# Parse API
## Parse IOCs from URL
`POST` `https://api.iocparser.com/url`
This endpoint allows you to parse and extract Indicators of Compromise (IOCs) from a URL.\ **Active**
#### Headers
| Name | Type | Description |
| ------------ | ------ | ---------------- |
| Content-Type | string | application/json |
#### Request Body
| Name | Type | Description |
| ------------------------------------- | ------- | --------------------------------------------------------------------------------------------------------- |
| public | boolean | If False, the data won't be used for any other APIs. **By default value set to True, please check notes** |
| keys | array | IOC types to return
Example - \["IPv4", "DOMAIN"]
|
| url\* | string | Valid URL |
{% tabs %}
{% tab title="200 Success" %}
```
{
"status": "success",
"meta": {
"title": "Who's Hacking the Hackers: No Honor Among Thieves",
"description": "Cybereason Nocturnus is investigating a campaign where attackers are trojanizing multiple hacking tools with njRat, allowing the attackers to completely take over the victim’s machine.",
"url": "https://www.cybereason.com/blog/whos-hacking-the-hackers-no-honor-among-thieves",
"tags": []
},
"data": {
"IPv4": [
"165.227.217.146"
],
"IPv6": [
],
"URL": [
"http://www.gstatic.com"
],
"DOMAIN": [
"lmlnzwlwgn.com"
],
"FILE_HASH_MD5": [
"C2405709A54EC95CDDCC5C598F34081C"
],
"FILE_HASH_SHA1": [
"04F453E614B75F818C01D1BD88F5825B98B68E3C"
],
"FILE_HASH_SHA256": [
"55028eeed2cea3fcfea987c1dc9f63a3a509a520882937c8ed2d758ac8dc9e42"
],
"EMAIL": [],
"CVE": [
"CVE-2019-0708"
],
"YARA_RULE": [],
"MITRE_ATT&CK": [
"TA0002"
],
"FILE_NAME": [
"IPDP9E0.txt"
]
}
}
```
{% endtab %}
{% tab title="204 Empty response" %}
```
```
{% endtab %}
{% tab title="400 Fail" %}
```
{
"status": "error",
"error": Response from the URL / "Error msg"
}
```
{% endtab %}
{% tab title="502 Request Timeout" %}
```
{
"message": "Internal server error"
}
```
{% endtab %}
{% endtabs %}
{% tabs %}
{% tab title="cURL" %}
```bash
curl --location --request POST 'https://api.iocparser.com/url' \
--header 'Content-Type: application/json' \
--data '{
"url": "https://pastebin.com/iMzrRXbJ"
}'
```
{% endtab %}
{% tab title="Python" %}
```python
import requests
url = "https://api.iocparser.com/url"
payload = {"url": "https://www.crowdstrike.com/blog/sidoh-wizard-spiders-mysterious-exfiltration-tool/"}
headers = {
'Content-Type': 'application/json'
}
response = requests.request("POST", url, headers=headers, json=payload)
print(response.json())
```
{% endtab %}
{% tab title="Go" %}
```go
package main
import (
"fmt"
"strings"
"net/http"
"io/ioutil"
)
func main() {
url := "https://api.iocparser.com/url"
method := "POST"
payload := strings.NewReader("{\n \"url\": \"https://pastebin.com/iMzrRXbJ\"\n}")
client := &http.Client {
}
req, err := http.NewRequest(method, url, payload)
if err != nil {
fmt.Println(err)
}
req.Header.Add("Content-Type", "application/json")
res, err := client.Do(req)
defer res.Body.Close()
body, err := ioutil.ReadAll(res.Body)
fmt.Println(string(body))
}
```
{% endtab %}
{% tab title="Javascript" %}
```javascript
var myHeaders = new Headers();
myHeaders.append("Content-Type", "application/json");
var raw = JSON.stringify({"url":"https://pastebin.com/iMzrRXbJ"});
var requestOptions = {
method: 'POST',
headers: myHeaders,
body: raw,
redirect: 'follow'
};
fetch("https://api.iocparser.com/url", requestOptions)
.then(response => response.text())
.then(result => console.log(result))
.catch(error => console.log('error', error));
```
{% endtab %}
{% endtabs %}
## Parse IOCs from Raw String
`POST` `https://api.iocparser.com/raw`
This endpoint allows you to parse and extract Indicators of Compromise (IOCs) from Raw Text. The body size is limited to 200KB.\ **Active**
