+
+        iocs = response.json()["iocs"]
+        target_ioc = next((i for i in iocs if i["value"] == self.ioc.name), None)
+        self.assertIsNotNone(target_ioc)
+
+        self.assertEqual(target_ioc["feed_type"], ["log4j", "cowrie", "heralding", "ciscoasa"])
+        self.assertEqual(target_ioc["attack_count"], 1)
+        self.assertEqual(target_ioc["scanner"], True)
+        self.assertEqual(target_ioc["payload_request"], True)
+        self.assertEqual(target_ioc["recurrence_probability"], self.ioc.recurrence_probability)
+        self.assertEqual(target_ioc["expected_interactions"], self.ioc.expected_interactions)
 
     def test_200_general_feeds(self):
         response = self.client.get("/api/feeds/advanced/?feed_type=heralding")
         self.assertEqual(response.status_code, 200)
         self.assertEqual(response.json()["license"], FEEDS_LICENSE)
-        self.assertEqual(response.json()["iocs"][0]["feed_type"], ["log4j", "cowrie", "heralding", "ciscoasa"])
-        self.assertEqual(response.json()["iocs"][0]["attack_count"], 1)
-        self.assertEqual(response.json()["iocs"][0]["scanner"], True)
-        self.assertEqual(response.json()["iocs"][0]["payload_request"], True)
-        self.assertEqual(response.json()["iocs"][0]["recurrence_probability"], self.ioc.recurrence_probability)
-        self.assertEqual(response.json()["iocs"][0]["expected_interactions"], self.ioc.expected_interactions)
+
+        iocs = response.json()["iocs"]
+        target_ioc = next((i for i in iocs if i["value"] == self.ioc.name), None)
+        self.assertIsNotNone(target_ioc)
+
+        self.assertEqual(target_ioc["feed_type"], ["log4j", "cowrie", "heralding", "ciscoasa"])
+        self.assertEqual(target_ioc["attack_count"], 1)
+        self.assertEqual(target_ioc["scanner"], True)
+        self.assertEqual(target_ioc["payload_request"], True)
+        self.assertEqual(target_ioc["recurrence_probability"], self.ioc.recurrence_probability)
+        self.assertEqual(target_ioc["expected_interactions"], self.ioc.expected_interactions)
 
     def test_400_feeds(self):
         response = self.client.get("/api/feeds/advanced/?attack_type=test")
@@ -149,7 +201,7 @@ def test_400_feeds(self):
     def test_200_feeds_pagination(self):
         response = self.client.get("/api/feeds/advanced/?paginate=true&page_size=10&page=1")
         self.assertEqual(response.status_code, 200)
-        self.assertEqual(response.json()["count"], 3)
+        self.assertEqual(response.json()["count"], 4)
         self.assertEqual(response.json()["total_pages"], 1)
 
     def test_200_feeds_pagination_include(self):
@@ -161,13 +213,13 @@ def test_200_feeds_pagination_include(self):
     def test_200_feeds_pagination_exclude_mass(self):
         response = self.client.get("/api/feeds/advanced/?paginate=true&page_size=10&page=1&exclude_reputation=mass%20scanner")
         self.assertEqual(response.status_code, 200)
-        self.assertEqual(response.json()["count"], 2)
+        self.assertEqual(response.json()["count"], 3)
         self.assertEqual(response.json()["total_pages"], 1)
 
     def test_200_feeds_pagination_exclude_tor(self):
         response = self.client.get("/api/feeds/advanced/?paginate=true&page_size=10&page=1&exclude_reputation=tor%20exit%20node")
         self.assertEqual(response.status_code, 200)
-        self.assertEqual(response.json()["count"], 2)
+        self.assertEqual(response.json()["count"], 3)
         self.assertEqual(response.json()["total_pages"], 1)
 
     def test_400_feeds_pagination(self):
@@ -216,9 +268,10 @@ def test_200_feed_types(self):
 
         response = self.client.get("/api/statistics/feeds_types")
         self.assertEqual(response.status_code, 200)
-        self.assertEqual(response.json()[0]["Heralding"], 2)
+        # Expecting 3 because setupTestData creates 3 IOCs (ioc, ioc_2, ioc_domain) associated with Heralding
+        self.assertEqual(response.json()[0]["Heralding"], 3)
         self.assertEqual(response.json()[0]["Ciscoasa"], 2)
-        self.assertEqual(response.json()[0]["Log4j"], 2)
+        self.assertEqual(response.json()[0]["Log4j"], 3)
         self.assertEqual(response.json()[0]["Cowrie"], 3)
         self.assertEqual(response.json()[0]["Tanner"], 0)
 

