visidata: add replayable IOC showcase and usage docs

Provide a sample dataset and cmdlog that exercise typed IOC enrichment while keeping heavy lookups scoped for practical throttled runs, and document how to run it.
This commit is contained in:
tobias
2026-02-21 23:10:51 +01:00
parent 84d912ac0a
commit 250999b0c6
3 changed files with 75 additions and 1 deletions


@@ -20,6 +20,36 @@ On VisiData 3.3, `$VD_DIR` defaults to:
Plugins are installed into `$VD_DIR/plugins/` and imported via the top-level `plugins` package.
## Showcase Demo
This repo includes a self-contained sample dataset + command log to demonstrate the local IOC/IP features:
- `showcase_ioc.tsv` (sample IOC rows)
- `showcase_ioc.vdj` (replay file)
Run it interactively from this repo root:
```bash
vd --visidata-dir "$PWD" --config "$PWD/visidatarc" --play showcase_ioc.vdj
```
What it showcases:
- custom types: `IP`, `Domain`, `URL`, `Hash`
- IP membership expressions: `src_ip * network`
- URL parsing fields: `url.host`, `url.parts.path`, `url.domain`
- hash classification: `file_hash.kind`
- IP lookups: `src_ip.ipinfo.*`, `src_ip.asn.*`, `src_ip.geo.*`, `src_ip.country()`
- provider visibility: `src_ip.geo.source`, `src_ip.asn.source`, `domain.dns.source`
- domain/network intel: `domain.dns.*`, `domain.rdap.*`
- hash intel: `file_hash.mb.*` (MalwareBazaar)
- VirusTotal lookups: `src_ip.vt.*`, `file_hash.vt.*`, `domain.vt.*`, `url.vt.*`
- local plugin command: `tke-hidecol`
Lookup notes:
- VT columns require `options.tke_vt_api_key` (or `VT_API_KEY` / `VIRUSTOTAL_API_KEY` / `~/.virustotal_api_key`).
- IPInfo/ASN/Geo columns use free providers and may be rate-limited; `options.tke_ipinfo_token` improves reliability.
- To keep replays practical with strict throttling, some heavy lookup columns are intentionally limited to a subset of rows.
### `plugins/hidecol.py`
Adds a command to hide columns that are empty or constant across all rows.
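Review bot: the "Lookup notes" bullet that says "some heavy lookup columns are intentionally limited to a subset of rows" should name which columns in `showcase_ioc.vdj` are scoped and how the subset is chosen, otherwise a reader replaying the demo will read the empty `*.vt.*` / `*.mb.*` cells as failed lookups rather than deliberate throttling. The same section should state plainly that `--play showcase_ioc.vdj` sends the sample IPs, domains, URLs and hashes to third-party providers (IPInfo, the free ASN/Geo providers, MalwareBazaar, VirusTotal) over the network, so someone who wants to try the typed columns offline knows to expect `src_ip.geo.source` and friends to be empty, and so nobody drops real IOCs into `showcase_ioc.tsv` without realising they will be submitted externally. Minor: the key-file fallback `~/.virustotal_api_key` is mentioned but its expected content (bare key, trailing newline tolerated or not) is not, and the run command hard-codes `$PWD` for both `--visidata-dir` and `--config`, which only works from the repo root as the sentence above it says; a one-line "cd into the checkout first" would save a confusing plugin-import failure.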
@@ -121,4 +151,3 @@ Concretely:
- If you have legacy functions in `visidatarc` that overlap with the new IP lookups, refactor those functions into a shared module (e.g. `plugins/lookups.py`) and have both `visidatarc` and `plugins/iptype.py` call into it.
This keeps backward-compatible names available while ensuring caching/auth/provider behavior is implemented in one place.
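Review bot: the hunk header `@@ -121,4 +151,3 @@` records a one-line deletion, but the rendered view shows only the two surviving lines, so it is not clear which sentence was dropped; please confirm the removed line was not the one that introduced the refactor guidance, since the remaining text now opens with "Concretely:" and a single bullet. The surviving bullet recommends a shared `plugins/lookups.py` that both `visidatarc` and `plugins/iptype.py` call into; it would help to say that caching and provider selection live there too, as the closing sentence promises "caching/auth/provider behavior is implemented in one place", and to note that `options.tke_vt_api_key` and `options.tke_ipinfo_token` (documented in the new Showcase section) are the settings that shared module is expected to honour. The commit message only describes the showcase dataset and cmdlog; it should also mention this README edit to the migration guidance.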