# Parse API
## Parse IOCs from URL
`POST` `https://api.iocparser.com/url`
This endpoint allows you to parse and extract Indicators of Compromise (IOCs) from a URL.\ **Active**
#### Headers
| Name | Type | Description |
| ------------ | ------ | ---------------- |
| Content-Type | string | application/json |
#### Request Body
| Name | Type | Description |
| ------------------------------------- | ------- | --------------------------------------------------------------------------------------------------------- |
| public | boolean | If False, the data won't be used for any other APIs. **By default value set to True, please check notes** |
| keys | array | IOC types to return
Example - \["IPv4", "DOMAIN"]
|
| url\* | string | Valid URL |
{% tabs %}
{% tab title="200 Success" %}
```
{
"status": "success",
"meta": {
"title": "Who's Hacking the Hackers: No Honor Among Thieves",
"description": "Cybereason Nocturnus is investigating a campaign where attackers are trojanizing multiple hacking tools with njRat, allowing the attackers to completely take over the victim’s machine.",
"url": "https://www.cybereason.com/blog/whos-hacking-the-hackers-no-honor-among-thieves",
"tags": []
},
"data": {
"IPv4": [
"165.227.217.146"
],
"IPv6": [
],
"URL": [
"http://www.gstatic.com"
],
"DOMAIN": [
"lmlnzwlwgn.com"
],
"FILE_HASH_MD5": [
"C2405709A54EC95CDDCC5C598F34081C"
],
"FILE_HASH_SHA1": [
"04F453E614B75F818C01D1BD88F5825B98B68E3C"
],
"FILE_HASH_SHA256": [
"55028eeed2cea3fcfea987c1dc9f63a3a509a520882937c8ed2d758ac8dc9e42"
],
"EMAIL": [],
"CVE": [
"CVE-2019-0708"
],
"YARA_RULE": [],
"MITRE_ATT&CK": [
"TA0002"
],
"FILE_NAME": [
"IPDP9E0.txt"
]
}
}
```
{% endtab %}
{% tab title="204 Empty response" %}
```
```
{% endtab %}
{% tab title="400 Fail" %}
```
{
"status": "error",
"error": Response from the URL / "Error msg"
}
```
{% endtab %}
{% tab title="502 Request Timeout" %}
```
{
"message": "Internal server error"
}
```
{% endtab %}
{% endtabs %}
{% tabs %}
{% tab title="cURL" %}
```bash
curl --location --request POST 'https://api.iocparser.com/url' \
--header 'Content-Type: application/json' \
--data '{
"url": "https://pastebin.com/iMzrRXbJ"
}'
```
{% endtab %}
{% tab title="Python" %}
```python
import requests
url = "https://api.iocparser.com/url"
payload = {"url": "https://www.crowdstrike.com/blog/sidoh-wizard-spiders-mysterious-exfiltration-tool/"}
headers = {
'Content-Type': 'application/json'
}
response = requests.request("POST", url, headers=headers, json=payload)
print(response.json())
```
{% endtab %}
{% tab title="Go" %}
```go
package main
import (
"fmt"
"strings"
"net/http"
"io/ioutil"
)
func main() {
url := "https://api.iocparser.com/url"
method := "POST"
payload := strings.NewReader("{\n \"url\": \"https://pastebin.com/iMzrRXbJ\"\n}")
client := &http.Client {
}
req, err := http.NewRequest(method, url, payload)
if err != nil {
fmt.Println(err)
}
req.Header.Add("Content-Type", "application/json")
res, err := client.Do(req)
defer res.Body.Close()
body, err := ioutil.ReadAll(res.Body)
fmt.Println(string(body))
}
```
{% endtab %}
{% tab title="Javascript" %}
```javascript
var myHeaders = new Headers();
myHeaders.append("Content-Type", "application/json");
var raw = JSON.stringify({"url":"https://pastebin.com/iMzrRXbJ"});
var requestOptions = {
method: 'POST',
headers: myHeaders,
body: raw,
redirect: 'follow'
};
fetch("https://api.iocparser.com/url", requestOptions)
.then(response => response.text())
.then(result => console.log(result))
.catch(error => console.log('error', error));
```
{% endtab %}
{% endtabs %}
## Parse IOCs from Raw String
`POST` `https://api.iocparser.com/raw`
This endpoint allows you to parse and extract Indicators of Compromise (IOCs) from Raw Text. The body size is limited to 200KB.\ **Active**
#### Headers
| Name | Type | Description |