From 5ad7792b5be84cd746eee61f54355b3e4a769890 Mon Sep 17 00:00:00 2001
From: tim <46972822+regulartim@users.noreply.github.com>
Date: Tue, 16 Dec 2025 14:08:00 +0100
Subject: [PATCH 2/2] Revert "Add IOC type filter to Feeds API and page. Closes
 #551 (#610)" (#615)

This reverts commit 3367c703cd01be1c9cb7e9ee65fca03b453d1d35.
---
 api/serializers.py                            |   5 +-
 api/views/feeds.py                            |   4 +-
 api/views/utils.py                            |   5 -
 frontend/src/components/feeds/Feeds.jsx       |  35 +-----
 .../tests/components/feeds/Feeds.test.jsx     |  16 +--
 tests/__init__.py                             |  24 ----
 tests/test_serializers.py                     |   1 -
 tests/test_views.py                           | 119 +++++-------------
 8 files changed, 41 insertions(+), 168 deletions(-)

diff --git a/api/serializers.py b/api/serializers.py
index 8be204e7..917a0f44 100644
--- a/api/serializers.py
+++ b/api/serializers.py
@@ -38,9 +38,7 @@ def validate(self, data):
         Check a given observable against regex expression
         """
         observable = data["query"]
-        if re.match(r"^[\d\.]+$", observable) and not re.match(REGEX_IP, observable):
-            raise serializers.ValidationError("Observable is not a valid IP")
-        if not re.match(REGEX_IP, observable) and not re.match(REGEX_DOMAIN, observable):
+        if not re.match(REGEX_IP, observable) or not re.match(REGEX_DOMAIN, observable):
             raise serializers.ValidationError("Observable is not a valid IP or domain")
         try:
             required_object = IOC.objects.get(name=observable)
@@ -97,7 +95,6 @@ def ordering_validation(ordering: str) -> str:
 class FeedsRequestSerializer(serializers.Serializer):
     feed_type = serializers.CharField(max_length=120)
     attack_type = serializers.ChoiceField(choices=["scanner", "payload_request", "all"])
-    ioc_type = serializers.ChoiceField(choices=["ip", "domain", "all"])
     max_age = serializers.IntegerField(min_value=1)
     min_days_seen = serializers.IntegerField(min_value=1)
     include_reputation = serializers.ListField(child=serializers.CharField(max_length=120))
diff --git a/api/views/feeds.py b/api/views/feeds.py
index 1e953e26..5e309d11 100644
--- a/api/views/feeds.py
+++ b/api/views/feeds.py
@@ -33,9 +33,7 @@ def feeds(request, feed_type, attack_type, prioritize, format_):
     """
     logger.info(f"request /api/feeds with params: feed type: {feed_type}, " f"attack_type: {attack_type}, prioritization: {prioritize}, format: {format_}")
 
-    feed_params_data = request.query_params.dict()
-    feed_params_data.update({"feed_type": feed_type, "attack_type": attack_type, "format_": format_})
-    feed_params = FeedRequestParams(feed_params_data)
+    feed_params = FeedRequestParams({"feed_type": feed_type, "attack_type": attack_type, "format_": format_})
     feed_params.apply_default_filters(request.query_params)
     feed_params.set_prioritization(prioritize)
 
diff --git a/api/views/utils.py b/api/views/utils.py
index f3968740..39c2ae1c 100644
--- a/api/views/utils.py
+++ b/api/views/utils.py
@@ -46,7 +46,6 @@ class FeedRequestParams:
     Attributes:
         feed_type (str): Type of feed to retrieve (default: "all")
         attack_type (str): Type of attack to filter (default: "all")
-        ioc_type (str): Type of IOC to filter - 'ip', 'domain', or 'all' (default: "all")
         max_age (str): Maximum number of days since last occurrence (default: "3")
         min_days_seen (str): Minimum number of days on which an IOC must have been seen (default: "1")
         include_reputation (list): List of reputation values to include (default: [])
@@ -66,7 +65,6 @@ def __init__(self, query_params: dict):
         """
         self.feed_type = query_params.get("feed_type", "all").lower()
         self.attack_type = query_params.get("attack_type", "all").lower()
-        self.ioc_type = query_params.get("ioc_type", "all").lower()
         self.max_age = query_params.get("max_age", "3")
         self.min_days_seen = query_params.get("min_days_seen", "1")
         self.include_reputation = query_params["include_reputation"].split(";") if "include_reputation" in query_params else []
@@ -156,9 +154,6 @@ def get_queryset(request, feed_params, valid_feed_types):
     if feed_params.attack_type != "all":
         query_dict[feed_params.attack_type] = True
 
