visidata: enhance IOC plugins with improved lookups and validation

Expand iplib, iptype, and ioc plugins with better caching, throttling,
and lookup logic. Update validation script and showcase journal accordingly.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
tobias
2026-03-07 22:49:49 +01:00
parent 559fa38c04
commit 49db614262
6 changed files with 608 additions and 44 deletions


@@ -12,6 +12,13 @@
{"sheet": "showcase_ioc", "col": "url", "row": "", "longname": "addcol-expr", "input": "url.domain", "keystrokes": "=", "comment": "Convert URL host into DomainValue"}
{"sheet": "showcase_ioc", "col": "url", "row": "", "longname": "addcol-expr", "input": "url.parts.path", "keystrokes": "=", "comment": "Show parsed URL path"}
{"sheet": "showcase_ioc", "col": "file_hash", "row": "", "longname": "addcol-expr", "input": "file_hash.kind", "keystrokes": "=", "comment": "Detect MD5/SHA1/SHA256 hash kind"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "src_ip.type", "keystrokes": "=", "comment": "IP kind (ipv4/ipv6/cidr4/cidr6)"}
{"sheet": "showcase_ioc", "col": "network", "row": "", "longname": "addcol-expr", "input": "network.mask", "keystrokes": "=", "comment": "CIDR netmask"}
{"sheet": "showcase_ioc", "col": "network", "row": "", "longname": "addcol-expr", "input": "network.range", "keystrokes": "=", "comment": "CIDR full range"}
{"sheet": "showcase_ioc", "col": "network", "row": "", "longname": "addcol-expr", "input": "network.broadcast", "keystrokes": "=", "comment": "CIDR broadcast/last IP"}
{"sheet": "showcase_ioc", "col": "network", "row": "", "longname": "addcol-expr", "input": "network.identity", "keystrokes": "=", "comment": "CIDR network identity"}
{"sheet": "showcase_ioc", "col": "network", "row": "", "longname": "addcol-expr", "input": "network.hostcount", "keystrokes": "=", "comment": "CIDR hostcount"}
{"sheet": "showcase_ioc", "col": "network", "row": "", "longname": "addcol-expr", "input": "network.rfc_type", "keystrokes": "=", "comment": "CIDR RFC classification"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and src_ip and src_ip.ipinfo.country or ''", "keystrokes": "=", "comment": "IPInfo country (limited rows to keep demo fast)"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and src_ip and src_ip.ipinfo.org or ''", "keystrokes": "=", "comment": "IPInfo org (limited rows to keep demo fast)"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and src_ip and src_ip.asn.asn or ''", "keystrokes": "=", "comment": "ASN lookup (limited rows to keep demo fast)"}
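Review bot: The three new `src_ip.ipinfo.*` / `src_ip.asn.*` rows at the end of this hunk send the source IPs to an external lookup service when the journal is replayed, but their comments only say "limited rows to keep demo fast", so a reader replaying this journal against non-demo data has no cue that indicators leave the host. The row filter `event_id in ('evt-001','evt-002')` limits volume, not disclosure. I would make the comment say so, e.g. `"comment": "IPInfo country via external API call (limited rows to keep demo fast; replaying sends src_ip to the provider)"`, and likewise for the org and ASN rows. The same applies to the VirusTotal and DNS-resolution rows in the next hunk; these comments are journal metadata only, so the change is text, not behaviour.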
@@ -21,8 +28,17 @@
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and src_ip and src_ip.vt.verdict or ''", "keystrokes": "=", "comment": "VirusTotal IP verdict (single row for rate-limited API)"}
{"sheet": "showcase_ioc", "col": "file_hash", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and file_hash and file_hash.vt.verdict or ''", "keystrokes": "=", "comment": "VirusTotal hash verdict (single row for rate-limited API)"}
{"sheet": "showcase_ioc", "col": "file_hash", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and file_hash and file_hash.vt.malicious or ''", "keystrokes": "=", "comment": "VirusTotal hash malicious count (single row)"}
{"sheet": "showcase_ioc", "col": "file_hash", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and file_hash and file_hash.vt.score or ''", "keystrokes": "=", "comment": "VirusTotal hash score (single row)"}
{"sheet": "showcase_ioc", "col": "file_hash", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and file_hash and file_hash.vt.name or ''", "keystrokes": "=", "comment": "VirusTotal hash best malware name"}
{"sheet": "showcase_ioc", "col": "file_hash", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and file_hash and ','.join(file_hash.vt.names) or ''", "keystrokes": "=", "comment": "VirusTotal hash all malware names"}
{"sheet": "showcase_ioc", "col": "domain", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and domain and domain.vt.verdict or ''", "keystrokes": "=", "comment": "VirusTotal domain verdict (single row)"}
{"sheet": "showcase_ioc", "col": "domain", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and domain and domain.vt.ip or ''", "keystrokes": "=", "comment": "VirusTotal domain last known IP"}
{"sheet": "showcase_ioc", "col": "domain", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and domain and ','.join(domain.vt.ips) or ''", "keystrokes": "=", "comment": "VirusTotal domain all known IPs"}
{"sheet": "showcase_ioc", "col": "url", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and url and url.vt.verdict or ''", "keystrokes": "=", "comment": "VirusTotal URL verdict (single row)"}
{"sheet": "showcase_ioc", "col": "domain", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and domain and domain.resolveip or ''", "keystrokes": "=", "comment": "Resolve first IP (A then AAAA)"}
{"sheet": "showcase_ioc", "col": "domain", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and domain and ','.join([str(x) for x in domain.resolveipv4]) or ''", "keystrokes": "=", "comment": "Resolve IPv4 addresses"}
{"sheet": "showcase_ioc", "col": "domain", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and domain and ','.join([str(x) for x in domain.resolveipv6]) or ''", "keystrokes": "=", "comment": "Resolve IPv6 addresses"}
{"sheet": "showcase_ioc", "col": "domain", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and domain and ','.join([str(x) for x in domain.resolveips]) or ''", "keystrokes": "=", "comment": "Resolve all IP addresses"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and src_ip and src_ip.country() or ''", "keystrokes": "=", "comment": "Best country helper"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and src_ip and src_ip.geo.source or ''", "keystrokes": "=", "comment": "Geo provider source"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and src_ip and src_ip.asn.source or ''", "keystrokes": "=", "comment": "ASN provider source"}
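Review bot: The `… and file_hash.vt.malicious or ''` expression on the "VirusTotal hash malicious count" row, and the `vt.score` row after it, collapse a genuine zero into `''`, so a clean hash (0 detections) displays exactly like a row that was never queried; the analyst cannot tell "clean" from "not looked up". Assuming `malicious` and `score` are numeric as the comments suggest, the filter should be a conditional expression rather than the and/or idiom: `"input": "file_hash.vt.malicious if (event_id == 'evt-001' and file_hash) else ''"`, and the same for `score`. The string-valued rows (`verdict`, `name`, `ip`) are unaffected since an empty string is already the natural "nothing known" value there.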