Documentation
How to use this tool, practical use cases, and technical notes.
The IOC Extractor is designed for speed. From paste to extracted results takes under 5 seconds on any volume of text. Here is the complete walkthrough.
Step 1 — Open the Tool Workspace
Navigate to the tool page and click "Open tool" to reveal the interactive workspace. The interface has two primary panels:
Left panel: IOC type toggles and the source text input area
Right panel: Live extraction results, organized by IOC category
No login, no account, no file upload required.
Step 2 — Select Your IOC Types
At the top of the workspace, 8 IOC type toggles are available. By default, all 8 are enabled. Toggle off any types you don't need to filter your results:
Toggle | When to Disable It |
|---|---|
IPv4 | When your text is a domain-only intel report and IP noise would clutter results |
Domain | When analyzing auth logs where all domains are internal and legitimate |
When processing network logs with no email context | |
MD5 | When you only want SHA-256 hashes (MD5 is deprecated for security use) |
SHA-1 | When focusing on modern malware using SHA-256 identification |
SHA-256 | Rarely — SHA-256 is the gold standard hash IOC |
URL | When extracting only network-layer IOCs (IPs and domains) for firewall ingestion |
CVE | When processing non-vulnerability-related threat intelligence |
Step 3 — Paste Your Source Text
Click into the "Paste threat intel to begin" source text area and paste any raw text. The tool accepts:
Input Type | Example Source |
|---|---|
Plain text | Threat intel blog post copied from browser |
Email body | Phishing email content (headers + body) |
Log snippets | Auth logs, proxy logs, firewall logs, syslog |
JSON/XML output | Malware sandbox detonation reports |
PDF text (copied) | Vendor threat report, CISA advisory |
CSV/TSV data | Exported SIEM alert data |
HTML source | Threat actor profile pages, OSINT pages |
Mixed format | Any combination of the above |
There is no file size limit enforced by the interface — paste as much text as needed. Performance remains fast for typical intelligence document sizes (up to ~100KB of text).
Step 4 — Review Live Extraction Results
As soon as text is pasted, the right panel populates with extracted IOCs in real time, organized under each enabled IOC type category. Results are automatically deduplicated — if the same IP address appears 12 times in a log file, it appears once in the results.
Reading your results:
Result Indicator | Meaning |
|---|---|
IOC count per category | Number of unique IOCs found of that type |
"0 categories · 8 types enabled" (initial) | No text pasted yet |
Results appear instantly | Live regex extraction firing on input |
Deduplicated count | Lower than raw occurrences — duplicates removed |
Step 5 — Try the Sample Inputs
Not sure what to paste first? Three built-in samples let you explore the tool's capabilities immediately:
Sample | What It Contains | IOC Types You'll See |
|---|---|---|
Phishing email | Simulated malicious email with sender, links, and attachment references | Emails, URLs, domains, hashes |
Auth log snippet | Simulated server authentication log with brute-force activity | IPv4 addresses, email addresses |
Threat intel feed | Simulated structured threat report with mixed IOC types | All 8 types |
Click any sample to instantly populate the source text area and see the extractor in action.
Step 6 — Validate Before Acting
The tool displays a critical reminder: "Validate IOCs before blocking — false positives are common with hashes and domains in prose."
This is essential operational guidance. Before feeding extracted IOCs into blocklists or SIEM rules:
IOC Type | Common False Positive Scenario | Validation Step |
|---|---|---|
IPv4 | RFC 1918 private IPs, loopback addresses, example IPs (192.0.2.x) | Filter RFC 1918 and documentation ranges |
Domain | Legitimate CDN domains, your own infrastructure domains | Cross-reference against allowlist |
Security researcher email addresses quoted in reports | Check sender reputation | |
MD5 | Empty file hash, common utility file hashes | Look up on VirusTotal or MalwareBazaar |
SHA-256 | Clean file hashes included for comparison in reports | Verify verdict on file reputation platforms |
URL | Defanged URLs (hxxp://) that weren't caught, or example URLs | Check defanging and URL reputation |
CVE | CVEs mentioned as "patched" or "not applicable to our stack" | Cross-reference with your asset inventory |
Step 7 — Export and Operationalize
Copy extracted IOCs from the results panel and feed them into your security stack:
Destination | IOC Types | Purpose |
|---|---|---|
Firewall / NGF block list | IPv4, domain | Block C2 communication |
DNS sinkhole (Pi-hole, BIND RPZ) | Domain | Redirect malicious DNS queries |
Web proxy category override | URL, domain | Block malicious web traffic |
EDR / AV exclusion/block list | MD5, SHA-1, SHA-256 | Block malicious file execution |
SIEM correlation rule | All types | Alert on IOC matches in logs |
Threat intelligence platform (MISP, OpenCTI) | All types | Enrich and share with community |
Vulnerability scanner / patch priority | CVE | Prioritize patching against active exploitation |
Email gateway block list | Email, domain | Block phishing senders |
The IOC Extractor is designed for speed. From paste to extracted results takes under 5 seconds on any volume of text. Here is the complete walkthrough.