-    if feed_params.ioc_type != "all":
-        query_dict["type"] = feed_params.ioc_type
-
     query_dict["last_seen__gte"] = datetime.now() - timedelta(days=int(feed_params.max_age))
     if int(feed_params.min_days_seen) > 1:
         query_dict["number_of_days_seen__gte"] = int(feed_params.min_days_seen)
diff --git a/frontend/src/components/feeds/Feeds.jsx b/frontend/src/components/feeds/Feeds.jsx
index 6b03bfe7..314d3b3c 100644
--- a/frontend/src/components/feeds/Feeds.jsx
+++ b/frontend/src/components/feeds/Feeds.jsx
@@ -26,12 +26,6 @@ const attackTypeChoices = [
   { label: "Payload request", value: "payload_request" },
 ];
 
-const iocTypeChoices = [
-  { label: "All", value: "all" },
-  { label: "IP addresses", value: "ip" },
-  { label: "Domains", value: "domain" },
-];
-
 const prioritizationChoices = [
   { label: "Recent", value: "recent" },
   { label: "Persistent", value: "persistent" },
@@ -42,7 +36,6 @@ const prioritizationChoices = [
 const initialValues = {
   feeds_type: "all",
   attack_type: "all",
-  ioc_type: "all",
   prioritize: "recent",
 };
 
@@ -94,7 +87,6 @@ export default function Feeds() {
       params: {
         feed_type: initialValues.feeds_type,
         attack_type: initialValues.attack_type,
-        ioc_type: initialValues.ioc_type,
         prioritize: initialValues.prioritize,
       },
       initialParams: {
@@ -110,11 +102,10 @@ export default function Feeds() {
     (values) => {
       try {
         setUrl(
-          `${FEEDS_BASE_URI}/${values.feeds_type}/${values.attack_type}/${values.prioritize}.json?ioc_type=${values.ioc_type}`
+          `${FEEDS_BASE_URI}/${values.feeds_type}/${values.attack_type}/${values.prioritize}.json`
         );
         initialValues.feeds_type = values.feeds_type;
         initialValues.attack_type = values.attack_type;
-        initialValues.ioc_type = values.ioc_type;
         initialValues.prioritize = values.prioritize;
 
         const resetPage = {
@@ -157,7 +148,7 @@ export default function Feeds() {
                   {(formik) => (
                     <Form>
                       <FormGroup row>
-                        <Col sm={12} md={3}>
+                        <Col sm={12} md={4}>
                           <Label
                             className="form-control-label"
                             htmlFor="Feeds__feeds_type"
@@ -175,7 +166,7 @@ export default function Feeds() {
                             }}
                           />
                         </Col>
-                        <Col sm={12} md={3}>
+                        <Col sm={12} md={4}>
                           <Label
                             className="form-control-label"
                             htmlFor="Feeds__attack_type"
@@ -193,25 +184,7 @@ export default function Feeds() {
                             }}
                           />
                         </Col>
-                        <Col sm={12} md={3}>
-                          <Label
-                            className="form-control-label"
-                            htmlFor="Feeds__ioc_type"
-                          >
-                            IOC type:
-                          </Label>
-                          <Select
-                            id="Feeds__ioc_type"
-                            name="ioc_type"
-                            value={initialValues.ioc_type}
-                            choices={iocTypeChoices}
-                            onChange={(e) => {
-                              formik.handleChange(e);
-                              formik.submitForm();
-                            }}
-                          />
-                        </Col>
-                        <Col sm={12} md={3}>
+                        <Col sm={12} md={4}>
                           <Label
                             className="form-control-label"
                             htmlFor="Feeds__prioritize"
diff --git a/frontend/tests/components/feeds/Feeds.test.jsx b/frontend/tests/components/feeds/Feeds.test.jsx
index 38a4ea80..f51d4662 100644
--- a/frontend/tests/components/feeds/Feeds.test.jsx
+++ b/frontend/tests/components/feeds/Feeds.test.jsx
@@ -72,8 +72,6 @@ describe("Feeds component", () => {
     expect(feedTypeSelectElement).toBeInTheDocument();
     const attackTypeSelectElement = screen.getByLabelText("Attack type:");
     expect(attackTypeSelectElement).toBeInTheDocument();
-    const iocTypeSelectElement = screen.getByLabelText("IOC type:");
-    expect(iocTypeSelectElement).toBeInTheDocument();
     const prioritizationSelectElement = screen.getByLabelText("Prioritize:");
     expect(prioritizationSelectElement).toBeInTheDocument();
 
