
Indicator Extraction Tool

Extract indicators of compromise (IOCs) including IP addresses, domains, URLs, file hashes, and email addresses from any text, file, or URL.

What is Indicator Extraction?

Indicator extraction is the automated process of parsing text, files, or web pages to identify and extract Indicators of Compromise (IOCs): digital artifacts that suggest a security incident or malicious activity. These indicators include IP addresses (IPv4 and IPv6), URLs, domain names, email addresses, and file hashes (MD5, SHA-1, SHA-256). Security analysts use indicator extraction tools to quickly gather intelligence from threat reports, phishing emails, malware analysis logs, and incident response documentation.

Manually searching through lengthy security reports for IOCs is time-consuming and error-prone. Our indicator extraction tool automates this process, using pattern matching to identify and categorize the different indicator types in seconds. The tool supports multiple input methods: raw text, file uploads (up to 5MB), and URL-based extraction, making it versatile across threat intelligence workflows.

How to Use the Indicator Extraction Tool

Step-by-Step Guide

  1. Choose Your Input Method: Select from three tabs: Raw Text (paste content directly), File (upload .txt files), or URL (Beta; extracts from web pages).
  2. Select Indicator Types: Use the checkboxes to filter which indicator types you want to extract. Options include IPv4, IPv6, URL, Domain, Email, MD5, SHA-1, and SHA-256. Check "All" to extract every type.
  3. Enter Your Data: Paste threat report text, upload a log file, or enter a URL pointing at the content to analyze.
  4. Extract IOCs: Click the "Extract IOCs" button. The tool parses your input and displays results grouped by indicator type.
  5. Copy Results: Each indicator type has two copy buttons: "Default" (comma-separated) and "Sanitize" (defanged format with brackets for safe sharing).

The extraction happens entirely server-side through our secure API. Results are categorized by type and displayed with a count, making it easy to see at a glance how many indicators were found. The sanitized (defanged) copy format replaces dots with [.] and colons with [:] to prevent accidental clicks on malicious links when sharing IOCs in reports or chat platforms.

Why Extract Indicators of Compromise?

Threat intelligence relies on timely identification and tracking of IOCs across systems. When a security researcher publishes a report about a new malware campaign, incident responders need to quickly extract IP addresses, domains, and file hashes to check if their organization has been affected. Indicator extraction speeds up this critical workflow, allowing analysts to move from detection to response without manual data parsing.

Common Use Cases

  • Malware Analysis: Extract file hashes, C2 domains, and IP addresses from malware sandbox reports to block malicious infrastructure.
  • Phishing Investigation: Parse phishing emails to extract sender addresses, malicious URLs, and attachment hashes for threat hunting.
  • SIEM Integration: Gather IOCs from external threat reports and feed them into your SIEM for automated correlation and alerting.
  • Incident Response: Quickly extract indicators from forensic logs, memory dumps, or network traffic captures during active investigations.
  • Threat Hunting: Proactively search your environment for known IOCs extracted from the latest threat intelligence feeds.

Types of Indicators Supported

Network Indicators

  • IPv4 Addresses: Standard 32-bit IP addresses (e.g., 192.168.1.1)
  • IPv6 Addresses: 128-bit IP addresses (e.g., 2001:0db8::1)
  • URLs: Full web addresses including protocol and path
  • Domains: Domain names without protocol (e.g., example.com)
  • Email Addresses: Email identifiers used in phishing attacks

File Hash Indicators

  • MD5 Hashes: 128-bit cryptographic hashes (32 hex characters)
  • SHA-1 Hashes: 160-bit hashes (40 hex characters)
  • SHA-256 Hashes: 256-bit hashes (64 hex characters)

File hashes are used to uniquely identify malware samples and verify file integrity across systems.
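As an added example (not the tool's own code), the Python below implements the extraction and defanging this page describes: one pattern per supported type, hash classification by hex length (32, 40, 64), suppression of domains already covered by a URL or email, and the Sanitize copy format. The report text is constructed, the hashes are the public test values of empty input, and IPv6 is left out for brevity.

```python
import re
# Constructed sample report (not a real incident); the hashes are the well-known
# MD5 / SHA-1 / SHA-256 values of empty input, used only as stand-ins.
SAMPLE_REPORT = """
The loader beacons to http://update-check.example.net/gate.php and to
203.0.113.45:8443. A second stage was pulled from cdn.example.org.
Phishing lure sent by billing@mail.example.com.
Dropper MD5 d41d8cd98f00b204e9800998ecf8427e, SHA-1
da39a3ee5e6b4b0d3255bfef95601890afd80709, SHA-256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.
"""

# Lookarounds keep a SHA-256 from also being reported as an MD5/SHA-1 substring.
HEX = r"(?<![0-9a-fA-F])[0-9a-fA-F]{%d}(?![0-9a-fA-F])"

# URL/Email run before Domain so their hosts (and look-alikes like gate.php) are not repeated.
PATTERNS = {
    "URL": re.compile(r"https?://[^\s\"'<>]+"),
    "IPv4": re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)"),
    "Email": re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[A-Za-z]{2,}"),
    "Domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
    "MD5": re.compile(HEX % 32),
    "SHA-1": re.compile(HEX % 40),
    "SHA-256": re.compile(HEX % 64),
}

def extract_iocs(text):
    """Group indicators by type, de-duplicated and in order of first appearance."""
    found = {}
    for kind, pattern in PATTERNS.items():
        hits = list(dict.fromkeys(m.group(0).rstrip(".,;)") for m in pattern.finditer(text)))
        if kind == "Domain":
            seen = " ".join(found.get("URL", []) + found.get("Email", []))
            hits = [d for d in hits if d not in seen]
        if hits:
            found[kind] = hits
    return found

def defang(indicator):
    """Sanitize format: '.' -> '[.]' and ':' -> '[:]' so the value cannot be clicked."""
    return indicator.replace(".", "[.]").replace(":", "[:]")

def copy_text(indicators, sanitize=False):
    """Comma-separated string, as the Default / Sanitize copy buttons would produce."""
    return ", ".join(defang(i) if sanitize else i for i in indicators)

if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_REPORT).items():
        print(f"{kind} ({len(values)}): {copy_text(values, sanitize=True)}")
```

Note that the file name gate.php in the URL path matches the domain pattern on its own, which is why the Domain list is filtered against the URLs already found.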