[GH-ISSUE #76] [Feature Request] Automated Campaign Monitoring: Periodic Node Expansion & Webhook Alerts #339

Open
opened 2026-04-16 02:11:13 -05:00 by GiteaMirror · 0 comments
Owner

Originally created by @Twi1ight on GitHub (Nov 20, 2025).
Original GitHub issue: https://github.com/reconurge/flowsint/issues/76

Currently, FlowSINT is excellent for interactive investigations, but it lacks a mechanism for long-term monitoring of threat actor groups (or "gangs").

In many OSINT scenarios, an analyst identifies a cluster of nodes (e.g., specific emails, IP addresses, or domains) associated with a threat group. The analyst needs to periodically re-scan these nodes to detect new infrastructure or associations (e.g., a new domain registered by a known email). Doing this manually is repetitive and prone to error.

### Describe the solution you'd like

I propose a new "Campaign/Group Monitoring" module. This feature would allow users to select a set of nodes and configure automated, periodic expansion tasks.

**Key Functionality Requirements:**

1. **Group Management:**
   - Ability to group specific nodes into a "Campaign" or "Monitor Set."
2. **Scheduled Expansion (Auto-Pivot):**
   - Allow users to select specific investigation methods/transforms (e.g., `Reverse Whois`, `Passive DNS`) to run on this group.
   - Configurable schedule (e.g., Run every 12 hours, Daily, Weekly).
3. **Diff Engine & New Findings:**
   - The system should compare the new results against historical data.
   - It should identify **only the newly discovered nodes** (deltas).
4. **Notification & Integration:**
   - **Webhooks:** If new nodes/associations are found, send a JSON payload to a configured Webhook URL (e.g., for Slack/Discord/Telegram alerts).
   - **Flow Trigger:** Ideally, the discovery of a new node could automatically trigger a secondary FlowSINT workflow for deeper analysis.
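The diff engine and webhook steps of the request above, as an added example that is not FlowSINT code and not part of the original issue. It assumes a stored edge set per campaign of the form `(source_node, transform, discovered_node)`; the node values, transform names, campaign name and webhook secret are constructed sample data. The HMAC signature on the outgoing body is an addition a practitioner would want so the receiving Slack/Discord/Telegram relay can reject forged or altered alerts; the header name is assumed.

```python
"""Added example (not FlowSINT code): one scheduled monitoring cycle for a
campaign: diff the latest expansion against the historical results, keep only
the delta, build the webhook JSON body, and sign it with HMAC-SHA256."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample: last stored expansion results for a monitored set ("campaign").
# Each edge is (source_node, transform, discovered_node).
HISTORICAL_EDGES = {
    ("admin@example.test", "reverse_whois", "example-one.test"),
    ("admin@example.test", "reverse_whois", "example-two.test"),
    ("example-one.test", "passive_dns", "192.0.2.10"),
}

# Constructed sample: results of the latest scheduled run of the same transforms.
LATEST_EDGES = {
    ("admin@example.test", "reverse_whois", "example-one.test"),
    ("admin@example.test", "reverse_whois", "example-two.test"),
    ("admin@example.test", "reverse_whois", "example-three.test"),  # new domain
    ("example-one.test", "passive_dns", "192.0.2.10"),
    ("example-three.test", "passive_dns", "198.51.100.7"),          # new IP
}


def diff_expansion(historical, latest):
    """Return only the newly discovered edges and nodes (the delta).

    A node counts as new when it is discovered in the latest run and did not
    appear anywhere (as source or as discovered node) in the historical run.
    """
    new_edges = sorted(latest - historical)
    known_nodes = {s for s, _, _ in historical} | {d for _, _, d in historical}
    new_nodes = sorted({d for _, _, d in new_edges if d not in known_nodes})
    return new_edges, new_nodes


def build_webhook_payload(campaign, new_edges, new_nodes, run_at=None):
    """Build the alert body. Returns None when nothing is new, so the
    scheduler can skip the webhook call instead of sending empty alerts."""
    if not new_edges:
        return None
    run_at = run_at or datetime.now(timezone.utc).isoformat()
    return {
        "campaign": campaign,
        "run_at": run_at,
        "new_nodes": new_nodes,
        "new_associations": [
            {"source": s, "transform": t, "discovered": d} for s, t, d in new_edges
        ],
    }


def sign_payload(body: bytes, secret: bytes) -> str:
    """HMAC-SHA256 over the exact bytes sent, so the receiver can verify the
    alert came from the monitor and was not altered in transit."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, secret: bytes, signature: str) -> bool:
    """Receiver-side check; constant-time compare avoids leaking the digest."""
    return hmac.compare_digest(sign_payload(body, secret), signature)


def run_monitor_cycle(campaign, historical, latest, secret):
    """One scheduled cycle: diff, build the alert, sign it. Returns the
    (payload, body_bytes, signature) a sender would POST, or None if no delta."""
    new_edges, new_nodes = diff_expansion(historical, latest)
    payload = build_webhook_payload(campaign, new_edges, new_nodes)
    if payload is None:
        return None
    # Canonical serialization: the signature must cover the bytes actually sent.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return payload, body, sign_payload(body, secret)


if __name__ == "__main__":
    result = run_monitor_cycle("demo-campaign", HISTORICAL_EDGES, LATEST_EDGES,
                               b"constructed-webhook-secret")
    if result:
        payload, body, sig = result
        print(json.dumps(payload, indent=2))
        print("X-Signature-256 (assumed header name):", sig)
```

After a successful delivery the scheduler would merge `LATEST_EDGES` into the stored history so the next cycle only reports what is new relative to this one; the "Flow Trigger" step is simply the same `new_nodes` list handed to a workflow runner instead of, or as well as, the webhook.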
Reference: github-starred/flowsint#339