@@ -85,23 +83,13 @@ describe("Feeds component", () => {
 
     await user.selectOptions(feedTypeSelectElement, "log4j");
     await user.selectOptions(attackTypeSelectElement, "scanner");
-    await user.selectOptions(iocTypeSelectElement, "ip");
     await user.selectOptions(prioritizationSelectElement, "persistent");
 
     await waitFor(() => {
-      // check link has been changed including ioc_type parameter
+      // check link has been changed
       expect(buttonRawData).toHaveAttribute(
         "href",
-        "/api/feeds/log4j/scanner/persistent.json?ioc_type=ip"
-      );
-    });
-
-    // Test selecting domain IOC type
-    await user.selectOptions(iocTypeSelectElement, "domain");
-    await waitFor(() => {
-      expect(buttonRawData).toHaveAttribute(
-        "href",
-        "/api/feeds/log4j/scanner/persistent.json?ioc_type=domain"
+        "/api/feeds/log4j/scanner/persistent.json"
       );
     });
   });
diff --git a/tests/__init__.py b/tests/__init__.py
index e7a23e29..31329e0d 100644
--- a/tests/__init__.py
+++ b/tests/__init__.py
@@ -81,36 +81,12 @@ def setUpTestData(cls):
             expected_interactions=11.1,
         )
 
-        cls.ioc_domain = IOC.objects.create(
-            name="malicious.example.com",
-            type=iocType.DOMAIN.value,
-            first_seen=cls.current_time,
-            last_seen=cls.current_time,
-            days_seen=[cls.current_time],
-            number_of_days_seen=1,
-            attack_count=1,
-            interaction_count=1,
-            log4j=True,
-            cowrie=False,
-            scanner=False,
-            payload_request=True,
-            related_urls=[],
-            ip_reputation="",
-            asn=None,
-            destination_ports=[],
-            login_attempts=0,
-            recurrence_probability=0.2,
-            expected_interactions=5.5,
-        )
-
         cls.ioc.general_honeypot.add(cls.heralding)  # FEEDS
         cls.ioc.general_honeypot.add(cls.ciscoasa)  # FEEDS
         cls.ioc.save()
         cls.ioc_2.general_honeypot.add(cls.heralding)  # FEEDS
         cls.ioc_2.general_honeypot.add(cls.ciscoasa)  # FEEDS
         cls.ioc_2.save()
-        cls.ioc_domain.general_honeypot.add(cls.heralding)  # FEEDS
-        cls.ioc_domain.save()
 
