{"service":"tweetfeed-mcp","protocol":"Model Context Protocol (MCP)","protocolVersion":"2025-11-25","transport":"HTTP JSON-RPC 2.0 (POST)","endpoint":"https://mcp.tweetfeed.live/","tools":[{"name":"query_iocs","description":"Query the TweetFeed API for Indicators of Compromise (IOCs: URLs, domains, IPs, MD5/SHA256 hashes) shared by the infosec community on Twitter/X. Returns matching rows with date, researcher handle, type, value, tags, and tweet URL. All data CC0 licensed. The 'year' time window is not supported here (too large for a tool response) - use the /v1/year HTTP redirect directly if you need it."},{"name":"check_url","description":"Check whether a URL (or substring) appears in the TweetFeed corpus over the past 30 days. Useful for confirming if an observed URL has been flagged by the public infosec Twitter/X community. Case-insensitive substring match against the 'value' field of type=url IOCs. Returns matching rows with date, researcher handle, value, tags, and source tweet URL."},{"name":"check_ip","description":"Check whether an IP address appears in the TweetFeed corpus over the past 30 days. Useful for confirming if an observed IP has been flagged as attacker infrastructure (C2, scanner, phishing host) by the public infosec Twitter/X community. Substring match against the 'value' field of type=ip IOCs (so '1.2.3' will also match '1.2.3.4'). Pass a full IPv4 / IPv6 string for an exact-match feel."},{"name":"check_hash","description":"Check whether a file hash (MD5 or SHA-256) appears in the TweetFeed corpus over the past 30 days. Useful for confirming if a binary sample has been shared by the public infosec Twitter/X community. Hash type auto-detected from length (32 hex = MD5, 64 hex = SHA-256). Exact match on hex value, case-insensitive."},{"name":"list_recent_iocs","description":"List TweetFeed IOCs added since a given date, useful for delta-syncing a blocklist or Threat Intelligence pipeline. Source is the 30-day month window so 'since' must be within the past 30 days; older queries return only the part within the month window. Optional 'type' and 'tag' filters narrow the result. Sorted newest first."},{"name":"get_tag_info","description":"Bundle of TweetFeed activity for a single tag: aggregate counts across today/week/month/year windows plus the most recent IOCs. Saves the agent from making three separate calls to assemble a tag overview. Tag can be passed with or without a leading '#'."},{"name":"get_trending","description":"Top tags and IOC-type distribution for a given time window, computed from the live counts.json aggregate. Useful for 'what is the infosec community talking about right now' or 'which malware family is spiking this week' queries. Source: https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/counts.json (regenerated every 15 min)."},{"name":"enrich_ioc","description":"Look up an IOC value in TweetFeed. First an EXACT lookup over the past 365 days (aggregated: first_seen, last_seen, count, reporters, tags, last source tweets; accepts defanged input and http/https variants), including AI-generated context (summary, malware family, threat type) when available. If no exact match, falls back to a 30-day substring scan with auto-detected type (URL / domain / IP / MD5 / SHA-256)."},{"name":"get_campaigns","description":"AI-clustered campaign groupings of the last 7 days of community-shared TweetFeed IOCs: each campaign bundles related URLs/domains/IPs/hashes under a name, a short context summary, a clustering confidence (high/medium/low), and a targeted brand when one was identified, plus a sample of member IOCs. Regenerated daily from a rolling 7-day window. Useful for 'what phishing campaigns are active right now' or 'is this IOC part of a larger campaign' queries. Optional filters narrow by targeted brand or minimum confidence."}],"docs":"https://tweetfeed.live/api.html","license":"CC0-1.0 (IOC data)","source":"https://github.com/0xDanielLopez/tweetfeed-mcp"}