IOC Feeds
Free IOC Feeds (CSV, JSON, TXT, RSS) - phishing, malware, scam
IOC Feeds
Full feeds from today, last week, last month and last year
CSV Feeds
RSS Feed
MISP Feed
Native MISP feed format (4 Events refreshed every 15 minutes, deterministic UUIDs so consumers dedupe across pulls). Add the manifest URL to your MISP instance under Sync Actions → Feeds → Add to import all 4 events automatically. Tags applied: TweetFeed · type:OSINT · tlp:clear.
Frequently asked questions
What is an IOC feed?
An indicator of compromise (IOC) feed is a continuously updated list of malicious URLs, domains, IPs and file hashes used by security teams to detect threats. TweetFeed collects IOCs shared publicly by researchers on Twitter/X and republishes them every 15 minutes in CSV, JSON, TXT and RSS.
Is TweetFeed free?
Yes. All TweetFeed IOC feeds and the REST API are free to download and use under a CC0 1.0 license. No registration or API key required.
How often are the IOC feeds updated?
Every 15 minutes. The pipeline scrapes around 95 Twitter/X RSS feeds, extracts new IOCs, deduplicates, and publishes refreshed CSV, JSON, TXT and RSS files to tweetfeed.live.
Which feed format should I choose?
CSV for spreadsheets and SIEM import, JSON for programmatic use, TXT for plain lists (one IOC per line), and RSS for subscribing in a feed reader. The data is identical across all four formats.
How do I import TweetFeed into MISP, OpenCTI or Splunk?
For MISP, point your instance at the manifest URL https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/misp/manifest.json under Sync Actions → Feeds → Add. It imports the 4 native MISP events (today/week/month/year) automatically with deterministic UUIDs for dedup across pulls. For OpenCTI and Splunk, point at the CSV URL and schedule periodic refresh. The Threat Hunting page lists ready-to-copy configuration snippets for MISP, OpenCTI, Splunk, KQL and IntelOwl.