OSINT Platforms

Leverage OSINT platforms to enrich investigations and identify threats.

Last updated: February 2026

Purpose and Scope

Open-source intelligence (OSINT) platforms aggregate data from public sources to help analysts identify malicious infrastructure, enrich indicators, and understand attacker tradecraft. This playbook covers how to use OSINT platforms effectively in SOC workflows.

Prerequisites

  • Platform accounts: Free or paid accounts on key OSINT platforms
  • API access: API keys for automation and integration
  • SIEM or SOAR: Platform to ingest and correlate OSINT data
  • Investigation context: Indicators to research (IPs, domains, hashes, URLs)

Key OSINT Platforms

VirusTotal

Multi-scanner aggregation for files, URLs, domains, and IPs:

  • File hash lookups against 70+ antivirus engines
  • URL and domain reputation
  • Behavioral analysis from sandboxes
  • Relationship graphs showing infrastructure connections

AlienVault OTX

Community-driven threat intelligence sharing:

  • Pulses containing IOCs and context
  • Community-contributed threat data
  • Integration with security tools
  • Free API access

urlscan.io

Website scanning and analysis:

  • Live screenshots of web pages
  • DOM and network request analysis
  • Technology detection
  • Historical scan data

Shodan

Internet-wide scanning and device discovery:

  • Open ports and services
  • Banner grabbing and version detection
  • Historical data on IP addresses
  • Vulnerability correlation

Censys

Internet asset discovery and monitoring:

  • Certificate transparency logs
  • Host and service enumeration
  • Attack surface discovery

MISP

Open source threat intelligence platform:

  • Structured threat data sharing
  • Event and attribute correlation
  • Integration with SIEMs and security tools
  • Community and private sharing groups

Investigation Workflow

1. Identify Indicators

Extract indicators from alerts, logs, or reports:

  • IP addresses (source and destination)
  • Domain names and URLs
  • File hashes (MD5, SHA1, SHA256)
  • Email addresses and sender domains

2. Query Multiple Platforms

Check indicators across several sources:

  • No single platform has complete coverage
  • Cross-reference results across sources to build confidence
  • Note discrepancies between sources
  • Consider the recency of each source's data

3. Analyze Context

Look beyond simple reputation scores:

  • When was the indicator first and last seen?
  • What campaigns or threat actors are associated?
  • What related infrastructure exists?
  • Is there behavioral or sandbox data?

4. Pivot and Expand

Use relationships to discover additional indicators:

  • Domains hosted on the same IP
  • Files that contacted the domain
  • Similar samples by behavior or structure
  • Registration patterns and WHOIS data

5. Document Findings

  • Record sources and timestamps
  • Note confidence levels
  • Link related indicators
  • Preserve evidence for reports

Automation and Integration

API Integration

Automate lookups in your workflow:

  • Enrich alerts automatically with TI data
  • Query APIs from SOAR playbooks
  • Build dashboards with aggregated results
  • Respect rate limits to avoid blocking

Feed Ingestion

Import threat feeds into your SIEM:

  • Configure feed sources (STIX/TAXII, CSV, JSON)
  • Set retention and refresh intervals
  • Weight indicators by source confidence
  • Correlate with internal telemetry

Validation and False Positives

  • Reputation can be stale or incorrect
  • Shared hosting may cause legitimate domains to appear malicious
  • Dynamic IPs may change ownership
  • Validate with multiple sources before taking action
  • Consider age of intelligence data
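The cross-referencing described in step 2 of the workflow and the validation points above (weight by source confidence, discount stale data, flag disagreement before acting) as an added example; this is not code from the page or from any of the platforms it lists, and the verdicts, weights and 90-day staleness window are constructed assumptions rather than real API output.

```python
"""Cross-reference indicator verdicts from several OSINT platforms.
The source responses below are constructed stand-ins, not real API output."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Verdict:
    source: str
    malicious: bool
    last_seen: datetime   # when this platform last observed the indicator
    weight: float         # analyst-assigned trust in this source, 0..1

STALE_AFTER = timedelta(days=90)   # assumption: older verdicts count half

def score_indicator(verdicts, now):
    """Weighted share of sources calling the indicator malicious.
    Returns (score, sources_agreeing_malicious, analyst_notes)."""
    total = malicious = 0.0
    agreeing, notes = [], []
    for v in verdicts:
        w = v.weight
        age = now - v.last_seen
        if age > STALE_AFTER:            # consider recency of data
            w *= 0.5
            notes.append(f"{v.source}: last seen {age.days}d ago, weight halved")
        total += w
        if v.malicious:
            malicious += w
            agreeing.append(v.source)
    if total == 0:
        return 0.0, [], ["no verdicts available"]
    if 0 < len(agreeing) < len(verdicts):   # note discrepancies between sources
        notes.append("sources disagree; validate before blocking")
    return round(malicious / total, 2), agreeing, notes

def triage(verdicts, now, escalate_at=0.7):
    """Turn the cross-referenced score into a triage decision."""
    score, agreeing, notes = score_indicator(verdicts, now)
    action = "escalate" if score >= escalate_at else "monitor"
    return {"score": score, "agreeing": agreeing, "action": action, "notes": notes}

# Constructed verdicts for one hypothetical domain, as of a fixed analysis time.
NOW = datetime(2026, 2, 1, tzinfo=timezone.utc)
SAMPLE = [
    Verdict("VirusTotal", True, NOW - timedelta(days=3), 0.9),
    Verdict("AlienVault OTX", True, NOW - timedelta(days=200), 0.6),
    Verdict("urlscan.io", False, NOW - timedelta(days=1), 0.7),
]

if __name__ == "__main__":
    print(triage(SAMPLE, NOW))
```

With the sample above, two sources say malicious but one of them is stale and the third disagrees, so the score lands below the escalation threshold and the indicator is held for validation rather than blocked.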

Escalation Guidance

Escalate when OSINT reveals:

  • Indicators linked to known APT groups
  • Active C2 infrastructure in your environment
  • Malware associated with ransomware or data theft
  • Infrastructure specifically targeting your industry

Best Practices

  • Use multiple sources: No platform has complete visibility
  • Check freshness: Threat data ages quickly
  • Understand scoring: Know what reputation scores mean
  • Contribute back: Share indicators with the community when appropriate
  • Automate enrichment: Build OSINT into your triage workflow
  • Respect privacy: Do not query sensitive internal data on public platforms

Built by RedPhish LLC. All Rights Reserved. Copyright 2025.
