#!vd -p
{"sheet": null, "col": null, "row": null, "longname": "open-file", "input": "showcase_ioc.tsv", "keystrokes": "o", "comment": "Open IOC showcase dataset"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "type-ip", "input": "", "keystrokes": "", "comment": "Set source IP column to custom IP type"}
{"sheet": "showcase_ioc", "col": "dst_ip", "row": "", "longname": "type-ip", "input": "", "keystrokes": "", "comment": "Set destination IP column to custom IP type"}
{"sheet": "showcase_ioc", "col": "network", "row": "", "longname": "type-ip", "input": "", "keystrokes": "", "comment": "Set network column to IP/CIDR type"}
{"sheet": "showcase_ioc", "col": "domain", "row": "", "longname": "type-domain", "input": "", "keystrokes": "", "comment": "Set domain column to Domain type"}
{"sheet": "showcase_ioc", "col": "url", "row": "", "longname": "type-url-ioc", "input": "", "keystrokes": "", "comment": "Set URL column to IOC URL type"}
{"sheet": "showcase_ioc", "col": "file_hash", "row": "", "longname": "type-hash", "input": "", "keystrokes": "", "comment": "Set hash column to IOC Hash type"}
{"sheet": "showcase_ioc", "col": "constant", "row": "", "longname": "tke-hidecol", "input": "", "keystrokes": "", "comment": "Hide empty and superfluous source columns"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "src_ip * network", "keystrokes": "=", "comment": "IP membership operator on typed values"}
{"sheet": "showcase_ioc", "col": "url", "row": "", "longname": "addcol-expr", "input": "url.host", "keystrokes": "=", "comment": "Extract parsed URL host via URL type"}
{"sheet": "showcase_ioc", "col": "url", "row": "", "longname": "addcol-expr", "input": "url.domain", "keystrokes": "=", "comment": "Convert URL host into DomainValue"}
{"sheet": "showcase_ioc", "col": "url", "row": "", "longname": "addcol-expr", "input": "url.parts.path", "keystrokes": "=", "comment": "Show parsed URL path"}
{"sheet": "showcase_ioc", "col": "file_hash", "row": "", "longname": "addcol-expr", "input": "file_hash.kind", "keystrokes": "=", "comment": "Detect MD5/SHA1/SHA256 hash kind"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "src_ip.type", "keystrokes": "=", "comment": "IP kind (ipv4/ipv6/cidr4/cidr6)"}
{"sheet": "showcase_ioc", "col": "network", "row": "", "longname": "addcol-expr", "input": "network.mask", "keystrokes": "=", "comment": "CIDR netmask"}
{"sheet": "showcase_ioc", "col": "network", "row": "", "longname": "addcol-expr", "input": "network.range", "keystrokes": "=", "comment": "CIDR full range"}
{"sheet": "showcase_ioc", "col": "network", "row": "", "longname": "addcol-expr", "input": "network.broadcast", "keystrokes": "=", "comment": "CIDR broadcast/last IP"}
{"sheet": "showcase_ioc", "col": "network", "row": "", "longname": "addcol-expr", "input": "network.identity", "keystrokes": "=", "comment": "CIDR network identity"}
{"sheet": "showcase_ioc", "col": "network", "row": "", "longname": "addcol-expr", "input": "network.hostcount", "keystrokes": "=", "comment": "CIDR host count"}
{"sheet": "showcase_ioc", "col": "network", "row": "", "longname": "addcol-expr", "input": "network.rfc_type", "keystrokes": "=", "comment": "CIDR RFC classification"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and src_ip and src_ip.ipinfo.country or ''", "keystrokes": "=", "comment": "IPInfo country (limited rows to keep demo fast)"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and src_ip and src_ip.ipinfo.org or ''", "keystrokes": "=", "comment": "IPInfo org (limited rows to keep demo fast)"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and src_ip and src_ip.asn.asn or ''", "keystrokes": "=", "comment": "ASN lookup (limited rows to keep demo fast)"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and src_ip and src_ip.asn.name or ''", "keystrokes": "=", "comment": "ASN name lookup (limited rows to keep demo fast)"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and src_ip and src_ip.geo.country_code or ''", "keystrokes": "=", "comment": "GeoIP country code (limited rows to keep demo fast)"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and src_ip and src_ip.geo.city or ''", "keystrokes": "=", "comment": "GeoIP city (limited rows to keep demo fast)"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and src_ip and src_ip.vt.verdict or ''", "keystrokes": "=", "comment": "VirusTotal IP verdict (single row for rate-limited API; the lookup discloses the indicator to VirusTotal)"}
