Parse API
Collection of Parse APIs to enable extraction and parsing of Indicators of Compromise (IOCs) from a variety of sources.
Parse IOCs from URL
POST
https://api.iocparser.com/url
This endpoint allows you to parse and extract Indicators of Compromise (IOCs) from a URL. Active
Headers
Request Body
{
"status": "success",
"meta": {
"title": "Who's Hacking the Hackers: No Honor Among Thieves",
"description": "Cybereason Nocturnus is investigating a campaign where attackers are trojanizing multiple hacking tools with njRat, allowing the attackers to completely take over the victim’s machine.",
"url": "https://www.cybereason.com/blog/whos-hacking-the-hackers-no-honor-among-thieves",
"tags": []
},
"data": {
"IPv4": [
"165.227.217.146"
],
"IPv6": [
],
"URL": [
"http://www.gstatic.com"
],
"DOMAIN": [
"lmlnzwlwgn.com"
],
"FILE_HASH_MD5": [
"C2405709A54EC95CDDCC5C598F34081C"
],
"FILE_HASH_SHA1": [
"04F453E614B75F818C01D1BD88F5825B98B68E3C"
],
"FILE_HASH_SHA256": [
"55028eeed2cea3fcfea987c1dc9f63a3a509a520882937c8ed2d758ac8dc9e42"
],
"EMAIL": [],
"CVE": [
"CVE-2019-0708"
],
"YARA_RULE": [],
"MITRE_ATT&CK": [
"TA0002"
],
"FILE_NAME": [
"IPDP9E0.txt"
]
}
}
{
"status": "error",
"error": Response from the URL / "Error msg"
}
{
"message": "Internal server error"
}
# Ask the /url endpoint to extract IOCs from the page at the given address.
# The API notes state that /url searches are used for the Feed APIs unless the
# "public" parameter is set to False, so consider that before submitting
# investigation-sensitive links.
curl -L -X POST \
  -H 'Content-Type: application/json' \
  -d '{
"url": "https://pastebin.com/iMzrRXbJ"
}' \
  'https://api.iocparser.com/url'
import requests
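# Ask the /url endpoint to extract IOCs from the page at the given address.
# The API notes state that /url searches are used for the Feed APIs unless the
# "public" parameter is set to False.
url = "https://api.iocparser.com/url"
payload = {"url": "https://www.crowdstrike.com/blog/sidoh-wizard-spiders-mysterious-exfiltration-tool/"}
headers = {"Content-Type": "application/json"}

# requests waits indefinitely unless a timeout is given; bound the call so a
# stalled connection cannot hang the caller.
response = requests.post(url, headers=headers, json=payload, timeout=30)

# The extracted values are indicators taken from untrusted content: handle them
# as data for blocklists/lookups rather than something to open or resolve.
print(response.json())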
package main
import (
"fmt"
"strings"
"net/http"
"io/ioutil"
)
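// main posts a JSON body naming the page to analyse to the IOC Parser /url
// endpoint and prints the raw response body.
//
// The API notes state that /url searches are used for the Feed APIs unless the
// "public" parameter is set to False.
func main() {
	url := "https://api.iocparser.com/url"
	method := "POST"

	payload := strings.NewReader("{\n \"url\": \"https://pastebin.com/iMzrRXbJ\"\n}")

	// NOTE(review): the zero-value client never times out; set
	// http.Client.Timeout before using this outside a demo.
	client := &http.Client{}

	req, err := http.NewRequest(method, url, payload)
	if err != nil {
		fmt.Println(err)
		return
	}
	req.Header.Add("Content-Type", "application/json")

	res, err := client.Do(req)
	if err != nil {
		// res is nil when Do fails, so the deferred Close must come after this check.
		fmt.Println(err)
		return
	}
	defer res.Body.Close()

	body, err := ioutil.ReadAll(res.Body)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println(string(body))
}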
// POST a JSON body naming the page to analyse to /url and log the response text.
// The API notes state that /url searches are used for the Feed APIs unless the
// "public" parameter is set to False.
const endpoint = "https://api.iocparser.com/url";

const jsonHeaders = new Headers();
jsonHeaders.append("Content-Type", "application/json");

const requestOptions = {
  method: 'POST',
  headers: jsonHeaders,
  body: JSON.stringify({"url":"https://pastebin.com/iMzrRXbJ"}),
  redirect: 'follow'
};

fetch(endpoint, requestOptions)
  .then((response) => response.text())
  .then((text) => console.log(text))
  .catch((err) => console.log('error', err));
Parse IOCs from Raw String
POST
https://api.iocparser.com/raw
This endpoint allows you to parse and extract Indicators of Compromise (IOCs) from Raw Text. The body size is limited to 200KB. Active
Headers
Request Body
{
"status": "success",
"meta": {
"title": "Who's Hacking the Hackers: No Honor Among Thieves",
"description": "Cybereason Nocturnus is investigating a campaign where attackers are trojanizing multiple hacking tools with njRat, allowing the attackers to completely take over the victim’s machine.",
"url": "https://www.cybereason.com/blog/whos-hacking-the-hackers-no-honor-among-thieves",
"tags": []
},
"data": {
"IPv4": [
"165.227.217.146"
],
"IPv6": [
],
"URL": [
"http://www.gstatic.com"
],
"DOMAIN": [
"lmlnzwlwgn.com"
],
"FILE_HASH_MD5": [
"C2405709A54EC95CDDCC5C598F34081C"
],
"FILE_HASH_SHA1": [
"04F453E614B75F818C01D1BD88F5825B98B68E3C"
],
"FILE_HASH_SHA256": [
"55028eeed2cea3fcfea987c1dc9f63a3a509a520882937c8ed2d758ac8dc9e42"
],
"EMAIL": [],
"CVE": [
"CVE-2019-0708"
],
"YARA_RULE": [],
"MITRE_ATT&CK": [
"TA0002"
],
"FILE_NAME": [
"IPDP9E0.txt"
]
}
}
{
"status": "error",
"error": Response from the URL / "Error msg"
}
{
"message": "Internal server error"
}
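# Send plain text to /raw, the endpoint this section documents for raw strings.
# The sample previously targeted /text, which this page documents as the JSON
# endpoint (body of the form {"data": "..."}).
curl --location --request POST 'https://api.iocparser.com/raw' \
  --header 'Content-Type: text/plain' \
  --data-raw '#PowerShell_CobaltStrike_Beacon_Reverse_HTTP_x86 SHA256: 73f27d0736457997141cde9bbedfa5e7f5a3706282d1999e00f8b1629ee5797a C2: starpingisd[.]net:443"'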
import requests
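# Send a plain-text blob to /raw and print the IOCs the service extracts from it.
# The page limits the request body to 200KB for this endpoint.
url = "https://api.iocparser.com/raw"
payload = "#PowerShell_CobaltStrike_Beacon_Reverse_HTTP_x86 SHA256: 73f27d0736457997141cde9bbedfa5e7f5a3706282d1999e00f8b1629ee5797a C2: starpingisd[.]net:443\""
headers = {"Content-Type": "text/plain"}

# requests waits indefinitely unless a timeout is given; bound the call so a
# stalled connection cannot hang the caller.
response = requests.post(url, headers=headers, data=payload, timeout=30)
print(response.json())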
package main
import (
"fmt"
"strings"
"net/http"
"io/ioutil"
)
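// main posts a plain-text blob to the IOC Parser raw-text endpoint and prints
// the raw response body. The page limits the request body to 200KB.
func main() {
	// This section documents /raw for text/plain input; /text is documented
	// on this page as the JSON endpoint, so the sample targets /raw.
	url := "https://api.iocparser.com/raw"
	method := "POST"

	payload := strings.NewReader("#PowerShell_CobaltStrike_Beacon_Reverse_HTTP_x86 SHA256: 73f27d0736457997141cde9bbedfa5e7f5a3706282d1999e00f8b1629ee5797a C2: starpingisd[.]net:443\"")

	// NOTE(review): the zero-value client never times out; set
	// http.Client.Timeout before using this outside a demo.
	client := &http.Client{}

	req, err := http.NewRequest(method, url, payload)
	if err != nil {
		fmt.Println(err)
		return
	}
	req.Header.Add("Content-Type", "text/plain")

	res, err := client.Do(req)
	if err != nil {
		// res is nil when Do fails, so the deferred Close must come after this check.
		fmt.Println(err)
		return
	}
	defer res.Body.Close()

	body, err := ioutil.ReadAll(res.Body)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println(string(body))
}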
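// POST a plain-text blob to the raw-text endpoint and log the response text.
// This section documents /raw for text/plain input; /text is documented on
// this page as the JSON endpoint, so the sample targets /raw.
var myHeaders = new Headers();
myHeaders.append("Content-Type", "text/plain");

var raw = "#PowerShell_CobaltStrike_Beacon_Reverse_HTTP_x86 SHA256: 73f27d0736457997141cde9bbedfa5e7f5a3706282d1999e00f8b1629ee5797a C2: starpingisd[.]net:443\"";

var requestOptions = {
  method: 'POST',
  headers: myHeaders,
  body: raw,
  redirect: 'follow'
};

fetch("https://api.iocparser.com/raw", requestOptions)
  .then(response => response.text())
  .then(result => console.log(result))
  .catch(error => console.log('error', error));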
Parse IOCs from JSON String
POST
https://api.iocparser.com/text
This endpoint allows you to parse and extract Indicators of Compromise (IOCs) from JSON Text. (The body size is limited to 200KB). Active
Headers
Request Body
{
"status": "success",
"meta": {
"title": "Who's Hacking the Hackers: No Honor Among Thieves",
"description": "Cybereason Nocturnus is investigating a campaign where attackers are trojanizing multiple hacking tools with njRat, allowing the attackers to completely take over the victim’s machine.",
"url": "https://www.cybereason.com/blog/whos-hacking-the-hackers-no-honor-among-thieves",
"tags": []
},
"data": {
"IPv4": [
"165.227.217.146"
],
"IPv6": [
],
"URL": [
"http://www.gstatic.com"
],
"DOMAIN": [
"lmlnzwlwgn.com"
],
"FILE_HASH_MD5": [
"C2405709A54EC95CDDCC5C598F34081C"
],
"FILE_HASH_SHA1": [
"04F453E614B75F818C01D1BD88F5825B98B68E3C"
],
"FILE_HASH_SHA256": [
"55028eeed2cea3fcfea987c1dc9f63a3a509a520882937c8ed2d758ac8dc9e42"
],
"EMAIL": [],
"CVE": [
"CVE-2019-0708"
],
"YARA_RULE": [],
"MITRE_ATT&CK": [
"TA0002"
],
"FILE_NAME": [
"IPDP9E0.txt"
]
}
}
{
"status": "error",
"error": Response from the URL / "Error msg"
}
{
"message": "Internal server error"
}
# Send text wrapped in a JSON "data" field to /text and get back the IOCs found in it.
# The page limits the request body to 200KB for this endpoint.
curl -L -X POST \
  -H 'Content-Type: application/json' \
  --data-raw '{
"data": "#PowerShell_CobaltStrike_Beacon_Reverse_HTTP_x86 SHA256: 73f27d0736457997141cde9bbedfa5e7f5a3706282d1999e00f8b1629ee5797a C2: starpingisd[.]net:443"
}' \
  'https://api.iocparser.com/text'
import requests
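# Send text wrapped in a JSON "data" field to /text and print the extracted IOCs.
# The page limits the request body to 200KB for this endpoint.
url = "https://api.iocparser.com/text"
payload = {"data": "#PowerShell_CobaltStrike_Beacon_Reverse_HTTP_x86 SHA256: 73f27d0736457997141cde9bbedfa5e7f5a3706282d1999e00f8b1629ee5797a C2: starpingisd[.]net:443"}
headers = {"Content-Type": "application/json"}

# requests waits indefinitely unless a timeout is given; bound the call so a
# stalled connection cannot hang the caller.
response = requests.post(url, headers=headers, json=payload, timeout=30)
print(response.json())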
package main
import (
"fmt"
"strings"
"net/http"
"io/ioutil"
)
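// main posts text wrapped in a JSON "data" field to the IOC Parser /text
// endpoint and prints the raw response body. The page limits the request body
// to 200KB.
func main() {
	url := "https://api.iocparser.com/text"
	method := "POST"

	payload := strings.NewReader("{\n \"data\": \"#PowerShell_CobaltStrike_Beacon_Reverse_HTTP_x86 SHA256: 73f27d0736457997141cde9bbedfa5e7f5a3706282d1999e00f8b1629ee5797a C2: starpingisd[.]net:443\"\n}")

	// NOTE(review): the zero-value client never times out; set
	// http.Client.Timeout before using this outside a demo.
	client := &http.Client{}

	req, err := http.NewRequest(method, url, payload)
	if err != nil {
		fmt.Println(err)
		return
	}
	req.Header.Add("Content-Type", "application/json")

	res, err := client.Do(req)
	if err != nil {
		// res is nil when Do fails, so the deferred Close must come after this check.
		fmt.Println(err)
		return
	}
	defer res.Body.Close()

	body, err := ioutil.ReadAll(res.Body)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println(string(body))
}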
// POST text wrapped in a JSON "data" field to /text and log the response text.
const endpoint = "https://api.iocparser.com/text";

const jsonHeaders = new Headers();
jsonHeaders.append("Content-Type", "application/json");

const requestOptions = {
  method: 'POST',
  headers: jsonHeaders,
  body: JSON.stringify({"data":"#PowerShell_CobaltStrike_Beacon_Reverse_HTTP_x86 SHA256: 73f27d0736457997141cde9bbedfa5e7f5a3706282d1999e00f8b1629ee5797a C2: starpingisd[.]net:443"}),
  redirect: 'follow'
};

fetch(endpoint, requestOptions)
  .then((response) => response.text())
  .then((text) => console.log(text))
  .catch((err) => console.log('error', err));
Parse IOCs from Twitter Profile
POST
https://api.iocparser.com/twitter
The endpoint allows you to parse and extract Indicators of Compromise (IOCs) from Twitter Users. Defaults to last 500 tweets. Active
Headers
Request Body
{
"status": "success",
"meta": {
"name": "ScumBots",
"username": "scumbots",
"birthday": "1992",
"biography": "I drop dox on scumbag bots and RATs.",
"website": "",
"profile_photo": "https://pbs.twimg.com/profile_images/861231607965003778/6wIhObGE_400x400.jpg",
"likes_count": 15,
"tweets_count": 25193,
"followers_count": 3356,
"following_count": 3
},
"data": [{
"meta": {
"tweetId": "1265493522729271296",
"timestamp": "2020-05-27 04:02:22",
"tweet": "#njRat SHA256: b5c9e504c680d4d1eca7fc78736b505663d9cad9cfa161479a65c3f3ba48603e C2: 070809kdg[.]p-e[.]kr:5552",
"hashtags": [
"#njRat"
],
"urls": []
},
"data": {
"ASN": [],
"BITCOIN_ADDRESS": [],
"CVE": [],
"DOMAIN": [
"070809kdg.p-e.kr"
],
"EMAIL": [],
"FILE_HASH_MD5": [],
"FILE_HASH_SHA1": [],
"FILE_HASH_SHA256": [
"b5c9e504c680d4d1eca7fc78736b505663d9cad9cfa161479a65c3f3ba48603e"
],
"IPv4": [],
"IPv6": [],
"MITRE_ATT&CK": [],
"URL": [],
"YARA_RULE": [],
"MAC_ADDRESS": [],
"FILE_NAME": []
}
}]
}
{
"status": "error",
"error": Response from the URL / "Error msg"
}
{
"message": "Internal server error"
}
# Extract IOCs from a Twitter user's tweets; "data" carries the username.
# Per this page the endpoint defaults to the last 500 tweets.
curl -L -X POST \
  -H 'Content-Type: application/json' \
  --data-raw '{
"data": "scumbots"
}' \
  'https://api.iocparser.com/twitter'
import requests
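# Extract IOCs from a Twitter user's tweets; "data" carries the username.
# Per this page the endpoint defaults to the last 500 tweets.
url = "https://api.iocparser.com/twitter"
payload = {"data": "scumbots"}
headers = {"Content-Type": "application/json"}

# requests waits indefinitely unless a timeout is given; bound the call so a
# stalled connection cannot hang the caller.
response = requests.post(url, headers=headers, json=payload, timeout=30)
print(response.json())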
package main
import (
"fmt"
"strings"
"net/http"
"io/ioutil"
)
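// main posts a Twitter username in a JSON "data" field to the IOC Parser
// /twitter endpoint and prints the raw response body. Per this page the
// endpoint defaults to the last 500 tweets.
func main() {
	url := "https://api.iocparser.com/twitter"
	method := "POST"

	payload := strings.NewReader("{\n \"data\": \"scumbots\"\n}")

	// NOTE(review): the zero-value client never times out; set
	// http.Client.Timeout before using this outside a demo.
	client := &http.Client{}

	req, err := http.NewRequest(method, url, payload)
	if err != nil {
		fmt.Println(err)
		return
	}
	req.Header.Add("Content-Type", "application/json")

	res, err := client.Do(req)
	if err != nil {
		// res is nil when Do fails, so the deferred Close must come after this check.
		fmt.Println(err)
		return
	}
	defer res.Body.Close()

	body, err := ioutil.ReadAll(res.Body)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println(string(body))
}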
// POST a Twitter username in a JSON "data" field to /twitter and log the response text.
const endpoint = "https://api.iocparser.com/twitter";

const jsonHeaders = new Headers();
jsonHeaders.append("Content-Type", "application/json");

const requestOptions = {
  method: 'POST',
  headers: jsonHeaders,
  body: JSON.stringify({"data":"scumbots"}),
  redirect: 'follow'
};

fetch(endpoint, requestOptions)
  .then((response) => response.text())
  .then((text) => console.log(text))
  .catch((err) => console.log('error', err));
Notes
Setting the "public" parameter to False in a /url request keeps your searches out of the Feed APIs. The parameter is True unless you change it, so submitted URLs are shared by default; leave it True if you are comfortable sharing your data to benefit everyone.
/text and /raw are private by default, which means no data from those requests is stored.
By default IOC Parser will try to parse all of the IOCs available. To improve the speed of response, use the "keys" parameter when sending your API request. Example -
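# Limit extraction to IPv4 indicators with the "keys" parameter.
# Each trailing backslash must end its line; collapsed onto one line, the
# backslash escapes the following space and the options are misparsed.
curl --location --request POST 'https://api.iocparser.com/url' \
  --header 'Content-Type: application/json' \
  --data '{ "url": "https://www.cybereason.com/blog/whos-hacking-the-hackers-no-honor-among-thieves", "keys": ["IPv4"] }'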