Parse API

A collection of Parse APIs for extracting and parsing Indicators of Compromise (IOCs) from a variety of sources.

Parse IOCs from URL

POST https://api.iocparser.com/url

This endpoint allows you to parse and extract Indicators of Compromise (IOCs) from a URL.

Status: Active

Example response:

{
    "status": "success",
     "meta": {
        "title": "Who's Hacking the Hackers: No Honor Among Thieves",
        "description": "Cybereason Nocturnus is investigating a campaign where attackers are trojanizing multiple hacking tools with njRat, allowing the attackers to completely take over the victim’s machine.",
        "url": "https://www.cybereason.com/blog/whos-hacking-the-hackers-no-honor-among-thieves",
        "tags": []
    },
    "data": {
        "IPv4": [
            "165.227.217.146"
        ],
        "IPv6": [
        ],
        "URL": [
            "http://www.gstatic.com"
        ],
        "DOMAIN": [
            "lmlnzwlwgn.com"
        ],
        "FILE_HASH_MD5": [
            "C2405709A54EC95CDDCC5C598F34081C"
        ],
        "FILE_HASH_SHA1": [
            "04F453E614B75F818C01D1BD88F5825B98B68E3C"
        ],
        "FILE_HASH_SHA256": [
            "55028eeed2cea3fcfea987c1dc9f63a3a509a520882937c8ed2d758ac8dc9e42"
        ],
        "EMAIL": [],
        "CVE": [
            "CVE-2019-0708"
        ],
        "YARA_RULE": [],
        "MITRE_ATT&CK": [
            "TA0002"
        ],
        "FILE_NAME": [
            "IPDP9E0.txt"
        ]
    }
}

Example request:

curl --location --request POST 'https://api.iocparser.com/url' \
--header 'Content-Type: application/json' \
--data '{
	"url": "https://pastebin.com/iMzrRXbJ"
}'

Parse IOCs from Raw String

POST https://api.iocparser.com/raw

This endpoint allows you to parse and extract Indicators of Compromise (IOCs) from Raw Text. The body size is limited to 200KB.

Status: Active

Example response:

{
    "status": "success",
     "meta": {
        "title": "Who's Hacking the Hackers: No Honor Among Thieves",
        "description": "Cybereason Nocturnus is investigating a campaign where attackers are trojanizing multiple hacking tools with njRat, allowing the attackers to completely take over the victim’s machine.",
        "url": "https://www.cybereason.com/blog/whos-hacking-the-hackers-no-honor-among-thieves",
        "tags": []
    },
    "data": {
        "IPv4": [
            "165.227.217.146"
        ],
        "IPv6": [
        ],
        "URL": [
            "http://www.gstatic.com"
        ],
        "DOMAIN": [
            "lmlnzwlwgn.com"
        ],
        "FILE_HASH_MD5": [
            "C2405709A54EC95CDDCC5C598F34081C"
        ],
        "FILE_HASH_SHA1": [
            "04F453E614B75F818C01D1BD88F5825B98B68E3C"
        ],
        "FILE_HASH_SHA256": [
            "55028eeed2cea3fcfea987c1dc9f63a3a509a520882937c8ed2d758ac8dc9e42"
        ],
        "EMAIL": [],
        "CVE": [
            "CVE-2019-0708"
        ],
        "YARA_RULE": [],
        "MITRE_ATT&CK": [
            "TA0002"
        ],
        "FILE_NAME": [
            "IPDP9E0.txt"
        ]
    }
}

Example request:

curl --location --request POST 'https://api.iocparser.com/raw' \
--header 'Content-Type: text/plain' \
--data-raw '#PowerShell_CobaltStrike_Beacon_Reverse_HTTP_x86 SHA256: 73f27d0736457997141cde9bbedfa5e7f5a3706282d1999e00f8b1629ee5797a C2: starpingisd[.]net:443'

Parse IOCs from JSON String

POST https://api.iocparser.com/text

This endpoint allows you to parse and extract Indicators of Compromise (IOCs) from JSON Text. (The body size is limited to 200KB).

Status: Active

Example response:

{
    "status": "success",
     "meta": {
        "title": "Who's Hacking the Hackers: No Honor Among Thieves",
        "description": "Cybereason Nocturnus is investigating a campaign where attackers are trojanizing multiple hacking tools with njRat, allowing the attackers to completely take over the victim’s machine.",
        "url": "https://www.cybereason.com/blog/whos-hacking-the-hackers-no-honor-among-thieves",
        "tags": []
    },
    "data": {
        "IPv4": [
            "165.227.217.146"
        ],
        "IPv6": [
        ],
        "URL": [
            "http://www.gstatic.com"
        ],
        "DOMAIN": [
            "lmlnzwlwgn.com"
        ],
        "FILE_HASH_MD5": [
            "C2405709A54EC95CDDCC5C598F34081C"
        ],
        "FILE_HASH_SHA1": [
            "04F453E614B75F818C01D1BD88F5825B98B68E3C"
        ],
        "FILE_HASH_SHA256": [
            "55028eeed2cea3fcfea987c1dc9f63a3a509a520882937c8ed2d758ac8dc9e42"
        ],
        "EMAIL": [],
        "CVE": [
            "CVE-2019-0708"
        ],
        "YARA_RULE": [],
        "MITRE_ATT&CK": [
            "TA0002"
        ],
        "FILE_NAME": [
            "IPDP9E0.txt"
        ]
    }
}

Example request:

curl --location --request POST 'https://api.iocparser.com/text' \
--header 'Content-Type: application/json' \
--data-raw '{
	"data": "#PowerShell_CobaltStrike_Beacon_Reverse_HTTP_x86 SHA256: 73f27d0736457997141cde9bbedfa5e7f5a3706282d1999e00f8b1629ee5797a C2: starpingisd[.]net:443"
}'

Parse IOCs from Twitter Profile

POST https://api.iocparser.com/twitter

This endpoint allows you to parse and extract Indicators of Compromise (IOCs) from Twitter Users. Defaults to the last 500 tweets.

Status: Active

Example response:

{
	"status": "success",
	"meta": {
		"name": "ScumBots",
		"username": "scumbots",
		"birthday": "1992",
		"biography": "I drop dox on scumbag bots and RATs.",
		"website": "",
		"profile_photo": "https://pbs.twimg.com/profile_images/861231607965003778/6wIhObGE_400x400.jpg",
		"likes_count": 15,
		"tweets_count": 25193,
		"followers_count": 3356,
		"following_count": 3
	},
	"data": [{
		"meta": {
			"tweetId": "1265493522729271296",
			"timestamp": "2020-05-27 04:02:22",
			"tweet": "#njRat SHA256: b5c9e504c680d4d1eca7fc78736b505663d9cad9cfa161479a65c3f3ba48603e C2: 070809kdg[.]p-e[.]kr:5552",
			"hashtags": [
				"#njRat"
			],
			"urls": []
		},
		"data": {
			"ASN": [],
			"BITCOIN_ADDRESS": [],
			"CVE": [],
			"DOMAIN": [
				"070809kdg.p-e.kr"
			],
			"EMAIL": [],
			"FILE_HASH_MD5": [],
			"FILE_HASH_SHA1": [],
			"FILE_HASH_SHA256": [
				"b5c9e504c680d4d1eca7fc78736b505663d9cad9cfa161479a65c3f3ba48603e"
			],
			"IPv4": [],
			"IPv6": [],
			"MITRE_ATT&CK": [],
			"URL": [],
			"YARA_RULE": [],
			"MAC_ADDRESS": [],
			"FILE_NAME": []
		}
	}]
}

Example request:

curl --location --request POST 'https://api.iocparser.com/twitter' \
--header 'Content-Type: application/json' \
--data-raw '{
	"data": "scumbots"
}'
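
The /url, /raw and /text responses above carry one flat "data" object, while /twitter returns a list with one "data" object per tweet. The Python below is an added example, not part of the IOC Parser documentation: it folds either shape into a de-duplicated indicator map that records where each value was seen. The function names and the second sample tweet are constructed for illustration.

```python
import re

# Digest lengths (hex chars) for the hash keys in the sample responses above.
HASH_LEN = {"FILE_HASH_MD5": 32, "FILE_HASH_SHA1": 40, "FILE_HASH_SHA256": 64}
HEX = re.compile(r"[0-9a-f]+")

def buckets(resp):
    """Yield (source, ioc_dict) for both response shapes shown on this page."""
    data = resp.get("data")
    if isinstance(data, dict):        # /url, /raw, /text: one flat dict of lists
        yield resp.get("meta", {}).get("url", ""), data
    elif isinstance(data, list):      # /twitter: one {"meta", "data"} entry per tweet
        for item in data:
            yield item.get("meta", {}).get("tweetId", ""), item.get("data", {})

def flatten(resp):
    """Map (type, value) -> list of sources; hashes are lower-cased and validated."""
    if resp.get("status") != "success":
        raise ValueError(f"unexpected status: {resp.get('status')!r}")
    out = {}
    for source, iocs in buckets(resp):
        for kind, values in iocs.items():
            for value in values:
                if kind in HASH_LEN:
                    value = value.lower()
                    if len(value) != HASH_LEN[kind] or not HEX.fullmatch(value):
                        continue      # not a well-formed digest: keep it out of blocklists
                elif kind == "DOMAIN":
                    value = value.lower().rstrip(".")
                sources = out.setdefault((kind, value), [])
                if source not in sources:
                    sources.append(source)
    return out

# Constructed sample in the /twitter shape. The first entry reuses values from the
# response above; the second tweet id and its truncated hash are made up.
SHA256 = "b5c9e504c680d4d1eca7fc78736b505663d9cad9cfa161479a65c3f3ba48603e"
SAMPLE = {"status": "success", "meta": {"username": "scumbots"}, "data": [
    {"meta": {"tweetId": "1265493522729271296"},
     "data": {"DOMAIN": ["070809kdg.p-e.kr"], "FILE_HASH_SHA256": [SHA256], "IPv4": []}},
    {"meta": {"tweetId": "0000000000000000001"},
     "data": {"DOMAIN": ["070809KDG.p-e.kr"], "FILE_HASH_SHA256": ["b5c9e504c680"]}},
]}

if __name__ == "__main__":
    for (kind, value), sources in sorted(flatten(SAMPLE).items()):
        print(kind, value, ",".join(sources))
```

Length-checking the hash buckets before the values reach a blocklist or SIEM lookup guards against truncated or mis-bucketed strings in the parsed text.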

Notes

  • By setting the "public" parameter to False in the /url API, your searches won't be used for Feed APIs. If you are comfortable sharing your data to benefit everyone, you can let it remain True.

  • /text and /raw are private by default, which means no data for those requests is stored.

  • By default, IOC Parser will try to parse all of the IOCs available. To improve the speed of the response, use the "keys" parameter when sending your API request. Example:

    curl --location --request POST 'https://api.iocparser.com/url' \
    --header 'Content-Type: application/json' \
    --data '{
    	"url": "https://www.cybereason.com/blog/whos-hacking-the-hackers-no-honor-among-thieves",
    	"keys": ["IPv4"]
    }' 
