PythonThreat HuntingThreat IntelligenceSOCMySQL

The Problem It Solves

During investigations you collect malicious IPs, file hashes, and domains. Without a proper system, these end up scattered across notes files and spreadsheets with no way to query them, no status tracking, and no confidence scoring. This tool gives you a proper database backend for all of it.

Every IOC gets a timestamp, confidence level, source, tags, and a status field. It pairs directly with the VT Bulk Enricher and the Python SIEM.


IOC Fields
ioc The indicator value (IP, hash, domain, etc.)
type hash / ip / domain / url / email / other
confidence low / medium / high
status active / false_positive / expired
tags Comma-separated labels (e.g. tor,c2,emotet)
date_added Set automatically on insert

Usage
# Add a malicious IP
python3 ioc_db.py add --ioc 185.220.101.45 --type ip --confidence high --tags "tor,c2"

# Search (partial match works)
python3 ioc_db.py search --ioc 185.220

# Export to CSV
python3 ioc_db.py export --output iocs.csv