// project
IOC Database
A command-line tool for storing, searching, tagging, and managing Indicators of Compromise in a local MySQL database. Built for threat hunters who need a persistent, queryable IOC store.
The Problem It Solves
During investigations you collect malicious IPs, file hashes, and domains. Without a proper system, these end up scattered across notes files and spreadsheets with no way to query them, no status tracking, and no confidence scoring. This tool gives you a proper database backend for all of it.
Every IOC gets a timestamp, confidence level, source, tags, and a status field. It pairs directly with the VT Bulk Enricher and the Python SIEM.
IOC Fields
ioc The indicator value (IP, hash, domain, etc.)
type hash / ip / domain / url / email / other
confidence low / medium / high
status active / false_positive / expired
tags Comma-separated labels (e.g. tor,c2,emotet)
date_added Set automatically on insert
type hash / ip / domain / url / email / other
confidence low / medium / high
status active / false_positive / expired
tags Comma-separated labels (e.g. tor,c2,emotet)
date_added Set automatically on insert
Usage
# Add a malicious IP
python3 ioc_db.py add --ioc 185.220.101.45 --type ip --confidence high --tags "tor,c2"
# Search (partial match works)
python3 ioc_db.py search --ioc 185.220
# Export to CSV
python3 ioc_db.py export --output iocs.csv
python3 ioc_db.py add --ioc 185.220.101.45 --type ip --confidence high --tags "tor,c2"
# Search (partial match works)
python3 ioc_db.py search --ioc 185.220
# Export to CSV
python3 ioc_db.py export --output iocs.csv