#### Headers
| Name | Type | Description |
| ------------ | ------ | ----------- |
| Content-Type | string | text/plain |
#### Request Body
| Name | Type | Description |
| -------------------------------------- | ------ | -------------- |
| data\* | string | Valid Raw Text |
{% tabs %}
{% tab title="200 Success" %}
```
{
"status": "success",
"meta": {
"title": "Who's Hacking the Hackers: No Honor Among Thieves",
"description": "Cybereason Nocturnus is investigating a campaign where attackers are trojanizing multiple hacking tools with njRat, allowing the attackers to completely take over the victim’s machine.",
"url": "https://www.cybereason.com/blog/whos-hacking-the-hackers-no-honor-among-thieves",
"tags": []
},
"data": {
"IPv4": [
"165.227.217.146"
],
"IPv6": [
],
"URL": [
"http://www.gstatic.com"
],
"DOMAIN": [
"lmlnzwlwgn.com"
],
"FILE_HASH_MD5": [
"C2405709A54EC95CDDCC5C598F34081C"
],
"FILE_HASH_SHA1": [
"04F453E614B75F818C01D1BD88F5825B98B68E3C"
],
"FILE_HASH_SHA256": [
"55028eeed2cea3fcfea987c1dc9f63a3a509a520882937c8ed2d758ac8dc9e42"
],
"EMAIL": [],
"CVE": [
"CVE-2019-0708"
],
"YARA_RULE": [],
"MITRE_ATT&CK": [
"TA0002"
],
"FILE_NAME": [
"IPDP9E0.txt"
]
}
}
```
{% endtab %}
{% tab title="204 Empty Response" %}
```
```
{% endtab %}
{% tab title="400 Fail" %}
```
{
"status": "error",
"error": Response from the URL / "Error msg"
}
```
{% endtab %}
{% tab title="502 Request Timeout" %}
```
{
"message": "Internal server error"
}
```
{% endtab %}
{% endtabs %}
{% tabs %}
{% tab title="cURL" %}
```bash
curl --location --request POST 'https://api.iocparser.com/text' \
--header 'Content-Type: text/plain' \
--data-raw '#PowerShell_CobaltStrike_Beacon_Reverse_HTTP_x86 SHA256: 73f27d0736457997141cde9bbedfa5e7f5a3706282d1999e00f8b1629ee5797a C2: starpingisd[.]net:443"'
```
{% endtab %}
{% tab title="Python" %}
```python
import requests
url = "https://api.iocparser.com/raw"
payload = "#PowerShell_CobaltStrike_Beacon_Reverse_HTTP_x86 SHA256: 73f27d0736457997141cde9bbedfa5e7f5a3706282d1999e00f8b1629ee5797a C2: starpingisd[.]net:443\""
headers = {
'Content-Type': 'text/plain'
}
response = requests.request("POST", url, headers=headers, data=payload)
print(response.json())
```
{% endtab %}
{% tab title="Go" %}
```go
package main
import (
"fmt"
"strings"
"net/http"
"io/ioutil"
)
func main() {
url := "https://api.iocparser.com/text"
method := "POST"
payload := strings.NewReader("#PowerShell_CobaltStrike_Beacon_Reverse_HTTP_x86 SHA256: 73f27d0736457997141cde9bbedfa5e7f5a3706282d1999e00f8b1629ee5797a C2: starpingisd[.]net:443\"")
client := &http.Client {
}
req, err := http.NewRequest(method, url, payload)
if err != nil {
fmt.Println(err)
}
req.Header.Add("Content-Type", "text/plain")
res, err := client.Do(req)
defer res.Body.Close()
body, err := ioutil.ReadAll(res.Body)
fmt.Println(string(body))
}
```
{% endtab %}
{% tab title="Javascript" %}
```javascript
var myHeaders = new Headers();
myHeaders.append("Content-Type", "text/plain");
var raw = "#PowerShell_CobaltStrike_Beacon_Reverse_HTTP_x86 SHA256: 73f27d0736457997141cde9bbedfa5e7f5a3706282d1999e00f8b1629ee5797a C2: starpingisd[.]net:443\"";
var requestOptions = {
method: 'POST',
headers: myHeaders,
body: raw,
redirect: 'follow'
};
fetch("https://api.iocparser.com/text", requestOptions)
.then(response => response.text())
.then(result => console.log(result))
.catch(error => console.log('error', error));
```
{% endtab %}
{% endtabs %}
## Parse IOCs from JSON String
`POST` `https://api.iocparser.com/text`
This endpoint allows you to parse and extract Indicators of Compromise (IOCs) from JSON Text. (The body size is limited to 200KB).\ **Active**
#### Headers
| Name | Type | Description |
| ------------ | ------ | ---------------- |
| Content-Type | string | application/json |