         cls.cmd_seq = ["cd foo", "ls -la"]
         cls.hash = sha256("\n".join(cls.cmd_seq).encode()).hexdigest()
diff --git a/tests/test_serializers.py b/tests/test_serializers.py
index f78ebc0f..fb56cfee 100644
--- a/tests/test_serializers.py
+++ b/tests/test_serializers.py
@@ -25,7 +25,6 @@ def test_valid_fields(self):
         choices = {
             "feed_type": ["all", "log4j", "cowrie", "adbhoney"],
             "attack_type": ["all", "scanner", "payload_request"],
-            "ioc_type": ["ip", "domain", "all"],
             "max_age": [str(n) for n in [1, 2, 4, 8, 16]],
             "min_days_seen": [str(n) for n in [1, 2, 4, 8, 16]],
             "include_reputation": [[], ["known attacker"], ["known attacker", "mass scanner"]],
diff --git a/tests/test_views.py b/tests/test_views.py
index 21672157..e6d9c587 100644
--- a/tests/test_views.py
+++ b/tests/test_views.py
@@ -61,40 +61,29 @@ def test_200_all_feeds(self):
         response = self.client.get("/api/feeds/all/all/recent.json")
         self.assertEqual(response.status_code, 200)
         self.assertEqual(response.json()["license"], FEEDS_LICENSE)
-
-        iocs = response.json()["iocs"]
-        target_ioc = next((i for i in iocs if i["value"] == self.ioc.name), None)
-        self.assertIsNotNone(target_ioc)
-
-        self.assertEqual(target_ioc["feed_type"], ["log4j", "cowrie", "heralding", "ciscoasa"])
-        self.assertEqual(target_ioc["attack_count"], 1)
-        self.assertEqual(target_ioc["scanner"], True)
-        self.assertEqual(target_ioc["payload_request"], True)
-        self.assertEqual(target_ioc["recurrence_probability"], self.ioc.recurrence_probability)
-        self.assertEqual(target_ioc["expected_interactions"], self.ioc.expected_interactions)
+        self.assertEqual(response.json()["iocs"][0]["feed_type"], ["log4j", "cowrie", "heralding", "ciscoasa"])
+        self.assertEqual(response.json()["iocs"][0]["attack_count"], 1)
+        self.assertEqual(response.json()["iocs"][0]["scanner"], True)
+        self.assertEqual(response.json()["iocs"][0]["payload_request"], True)
+        self.assertEqual(response.json()["iocs"][0]["recurrence_probability"], self.ioc.recurrence_probability)
+        self.assertEqual(response.json()["iocs"][0]["expected_interactions"], self.ioc.expected_interactions)
 
     def test_200_general_feeds(self):
         response = self.client.get("/api/feeds/heralding/all/recent.json")
         self.assertEqual(response.status_code, 200)
         self.assertEqual(response.json()["license"], FEEDS_LICENSE)
-
-        iocs = response.json()["iocs"]
-        target_ioc = next((i for i in iocs if i["value"] == self.ioc.name), None)
-        self.assertIsNotNone(target_ioc)
-
-        self.assertEqual(target_ioc["feed_type"], ["log4j", "cowrie", "heralding", "ciscoasa"])
-        self.assertEqual(target_ioc["attack_count"], 1)
-        self.assertEqual(target_ioc["scanner"], True)
-        self.assertEqual(target_ioc["payload_request"], True)
-        self.assertEqual(target_ioc["recurrence_probability"], self.ioc.recurrence_probability)
-        self.assertEqual(target_ioc["expected_interactions"], self.ioc.expected_interactions)
+        self.assertEqual(response.json()["iocs"][0]["feed_type"], ["log4j", "cowrie", "heralding", "ciscoasa"])
+        self.assertEqual(response.json()["iocs"][0]["attack_count"], 1)
+        self.assertEqual(response.json()["iocs"][0]["scanner"], True)
+        self.assertEqual(response.json()["iocs"][0]["payload_request"], True)
+        self.assertEqual(response.json()["iocs"][0]["recurrence_probability"], self.ioc.recurrence_probability)
+        self.assertEqual(response.json()["iocs"][0]["expected_interactions"], self.ioc.expected_interactions)
 
     def test_200_feeds_scanner_inclusion(self):
         response = self.client.get("/api/feeds/heralding/all/recent.json?include_mass_scanners")
         self.assertEqual(response.status_code, 200)
         self.assertEqual(response.json()["license"], FEEDS_LICENSE)
-        # Expecting 3 because setupTestData creates 3 IOCs (ioc, ioc_2, ioc_domain) associated with Heralding
-        self.assertEqual(len(response.json()["iocs"]), 3)
+        self.assertEqual(len(response.json()["iocs"]), 2)
 
     def test_400_feeds(self):
         response = self.client.get("/api/feeds/test/all/recent.json")
@@ -103,55 +92,24 @@ def test_400_feeds(self):
     def test_200_feeds_pagination(self):
         response = self.client.get("/api/feeds/?page_size=10&page=1&feed_type=all&attack_type=all&age=recent")
         self.assertEqual(response.status_code, 200)
-        self.assertEqual(response.json()["count"], 2)
+        self.assertEqual(response.json()["count"], 1)
         self.assertEqual(response.json()["total_pages"], 1)
 
