Paste a threat report, advisory, or log and pull out every IP, domain, URL, hash, CVE and email. Defanged indicators (hxxp, [.], [@]) are understood, deduped with counts, and honestly flagged.
indicators
| type | value | count | line | flags |
|---|---|---|---|---|
| IPv4 | 10.0.0.5 | 1 | 1 | private |
| IPv4 | 185.220.101.45 | 1 | 1 | |
| MD5 | 44d88612fea8a8f36de82e1278abb02f | 1 | 1 | |
| IPv4 | 45.66.77.88 | 1 | 1 | was defanged |
| CVE | CVE-2024-1709 | 1 | 1 | |
| Domain | github.com | 1 | 1 | benign |
| URL | http://malicious.top/gate.php | 1 | 1 | was defanged |
| Email | [email protected] | 1 | 1 | was defanged |
What it detects
| IOC type | example |
|---|---|
| IPv4 / IPv6 | 185.220.101.45, 2001:db8::1 |
| Domain | malicious.top, corp-security.com |
| URL | http://malicious.top/gate.php |
| Email | [email protected] |
| Hashes (MD5/SHA-1/SHA-256/SHA-512) | 44d88612fea8a8f36de82e1278abb02f |
| CVE | CVE-2024-1709 |
| MAC address | 00:1b:44:11:3a:b7 |
| UUID | 550e8400-e29b-41d4-a716-446655440000 |
| Registry key (heuristic) | HKLM\Software\Run |
| File path (heuristic) | C:\Windows\Temp\a.exe |
| Bitcoin address (heuristic) | 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa |
Defang styles it understands
| style | refanged |
|---|---|
| Bracketed dot | malicious[.]top → malicious.top |
| Neutralized scheme | hxxp:// → http:// |
| Bracketed at-sign | ops[@]corp → ops@corp |
| Escaped / spaced dot | 45[.]66[.]77[.]88 → 45.66.77.88 |
| “dot” / (dot) | evil(dot)com → evil.com |
Honest false-positive handling. Nothing is dropped silently. Private / loopback / doc-range / reserved IPs are kept but labelled; domains on a curated allowlist are flagged benign; and ambiguous types (Bitcoin, registry keys, file paths) carry a heuristic badge. Anything only found after refanging is marked was defanged.
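The refang-then-extract flow and the visible flags described above can be sketched as follows. This is an added example, not the tool's own source: the function names, the four regex patterns and the sample text are assumptions made for illustration, and only the private and was defanged flags are implemented.

```javascript
// Added example, not the tool's own code. Covers four of the listed IOC types.
const REFANG = [
  [/hxxp(s?):\/\//gi, "http$1://"], // neutralized scheme
  [/\[\.\]|\(dot\)/gi, "."],        // bracketed dot and (dot)
  [/\[@\]/g, "@"],                  // bracketed at-sign
];
const OCTET = "(?:25[0-5]|2[0-4]\\d|1?\\d?\\d)";
const PATTERNS = {
  URL: /\bhttps?:\/\/[^\s"'<>]+/gi,
  IPv4: new RegExp(`\\b(?:${OCTET}\\.){3}${OCTET}\\b`, "g"),
  MD5: /\b[a-f0-9]{32}\b/gi,
  CVE: /\bCVE-\d{4}-\d{4,}\b/g,
};
const refang = (s) => REFANG.reduce((t, [re, to]) => t.replace(re, to), s);
const isPrivate = (ip) => {
  const [a, b] = ip.split(".").map(Number); // RFC 1918 ranges only
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
};

function extractIocs(raw) {
  const found = new Map(); // "type|value" -> row, so repeats only bump the count
  raw.split(/\r?\n/).forEach((line, i) => {
    const clean = refang(line);
    for (const [type, re] of Object.entries(PATTERNS)) {
      for (const m of clean.matchAll(re)) {
        const value = m[0].replace(/[.,;:)]+$/, ""); // drop trailing sentence punctuation
        const key = `${type}|${value}`;
        const row = found.get(key) ?? { type, value, count: 0, line: i + 1, flags: [] };
        row.count += 1;
        found.set(key, row);
      }
    }
  });
  for (const row of found.values()) {
    // Labelled, never dropped: private ranges stay in the output.
    if (row.type === "IPv4" && isPrivate(row.value)) row.flags.push("private");
    // Flag only values that never appear in live form anywhere in the source text.
    if (!raw.includes(row.value)) row.flags.push("was defanged");
  }
  return [...found.values()];
}

// Constructed sample input, reusing indicator values from the tables on this page.
const SAMPLE = [
  "Host 10.0.0.5 beaconed to 45[.]66[.]77[.]88 and 185.220.101.45.",
  "Payload at hxxp://malicious[.]top/gate.php (CVE-2024-1709), seen again at 45[.]66[.]77[.]88.",
].join("\n");
console.log(extractIocs(SAMPLE));
```

An indicator that appears both defanged and live in the same text is not flagged, because it was not found only after refanging.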
FAQ
What is an IOC (indicator of compromise)?
An indicator of compromise is a piece of forensic data — an IP address, domain, URL, file hash, email address, or CVE — that suggests a system may have been breached or is being targeted. Threat reports and advisories are full of them, often mixed into prose. This tool scans arbitrary text and pulls every indicator it recognizes into a clean, deduped, copy-ready table.
How do I extract IPs, hashes, or domains from a threat report?
Paste the whole report (or drop in a log or advisory) into the box. The extractor immediately lists every IPv4/IPv6 address, domain, URL, email, MD5/SHA-1/SHA-256/SHA-512 hash, CVE, MAC address and UUID it finds, with an occurrence count and the first line each appeared on. Use the type filter chips to narrow to just IPs or just hashes, then copy that type with one click.
Does it upload my data anywhere?
No. Extraction runs 100% in your browser — the text you paste never leaves the page. Your watchlist is stored only in this browser’s local storage. Pro exports are also generated client-side; the only network call the tool ever makes is an optional license check when you activate a Pro key, and that sends just the key, never your data.
What is defanging, and does this handle it?
Defanging neutralizes an indicator so it can’t be clicked or resolved by accident — for example writing hxxp://malicious[.]top instead of the live URL, or ops[@]corp instead of a real email. The extractor refangs the text first, so defanged indicators are detected as real values, and it flags anything that was only found after refanging so you know it appeared neutralized in the source.
How does it avoid false positives?
Honestly and visibly, never silently. Private, loopback, documentation-range and reserved IPs are kept but labelled; domains on a curated allowlist are flagged “benign”; and inherently ambiguous types (Bitcoin addresses, registry keys, file paths) carry a “heuristic” badge so you know they are best-effort, not authoritative. Nothing is dropped without a visible reason.
Can it export STIX or MISP?
Yes — with Pro. Activate a Bokamba Pro license and you can download the extracted IOCs as CSV, JSON, a STIX 2.1 bundle of indicator objects, or a MISP freetext import. All four are generated in your browser from the same in-page results; nothing is sent to a server.
Need to redact instead of extract? → Scrub sensitive data with LogScrub — mask IPs, emails, hostnames and secrets before you share a log.