Parse API

A collection of Parse APIs for extracting and parsing Indicators of Compromise (IOCs) from a variety of sources.

post
Parse IOCs from URL

https://api.iocparser.com/url
This endpoint allows you to parse and extract Indicators of Compromise (IOCs) from a URL.
Request
Headers
Content-Type
optional
string
application/json
Body Parameters
public
optional
boolean
If False, the submitted data won't be used for any other APIs. The default value is True; see the Notes section.
keys
optional
array
IOC types to return Example - ["IPv4", "DOMAIN"]
url
required
string
Valid URL
Response
200: OK
Success
{
"status": "success",
"meta": {
"title": "Who's Hacking the Hackers: No Honor Among Thieves",
"description": "Cybereason Nocturnus is investigating a campaign where attackers are trojanizing multiple hacking tools with njRat, allowing the attackers to completely take over the victim’s machine.",
"url": "https://www.cybereason.com/blog/whos-hacking-the-hackers-no-honor-among-thieves",
"tags": []
},
"data": {
"IPv4": [
"165.227.217.146"
],
"IPv6": [
],
"URL": [
"http://www.gstatic.com"
],
"DOMAIN": [
"lmlnzwlwgn.com"
],
"FILE_HASH_MD5": [
"C2405709A54EC95CDDCC5C598F34081C"
],
"FILE_HASH_SHA1": [
"04F453E614B75F818C01D1BD88F5825B98B68E3C"
],
"FILE_HASH_SHA256": [
"55028eeed2cea3fcfea987c1dc9f63a3a509a520882937c8ed2d758ac8dc9e42"
],
"EMAIL": [],
"CVE": [
"CVE-2019-0708"
],
"YARA_RULE": [],
"MITRE_ATT&CK": [
"TA0002"
],
"FILE_NAME": [
"IPDP9E0.txt"
]
}
}
204: No Content
Empty response
400: Bad Request
Fail
{
"status": "error",
"error": Response from the URL / "Error msg"
}
502: Bad Gateway
Request Timeout
{
"message": "Internal server error"
}
cURL
# POST a page URL to /url; the JSON reply lists the IOCs found on that page.
# Submissions to /url are shared with the Feed APIs unless the body also
# carries "public": false (see Notes).
curl -L -X POST 'https://api.iocparser.com/url' \
  -H 'Content-Type: application/json' \
  -d '{
"url": "https://pastebin.com/iMzrRXbJ"
}'
Python
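import requests

# Endpoint that takes a page URL and returns the IOCs found on that page.
url = "https://api.iocparser.com/url"

# Submissions to /url are shared with the Feed APIs by default; add
# "public": False to this dict to opt out (see Notes).
payload = {"url": "https://pastebin.com/iMzrRXbJ"}

# json= serialises the dict and sets Content-Type: application/json, so the
# body is never escaped by hand. The timeout stops the script from blocking
# forever when the service does not answer.
response = requests.post(url, json=payload, timeout=30)

# A 204 reply has an empty body and 400/502 carry an error document, so show
# the status code next to the body.
print(response.status_code)
print(response.text)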
Go
package main
import (
"fmt"
"strings"
"net/http"
"io/ioutil"
)
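// main posts a page URL to the IOC Parser /url endpoint and prints the
// response status and body.
func main() {
	url := "https://api.iocparser.com/url"
	method := "POST"

	// Submissions to /url are shared with the Feed APIs by default; add
	// "public": false to the body to opt out (see Notes).
	payload := strings.NewReader("{\n \"url\": \"https://pastebin.com/iMzrRXbJ\"\n}")

	// NOTE(review): the zero-value client has no timeout; set
	// http.Client.Timeout (needs the "time" import) outside of a demo.
	client := &http.Client{}

	req, err := http.NewRequest(method, url, payload)
	if err != nil {
		fmt.Println(err)
		return
	}
	req.Header.Add("Content-Type", "application/json")

	res, err := client.Do(req)
	if err != nil {
		// res is nil when the request fails, so stop before touching res.Body.
		fmt.Println(err)
		return
	}
	defer res.Body.Close()

	body, err := ioutil.ReadAll(res.Body)
	if err != nil {
		fmt.Println(err)
		return
	}

	// A 204 reply has an empty body; the status line tells it apart from an
	// error reply.
	fmt.Println(res.Status)
	fmt.Println(string(body))
}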
Javascript
// POST a page URL to /url and log the raw reply.
// Submissions to /url are shared with the Feed APIs unless the body also
// carries "public": false (see Notes).
const endpoint = "https://api.iocparser.com/url";
const requestBody = JSON.stringify({"url":"https://pastebin.com/iMzrRXbJ"});

const requestHeaders = new Headers();
requestHeaders.append("Content-Type", "application/json");

fetch(endpoint, {
  method: 'POST',
  headers: requestHeaders,
  body: requestBody,
  redirect: 'follow'
})
  .then((response) => response.text())
  .then((bodyText) => console.log(bodyText))
  .catch((err) => console.log('error', err));

post
Parse IOCs from Text

https://api.iocparser.com/text
This endpoint allows you to parse and extract Indicators of Compromise (IOCs) from Text data. (The body size is limited to 200KB)
Request
Headers
Content-Type
optional
string
application/json
Body Parameters
data
required
string
Valid JSON Text Data
keys
optional
array
IOC types to return Example - ["IPv4", "DOMAIN"]
Response
200: OK
Success
{
"status": "success",
"meta": {
"title": "Who's Hacking the Hackers: No Honor Among Thieves",
"description": "Cybereason Nocturnus is investigating a campaign where attackers are trojanizing multiple hacking tools with njRat, allowing the attackers to completely take over the victim’s machine.",
"url": "https://www.cybereason.com/blog/whos-hacking-the-hackers-no-honor-among-thieves",
"tags": []
},
"data": {
"IPv4": [
"165.227.217.146"
],
"IPv6": [
],
"URL": [
"http://www.gstatic.com"
],
"DOMAIN": [
"lmlnzwlwgn.com"
],
"FILE_HASH_MD5": [
"C2405709A54EC95CDDCC5C598F34081C"
],
"FILE_HASH_SHA1": [
"04F453E614B75F818C01D1BD88F5825B98B68E3C"
],
"FILE_HASH_SHA256": [
"55028eeed2cea3fcfea987c1dc9f63a3a509a520882937c8ed2d758ac8dc9e42"
],
"EMAIL": [],
"CVE": [
"CVE-2019-0708"
],
"YARA_RULE": [],
"MITRE_ATT&CK": [
"TA0002"
],
"FILE_NAME": [
"IPDP9E0.txt"
]
}
}
204: No Content
Empty Response
400: Bad Request
Fail
{
"status": "error",
"error": Response from the URL / "Error msg"
}
502: Bad Gateway
Request Timeout
{
"message": "Internal server error"
}
cURL
# POST free text, wrapped in a JSON "data" field, to /text.
# The request body is limited to 200KB.
curl -L -X POST 'https://api.iocparser.com/text' \
  -H 'Content-Type: application/json' \
  --data-raw '{
"data": "#PowerShell_CobaltStrike_Beacon_Reverse_HTTP_x86 SHA256: 73f27d0736457997141cde9bbedfa5e7f5a3706282d1999e00f8b1629ee5797a C2: starpingisd[.]net:443"
}'
Python
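import requests

# Endpoint that extracts IOCs from text carried in a JSON "data" field.
# The request body is limited to 200KB.
url = "https://api.iocparser.com/text"

payload = {
    "data": "#PowerShell_CobaltStrike_Beacon_Reverse_HTTP_x86 SHA256: 73f27d0736457997141cde9bbedfa5e7f5a3706282d1999e00f8b1629ee5797a C2: starpingisd[.]net:443"
}

# json= serialises the dict and sets Content-Type: application/json, so quotes
# or newlines in the text cannot break the body. The timeout stops the script
# from blocking forever when the service does not answer.
response = requests.post(url, json=payload, timeout=30)

# A 204 reply has an empty body and 400/502 carry an error document, so show
# the status code next to the body.
print(response.status_code)
print(response.text)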
Go
package main
import (
"fmt"
"strings"
"net/http"
"io/ioutil"
)
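// main posts a JSON-wrapped text sample to the IOC Parser /text endpoint and
// prints the response status and body. The request body is limited to 200KB.
func main() {
	url := "https://api.iocparser.com/text"
	method := "POST"
	payload := strings.NewReader("{\n \"data\": \"#PowerShell_CobaltStrike_Beacon_Reverse_HTTP_x86 SHA256: 73f27d0736457997141cde9bbedfa5e7f5a3706282d1999e00f8b1629ee5797a C2: starpingisd[.]net:443\"\n}")

	// NOTE(review): the zero-value client has no timeout; set
	// http.Client.Timeout (needs the "time" import) outside of a demo.
	client := &http.Client{}

	req, err := http.NewRequest(method, url, payload)
	if err != nil {
		fmt.Println(err)
		return
	}
	req.Header.Add("Content-Type", "application/json")

	res, err := client.Do(req)
	if err != nil {
		// res is nil when the request fails, so stop before touching res.Body.
		fmt.Println(err)
		return
	}
	defer res.Body.Close()

	body, err := ioutil.ReadAll(res.Body)
	if err != nil {
		fmt.Println(err)
		return
	}

	// A 204 reply has an empty body; the status line tells it apart from an
	// error reply.
	fmt.Println(res.Status)
	fmt.Println(string(body))
}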
Javascript
// POST free text, wrapped in a JSON "data" field, to /text and log the raw
// reply. The request body is limited to 200KB.
const endpoint = "https://api.iocparser.com/text";
const requestBody = JSON.stringify({"data":"#PowerShell_CobaltStrike_Beacon_Reverse_HTTP_x86 SHA256: 73f27d0736457997141cde9bbedfa5e7f5a3706282d1999e00f8b1629ee5797a C2: starpingisd[.]net:443"});

const requestHeaders = new Headers();
requestHeaders.append("Content-Type", "application/json");

fetch(endpoint, {
  method: 'POST',
  headers: requestHeaders,
  body: requestBody,
  redirect: 'follow'
})
  .then((response) => response.text())
  .then((bodyText) => console.log(bodyText))
  .catch((err) => console.log('error', err));

post
Parse IOCs from Raw Text

https://api.iocparser.com/raw
This endpoint allows you to parse and extract Indicators of Compromise (IOCs) from Raw Data. The body size is limited to 200KB.
Request
Headers
Content-Type
optional
string
text/plain
Body Parameters
keys
optional
array
IOC types to return Example - ["IPv4", "DOMAIN"]
data
required
string
Valid Raw Text Data
Response
200: OK
Success
{
"status": "success",
"meta": {
"title": "Who's Hacking the Hackers: No Honor Among Thieves",
"description": "Cybereason Nocturnus is investigating a campaign where attackers are trojanizing multiple hacking tools with njRat, allowing the attackers to completely take over the victim’s machine.",
"url": "https://www.cybereason.com/blog/whos-hacking-the-hackers-no-honor-among-thieves",
"tags": []
},
"data": {
"IPv4": [
"165.227.217.146"
],
"IPv6": [
],
"URL": [
"http://www.gstatic.com"
],
"DOMAIN": [
"lmlnzwlwgn.com"
],
"FILE_HASH_MD5": [
"C2405709A54EC95CDDCC5C598F34081C"
],
"FILE_HASH_SHA1": [
"04F453E614B75F818C01D1BD88F5825B98B68E3C"
],
"FILE_HASH_SHA256": [
"55028eeed2cea3fcfea987c1dc9f63a3a509a520882937c8ed2d758ac8dc9e42"
],
"EMAIL": [],
"CVE": [
"CVE-2019-0708"
],
"YARA_RULE": [],
"MITRE_ATT&CK": [
"TA0002"
],
"FILE_NAME": [
"IPDP9E0.txt"
]
}
}
204: No Content
Empty Response
400: Bad Request
Fail
{
"status": "error",
"error": Response from the URL / "Error msg"
}
502: Bad Gateway
Request Timeout
{
"message": "Internal server error"
}
cURL
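# POST the text as-is (no JSON wrapper) to https://api.iocparser.com/raw, the
# raw-text endpoint this section documents; /text takes a JSON body instead.
# The request body is limited to 200KB.
curl --location --request POST 'https://api.iocparser.com/raw' \
--header 'Content-Type: text/plain' \
--data-raw '#PowerShell_CobaltStrike_Beacon_Reverse_HTTP_x86 SHA256: 73f27d0736457997141cde9bbedfa5e7f5a3706282d1999e00f8b1629ee5797a C2: starpingisd[.]net:443'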
Python
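import requests

# Raw-text endpoint documented for this section; /text takes a JSON body
# instead. The request body is limited to 200KB.
url = "https://api.iocparser.com/raw"

# The text is sent as-is, with no JSON wrapper and no stray closing quote.
payload = "#PowerShell_CobaltStrike_Beacon_Reverse_HTTP_x86 SHA256: 73f27d0736457997141cde9bbedfa5e7f5a3706282d1999e00f8b1629ee5797a C2: starpingisd[.]net:443"
headers = {"Content-Type": "text/plain"}

# Encode explicitly so text outside Latin-1 is still sent as UTF-8. The
# timeout stops the script from blocking forever when the service does not
# answer.
response = requests.post(url, headers=headers, data=payload.encode("utf-8"), timeout=30)

# A 204 reply has an empty body and 400/502 carry an error document, so show
# the status code next to the body.
print(response.status_code)
print(response.text)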
Go
package main
import (
"fmt"
"strings"
"net/http"
"io/ioutil"
)
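// main posts a plain-text sample to the IOC Parser /raw endpoint, the
// raw-text endpoint this section documents, and prints the response status
// and body. The request body is limited to 200KB.
func main() {
	// /text takes a JSON body; text/plain input goes to /raw.
	url := "https://api.iocparser.com/raw"
	method := "POST"

	// The text is sent as-is, with no JSON wrapper and no stray closing quote.
	payload := strings.NewReader("#PowerShell_CobaltStrike_Beacon_Reverse_HTTP_x86 SHA256: 73f27d0736457997141cde9bbedfa5e7f5a3706282d1999e00f8b1629ee5797a C2: starpingisd[.]net:443")

	// NOTE(review): the zero-value client has no timeout; set
	// http.Client.Timeout (needs the "time" import) outside of a demo.
	client := &http.Client{}

	req, err := http.NewRequest(method, url, payload)
	if err != nil {
		fmt.Println(err)
		return
	}
	req.Header.Add("Content-Type", "text/plain")

	res, err := client.Do(req)
	if err != nil {
		// res is nil when the request fails, so stop before touching res.Body.
		fmt.Println(err)
		return
	}
	defer res.Body.Close()

	body, err := ioutil.ReadAll(res.Body)
	if err != nil {
		fmt.Println(err)
		return
	}

	// A 204 reply has an empty body; the status line tells it apart from an
	// error reply.
	fmt.Println(res.Status)
	fmt.Println(string(body))
}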
Javascript
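// POST the text as-is (no JSON wrapper) to https://api.iocparser.com/raw, the
// raw-text endpoint this section documents; /text takes a JSON body instead.
// The request body is limited to 200KB.
var myHeaders = new Headers();
myHeaders.append("Content-Type", "text/plain");

// Plain text: no JSON.stringify and no stray closing quote.
var raw = "#PowerShell_CobaltStrike_Beacon_Reverse_HTTP_x86 SHA256: 73f27d0736457997141cde9bbedfa5e7f5a3706282d1999e00f8b1629ee5797a C2: starpingisd[.]net:443";

var requestOptions = {
  method: 'POST',
  headers: myHeaders,
  body: raw,
  redirect: 'follow'
};

fetch("https://api.iocparser.com/raw", requestOptions)
  .then(response => response.text())
  .then(result => console.log(result))
  .catch(error => console.log('error', error));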

post
Parse IOCs from Twitter

https://api.iocparser.com/twitter
The endpoint allows you to parse and extract Indicators of Compromise (IOCs) from Twitter Users.
Request
Headers
Content-Type
optional
string
application/json
Body Parameters
keys
optional
array
IOC Types to return Example - ["IPv4", "DOMAIN"]
data
optional
string
Twitter Username
Response
200: OK
Success
{
"status": "success",
"meta": {
"name": "ScumBots",
"username": "scumbots",
"birthday": "1992",
"biography": "I drop dox on scumbag bots and RATs.",
"website": "",
"profile_photo": "https://pbs.twimg.com/profile_images/861231607965003778/6wIhObGE_400x400.jpg",
"likes_count": 15,
"tweets_count": 25193,
"followers_count": 3356,
"following_count": 3
},
"data": [{
"meta": {
"tweetId": "1265493522729271296",
"timestamp": "2020-05-27 04:02:22",
"tweet": "#njRat SHA256: b5c9e504c680d4d1eca7fc78736b505663d9cad9cfa161479a65c3f3ba48603e C2: 070809kdg[.]p-e[.]kr:5552",
"hashtags": [
"#njRat"
],
"urls": []
},
"data": {
"ASN": [],
"BITCOIN_ADDRESS": [],
"CVE": [],
"DOMAIN": [
"070809kdg.p-e.kr"
],
"EMAIL": [],
"FILE_HASH_MD5": [],
"FILE_HASH_SHA1": [],
"FILE_HASH_SHA256": [
"b5c9e504c680d4d1eca7fc78736b505663d9cad9cfa161479a65c3f3ba48603e"
],
"IPv4": [],
"IPv6": [],
"MITRE_ATT&CK": [],
"URL": [],
"YARA_RULE": [],
"MAC_ADDRESS": [],
"FILE_NAME": []
}
}]
}
400: Bad Request
Fail
{
"status": "error",
"error": Response from the URL / "Error msg"
}
502: Bad Gateway
Request Timeout
{
"message": "Internal server error"
}
cURL
# POST a Twitter username in the JSON "data" field to /twitter; the reply
# lists the IOCs parsed from that user's tweets.
curl -L -X POST 'https://api.iocparser.com/twitter' \
  -H 'Content-Type: application/json' \
  --data-raw '{
"data": "scumbots"
}'
Python
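import requests

# Endpoint that extracts IOCs from a Twitter user's tweets.
url = "https://api.iocparser.com/twitter"

# "data" carries the Twitter username.
payload = {"data": "scumbots"}

# json= serialises the dict and sets Content-Type: application/json, so the
# body is never escaped by hand. The timeout stops the script from blocking
# forever when the service does not answer.
response = requests.post(url, json=payload, timeout=30)

# 400 and 502 replies carry an error document, so show the status code next
# to the body.
print(response.status_code)
print(response.text)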
Go
package main
import (
"fmt"
"strings"
"net/http"
"io/ioutil"
)
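// main posts a Twitter username to the IOC Parser /twitter endpoint and
// prints the response status and body.
func main() {
	url := "https://api.iocparser.com/twitter"
	method := "POST"

	// "data" carries the Twitter username.
	payload := strings.NewReader("{\n \"data\": \"scumbots\"\n}")

	// NOTE(review): the zero-value client has no timeout; set
	// http.Client.Timeout (needs the "time" import) outside of a demo.
	client := &http.Client{}

	req, err := http.NewRequest(method, url, payload)
	if err != nil {
		fmt.Println(err)
		return
	}
	req.Header.Add("Content-Type", "application/json")

	res, err := client.Do(req)
	if err != nil {
		// res is nil when the request fails, so stop before touching res.Body.
		fmt.Println(err)
		return
	}
	defer res.Body.Close()

	body, err := ioutil.ReadAll(res.Body)
	if err != nil {
		fmt.Println(err)
		return
	}

	// 400 and 502 replies carry an error document; the status line makes them
	// easy to recognise.
	fmt.Println(res.Status)
	fmt.Println(string(body))
}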
Javascript
// POST a Twitter username in the JSON "data" field to /twitter and log the
// raw reply.
const endpoint = "https://api.iocparser.com/twitter";
const requestBody = JSON.stringify({"data":"scumbots"});

const requestHeaders = new Headers();
requestHeaders.append("Content-Type", "application/json");

fetch(endpoint, {
  method: 'POST',
  headers: requestHeaders,
  body: requestBody,
  redirect: 'follow'
})
  .then((response) => response.text())
  .then((bodyText) => console.log(bodyText))
  .catch((err) => console.log('error', err));

Notes

  • If you set the "public" parameter to False in the /url API, your searches won't be used for the Feed APIs. If you are comfortable sharing your data to benefit everyone, you can leave it set to True.

  • /text and /raw are private by default, which means no data from those requests is stored.

  • By default IOC Parser will try to parse all of the IOCs available. To improve the speed of response, use the "keys" parameter when sending your API request. Example -

    # "keys" limits extraction to the listed IOC types, here IPv4 only.
    curl -L -X POST 'https://api.iocparser.com/url' \
    -H 'Content-Type: application/json' \
    -d '{
    "url": "https://www.cybereason.com/blog/whos-hacking-the-hackers-no-honor-among-thieves",
    "keys": ["IPv4"]
    }'