Twitter IOC feeds
TI Feed Twitter IO Cs
Query
// Collect external data from @0xDanielLopez Github. There is a UI for TweetFeed, this can be accessed on https://tweetfeed.live/
// TweetFeed collects Indicators of Compromise (IOCs) shared by the infosec community at Twitter. Here you will find malicious URLs, domains, IPs, and SHA256/MD5 hashes.
// Variables that are used:
let TimeRange = 7d; //Customizable h = hours, d = days
// Phishing and Spam IPs are most sensitive to false positves. Only enable this variable if you do want to include them.
let IncludeSpamPhishingIPS = false;
let TweetFeedLastMonth = externaldata(IOCTimeGenerated:datetime, TwitterUser:string, IOCType:string, IOC:string, IOCCatagory:string, TweetLink:string)[h@"https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/month.csv"] with(format="csv");
// Get overall statstics of the dataset.
let IOCStatistics = TweetFeedLastMonth
| summarize Total = count() by IOCType;
// All lines below are used to get lists of IOCs which can be mapped against tables. If you only want to use a some of those entries, remove the others for the best performance.
// Collect IP IOCS and validate IP addresses. Variable for Phishing and Spam is used as defined above.
let IPEntries = TweetFeedLastMonth
| where IOCType == "ip"
| where not(IOCCatagory in ('#phishing', '#phishing #scam', '#scam') and IncludeSpamPhishingIPS == false)
| distinct IOC
| where IOC matches regex '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
// Collect domain entries and make them lowercase.
let DomainEntries = TweetFeedLastMonth
| where IOCType == "domain"
| distinct tolower(IOC);
// Collect domain entries and make them lowercase. remove all HTTP(S):// from the domain
let URLEntries = TweetFeedLastMonth
| where IOCType == "url"
| distinct IOC
| extend StrippedDomain1 = extract(@'//(.*)', 1, IOC);
// Collect MD5 IOCS and validate md5 value
let MD5Entries = TweetFeedLastMonth
| where IOCType == "md5"
| distinct IOC
| where IOC matches regex '[a-f0-9]{32}';
// Collect sha256 IOCS and validate sha256 value
let SHA256Entries = TweetFeedLastMonth
| where IOCType == "sha256"
| distinct IOC
| where IOC matches regex '[a-fA-F0-9]{64}';
// The next lines will be used to search your tenant on the IOCs that are in the TweetFeed. This is done by combining multiple tables into one end result.
// Lookups are used to gain additional information on the IOC
union isfuzzy=true
// List IOC statistics
(IOCStatistics),
// List IP IOC matches if they exsists.
(DeviceNetworkEvents
| where TimeGenerated > ago(TimeRange)
| where RemoteIP in (IPEntries)
| lookup kind=inner (TweetFeedLastMonth) on $left.RemoteIP == $right.IOC
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)),
// List domain IOC matches if they exsists.
(DeviceNetworkEvents
| where TimeGenerated > ago(TimeRange)
| where RemoteUrl has_any (DomainEntries)
| lookup kind=inner (TweetFeedLastMonth) on $left.RemoteUrl == $right.IOC),
// List url IOC matches if they exsists.
(DeviceNetworkEvents
| where TimeGenerated > ago(TimeRange)
| where RemoteUrl in (URLEntries)
| lookup kind=inner (TweetFeedLastMonth) on $left.RemoteUrl == $right.IOC),
(DeviceFileEvents
| where TimeGenerated > ago(TimeRange)
| where MD5 in (MD5Entries)
| lookup kind=inner (TweetFeedLastMonth) on $left.MD5 == $right.IOC),
(DeviceFileEvents
| where TimeGenerated > ago(TimeRange)
| where SHA256 in (SHA256Entries)
| lookup kind=inner (TweetFeedLastMonth) on $left.SHA256 == $right.IOC)
// Reorder columns to first get info on IOC
| project-reorder IOCType, Total, IOCTimeGenerated, IOCCatagory, TweetLink, RemoteIP, RemoteUrl, MD5, SHA256About this query
Explanation
This query is designed to help identify Indicators of Compromise (IOCs) in your environment using data from the infosec community on Twitter. Here's a simple breakdown of what it does:
-
Data Source: It uses a list of tweets from the infosec community, which are compiled into feeds available at tweetfeed.live. The data includes malicious IPs, domains, URLs, and file hashes (MD5 and SHA256).
-
IOC Types: The query searches for various types of IOCs, including IP addresses, domains, URLs, and file hashes (MD5 and SHA256).
-
Categories: It includes IOCs related to threats like CobaltStrike, Ransomware, AgentTesla, and Qakbot.
-
Variables:
TimeRange: Specifies the time period to search within (default is 7 days).IncludeSpamPhishingIPS: Determines whether to include phishing and spam IPs, which are prone to false positives (default is false).
-
Process:
- It first gathers statistics about the dataset.
- Then, it collects and validates different types of IOCs (IPs, domains, URLs, MD5, and SHA256).
- The query searches your environment for any matches with these IOCs.
- If matches are found, it provides details about the IOC, the originating tweet, and the IOC category.
- It also enriches IP data with geographical information.
-
Output: The results show any detected IOCs in your environment, along with relevant details like the type of IOC, the tweet it came from, and its category.
This query is useful for security analysts looking to identify potential threats in their network by leveraging community-shared intelligence from Twitter.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators