Using TweetDeck for Threat Hunting

Security Operations Strategy

Keeping Up on Endless IoCs with TweetDeck

Keeping up with the latest news is never easy. With endless newsletters, feeds, and social media accounts to track, it can quickly become overwhelming. To streamline my information security feeds, I have recently turned to TweetDeck, a useful tool built into Twitter. TweetDeck offers extensive customization, filtering, and real-time scrolling options to ensure you are keeping up not only with what is recent, but also with what is relevant.

TweetDeck: Initial Settings

When you first log in to TweetDeck with your Twitter account, you will notice that it comes with a few preset columns that show off some of its features. One of the first things you should do is open the settings in the bottom-left corner and choose the display and UI options that suit you: column width, font size, auto-scrolling, and autoplay for GIFs and sensitive content. You can also use this opportunity to mute any words you do not want to see in your feed.

TweetDeck general settings showing visual and interactive options

Setting Up Your TweetDeck Feeds

When setting up new columns using the + button in the left-hand menu, there is a wide variety of column types to explore: your home timeline and notifications, the timeline of a specific user, or tweets matching a search, hashtag, or author. Adding a new column places it on your TweetDeck, where it starts updating live. You can also curate lists of accounts you want to follow closely and create a column that displays only that list.

TweetDeck column types

After you have created some columns, adjust their settings to ensure that what comes across your feed is relevant to you. Within each column there are multiple filters that can limit tweets by favorites, retweets, total interactions, and even the geo-location of the tweet. I have found it helpful to require a minimum number of retweets and favorites on all my columns so that my feed is not clogged with irrelevant tweets and spam.

For organization, you can drag columns and reorder them using the left-hand menu, or within each of the column’s settings using the arrows at the bottom. From here you can also clear old feeds or remove the column entirely.

TweetDeck search bar and filters

Advanced Searching with TweetDeck

As you continue to use TweetDeck, you will quickly become familiar with the many options for narrowing or widening your searches beyond simple hashtags and accounts. When creating a search, TweetDeck's search syntax helps pinpoint exactly what you want to find. TweetDeck supports the AND and OR operators (written in uppercase) and parentheses for grouping. Note that two adjacent terms are treated as an implicit AND, and AND takes precedence over OR, so use parentheses whenever the order of evaluation matters. You can also set the minimum number of favorites and retweets with min_faves:N and min_retweets:N, respectively. There is also the option to exclude certain accounts or keywords with the "-" operator, such as -from:TweetDeck, which removes all tweets from the TweetDeck account. Below are some example searches to get started. For a full list of the Twitter search syntax, see the developer documentation.

Sample searches:

#Shodan Safari: (#shodan OR OR (#zoomeye OR OR ( AND -FROM:censysio)

#Sandbox Runs: OR

#Malware and Red Team: (#offsec OR #malware OR #redteam OR #pentest OR #hacking OR #bugbounty) AND (min_faves:5 OR min_retweets:5)

#Blue Team: (#DFIR OR "digital forensics" OR #ThreatHunting OR #blueteam OR #threatintel OR #threatintelligence) AND (min_faves:10 OR min_retweets:5)
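To make the operator rules above concrete, here is an added example (not code from the original post or from TweetDeck) that parses queries written in this syntax and applies them to tweet records offline, for instance to re-filter an archive or an API export with the same expression you use in a column. It assumes Twitter's documented precedence (adjacent terms are an implicit AND, AND binds tighter than OR, parentheses group) and supports only the operators the post uses: AND, OR, parentheses, #hashtag, "exact phrase", from:user, -term, min_faves:N and min_retweets:N. The Tweet class and the sample tweets are constructed for the example, not real accounts or posts.

```python
"""Evaluate TweetDeck-style search queries against tweet records offline.

Added example, not part of the original post. Assumes Twitter's documented
precedence: implicit AND between adjacent terms, AND binds tighter than OR,
parentheses group. Sample tweets below are constructed, not real.
"""
import re
from dataclasses import dataclass


@dataclass
class Tweet:                      # minimal record; field names are our own
    author: str
    text: str
    favorites: int = 0
    retweets: int = 0


# Tokens: parentheses, quoted phrases, or runs of other non-space characters.
TOKEN_RE = re.compile(r'\(|\)|"[^"]*"|[^\s()"]+')
HASHTAG_RE = re.compile(r"#(\w+)")
WORD_RE = re.compile(r"[a-z0-9_]+")


class Parser:
    """Recursive descent: expr := term (OR term)*; term := factor factor*."""

    def __init__(self, query: str):
        self.toks = TOKEN_RE.findall(query)
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        if self.i >= len(self.toks):
            raise ValueError("unexpected end of query")
        tok = self.toks[self.i]
        self.i += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def expr(self):               # OR has the lowest precedence
        nodes = [self.term()]
        while self.peek() is not None and self.peek().upper() == "OR":
            self.take()
            nodes.append(self.term())
        return ("or", nodes) if len(nodes) > 1 else nodes[0]

    def term(self):               # explicit "AND" or a bare space both mean AND
        nodes = [self.factor()]
        while self.peek() not in (None, ")") and self.peek().upper() != "OR":
            if self.peek().upper() == "AND":
                self.take()
            nodes.append(self.factor())
        return ("and", nodes) if len(nodes) > 1 else nodes[0]

    def factor(self):
        tok = self.take()
        if tok == "(":
            node = self.expr()
            if self.take() != ")":
                raise ValueError("expected )")
            return node
        if tok.startswith("-") and len(tok) > 1:   # -term excludes
            return ("not", ("atom", tok[1:]))
        return ("atom", tok)


def match_atom(tok: str, tweet: Tweet) -> bool:
    low, text = tok.lower(), tweet.text.lower()
    if low.startswith("min_faves:"):
        return tweet.favorites >= int(low.split(":", 1)[1])
    if low.startswith("min_retweets:"):
        return tweet.retweets >= int(low.split(":", 1)[1])
    if low.startswith("from:"):
        return tweet.author.lower() == low[5:].lstrip("@")
    if len(low) >= 2 and low[0] == low[-1] == '"':
        return low[1:-1] in text                      # exact phrase
    if low.startswith("#"):
        return low[1:] in {t.lower() for t in HASHTAG_RE.findall(tweet.text)}
    return low in WORD_RE.findall(text)               # plain keyword


def matches(node, tweet: Tweet) -> bool:
    kind, val = node
    if kind == "or":
        return any(matches(n, tweet) for n in val)
    if kind == "and":
        return all(matches(n, tweet) for n in val)
    if kind == "not":
        return not matches(val, tweet)
    return match_atom(val, tweet)


def search(query: str, tweets) -> list:
    """Return the tweets satisfying the query, in their original order."""
    node = Parser(query).parse()
    return [t for t in tweets if matches(node, t)]


BLUE_TEAM = ('(#DFIR OR "digital forensics" OR #ThreatHunting OR #blueteam '
             'OR #threatintel OR #threatintelligence) '
             'AND (min_faves:10 OR min_retweets:5)')
RED_TEAM = ('(#offsec OR #malware OR #redteam OR #pentest OR #hacking '
            'OR #bugbounty) AND (min_faves:5 OR min_retweets:5)')

SAMPLE_TWEETS = [  # constructed examples only
    Tweet("alice", "New write-up: #DFIR triage of a ransomware case", 12, 2),
    Tweet("bob", "#threatintel digest for the week", 3, 1),
    Tweet("carol", "PoC for a fresh bug is public #redteam #pentest", 40, 20),
    Tweet("dave", "Digital forensics lab setup guide", 2, 6),
    Tweet("TweetDeck", "#blueteam tips thread", 100, 50),
]

if __name__ == "__main__":
    for q in (BLUE_TEAM, BLUE_TEAM + " -from:TweetDeck", RED_TEAM):
        print([t.author for t in search(q, SAMPLE_TWEETS)])
```

The last query in the usage section shows why the exclusion operator matters: appending -from:TweetDeck to the blue-team search drops the TweetDeck account's own tweet even though it clears the favorite threshold. Because the parser treats a bare space as AND with higher precedence than OR, a query such as #dfir OR #threatintel min_faves:10 only applies the favorite threshold to the #threatintel branch; wrap the hashtags in parentheses, as the sample searches do, if you want the threshold to apply to both.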

Closing Thoughts

From IoC hunting and monitoring lists of users to keeping an eye out for new CVEs, there are many ways to stay up to date on threats and malicious actors. You can even use TweetDeck to set up a temporary column that monitors an active CVE or threat campaign, so that you see proof-of-concept (PoC) code as soon as it becomes public. However you employ it, TweetDeck has many useful applications that help you work smarter, not harder.