IOC Database
A command-line tool for storing, searching, tagging, and managing Indicators of Compromise in a local MySQL database. Built for threat hunters and SOC analysts who need a persistent, queryable IOC store.
During investigations you collect malicious IPs, file hashes, and domains. Without a proper system these end up scattered across note files and spreadsheets, with no way to query them, no status tracking, and no confidence scoring. This tool gives you a proper database backend for all of it.
Every IOC gets a timestamp, confidence level, source, tags, and a status field. You can query by any combination of those fields, update statuses as investigations evolve, and export everything to CSV whenever needed. It pairs directly with the VT Bulk Enricher and the Python SIEM.
Field        Description
type         hash / ip / domain / url / email / other
source       Where it was found
confidence   low / medium / high
status       active / false_positive / expired
tags         Comma-separated labels (e.g. tor,c2,emotet)
notes        Free-text context field
date_added   Set automatically on insert
# Add an IOC
python3 ioc_db.py add --ioc 185.220.101.45 --type ip --confidence high --tags "tor,c2"
# Search (partial match works)
python3 ioc_db.py search --ioc 185.220
# List all active IPs
python3 ioc_db.py list --type ip --status active
# Export to CSV
python3 ioc_db.py export --output iocs.csv
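The same workflow in code, as an added example that is not part of the project (the README does not show the internals of ioc_db.py): it uses sqlite3 in place of MySQL so it runs offline, keeps the field names and value vocabularies from the table above, and treats the function names (connect, add_ioc, search, list_iocs, set_status, export_csv) and the sample domain as assumptions. What it shows beyond the CLI listing: every user-supplied value is bound as a query parameter, the partial-match search escapes LIKE wildcards so a fragment cannot be turned into a catch-all, tag filtering matches whole tags rather than substrings, and the type/confidence/status vocabularies are enforced by CHECK constraints in the database as well as by the code.

```python
"""Minimal model of the ioc_db.py workflow (added example, not the project's code).

sqlite3 stands in for MySQL so this runs offline; the schema and vocabularies follow
the README table, the function names and the sample domain are assumptions.
"""
import csv
import io
import sqlite3

IOC_TYPES = ("hash", "ip", "domain", "url", "email", "other")
CONFIDENCE = ("low", "medium", "high")
STATUSES = ("active", "false_positive", "expired")
COLUMNS = ("id", "ioc", "type", "source", "confidence", "status", "tags", "notes", "date_added")

# CHECK constraints make the database itself reject values outside the CLI
# vocabulary, even if a future code path forgets to validate them.
SCHEMA = """
CREATE TABLE IF NOT EXISTS iocs (
    id         INTEGER PRIMARY KEY,
    ioc        TEXT NOT NULL,
    type       TEXT NOT NULL CHECK (type IN ('hash','ip','domain','url','email','other')),
    source     TEXT,
    confidence TEXT NOT NULL CHECK (confidence IN ('low','medium','high')),
    status     TEXT NOT NULL DEFAULT 'active'
               CHECK (status IN ('active','false_positive','expired')),
    tags       TEXT NOT NULL DEFAULT '',
    notes      TEXT,
    date_added TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,  -- set automatically on insert
    UNIQUE (ioc, type)
);
"""


def connect(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    return conn


def _normalise_tags(tags):
    # "tor, C2,tor" -> "tor,c2": trim, lowercase, drop empties, dedupe keeping order
    seen = []
    for t in tags.split(","):
        t = t.strip().lower()
        if t and t not in seen:
            seen.append(t)
    return ",".join(seen)


def add_ioc(conn, ioc, type_, confidence="medium", source=None, tags="", notes=None):
    if type_ not in IOC_TYPES:
        raise ValueError(f"unknown type {type_!r}")
    if confidence not in CONFIDENCE:
        raise ValueError(f"unknown confidence {confidence!r}")
    # Every value is bound with '?': an indicator like "x' OR 1=1--" is stored as data.
    cur = conn.execute(
        "INSERT INTO iocs (ioc, type, source, confidence, tags, notes) VALUES (?, ?, ?, ?, ?, ?)",
        (ioc.strip(), type_, source, confidence, _normalise_tags(tags), notes),
    )
    conn.commit()
    return cur.lastrowid


def _escape_like(fragment):
    # Escape LIKE metacharacters so "10.0_1" or "%" match literally; the
    # surrounding wildcards are added by the query, never by the caller.
    return fragment.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search(conn, fragment):
    # Partial match on the indicator value, like `ioc_db.py search --ioc 185.220`
    rows = conn.execute(
        "SELECT * FROM iocs WHERE ioc LIKE ? ESCAPE '\\' ORDER BY date_added, id",
        ("%" + _escape_like(fragment) + "%",),
    )
    return [dict(r) for r in rows]


def list_iocs(conn, type_=None, status=None, confidence=None, tag=None):
    # Column names come from this fixed list; user input only ever lands in params.
    clauses, params = [], []
    for col, val in (("type", type_), ("status", status), ("confidence", confidence)):
        if val is not None:
            clauses.append(f"{col} = ?")
            params.append(val)
    if tag is not None:
        # Wrap both sides in commas so "c2" matches "tor,c2" but not "c2-proxy".
        clauses.append("(',' || tags || ',') LIKE ? ESCAPE '\\'")
        params.append("%," + _escape_like(tag.strip().lower()) + ",%")
    where = (" WHERE " + " AND ".join(clauses)) if clauses else ""
    rows = conn.execute(f"SELECT * FROM iocs{where} ORDER BY date_added, id", params)
    return [dict(r) for r in rows]


def set_status(conn, ioc, status):
    if status not in STATUSES:
        raise ValueError(f"unknown status {status!r}")
    cur = conn.execute("UPDATE iocs SET status = ? WHERE ioc = ?", (status, ioc))
    conn.commit()
    return cur.rowcount  # 0 means the indicator was never stored


def export_csv(conn):
    # Returns the whole table as CSV text; write it to a file for `export --output`.
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(COLUMNS)
    for row in conn.execute(f"SELECT {', '.join(COLUMNS)} FROM iocs ORDER BY id"):
        writer.writerow(tuple(row))
    return buf.getvalue()


if __name__ == "__main__":
    db = connect()
    add_ioc(db, "185.220.101.45", "ip", "high", source="case notes", tags="tor,c2")
    add_ioc(db, "login-example.invalid", "domain", "low", tags="phish")  # constructed sample
    print(search(db, "185.220"))
    set_status(db, "login-example.invalid", "false_positive")
    print(list_iocs(db, type_="ip", status="active"))
    print(export_csv(db))
```

Against a real MySQL backend the same points carry over: pass values through the driver's parameter binding (the `%s` placeholders of mysql-connector or PyMySQL) rather than string formatting, keep the status, type and confidence columns constrained with an ENUM or CHECK, and never splice a user-supplied fragment into a LIKE pattern unescaped.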