Reasoning
Most coordinated abuse/spam involves multiple entities working together (botnets, affiliate networks, spam rings). Osprey currently requires the investigator to correlate those entities by hand, which makes large network investigations slow and error-prone. Streamlining relationship discovery would significantly improve investigator efficiency for complex, multi-entity cases.
Current behavior
Osprey provides basic drill-down investigation capabilities in the UI:
- Entity navigation: Click on entities (User IDs, IPs, etc.) and use keyboard shortcuts (⌘/◇ + click) to add them to the current query or open in a new tab
- Multi-hop traversal is possible through manual query building (User → click IP → add to query → see other Users)
- Entity View shows single-entity deep dive with labels, event counts by feature, and time series
- Feature filters allow filtering entity events by specific attributes
Limitations:
- No visual relationship graph: Multi-hop connections require manual navigation through multiple queries
- Tedious multi-entity investigation: Building complex relationship chains requires repeatedly clicking, adding to queries, and manually comparing results
- No aggregated relationship context: Can't easily see "this User is connected to 5 IPs that each have 10+ flagged users" without manually exploring each path
- No saved investigation workflows: Complex traversal paths can't be saved/replayed for similar cases
- No visual network view: Hard to understand the full scope of a coordinated abuse network visually
Desired behavior
Enable enhanced drill-down capabilities for complex cases, discoverable through the UI without code changes, to support:
- Interactive entity relationship graph/network visualization showing multi-hop connections at a glance
- Automatic relationship suggestions (e.g., "Show me all Users on this IP" without manually querying)
- Aggregated risk scoring across relationship chains (e.g., "this User is connected to 3 IPs with avg risk score of 8.2")
- Saved investigation patterns for recurring network types (bot rings, affiliate networks, etc.)
- One-click drill-down through relationship types without manual query building
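To make the "aggregated relationship context" bullets concrete, here is an added illustration in plain Python of the computation they describe: a breadth-first User → IP → User traversal plus a per-chain summary ("connected to N IPs, M of which carry 10+ flagged users, average IP risk X"). This is not Osprey code and is not part of the issue; the event data, the flagged set, the IP risk scores and every function name (`traverse`, `chain_summary`, `investigate`) are constructed assumptions for the example.

```python
"""Constructed sketch of multi-hop relationship traversal and chain aggregation.
Not Osprey code: all data and identifiers are made up for illustration."""
from collections import defaultdict, deque
from statistics import mean


def constructed_events():
    """Constructed (user_id, ip) login pairs and a set of flagged users."""
    events = [("u0", "ip1"), ("u0", "ip2"), ("u0", "ip3")]  # seed user u0
    flagged = set()
    for n in range(12):                 # ip1: 12 other users, all flagged
        events.append((f"a{n}", "ip1"))
        flagged.add(f"a{n}")
    for n in range(11):                 # ip2: 11 other users, all flagged
        events.append((f"b{n}", "ip2"))
        flagged.add(f"b{n}")
    events += [("c0", "ip3"), ("c1", "ip3")]  # ip3: 2 clean users
    events.append(("a0", "ip4"))        # a0 also used ip4 -> a third hop
    return events, flagged


# Constructed per-IP risk scores (assumed to come from existing labels/rules).
IP_RISK = {"ip1": 9.0, "ip2": 8.5, "ip3": 7.1, "ip4": 6.0}


def build_index(events):
    """Bidirectional adjacency: user -> IPs and IP -> users."""
    ips_by_user, users_by_ip = defaultdict(set), defaultdict(set)
    for user, ip in events:
        ips_by_user[user].add(ip)
        users_by_ip[ip].add(user)
    return ips_by_user, users_by_ip


def traverse(seed_user, ips_by_user, users_by_ip, max_hops=3):
    """BFS alternating User -> IP -> User; returns {entity: hop_distance}.
    Even hops are users, odd hops are IPs (the manual click path automated)."""
    dist = {seed_user: 0}
    queue = deque([seed_user])
    while queue:
        node = queue.popleft()
        if dist[node] >= max_hops:
            continue
        nxt = ips_by_user.get(node, ()) if dist[node] % 2 == 0 else users_by_ip.get(node, ())
        for other in nxt:
            if other not in dist:
                dist[other] = dist[node] + 1
                queue.append(other)
    return dist


def chain_summary(seed_user, ips_by_user, users_by_ip, flagged, ip_risk, min_flagged=10):
    """One-hop aggregate: how many of the seed's IPs are 'hot', and their mean risk."""
    ips = ips_by_user.get(seed_user, set())
    hot, flagged_reached = 0, set()
    for ip in ips:
        flagged_here = (users_by_ip[ip] - {seed_user}) & flagged
        flagged_reached |= flagged_here
        if len(flagged_here) >= min_flagged:
            hot += 1
    return {
        "ip_count": len(ips),
        "ips_with_min_flagged": hot,
        "flagged_users_reached": len(flagged_reached),
        "avg_ip_risk": round(mean([ip_risk[ip] for ip in ips]), 1) if ips else None,
    }


def investigate(seed_user="u0"):
    """Wire the pieces together on the constructed data."""
    events, flagged = constructed_events()
    ips_by_user, users_by_ip = build_index(events)
    return {
        "hops": traverse(seed_user, ips_by_user, users_by_ip),
        "summary": chain_summary(seed_user, ips_by_user, users_by_ip, flagged, IP_RISK),
    }


if __name__ == "__main__":
    result = investigate()
    print(result["summary"])
    print({k: v for k, v in result["hops"].items() if v == 3})  # third-hop IPs
```

The `traverse` step is what the UI currently forces the investigator to do by hand (click IP, add to query, read off the users); `chain_summary` is the "connected to 3 IPs with avg risk 8.2" style context the request asks to see without exploring each path. A real implementation would bound the fan-out per hop and stream results, since a single hot IP can expand to thousands of users.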