     def test_200_feeds_pagination_inclusion_mass(self):
         response = self.client.get("/api/feeds/?page_size=10&page=1&feed_type=all&attack_type=all&age=recent&include_mass_scanners")
         self.assertEqual(response.status_code, 200)
-        self.assertEqual(response.json()["count"], 3)
+        self.assertEqual(response.json()["count"], 2)
 
     def test_200_feeds_pagination_inclusion_tor(self):
         response = self.client.get("/api/feeds/?page_size=10&page=1&feed_type=all&attack_type=all&age=recent&include_tor_exit_nodes")
         self.assertEqual(response.status_code, 200)
-        self.assertEqual(response.json()["count"], 3)
+        self.assertEqual(response.json()["count"], 2)
 
     def test_200_feeds_pagination_inclusion_mass_and_tor(self):
         response = self.client.get("/api/feeds/?page_size=10&page=1&feed_type=all&attack_type=all&age=recent&include_mass_scanners&include_tor_exit_nodes")
         self.assertEqual(response.status_code, 200)
-        self.assertEqual(response.json()["count"], 4)
-
-    def test_200_feeds_filter_ip_only(self):
-        response = self.client.get("/api/feeds/all/all/recent.json?ioc_type=ip")
-        self.assertEqual(response.status_code, 200)
-        # Should only return IP addresses, not domains
-        for ioc in response.json()["iocs"]:
-            # Verify all returned values are IPs (contain dots and numbers pattern)
-            self.assertRegex(ioc["value"], r"^\d+\.\d+\.\d+\.\d+$")
-
-    def test_200_feeds_filter_domain_only(self):
-        response = self.client.get("/api/feeds/all/all/recent.json?ioc_type=domain")
-        self.assertEqual(response.status_code, 200)
-        # Should only return domains, not IPs
-        self.assertGreater(len(response.json()["iocs"]), 0)
-        for ioc in response.json()["iocs"]:
-            # Verify all returned values are domains (contain alphabetic characters)
-            self.assertRegex(ioc["value"], r"[a-zA-Z]")
-
-    def test_200_feeds_pagination_filter_ip(self):
-        response = self.client.get(
-            "/api/feeds/?page_size=10&page=1&feed_type=all&attack_type=all&age=recent&ioc_type=ip&include_mass_scanners&include_tor_exit_nodes"
-        )
-        self.assertEqual(response.status_code, 200)
-        # Should return only IPs (3 in test data)
         self.assertEqual(response.json()["count"], 3)
 
-    def test_200_feeds_pagination_filter_domain(self):
-        response = self.client.get("/api/feeds/?page_size=10&page=1&feed_type=all&attack_type=all&age=recent&ioc_type=domain")
-        self.assertEqual(response.status_code, 200)
-        # Should return only domains (1 in test data)
-        self.assertEqual(response.json()["count"], 1)
-
     def test_400_feeds_pagination(self):
         response = self.client.get("/api/feeds/?page_size=10&page=1&feed_type=all&attack_type=test&age=recent")
         self.assertEqual(response.status_code, 400)
@@ -166,33 +124,23 @@ def test_200_all_feeds(self):
         response = self.client.get("/api/feeds/advanced/")
         self.assertEqual(response.status_code, 200)
         self.assertEqual(response.json()["license"], FEEDS_LICENSE)
-
-        iocs = response.json()["iocs"]
-        target_ioc = next((i for i in iocs if i["value"] == self.ioc.name), None)
-        self.assertIsNotNone(target_ioc)
-
-        self.assertEqual(target_ioc["feed_type"], ["log4j", "cowrie", "heralding", "ciscoasa"])
-        self.assertEqual(target_ioc["attack_count"], 1)
-        self.assertEqual(target_ioc["scanner"], True)
-        self.assertEqual(target_ioc["payload_request"], True)
-        self.assertEqual(target_ioc["recurrence_probability"], self.ioc.recurrence_probability)
-        self.assertEqual(target_ioc["expected_interactions"], self.ioc.expected_interactions)
+        self.assertEqual(response.json()["iocs"][0]["feed_type"], ["log4j", "cowrie", "heralding", "ciscoasa"])
+        self.assertEqual(response.json()["iocs"][0]["attack_count"], 1)
+        self.assertEqual(response.json()["iocs"][0]["scanner"], True)
+        self.assertEqual(response.json()["iocs"][0]["payload_request"], True)
+        self.assertEqual(response.json()["iocs"][0]["recurrence_probability"], self.ioc.recurrence_probability)
+        self.assertEqual(response.json()["iocs"][0]["expected_interactions"], self.ioc.expected_interactions)
 
