IOC Database
A command-line tool for storing, searching, tagging, and managing Indicators of Compromise in a local MySQL database. Built for threat hunters and SOC analysts who need a persistent, queryable IOC store.
During investigations you collect malicious IPs, file hashes, and domains. Without a proper system, these end up scattered across notes files and spreadsheets with no way to query them, no status tracking, and no confidence scoring. This tool gives you a proper database backend for all of it.
Every IOC gets a timestamp, confidence level, source, tags, and a status field. You can query by any combination of those fields, update statuses as investigations evolve, and export everything to CSV whenever you need it. It pairs directly with the VT Bulk Enricher: run enrichment on a batch, review the output, then commit confirmed malicious indicators here.
- ► Add IOCs with type, source, confidence, tags, and notes
- ► Supports hashes, IPs, domains, URLs, and email indicators
- ► Partial-match search across all stored IOCs
- ► Filter by type, status, or confidence level
- ► Update status: active, false_positive, expired
- ► Export full database to CSV at any time
- ► Stats view showing breakdown by type, status, and confidence
- ► Credentials kept out of code via environment variable
| Field | Description |
|---|---|
| ioc | The indicator value (IP, hash, domain, etc.) |
| type | hash / ip / domain / url / email / other |
| source | Where it was found (firewall logs, VT, email, etc.) |
| confidence | low / medium / high |
| status | active / false_positive / expired |
| tags | Comma-separated labels (e.g. tor, c2, emotet) |
| notes | Free-text context field |
| date_added | Set automatically on insert |
| last_updated | Updated automatically on any change |
```bash
# Add an IP seen in firewall logs
python3 ioc_db.py add --ioc 185.220.101.45 --type ip --source "firewall logs" --confidence high --tags "tor,c2"
# Add a hash from VT enrichment
python3 ioc_db.py add --ioc d41d8cd98f00b204e9800998ecf8427e --type hash --source "VT enricher" --confidence high --tags "emotet"
# Search for an IOC (partial match works)
python3 ioc_db.py search --ioc 185.220
# List all active IPs
python3 ioc_db.py list --type ip --status active
# Mark an IOC as a false positive
python3 ioc_db.py update --id 3 --status false_positive
# Export to CSV
python3 ioc_db.py export --output my_iocs.csv
```
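The schema table and the add / search / update / stats commands above describe the store's behaviour but not how the indicator values reach the database. Indicator values are attacker-controlled text (a URL or an e-mail address can contain quotes, and a URL can contain `%`), so the two things worth getting right are parameterised statements and escaping of `LIKE` wildcards in the partial-match search. The example below is added here and is not the project's `ioc_db.py`: it implements the same data model with an in-memory sqlite3 database as a stand-in for MySQL so it runs offline (with mysql-connector-python the statements are the same except that the placeholder is `%s` instead of `?`). The refanging and case-normalisation rules in `normalize()` are assumptions about what a store should do, not documented project behaviour.

```python
import re
import sqlite3
from datetime import datetime, timezone

# Allowed values from the field table; checked before anything hits the database.
TYPES = {"hash", "ip", "domain", "url", "email", "other"}
CONFIDENCE = {"low", "medium", "high"}
STATUS = {"active", "false_positive", "expired"}

SCHEMA = """
CREATE TABLE IF NOT EXISTS iocs (
    id           INTEGER PRIMARY KEY AUTOINCREMENT,
    ioc          TEXT NOT NULL,
    type         TEXT NOT NULL,
    source       TEXT,
    confidence   TEXT NOT NULL,
    status       TEXT NOT NULL DEFAULT 'active',
    tags         TEXT,
    notes        TEXT,
    date_added   TEXT NOT NULL,
    last_updated TEXT NOT NULL,
    UNIQUE (ioc, type)
)
"""


def now() -> str:
    return datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def normalize(ioc: str, ioc_type: str) -> str:
    """Refang defanged indicators and canonicalise case so one indicator is
    stored once. Assumed behaviour for this example, not the project's."""
    value = ioc.strip().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    value = re.sub(r"^hxxp", "http", value, flags=re.I)  # hxxp:// and hxxps://
    if ioc_type in {"hash", "domain", "email"}:
        value = value.lower()
    elif ioc_type == "url":
        # Lower-case scheme and host only; the path may be case-sensitive.
        m = re.match(r"^([a-z]+://)([^/]+)(.*)$", value, flags=re.I)
        if m:
            value = m.group(1).lower() + m.group(2).lower() + m.group(3)
    return value


class IOCStore:
    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn
        self.conn.row_factory = sqlite3.Row
        self.conn.execute(SCHEMA)

    def add(self, ioc, ioc_type, source="", confidence="medium", tags="", notes="") -> int:
        """Insert and return the row id; a duplicate (ioc, type) returns the existing id."""
        if ioc_type not in TYPES or confidence not in CONFIDENCE:
            raise ValueError("invalid type or confidence")
        value, ts = normalize(ioc, ioc_type), now()
        try:
            # Parameterised: the indicator value never becomes part of the SQL text.
            cur = self.conn.execute(
                "INSERT INTO iocs (ioc, type, source, confidence, status, tags, notes,"
                " date_added, last_updated) VALUES (?, ?, ?, ?, 'active', ?, ?, ?, ?)",
                (value, ioc_type, source, confidence, tags, notes, ts, ts),
            )
            return cur.lastrowid
        except sqlite3.IntegrityError:
            row = self.conn.execute(
                "SELECT id FROM iocs WHERE ioc = ? AND type = ?", (value, ioc_type)
            ).fetchone()
            return row["id"]

    def search(self, fragment: str) -> list:
        """Partial match. LIKE metacharacters in the fragment are escaped so
        '%20' or 'a_b' match literally instead of acting as wildcards."""
        esc = fragment.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
        rows = self.conn.execute(
            "SELECT * FROM iocs WHERE ioc LIKE ? ESCAPE '\\' ORDER BY id", (f"%{esc}%",)
        ).fetchall()
        return [dict(r) for r in rows]

    def update_status(self, ioc_id: int, status: str) -> bool:
        """Change status and bump last_updated; False if no such id."""
        if status not in STATUS:
            raise ValueError("invalid status")
        cur = self.conn.execute(
            "UPDATE iocs SET status = ?, last_updated = ? WHERE id = ?", (status, now(), ioc_id)
        )
        return cur.rowcount == 1

    def stats(self) -> dict:
        """Counts by type, status and confidence, as in the stats view."""
        out = {"total": self.conn.execute("SELECT COUNT(*) FROM iocs").fetchone()[0]}
        for col in ("type", "status", "confidence"):  # fixed names, not user input
            rows = self.conn.execute(
                f"SELECT {col} AS k, COUNT(*) AS n FROM iocs GROUP BY {col}"
            ).fetchall()
            out[col] = {r["k"]: r["n"] for r in rows}
        return out


def open_store(path: str = ":memory:") -> IOCStore:
    return IOCStore(sqlite3.connect(path))


if __name__ == "__main__":
    # Constructed sample indicators, including one that would break a
    # string-concatenated query and one containing a LIKE wildcard character.
    s = open_store()
    s.add("185.220.101.45", "ip", "firewall logs", "high", "tor,c2")
    s.add("D41D8CD98F00B204E9800998ECF8427E", "hash", "VT enricher", "high", "emotet")
    s.add("hxxp://bad[.]example[.]com/x%20y", "url", "email", "medium", "phish")
    s.add("x' OR '1'='1", "other", "test", "low")
    print(s.search("185.220"), s.search("x%20y"), s.stats(), sep="\n")
```

Two things carry over to a real MySQL backend. First, MySQL already treats backslash as the `LIKE` escape character, so the `ESCAPE` clause can be dropped but the escaping of `%` and `_` in the fragment is still needed. Second, when exporting to CSV, a stored value that begins with `=`, `+`, `-` or `@` (possible for an `other`-type indicator or a note) will be interpreted as a formula by spreadsheet software that opens the file; prefixing such cells with a single quote on export is the usual mitigation.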
```
IOC DATABASE STATS
========================================
Total IOCs: 47
By type:
  ip         23
  hash       18
  domain      6
By status:
  active           41
  false_positive    4
  expired           2
By confidence:
  high       30
  medium     12
  low         5
========================================
```
Threat hunting produces a lot of indicators and most people have no good system for managing them. Spreadsheets do not scale, notes files are unsearchable, and you lose context over time. This tool is a direct response to that problem.
Building it required me to think through how SOC workflows actually function: how an analyst moves from initial suspicion to confirmed indicator, how confidence changes over the course of an investigation, and how false positives need to be tracked rather than deleted. Those are real operational considerations, not just technical ones.
It also pairs intentionally with the VT Bulk Enricher, which reflects how I think about tooling: individual tools that do one thing well and compose together cleanly.