visidata: add replayable IOC showcase and usage docs

Provide a sample dataset and cmdlog that exercise typed IOC enrichment while keeping heavy lookups scoped for practical throttled runs, and document how to run it.
tobias
2026-02-21 23:10:51 +01:00
parent 84d912ac0a
commit 250999b0c6
3 changed files with 75 additions and 1 deletions


@@ -0,0 +1,37 @@
#!vd -p
{"sheet": null, "col": null, "row": null, "longname": "open-file", "input": "showcase_ioc.tsv", "keystrokes": "o", "comment": "Open IOC showcase dataset"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "type-ip", "input": "", "keystrokes": "", "comment": "Set source IP column to custom IP type"}
{"sheet": "showcase_ioc", "col": "dst_ip", "row": "", "longname": "type-ip", "input": "", "keystrokes": "", "comment": "Set destination IP column to custom IP type"}
{"sheet": "showcase_ioc", "col": "network", "row": "", "longname": "type-ip", "input": "", "keystrokes": "", "comment": "Set network column to IP/CIDR type"}
{"sheet": "showcase_ioc", "col": "domain", "row": "", "longname": "type-domain", "input": "", "keystrokes": "", "comment": "Set domain column to Domain type"}
{"sheet": "showcase_ioc", "col": "url", "row": "", "longname": "type-url-ioc", "input": "", "keystrokes": "", "comment": "Set URL column to IOC URL type"}
{"sheet": "showcase_ioc", "col": "file_hash", "row": "", "longname": "type-hash", "input": "", "keystrokes": "", "comment": "Set hash column to IOC Hash type"}
{"sheet": "showcase_ioc", "col": "constant", "row": "", "longname": "tke-hidecol", "input": "", "keystrokes": "", "comment": "Hide empty and superfluous source columns"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "src_ip * network", "keystrokes": "=", "comment": "IP membership operator on typed values"}
{"sheet": "showcase_ioc", "col": "url", "row": "", "longname": "addcol-expr", "input": "url.host", "keystrokes": "=", "comment": "Extract parsed URL host via URL type"}
{"sheet": "showcase_ioc", "col": "url", "row": "", "longname": "addcol-expr", "input": "url.domain", "keystrokes": "=", "comment": "Convert URL host into DomainValue"}
{"sheet": "showcase_ioc", "col": "url", "row": "", "longname": "addcol-expr", "input": "url.parts.path", "keystrokes": "=", "comment": "Show parsed URL path"}
{"sheet": "showcase_ioc", "col": "file_hash", "row": "", "longname": "addcol-expr", "input": "file_hash.kind", "keystrokes": "=", "comment": "Detect MD5/SHA1/SHA256 hash kind"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and src_ip and src_ip.ipinfo.country or ''", "keystrokes": "=", "comment": "IPInfo country (limited rows to keep demo fast)"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and src_ip and src_ip.ipinfo.org or ''", "keystrokes": "=", "comment": "IPInfo org (limited rows to keep demo fast)"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and src_ip and src_ip.asn.asn or ''", "keystrokes": "=", "comment": "ASN lookup (limited rows to keep demo fast)"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and src_ip and src_ip.asn.name or ''", "keystrokes": "=", "comment": "ASN name lookup (limited rows to keep demo fast)"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and src_ip and src_ip.geo.country_code or ''", "keystrokes": "=", "comment": "GeoIP country code (limited rows to keep demo fast)"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and src_ip and src_ip.geo.city or ''", "keystrokes": "=", "comment": "GeoIP city (limited rows to keep demo fast)"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and src_ip and src_ip.vt.verdict or ''", "keystrokes": "=", "comment": "VirusTotal IP verdict (single row for rate-limited API)"}
{"sheet": "showcase_ioc", "col": "file_hash", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and file_hash and file_hash.vt.verdict or ''", "keystrokes": "=", "comment": "VirusTotal hash verdict (single row for rate-limited API)"}
{"sheet": "showcase_ioc", "col": "file_hash", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and file_hash and file_hash.vt.malicious or ''", "keystrokes": "=", "comment": "VirusTotal hash malicious count (single row)"}
{"sheet": "showcase_ioc", "col": "domain", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and domain and domain.vt.verdict or ''", "keystrokes": "=", "comment": "VirusTotal domain verdict (single row)"}
{"sheet": "showcase_ioc", "col": "url", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and url and url.vt.verdict or ''", "keystrokes": "=", "comment": "VirusTotal URL verdict (single row)"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and src_ip and src_ip.country() or ''", "keystrokes": "=", "comment": "Best country helper"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and src_ip and src_ip.geo.source or ''", "keystrokes": "=", "comment": "Geo provider source"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and src_ip and src_ip.asn.source or ''", "keystrokes": "=", "comment": "ASN provider source"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and src_ip and src_ip.vt.category or ''", "keystrokes": "=", "comment": "VirusTotal IP category"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and src_ip and src_ip.vt.malicious or ''", "keystrokes": "=", "comment": "VirusTotal IP malicious count"}
{"sheet": "showcase_ioc", "col": "domain", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and domain and domain.dns.source or ''", "keystrokes": "=", "comment": "DNS lookup source"}
{"sheet": "showcase_ioc", "col": "domain", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and domain and ','.join(domain.dns.a) or ''", "keystrokes": "=", "comment": "DNS A records"}
{"sheet": "showcase_ioc", "col": "domain", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and domain and ','.join(domain.dns.mx) or ''", "keystrokes": "=", "comment": "DNS MX records"}
{"sheet": "showcase_ioc", "col": "domain", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and domain and domain.rdap.objectClassName or ''", "keystrokes": "=", "comment": "RDAP object class"}
{"sheet": "showcase_ioc", "col": "file_hash", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and file_hash and file_hash.mb.status or ''", "keystrokes": "=", "comment": "MalwareBazaar query status"}
{"sheet": "showcase_ioc", "col": "file_hash", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and file_hash and file_hash.mb.signature or ''", "keystrokes": "=", "comment": "MalwareBazaar signature"}
{"sheet": "showcase_ioc", "col": "file_hash", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and file_hash and ','.join(file_hash.mb.tags) or ''", "keystrokes": "=", "comment": "MalwareBazaar tags"}
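Review bot: The `and … or ''` idiom on the two `vt.malicious` expressions (the file_hash and src_ip "malicious count" columns) collapses a genuine zero detection count to '', so an indicator that VirusTotal scanned and found clean is displayed exactly like one that was never queried; those `input` values should be conditionals, e.g. `file_hash.vt.malicious if (event_id == 'evt-001' and file_hash) else ''` and `src_ip.vt.malicious if (event_id == 'evt-001' and src_ip) else ''`. The `','.join(...)` expressions for `dns.a`, `dns.mx` and `mb.tags` guard only the typed value, not the lookup result, so they presumably raise if a provider returns None instead of an empty list — worth confirming against the type implementation before relying on replay. Because this cmdlog is meant to be replayed, the usage docs added in this commit (not visible in this hunk) should say that replay sends every gated indicator to IPInfo, VirusTotal, MalwareBazaar, RDAP and the DNS resolver and requires the matching API keys, so anyone pointing it at a non-sample dataset knows which indicators leave the host. The longname `tke-hidecol` on the `constant` column does not follow the `type-*`/`addcol-expr` naming used elsewhere in the log; if it is not a command the plugin actually defines, replay will presumably fail at that step.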