
Batch and Feeds

Batch from file

Batch mode automatically processes a list of IOCs:

# File format: one IOC per line
cat iocs.txt
185.220.101.34
evil-phishing.com
http://malware.host/payload.exe
d41d8cd98f00b204e9800998ecf8427e
8.8.8.8

# Analyze all (with 2s delay between each)
osint-agent --batch iocs.txt
# Limit to first 20
osint-agent --batch iocs.txt --limit 20
# JSON output (useful for scripting)
osint-agent --batch iocs.txt --json
# Save results
osint-agent --batch iocs.txt --json > results-$(date +%Y%m%d).json

Batch from live feeds

# 5 most recent C2 IPs from Feodo (botnets)
osint-agent --feed feodo --limit 5
# 3 malware URLs from URLhaus
osint-agent --feed urlhaus --limit 3
# 10 malicious IPs from IPsum
osint-agent --feed ipsum --limit 10
# C2 infrastructure from C2IntelFeeds
osint-agent --feed c2intel --limit 5
# With JSON output
osint-agent --feed feodo --limit 5 --json

Daily automation with cron

Analyze the most dangerous feeds every morning:

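# crontab -e
# A crontab entry must be a single line; cron has no backslash line continuation.
# stderr is appended to the same file; redirect it elsewhere if the file must stay valid JSON.
0 7 * * * /path/to/.venv/bin/osint-agent --feed feodo --limit 10 --json >> /var/log/osint/feodo-$(date +\%Y\%m\%d).json 2>&1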

Scripting pipeline

#!/bin/bash
# Analyze feeds and alert if high-risk IOCs are found
osint-agent --feed feodo --limit 20 --json | jq -r '.[] |
    select(.risk_score >= 80) |
    "\(.ioc) - Score: \(.risk_score) - \(.assessment | .[0:100])"' \
  | while read -r line; do
      echo "[CRITICAL ALERT] $line"
      # Here you could send to Slack, PagerDuty, etc.
    done

SIEM integration

# Export in Splunk-compatible format
osint-agent --batch iocs.txt --json | jq '[.[] | {
  ioc: .ioc,
  type: .ioc_type,
  risk_score: .risk_score,
  risk_level: .risk_level,
  malicious: (.risk_score >= 60),
  timestamp: (now | todate)
}]'

Rate limit control

With large lists, increase the delay between requests so the run does not exhaust your API quotas:

# For VirusTotal free tier (500 req/day, 4 req/min)
BATCH_DELAY_SECONDS=15 osint-agent --batch large-list.txt --limit 100
# For paid tiers
BATCH_DELAY_SECONDS=1 osint-agent --batch large-list.txt --limit 500

The 24h cache prevents re-analyzing IOCs you already investigated today.

Automatic deduplication

If your file contains duplicate IOCs, batch mode analyzes each one only once; the second occurrence is read from the cache:

iocs.txt:
185.220.101.34 ← analyzes with API
8.8.8.8 ← analyzes with API
185.220.101.34 ← reads from cache (doesn't consume API quota)
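
A pre-flight check for a batch file, added here as an example and not part of osint-agent: it cleans the one-IOC-per-line list, flags lines that do not look like an IOC, and derives the delay from the per-minute limit quoted above. The function names, the handling of `#` comments and defanged indicators, and the one-request-per-IOC estimate are assumptions.

```shell
#!/bin/sh
# Added example, not part of osint-agent. Assumptions: the list may contain
# '#' comments and defanged indicators; each unique IOC costs one request.
# normalize_iocs FILE: trim, refang, drop blanks/comments, keep first occurrence.
normalize_iocs() {
    tr -d '\r' < "$1" \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
              -e 's/^[hH][xX][xX][pP]/http/' -e 's/\[\.]/./g' -e 's/\[:]/:/g' \
        | grep -v -e '^$' -e '^#' \
        | awk '!seen[$0]++'
}

# classify_ioc VALUE: coarse type guess from the shape of the value.
classify_ioc() {
    if   printf '%s\n' "$1" | grep -Eq '^https?://[^[:space:]]+$'; then echo url
    elif printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then echo ip
    elif printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$'; then echo hash
    elif printf '%s\n' "$1" | grep -Eq '^([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$'; then echo domain
    else echo unknown
    fi
}

# preflight FILE: "type<TAB>ioc" per unique line, so 'unknown' lines get fixed first.
preflight() {
    normalize_iocs "$1" | while IFS= read -r ioc; do
        printf '%s\t%s\n' "$(classify_ioc "$ioc")" "$ioc"
    done
}

# plan_batch FILE PER_MINUTE PER_DAY: delay and number of days that fit the quota.
plan_batch() {
    n=$(preflight "$1" | grep -vc '^unknown' || true)
    delay=$(( (60 + $2 - 1) / $2 ))   # ceil(60 / per-minute limit), in seconds
    days=$(( (n + $3 - 1) / $3 ))     # ceil(valid IOCs / daily quota)
    echo "valid=$n delay=${delay}s days=$days"
}

# Constructed sample: page IOCs plus a comment, a defanged URL, a duplicate, a typo.
sample_iocs() {
    cat <<'EOF'
# morning triage list
185.220.101.34
hxxp://malware[.]host/payload.exe
evil-phishing.com
185.220.101.34
evil-phishing,com
EOF
}
if [ "$#" -ge 1 ]; then preflight "$1"; plan_batch "$1" 4 500; fi  # usage: sh preflight.sh iocs.txt
```

Write `normalize_iocs` output to a new file and pass that file to `--batch`; the computed delay is the value to export as `BATCH_DELAY_SECONDS`.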

Feeds: what to choose by use case

| Use case | Recommended feed |
| --- | --- |
| Active botnets and C2 | feodo, c2intel |
| Malware distribution | urlhaus |
| General malicious IPs | ipsum |
| Traffic trends | cloudflare |
| Maximum coverage | All with --limit 5 each |