| ------------ | ------ | ----------- |
| Content-Type | string | text/plain |
#### Request Body
| Name | Type | Description |
| -------------------------------------- | ------ | -------------- |
| data\* | string | Valid Raw Text |
{% tabs %}
{% tab title="200 Success" %}
```
{
"status": "success",
"meta": {
"title": "Who's Hacking the Hackers: No Honor Among Thieves",
"description": "Cybereason Nocturnus is investigating a campaign where attackers are trojanizing multiple hacking tools with njRat, allowing the attackers to completely take over the victim’s machine.",
"url": "https://www.cybereason.com/blog/whos-hacking-the-hackers-no-honor-among-thieves",
"tags": []
},
"data": {
"IPv4": [
"165.227.217.146"
],
"IPv6": [
],
"URL": [
"http://www.gstatic.com"
],
"DOMAIN": [
"lmlnzwlwgn.com"
],
"FILE_HASH_MD5": [
"C2405709A54EC95CDDCC5C598F34081C"
],
"FILE_HASH_SHA1": [
"04F453E614B75F818C01D1BD88F5825B98B68E3C"
],
"FILE_HASH_SHA256": [
"55028eeed2cea3fcfea987c1dc9f63a3a509a520882937c8ed2d758ac8dc9e42"
],
"EMAIL": [],
"CVE": [
"CVE-2019-0708"
],
"YARA_RULE": [],
"MITRE_ATT&CK": [
"TA0002"
],
"FILE_NAME": [
"IPDP9E0.txt"
]
}
}
```
{% endtab %}
{% tab title="204 Empty Response" %}
```
```
{% endtab %}
{% tab title="400 Fail" %}
```
{
"status": "error",
"error": Response from the URL / "Error msg"
}
```
{% endtab %}
{% tab title="502 Request Timeout" %}
```
{
"message": "Internal server error"
}
```
{% endtab %}
{% endtabs %}
{% tabs %}
{% tab title="cURL" %}
```bash
curl --location --request POST 'https://api.iocparser.com/text' \
--header 'Content-Type: text/plain' \
--data-raw '#PowerShell_CobaltStrike_Beacon_Reverse_HTTP_x86 SHA256: 73f27d0736457997141cde9bbedfa5e7f5a3706282d1999e00f8b1629ee5797a C2: starpingisd[.]net:443"'
```
{% endtab %}
{% tab title="Python" %}
```python
import requests
url = "https://api.iocparser.com/raw"
payload = "#PowerShell_CobaltStrike_Beacon_Reverse_HTTP_x86 SHA256: 73f27d0736457997141cde9bbedfa5e7f5a3706282d1999e00f8b1629ee5797a C2: starpingisd[.]net:443\""
headers = {
'Content-Type': 'text/plain'
}
response = requests.request("POST", url, headers=headers, data=payload)
print(response.json())
```
{% endtab %}
{% tab title="Go" %}
```go
package main
import (
"fmt"
"strings"
"net/http"
"io/ioutil"
)
func main() {
url := "https://api.iocparser.com/text"
method := "POST"
payload := strings.NewReader("#PowerShell_CobaltStrike_Beacon_Reverse_HTTP_x86 SHA256: 73f27d0736457997141cde9bbedfa5e7f5a3706282d1999e00f8b1629ee5797a C2: starpingisd[.]net:443\"")
client := &http.Client {
}
req, err := http.NewRequest(method, url, payload)
if err != nil {
fmt.Println(err)
}
req.Header.Add("Content-Type", "text/plain")
res, err := client.Do(req)
defer res.Body.Close()
body, err := ioutil.ReadAll(res.Body)
fmt.Println(string(body))
}
```
{% endtab %}
{% tab title="Javascript" %}
```javascript
var myHeaders = new Headers();
myHeaders.append("Content-Type", "text/plain");
var raw = "#PowerShell_CobaltStrike_Beacon_Reverse_HTTP_x86 SHA256: 73f27d0736457997141cde9bbedfa5e7f5a3706282d1999e00f8b1629ee5797a C2: starpingisd[.]net:443\"";
var requestOptions = {
method: 'POST',
headers: myHeaders,
body: raw,
redirect: 'follow'
};
fetch("https://api.iocparser.com/text", requestOptions)
.then(response => response.text())
.then(result => console.log(result))
.catch(error => console.log('error', error));
```
{% endtab %}
{% endtabs %}
## Parse IOCs from JSON String
`POST` `https://api.iocparser.com/text`
This endpoint allows you to parse and extract Indicators of Compromise (IOCs) from JSON Text. (The body size is limited to 200KB).\ **Active**
#### Headers
| Name | Type | Description |
| ------------ | ------ | ---------------- |
| Content-Type | string | application/json |
#### Request Body
| Name | Type | Description |