#### Request Body
| Name | Type | Description |
| -------------------------------------- | ------ | ----------------------------------------------------------- |
| data\* | string | Valid JSON Text |
| keys | array | IOC types to return
Example - \["IPv4", "DOMAIN"]
|
{% tabs %}
{% tab title="200 Success" %}
```
{
"status": "success",
"meta": {
"title": "Who's Hacking the Hackers: No Honor Among Thieves",
"description": "Cybereason Nocturnus is investigating a campaign where attackers are trojanizing multiple hacking tools with njRat, allowing the attackers to completely take over the victim’s machine.",
"url": "https://www.cybereason.com/blog/whos-hacking-the-hackers-no-honor-among-thieves",
"tags": []
},
"data": {
"IPv4": [
"165.227.217.146"
],
"IPv6": [
],
"URL": [
"http://www.gstatic.com"
],
"DOMAIN": [
"lmlnzwlwgn.com"
],
"FILE_HASH_MD5": [
"C2405709A54EC95CDDCC5C598F34081C"
],
"FILE_HASH_SHA1": [
"04F453E614B75F818C01D1BD88F5825B98B68E3C"
],
"FILE_HASH_SHA256": [
"55028eeed2cea3fcfea987c1dc9f63a3a509a520882937c8ed2d758ac8dc9e42"
],
"EMAIL": [],
"CVE": [
"CVE-2019-0708"
],
"YARA_RULE": [],
"MITRE_ATT&CK": [
"TA0002"
],
"FILE_NAME": [
"IPDP9E0.txt"
]
}
}
```
{% endtab %}
{% tab title="204 Empty Response" %}
```
```
{% endtab %}
{% tab title="400 Fail" %}
```
{
"status": "error",
"error": Response from the URL / "Error msg"
}
```
{% endtab %}
{% tab title="502 Request Timeout" %}
```
{
"message": "Internal server error"
}
```
{% endtab %}
{% endtabs %}
{% tabs %}
{% tab title="cURL" %}
```bash
curl --location --request POST 'https://api.iocparser.com/text' \
--header 'Content-Type: application/json' \
--data-raw '{
"data": "#PowerShell_CobaltStrike_Beacon_Reverse_HTTP_x86 SHA256: 73f27d0736457997141cde9bbedfa5e7f5a3706282d1999e00f8b1629ee5797a C2: starpingisd[.]net:443"
}'
```
{% endtab %}
{% tab title="Python" %}
```python
import requests
url = "https://api.iocparser.com/text"
payload = {"data": "#PowerShell_CobaltStrike_Beacon_Reverse_HTTP_x86 SHA256: 73f27d0736457997141cde9bbedfa5e7f5a3706282d1999e00f8b1629ee5797a C2: starpingisd[.]net:443"}
headers = {
'Content-Type': 'application/json'
}
response = requests.request("POST", url, headers=headers, json=payload)
print(response.json())
```
{% endtab %}
{% tab title="Go" %}
```go
package main
import (
"fmt"
"strings"
"net/http"
"io/ioutil"
)
func main() {
url := "https://api.iocparser.com/text"
method := "POST"
payload := strings.NewReader("{\n \"data\": \"#PowerShell_CobaltStrike_Beacon_Reverse_HTTP_x86 SHA256: 73f27d0736457997141cde9bbedfa5e7f5a3706282d1999e00f8b1629ee5797a C2: starpingisd[.]net:443\"\n}")
client := &http.Client {
}
req, err := http.NewRequest(method, url, payload)
if err != nil {
fmt.Println(err)
}
req.Header.Add("Content-Type", "application/json")
res, err := client.Do(req)
defer res.Body.Close()
body, err := ioutil.ReadAll(res.Body)
fmt.Println(string(body))
}
```
{% endtab %}
{% tab title="Javascript" %}
```javascript
var myHeaders = new Headers();
myHeaders.append("Content-Type", "application/json");
var raw = JSON.stringify({"data":"#PowerShell_CobaltStrike_Beacon_Reverse_HTTP_x86 SHA256: 73f27d0736457997141cde9bbedfa5e7f5a3706282d1999e00f8b1629ee5797a C2: starpingisd[.]net:443"});
var requestOptions = {
method: 'POST',
headers: myHeaders,
body: raw,
redirect: 'follow'
};
fetch("https://api.iocparser.com/text", requestOptions)
.then(response => response.text())
.then(result => console.log(result))
.catch(error => console.log('error', error));
```
{% endtab %}
{% endtabs %}
## Parse IOCs from Twitter Profile
`POST` `https://api.iocparser.com/twitter`
The endpoint allows you to parse and extract Indicators of Compromise (IOCs) from Twitter Users. Defaults to last 500 tweets.\ **Active**
#### Headers
| Name | Type | Description |
| ------------ | ------ | ---------------- |
| Content-Type | string | application/json |
#### Request Body
| Name | Type | Description |
| -------------------------------------- | ------ | ----------------------------------------------------------- |
| keys | array | IOC Types to return
Example - \["IPv4", "DOMAIN"]
|
| data\* | string | Twitter Username |
{% tabs %}
{% tab title="200 Success" %}
```
{
"status": "success",
"meta": {
"name": "ScumBots",
"username": "scumbots",
"birthday": "1992",
"biography": "I drop dox on scumbag bots and RATs.",
"website": "",
"profile_photo": "https://pbs.twimg.com/profile_images/861231607965003778/6wIhObGE_400x400.jpg",
"likes_count": 15,
"tweets_count": 25193,
"followers_count": 3356,
"following_count": 3
},
"data": [{
"meta": {
"tweetId": "1265493522729271296",
"timestamp": "2020-05-27 04:02:22",
"tweet": "#njRat SHA256: b5c9e504c680d4d1eca7fc78736b505663d9cad9cfa161479a65c3f3ba48603e C2: 070809kdg[.]p-e[.]kr:5552",
"hashtags": [
"#njRat"
],
"urls": []
},
"data": {
"ASN": [],
"BITCOIN_ADDRESS": [],
"CVE": [],
"DOMAIN": [
"070809kdg.p-e.kr"
],
"EMAIL": [],
"FILE_HASH_MD5": [],
"FILE_HASH_SHA1": [],
"FILE_HASH_SHA256": [
"b5c9e504c680d4d1eca7fc78736b505663d9cad9cfa161479a65c3f3ba48603e"
],
"IPv4": [],
"IPv6": [],
"MITRE_ATT&CK": [],
"URL": [],
"YARA_RULE": [],
"MAC_ADDRESS": [],
"FILE_NAME": []
}
}]
}
```
{% endtab %}
{% tab title="400 Fail" %}
```
{
"status": "error",
"error": Response from the URL / "Error msg"
}
```
{% endtab %}
{% tab title="502 Request Timeout" %}
```
{
"message": "Internal server error"
}
```
{% endtab %}
{% endtabs %}
{% tabs %}
{% tab title="cURL" %}
```bash
curl --location --request POST 'https://api.iocparser.com/twitter' \
--header 'Content-Type: application/json' \
--data-raw '{
"data": "scumbots"
}'
```
{% endtab %}
{% tab title="Python" %}
```python
import requests
url = "https://api.iocparser.com/twitter"
payload = {"data": "scumbots"}
headers = {
'Content-Type': 'application/json'
}
response = requests.request("POST", url, headers=headers, json=payload)
print(response.json())
```
{% endtab %}
{% tab title="Go" %}
```go
package main
import (
"fmt"
"strings"
"net/http"
"io/ioutil"
)
func main() {
url := "https://api.iocparser.com/twitter"
method := "POST"
payload := strings.NewReader("{\n \"data\": \"scumbots\"\n}")
client := &http.Client {
}
req, err := http.NewRequest(method, url, payload)
if err != nil {
fmt.Println(err)
}
req.Header.Add("Content-Type", "application/json")
res, err := client.Do(req)
defer res.Body.Close()
body, err := ioutil.ReadAll(res.Body)
fmt.Println(string(body))
}
```
{% endtab %}
{% tab title="Javascript" %}
```javascript
var myHeaders = new Headers();
myHeaders.append("Content-Type", "application/json");
var raw = JSON.stringify({"data":"scumbots"});
var requestOptions = {
method: 'POST',
headers: myHeaders,
body: raw,
redirect: 'follow'
};
fetch("https://api.iocparser.com/twitter", requestOptions)
.then(response => response.text())
.then(result => console.log(result))
.catch(error => console.log('error', error));
```
{% endtab %}
{% endtabs %}
###
### Notes
* By setting the **"public"** parameter to False in /url API, your searches won't be used for Feed APIs. If you are comfortable with sharing your data to benefit everyone you can let it remain True.
* /text and /raw are private by default, which means no data for those requests are stored.
* By default IOC Parser will try to parse all of the IOCs available. To improve the speed of response, use the **"keys"** parameter when sending your API request. Example -
```
curl --location --request POST 'https://api.iocparser.com/url' \
--header 'Content-Type: application/json' \
--data '{
"url": "https://www.cybereason.com/blog/whos-hacking-the-hackers-no-honor-among-thieves",
"keys": ["IPv4"]
}'
```