     def test_200_general_feeds(self):
         response = self.client.get("/api/feeds/advanced/?feed_type=heralding")
         self.assertEqual(response.status_code, 200)
         self.assertEqual(response.json()["license"], FEEDS_LICENSE)
-
-        iocs = response.json()["iocs"]
-        target_ioc = next((i for i in iocs if i["value"] == self.ioc.name), None)
-        self.assertIsNotNone(target_ioc)
-
-        self.assertEqual(target_ioc["feed_type"], ["log4j", "cowrie", "heralding", "ciscoasa"])
-        self.assertEqual(target_ioc["attack_count"], 1)
-        self.assertEqual(target_ioc["scanner"], True)
-        self.assertEqual(target_ioc["payload_request"], True)
-        self.assertEqual(target_ioc["recurrence_probability"], self.ioc.recurrence_probability)
-        self.assertEqual(target_ioc["expected_interactions"], self.ioc.expected_interactions)
+        self.assertEqual(response.json()["iocs"][0]["feed_type"], ["log4j", "cowrie", "heralding", "ciscoasa"])
+        self.assertEqual(response.json()["iocs"][0]["attack_count"], 1)
+        self.assertEqual(response.json()["iocs"][0]["scanner"], True)
+        self.assertEqual(response.json()["iocs"][0]["payload_request"], True)
+        self.assertEqual(response.json()["iocs"][0]["recurrence_probability"], self.ioc.recurrence_probability)
+        self.assertEqual(response.json()["iocs"][0]["expected_interactions"], self.ioc.expected_interactions)
 
     def test_400_feeds(self):
         response = self.client.get("/api/feeds/advanced/?attack_type=test")
@@ -201,7 +149,7 @@ def test_400_feeds(self):
     def test_200_feeds_pagination(self):
         response = self.client.get("/api/feeds/advanced/?paginate=true&page_size=10&page=1")
         self.assertEqual(response.status_code, 200)
-        self.assertEqual(response.json()["count"], 4)
+        self.assertEqual(response.json()["count"], 3)
         self.assertEqual(response.json()["total_pages"], 1)
 
     def test_200_feeds_pagination_include(self):
@@ -213,13 +161,13 @@ def test_200_feeds_pagination_include(self):
     def test_200_feeds_pagination_exclude_mass(self):
         response = self.client.get("/api/feeds/advanced/?paginate=true&page_size=10&page=1&exclude_reputation=mass%20scanner")
         self.assertEqual(response.status_code, 200)
-        self.assertEqual(response.json()["count"], 3)
+        self.assertEqual(response.json()["count"], 2)
         self.assertEqual(response.json()["total_pages"], 1)
 
     def test_200_feeds_pagination_exclude_tor(self):
         response = self.client.get("/api/feeds/advanced/?paginate=true&page_size=10&page=1&exclude_reputation=tor%20exit%20node")
         self.assertEqual(response.status_code, 200)
-        self.assertEqual(response.json()["count"], 3)
+        self.assertEqual(response.json()["count"], 2)
         self.assertEqual(response.json()["total_pages"], 1)
 
     def test_400_feeds_pagination(self):
@@ -268,10 +216,9 @@ def test_200_feed_types(self):
 
         response = self.client.get("/api/statistics/feeds_types")
         self.assertEqual(response.status_code, 200)
-        # Expecting 3 because setupTestData creates 3 IOCs (ioc, ioc_2, ioc_domain) associated with Heralding
-        self.assertEqual(response.json()[0]["Heralding"], 3)
+        self.assertEqual(response.json()[0]["Heralding"], 2)
         self.assertEqual(response.json()[0]["Ciscoasa"], 2)
-        self.assertEqual(response.json()[0]["Log4j"], 3)
+        self.assertEqual(response.json()[0]["Log4j"], 2)
         self.assertEqual(response.json()[0]["Cowrie"], 3)
         self.assertEqual(response.json()[0]["Tanner"], 0)