| -------------------------------------- | ------ | ----------------------------------------------------------- |
| data\* | string | Valid JSON Text |
| keys | array | IOC types to return
Example - \["IPv4", "DOMAIN"]
|
{% tabs %}
{% tab title="200 Success" %}
```
{
"status": "success",
"meta": {
"title": "Who's Hacking the Hackers: No Honor Among Thieves",
"description": "Cybereason Nocturnus is investigating a campaign where attackers are trojanizing multiple hacking tools with njRat, allowing the attackers to completely take over the victim’s machine.",
"url": "https://www.cybereason.com/blog/whos-hacking-the-hackers-no-honor-among-thieves",
"tags": []
},
"data": {
"IPv4": [
"165.227.217.146"
],
"IPv6": [
],
"URL": [
"http://www.gstatic.com"
],
"DOMAIN": [
"lmlnzwlwgn.com"
],
"FILE_HASH_MD5": [
"C2405709A54EC95CDDCC5C598F34081C"
],
"FILE_HASH_SHA1": [
"04F453E614B75F818C01D1BD88F5825B98B68E3C"
],
"FILE_HASH_SHA256": [
"55028eeed2cea3fcfea987c1dc9f63a3a509a520882937c8ed2d758ac8dc9e42"
],
"EMAIL": [],
"CVE": [
"CVE-2019-0708"
],
"YARA_RULE": [],
"MITRE_ATT&CK": [
"TA0002"
],
"FILE_NAME": [
"IPDP9E0.txt"
]
}
}
```
{% endtab %}
{% tab title="204 Empty Response" %}
```
```
{% endtab %}
{% tab title="400 Fail" %}
```
{
"status": "error",
"error": Response from the URL / "Error msg"
}
```
{% endtab %}
{% tab title="502 Request Timeout" %}
```
{
"message": "Internal server error"
}
```
{% endtab %}
{% endtabs %}
{% tabs %}
{% tab title="cURL" %}
```bash
curl --location --request POST 'https://api.iocparser.com/text' \
--header 'Content-Type: application/json' \
--data-raw '{
"data": "#PowerShell_CobaltStrike_Beacon_Reverse_HTTP_x86 SHA256: 73f27d0736457997141cde9bbedfa5e7f5a3706282d1999e00f8b1629ee5797a C2: starpingisd[.]net:443"
}'
```
{% endtab %}
{% tab title="Python" %}
```python
import requests
url = "https://api.iocparser.com/text"
payload = {"data": "#PowerShell_CobaltStrike_Beacon_Reverse_HTTP_x86 SHA256: 73f27d0736457997141cde9bbedfa5e7f5a3706282d1999e00f8b1629ee5797a C2: starpingisd[.]net:443"}
headers = {
'Content-Type': 'application/json'
}
response = requests.request("POST", url, headers=headers, json=payload)
print(response.json())
```
{% endtab %}
{% tab title="Go" %}
```go
package main
import (
"fmt"
"strings"
"net/http"
"io/ioutil"
)
func main() {
url := "https://api.iocparser.com/text"
method := "POST"
payload := strings.NewReader("{\n \"data\": \"#PowerShell_CobaltStrike_Beacon_Reverse_HTTP_x86 SHA256: 73f27d0736457997141cde9bbedfa5e7f5a3706282d1999e00f8b1629ee5797a C2: starpingisd[.]net:443\"\n}")
client := &http.Client {
}
req, err := http.NewRequest(method, url, payload)
if err != nil {
fmt.Println(err)
}
req.Header.Add("Content-Type", "application/json")
res, err := client.Do(req)
defer res.Body.Close()
body, err := ioutil.ReadAll(res.Body)
fmt.Println(string(body))
}
```
{% endtab %}
{% tab title="Javascript" %}
```javascript
var myHeaders = new Headers();
myHeaders.append("Content-Type", "application/json");
var raw = JSON.stringify({"data":"#PowerShell_CobaltStrike_Beacon_Reverse_HTTP_x86 SHA256: 73f27d0736457997141cde9bbedfa5e7f5a3706282d1999e00f8b1629ee5797a C2: starpingisd[.]net:443"});
var requestOptions = {
method: 'POST',
headers: myHeaders,
body: raw,
redirect: 'follow'
};
fetch("https://api.iocparser.com/text", requestOptions)
.then(response => response.text())
.then(result => console.log(result))
.catch(error => console.log('error', error));
```
{% endtab %}
{% endtabs %}
## Parse IOCs from Twitter Profile
`POST` `https://api.iocparser.com/twitter`
The endpoint allows you to parse and extract Indicators of Compromise (IOCs) from Twitter Users. Defaults to last 500 tweets.\ **Active**
#### Headers
| Name | Type | Description |
| ------------ | ------ | ---------------- |
| Content-Type | string | application/json |
#### Request Body
| Name | Type | Description |
| -------------------------------------- | ------ | ----------------------------------------------------------- |
| keys | array | IOC Types to return
Example - \["IPv4", "DOMAIN"]
|
| data\* | string | Twitter Username |
{% tabs %}
{% tab title="200 Success" %}
```
{
"status": "success",
"meta": {
"name": "ScumBots",
"username": "scumbots",
"birthday": "1992",
"biography": "I drop dox on scumbag bots and RATs.",
"website": "",
"profile_photo": "https://pbs.twimg.com/profile_images/861231607965003778/6wIhObGE_400x400.jpg",
"likes_count": 15,
"tweets_count": 25193,
"followers_count": 3356,
"following_count": 3
},
"data": [{
"meta": {
"tweetId": "1265493522729271296",
"timestamp": "2020-05-27 04:02:22",
"tweet": "#njRat SHA256: b5c9e504c680d4d1eca7fc78736b505663d9cad9cfa161479a65c3f3ba48603e C2: 070809kdg[.]p-e[.]kr:5552",
"hashtags": [
"#njRat"
],
"urls": []
},
"data": {
"ASN": [],
"BITCOIN_ADDRESS": [],
"CVE": [],
"DOMAIN": [
"070809kdg.p-e.kr"
],
"EMAIL": [],
"FILE_HASH_MD5": [],
"FILE_HASH_SHA1": [],
"FILE_HASH_SHA256": [
"b5c9e504c680d4d1eca7fc78736b505663d9cad9cfa161479a65c3f3ba48603e"
],
"IPv4": [],
"IPv6": [],
"MITRE_ATT&CK": [],
"URL": [],
"YARA_RULE": [],
"MAC_ADDRESS": [],
"FILE_NAME": []
}
}]
}
```
{% endtab %}
{% tab title="400 Fail" %}
```
{
"status": "error",
"error": Response from the URL / "Error msg"
}
```
{% endtab %}
{% tab title="502 Request Timeout" %}
```
{
"message": "Internal server error"
}
```
{% endtab %}
{% endtabs %}
{% tabs %}
{% tab title="cURL" %}
```bash
curl --location --request POST 'https://api.iocparser.com/twitter' \
--header 'Content-Type: application/json' \
--data-raw '{
"data": "scumbots"
}'
```
{% endtab %}
{% tab title="Python" %}
```python
import requests
url = "https://api.iocparser.com/twitter"
payload = {"data": "scumbots"}
headers = {
'Content-Type': 'application/json'
}
response = requests.request("POST", url, headers=headers, json=payload)
print(response.json())
```
{% endtab %}
{% tab title="Go" %}
```go
package main
import (
"fmt"
"strings"
"net/http"
"io/ioutil"
)
func main() {
url := "https://api.iocparser.com/twitter"
method := "POST"
payload := strings.NewReader("{\n \"data\": \"scumbots\"\n}")
client := &http.Client {
}
req, err := http.NewRequest(method, url, payload)
if err != nil {
fmt.Println(err)
}
req.Header.Add("Content-Type", "application/json")
res, err := client.Do(req)
defer res.Body.Close()
body, err := ioutil.ReadAll(res.Body)
fmt.Println(string(body))
}
```
{% endtab %}
{% tab title="Javascript" %}
```javascript
var myHeaders = new Headers();
myHeaders.append("Content-Type", "application/json");
var raw = JSON.stringify({"data":"scumbots"});
var requestOptions = {
method: 'POST',
headers: myHeaders,
body: raw,
redirect: 'follow'
};
fetch("https://api.iocparser.com/twitter", requestOptions)
.then(response => response.text())
.then(result => console.log(result))
.catch(error => console.log('error', error));
```
{% endtab %}
{% endtabs %}
###
### Notes
* By setting the **"public"** parameter to False in /url API, your searches won't be used for Feed APIs. If you are comfortable with sharing your data to benefit everyone you can let it remain True.
* /text and /raw are private by default, which means no data for those requests are stored.
* By default IOC Parser will try to parse all of the IOCs available. To improve the speed of response, use the **"keys"** parameter when sending your API request. Example -
```
curl --location --request POST 'https://api.iocparser.com/url' \
--header 'Content-Type: application/json' \
--data '{
"url": "https://www.cybereason.com/blog/whos-hacking-the-hackers-no-honor-among-thieves",
"keys": ["IPv4"]
}'
```
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.iocparser.com/api-reference/parse-api.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.