Step 1 — Open the Tool Workspace
Navigate to the tool page and click "Open tool" to reveal the interactive workspace. The interface has two primary panels:
Left panel: IOC type toggles and the source text input area
Right panel: Live extraction results, organized by IOC category
No login, no account, no file upload required.
Step 2 — Select Your IOC Types
At the top of the workspace, 8 IOC type toggles are available. By default, all 8 are enabled. Toggle off any types you don't need to filter your results:
Toggle | When to Disable It |
|---|---|
IPv4 | When your text is a domain-only intel report and IP noise would clutter results |
Domain | When analyzing auth logs where all domains are internal and legitimate |
When processing network logs with no email context | |
MD5 | When you only want SHA-256 hashes (MD5 is deprecated for security use) |
SHA-1 | When focusing on modern malware using SHA-256 identification |
SHA-256 | Rarely — SHA-256 is the gold standard hash IOC |
URL | When extracting only network-layer IOCs (IPs and domains) for firewall ingestion |
CVE | When processing non-vulnerability-related threat intelligence |
Step 3 — Paste Your Source Text
Click into the "Paste threat intel to begin" source text area and paste any raw text. The tool accepts:
Input Type | Example Source |
|---|---|
Plain text | Threat intel blog post copied from browser |
Email body | Phishing email content (headers + body) |
Log snippets | Auth logs, proxy logs, firewall logs, syslog |
JSON/XML output | Malware sandbox detonation reports |
PDF text (copied) | Vendor threat report, CISA advisory |
CSV/TSV data | Exported SIEM alert data |
HTML source | Threat actor profile pages, OSINT pages |
Mixed format | Any combination of the above |
There is no file size limit enforced by the interface — paste as much text as needed. Performance remains fast for typical intelligence document sizes (up to ~100KB of text).
Step 4 — Review Live Extraction Results
As soon as text is pasted, the right panel populates with extracted IOCs in real time, organized under each enabled IOC type category. Results are automatically deduplicated — if the same IP address appears 12 times in a log file, it appears once in the results.
Reading your results:
Result Indicator | Meaning |
|---|---|
IOC count per category | Number of unique IOCs found of that type |
"0 categories · 8 types enabled" (initial) | No text pasted yet |
Results appear instantly | Live regex extraction firing on input |
Deduplicated count | Lower than raw occurrences — duplicates removed |
Step 5 — Try the Sample Inputs
Not sure what to paste first? Three built-in samples let you explore the tool's capabilities immediately:
Sample | What It Contains | IOC Types You'll See |
|---|---|---|
Phishing email | Simulated malicious email with sender, links, and attachment references | Emails, URLs, domains, hashes |
Auth log snippet | Simulated server authentication log with brute-force activity | IPv4 addresses, email addresses |
Threat intel feed | Simulated structured threat report with mixed IOC types | All 8 types |
Click any sample to instantly populate the source text area and see the extractor in action.
Step 6 — Validate Before Acting
The tool displays a critical reminder: "Validate IOCs before blocking — false positives are common with hashes and domains in prose."
This is essential operational guidance. Before feeding extracted IOCs into blocklists or SIEM rules:
IOC Type | Common False Positive Scenario | Validation Step |
|---|---|---|
IPv4 | RFC 1918 private IPs, loopback addresses, example IPs (192.0.2.x) | Filter RFC 1918 and documentation ranges |
Domain | Legitimate CDN domains, your own infrastructure domains | Cross-reference against allowlist |
Security researcher email addresses quoted in reports | Check sender reputation | |
MD5 | Empty file hash, common utility file hashes | Look up on VirusTotal or MalwareBazaar |
SHA-256 | Clean file hashes included for comparison in reports | Verify verdict on file reputation platforms |
URL | Defanged URLs (hxxp://) that weren't caught, or example URLs | Check defanging and URL reputation |
CVE | CVEs mentioned as "patched" or "not applicable to our stack" | Cross-reference with your asset inventory |
Step 7 — Export and Operationalize
Copy extracted IOCs from the results panel and feed them into your security stack:
Destination | IOC Types | Purpose |
|---|---|---|
Firewall / NGF block list | IPv4, domain | Block C2 communication |
DNS sinkhole (Pi-hole, BIND RPZ) | Domain | Redirect malicious DNS queries |
Web proxy category override | URL, domain | Block malicious web traffic |
EDR / AV exclusion/block list | MD5, SHA-1, SHA-256 | Block malicious file execution |
SIEM correlation rule | All types | Alert on IOC matches in logs |
Threat intelligence platform (MISP, OpenCTI) | All types | Enrich and share with community |
Vulnerability scanner / patch priority | CVE | Prioritize patching against active exploitation |
Email gateway block list | Email, domain | Block phishing senders |