A command line tool that extracts and enriches Indicators of Compromise from threat reports and text files.
Handles defanged IOCs (e.g. 1.1.1[.]1, hxxps://) and enriches what it finds: AbuseIPDB for IP reputation, VirusTotal for domains, file hashes and email sender domains, and NVD for CVE details.
- IP addresses (AbuseIPDB: confidence score, report count, country)
- Domains (VirusTotal: vendor verdict counts)
- Email addresses (VirusTotal: sender domain reputation)
- MD5, SHA256, and SHA1 hashes (VirusTotal)
- CVE IDs (NVD: description, severity)
Python 3.x
pip install -r requirements.txt
Create a file named api_keys.env in the project folder:
IPDB_KEY=your_abuseipdb_key_here
VIRUSTOTAL_KEY=your_virustotal_key_here
Get free API keys at abuseipdb.com and virustotal.com. Keep api_keys.env out of version control (add it to .gitignore) so the keys are not committed with the project.
API keys are optional: without them the script still extracts IOCs, just without enrichment data.
NVD requires no API key.
# print to terminal
python ioc_extractor.py --file report.txt
# save as JSON
python ioc_extractor.py --file report.txt --out json
# save as CSV
python ioc_extractor.py --file report.txt --out csv
# save as SQLite database
python ioc_extractor.py --file report.txt --out sqlite

Enriching IPs with AbuseIPDB...
Enriching Domains, Hashes, and Email domains with VirusTotal...
Enriching CVEs with NVD...
Enriched IPs:
185.220.101.45 | score: 100 | reports: 117 | MALICIOUS | DE
193.32.162.58 | score: 2 | reports: 2 | CLEAN | RO
192.168.10.55 (private)
10.0.0.23 (private)
45.153.160.140 | score: 0 | reports: 0 | CLEAN | NL
Enriched Domains:
cdn-update.net | malicious: 0 | suspicious: 0 | CLEAN
secure-login.com | malicious: 2 | suspicious: 0 | SUSPICIOUS
Enriched MD5 Hashes:
bb5d4f1ef8c134468d4b686b95969b1e (error: 404)
Enriched SHA256 Hashes:
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f | malicious: 65 | suspicious: 0 | MALICIOUS
Enriched SHA1 Hashes:
da39a3ee5e6b4b0d3255bfef95601890afd80709 | malicious: 0 | suspicious: 0 | CLEAN
Enriched Email Domains:
threat-intel@security-org.com | malicious: 0 | suspicious: 0 | CLEAN
noreply@estream.to | malicious: 0 | suspicious: 1 | CLEAN
support@cdn-update.net | malicious: 0 | suspicious: 0 | CLEAN
Enriched CVEs:
CVE-2022-30190 | HIGH | A remote code execution vulnerability exists when MSDT is called using the URL p...
CVE-2021-44228 | CRITICAL | Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12...
CVE-2023-23397 | CRITICAL | Microsoft Outlook Elevation of Privilege Vulnerability...
Total IOCs: 16
Any plain text file: threat intelligence reports, emails, paste dumps, security advisories. Defanged IOCs are normalized automatically before extraction.
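The refang-then-extract step described above, as an added example that is not the project's own ioc_extractor.py code. It restores the defang forms the README mentions (1.1.1[.]1, hxxps://) and, going slightly beyond them, also (dot), [at] and [:], then pulls out the README's IOC types with regular expressions. The pattern set, the file-extension exclusion list and the private-address split are this example's assumptions; the sample report is constructed, with values taken from the README's sample output.

```python
import ipaddress
import re

# Defang forms undone here; the project's own normalizer may cover more (assumption).
_REFANG_RULES = [
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]|\(dot\)", re.I), "."),
    (re.compile(r"\[at\]|\(at\)", re.I), "@"),
    (re.compile(r"\[:\]"), ":"),
    (re.compile(r"hxxps?(?=://)", re.I),
     lambda m: m.group(0).lower().replace("hxxp", "http")),
]

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_EMAIL = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
_DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
_CVE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.I)
# Word boundaries keep a shorter digest pattern from matching inside a longer one.
_HASHES = {
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "sha1": re.compile(r"\b[a-fA-F0-9]{40}\b"),
    "md5": re.compile(r"\b[a-fA-F0-9]{32}\b"),
}
# Heuristic (assumption): "name.ext" tokens that look like domains but are file names.
_NOT_TLDS = {"txt", "exe", "dll", "php", "py", "js", "json", "csv", "db", "log", "zip", "pdf"}


def refang(text: str) -> str:
    """Turn defanged indicators (1.1.1[.]1, hxxps://, user[at]host) back into real ones."""
    for pattern, repl in _REFANG_RULES:
        text = pattern.sub(repl, text)
    return text


def extract_iocs(text: str) -> dict:
    """Refang, then collect IOCs by type. Private, loopback and link-local addresses
    are reported under their own key so they are never sent to AbuseIPDB."""
    text = refang(text)
    found = {"ip": set(), "private_ip": set(), "domain": set(), "email": set(),
             "md5": set(), "sha1": set(), "sha256": set(), "cve": set()}

    for candidate in _IPV4.findall(text):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:  # e.g. 256.1.1.1 matches the regex but is not an address
            continue
        found["private_ip" if addr.is_private else "ip"].add(str(addr))

    for email in _EMAIL.findall(text):
        found["email"].add(email.lower())
    # Mask email addresses so their host part is not also counted as a bare domain.
    masked = _EMAIL.sub(" ", text)
    for domain in _DOMAIN.findall(masked):
        domain = domain.lower()
        if domain.rsplit(".", 1)[-1] not in _NOT_TLDS:
            found["domain"].add(domain)

    for kind, pattern in _HASHES.items():
        found[kind].update(h.lower() for h in pattern.findall(text))

    found["cve"].update(c.upper() for c in _CVE.findall(text))
    return {kind: sorted(values) for kind, values in found.items()}


# Constructed sample input (not a real report); values mirror the README's sample output.
SAMPLE_REPORT = """\
Beacon to hxxps://cdn-update[.]net/update.php from 185.220.101[.]45 and the
internal host 192.168.10[.]55; the bogus address 256.1.1.1 is not an IP.
Phishing mail came from support[at]cdn-update[.]net.
Dropper SHA256 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f,
MD5 bb5d4f1ef8c134468d4b686b95969b1e; initial access via cve-2021-44228.
"""

if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_REPORT).items():
        print(f"{kind}: {values}")
```

Emails are masked before the domain pass so that support@cdn-update.net does not produce a second cdn-update.net entry by itself; the domain still shows up when the report also mentions it standalone or in a URL, which is the behaviour the README's sample output shows.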
- results.json — structured JSON for use in other tools or pipelines
- results.csv — opens in Excel, importable into most SIEMs
- iocs.db — SQLite database, supports cross-report querying and persistent IOC storage
All IOC types are stored in a single iocs table:
id | type | value | verdict | score | reports | country | malicious | suspicious | harmless | description | severity | error | source | timestamp
source stores the report filename so you can query across multiple reports:
SELECT source, type, value, verdict FROM iocs WHERE verdict = 'MALICIOUS' OR verdict = 'SUSPICIOUS'
SELECT value, COUNT(DISTINCT source) AS seen_in_reports FROM iocs GROUP BY value HAVING COUNT(DISTINCT source) > 1  -- DISTINCT so a report ingested twice still counts as one

Raw logs (auth, network, system)
|
v
SQL investigation (queries, correlation, findings)
|
v
Investigation report (.txt)
|
v
IOC Extractor (extract + enrich via AbuseIPDB, VirusTotal, NVD)
|
v
iocs.db (persistent, queryable, cross-investigation)
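The last stage of the pipeline, iocs.db, as an added example that is not the project's own code: it creates the single iocs table with the column layout the README lists, stores enriched rows from two constructed reports (one of them ingested twice to simulate a re-run), and runs the two cross-report queries from the README. The sample rows reuse values from the README's sample output; the helper names, the index, the DISTINCT in the flagged-row query and the use of an in-memory database are this example's assumptions.

```python
import sqlite3
from datetime import datetime, timezone

# Column layout taken from the README's iocs table; types are this example's assumption.
SCHEMA = """
CREATE TABLE IF NOT EXISTS iocs (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    type TEXT NOT NULL, value TEXT NOT NULL, verdict TEXT,
    score INTEGER, reports INTEGER, country TEXT,
    malicious INTEGER, suspicious INTEGER, harmless INTEGER,
    description TEXT, severity TEXT, error TEXT,
    source TEXT NOT NULL, timestamp TEXT NOT NULL
)
"""
_COLS = ["type", "value", "verdict", "score", "reports", "country", "malicious",
         "suspicious", "harmless", "description", "severity", "error"]


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    """Open (or create) the database and make sure the table and a value index exist."""
    conn = sqlite3.connect(path)
    conn.row_factory = sqlite3.Row
    conn.execute(SCHEMA)
    conn.execute("CREATE INDEX IF NOT EXISTS idx_iocs_value ON iocs(value)")
    return conn


def store(conn: sqlite3.Connection, source: str, rows: list) -> None:
    """Insert the enriched rows of one report; each row is a dict keyed by column name.
    The SQL text is built only from the fixed column list, values go through bind parameters."""
    ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
    sql = (f"INSERT INTO iocs ({', '.join(_COLS)}, source, timestamp) "
           f"VALUES ({', '.join('?' * len(_COLS))}, ?, ?)")
    conn.executemany(sql, [tuple(r.get(c) for c in _COLS) + (source, ts) for r in rows])
    conn.commit()


def flagged(conn: sqlite3.Connection) -> list:
    """README's first query (DISTINCT added so a re-ingested report does not repeat rows)."""
    cur = conn.execute(
        "SELECT DISTINCT source, type, value, verdict FROM iocs "
        "WHERE verdict = 'MALICIOUS' OR verdict = 'SUSPICIOUS' ORDER BY source, value")
    return [tuple(r) for r in cur]


def seen_in_multiple_reports(conn: sqlite3.Connection) -> list:
    """README's cross-report query, counting distinct sources rather than rows."""
    cur = conn.execute(
        "SELECT value, COUNT(DISTINCT source) AS seen_in_reports FROM iocs "
        "GROUP BY value HAVING COUNT(DISTINCT source) > 1 ORDER BY value")
    return [(r["value"], r["seen_in_reports"]) for r in cur]


# Constructed enrichment results (not real API responses); values mirror the README output.
REPORT_A = [
    {"type": "ip", "value": "185.220.101.45", "verdict": "MALICIOUS",
     "score": 100, "reports": 117, "country": "DE"},
    {"type": "domain", "value": "cdn-update.net", "verdict": "CLEAN",
     "malicious": 0, "suspicious": 0},
    {"type": "domain", "value": "secure-login.com", "verdict": "SUSPICIOUS",
     "malicious": 2, "suspicious": 0},
]
REPORT_B = [
    {"type": "ip", "value": "185.220.101.45", "verdict": "MALICIOUS",
     "score": 100, "reports": 119, "country": "DE"},
    {"type": "ip", "value": "45.153.160.140", "verdict": "CLEAN",
     "score": 0, "reports": 0, "country": "NL"},
    {"type": "domain", "value": "secure-login.com", "verdict": "SUSPICIOUS",
     "malicious": 2, "suspicious": 0},
    {"type": "sha256",
     "value": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
     "verdict": "MALICIOUS", "malicious": 65, "suspicious": 0},
]


def load_sample(conn: sqlite3.Connection) -> sqlite3.Connection:
    """Ingest report_a twice (simulating a re-run) and report_b once."""
    store(conn, "report_a.txt", REPORT_A)
    store(conn, "report_a.txt", REPORT_A)
    store(conn, "report_b.txt", REPORT_B)
    return conn


if __name__ == "__main__":
    db = load_sample(open_db())
    for row in flagged(db):
        print(" | ".join(str(v) for v in row))
    for value, n in seen_in_multiple_reports(db):
        print(f"{value} seen in {n} reports")
```

With report_a stored twice, cdn-update.net has two rows but only one source, so it is correctly left out of the "seen in more than one report" result; counting rows instead of distinct sources would have listed it.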