Building a Threat Intelligence Feed using the Twitter API and a bit of code

A few examples

Pretty-printing the feed with jq, a command-line JSON processor, lets us view the results more clearly.

curl https://twitter.threatintel.rocks/ --silent | jq
curl https://twitter.threatintel.rocks/ --silent | jq -r '.malicious_urls | .[]'

Generating a list of IP addresses from the most reported URLs

The following command extracts all values from the malicious_ips array and sorts them by number of occurrences.

curl https://twitter.threatintel.rocks/ --silent | jq '.malicious_ips |  .[]?' -r | sort | uniq -c | sort -nr

Generating a list of top contributors of malicious URLs.

This only contains contributors that have been active since the launch of the feed. However, it’s continuously updated.

curl https://twitter.threatintel.rocks/ --silent | jq -r .username | sort | uniq -c | sort -nr
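The two aggregations above (IPs by occurrence, contributors by activity) can be combined before anything from the feed reaches a blocklist. The following is an added example, not code from the original post: it keeps only IPs reported by at least two distinct usernames, drops unparsable entries, and never emits internal ranges. The field names come from the jq commands above; the one-object-per-tweet stream shape, the sample records, and the names `corroborated_ips`, `iter_records` and `NEVER_BLOCK` are assumptions made for the illustration.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample, not real feed data. Field names are the ones the jq
# commands above use; "one JSON object per tweet" is an assumption.
SAMPLE_FEED = """
{"username": "user_a", "malicious_urls": ["http://a.example/x"], "malicious_ips": ["203.0.113.7", "10.0.0.5"]}
{"username": "user_b", "malicious_urls": ["http://b.example/y"], "malicious_ips": ["203.0.113.7", "198.51.100.9"]}
{"username": "user_b", "malicious_urls": ["http://b.example/z"], "malicious_ips": ["198.51.100.9", "not-an-ip"]}
{"username": "user_c", "malicious_urls": ["http://c.example/q"], "malicious_ips": null}
"""

# Networks that must never land on a blocklist, whatever the feed says.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def iter_records(text):
    """Yield each value from a stream of concatenated JSON values, as jq reads it."""
    decoder, pos = json.JSONDecoder(), 0
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1  # raw_decode does not skip leading whitespace itself
        if pos >= len(text):
            return
        record, pos = decoder.raw_decode(text, pos)
        yield record


def corroborated_ips(text, min_reporters=2):
    """Return {ip: reporter_count} for IPs reported by >= min_reporters usernames."""
    reporters = defaultdict(set)
    for record in iter_records(text):
        if not isinstance(record, dict):
            continue
        for raw in record.get("malicious_ips") or []:  # same tolerance as `.[]?`
            try:
                ip = ipaddress.ip_address(str(raw).strip())
            except ValueError:
                continue  # feed content is untrusted input: drop what does not parse
            if any(ip in net for net in NEVER_BLOCK):
                continue
            reporters[str(ip)].add(str(record.get("username")))
    return {ip: len(u) for ip, u in reporters.items() if len(u) >= min_reporters}

if __name__ == "__main__":
    for ip, n in sorted(corroborated_ips(SAMPLE_FEED).items(), key=lambda kv: -kv[1]):
        print(f"{n:>4} {ip}")
```

Counting distinct reporters rather than raw occurrences keeps a single account that repeats the same IP from pushing it up the list.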