{"sheet": "showcase_ioc", "col": "file_hash", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and file_hash and file_hash.vt.verdict or ''", "keystrokes": "=", "comment": "VirusTotal hash verdict (single row for rate-limited API)"}
{"sheet": "showcase_ioc", "col": "file_hash", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and file_hash and file_hash.vt.malicious or ''", "keystrokes": "=", "comment": "VirusTotal hash malicious count (single row)"}
{"sheet": "showcase_ioc", "col": "file_hash", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and file_hash and file_hash.vt.score or ''", "keystrokes": "=", "comment": "VirusTotal hash score (single row)"}
{"sheet": "showcase_ioc", "col": "file_hash", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and file_hash and file_hash.vt.name or ''", "keystrokes": "=", "comment": "VirusTotal hash best malware name"}
{"sheet": "showcase_ioc", "col": "file_hash", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and file_hash and ','.join(file_hash.vt.names) or ''", "keystrokes": "=", "comment": "VirusTotal hash all malware names"}
{"sheet": "showcase_ioc", "col": "domain", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and domain and domain.vt.verdict or ''", "keystrokes": "=", "comment": "VirusTotal domain verdict (single row)"}
{"sheet": "showcase_ioc", "col": "domain", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and domain and domain.vt.ip or ''", "keystrokes": "=", "comment": "VirusTotal domain last known IP"}
{"sheet": "showcase_ioc", "col": "domain", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and domain and ','.join(domain.vt.ips) or ''", "keystrokes": "=", "comment": "VirusTotal domain all known IPs"}
{"sheet": "showcase_ioc", "col": "url", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and url and url.vt.verdict or ''", "keystrokes": "=", "comment": "VirusTotal URL verdict (single row)"}
{"sheet": "showcase_ioc", "col": "domain", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and domain and domain.resolveip or ''", "keystrokes": "=", "comment": "Resolve first IP (A then AAAA); presumably a live DNS query for the indicator domain - confirm before replaying on sensitive data"}
{"sheet": "showcase_ioc", "col": "domain", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and domain and ','.join([str(x) for x in domain.resolveipv4]) or ''", "keystrokes": "=", "comment": "Resolve IPv4 addresses"}
{"sheet": "showcase_ioc", "col": "domain", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and domain and ','.join([str(x) for x in domain.resolveipv6]) or ''", "keystrokes": "=", "comment": "Resolve IPv6 addresses"}
{"sheet": "showcase_ioc", "col": "domain", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and domain and ','.join([str(x) for x in domain.resolveips]) or ''", "keystrokes": "=", "comment": "Resolve all IP addresses"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and src_ip and src_ip.country() or ''", "keystrokes": "=", "comment": "Best country helper"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and src_ip and src_ip.geo.source or ''", "keystrokes": "=", "comment": "Geo provider source"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and src_ip and src_ip.asn.source or ''", "keystrokes": "=", "comment": "ASN provider source"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and src_ip and src_ip.vt.category or ''", "keystrokes": "=", "comment": "VirusTotal IP category"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and src_ip and src_ip.vt.malicious or ''", "keystrokes": "=", "comment": "VirusTotal IP malicious count"}
{"sheet": "showcase_ioc", "col": "domain", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and domain and domain.dns.source or ''", "keystrokes": "=", "comment": "DNS lookup source"}
{"sheet": "showcase_ioc", "col": "domain", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and domain and ','.join(domain.dns.a) or ''", "keystrokes": "=", "comment": "DNS A records"}
{"sheet": "showcase_ioc", "col": "domain", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and domain and ','.join(domain.dns.mx) or ''", "keystrokes": "=", "comment": "DNS MX records"}
{"sheet": "showcase_ioc", "col": "domain", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and domain and domain.rdap.objectClassName or ''", "keystrokes": "=", "comment": "RDAP object class"}
{"sheet": "showcase_ioc", "col": "file_hash", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and file_hash and file_hash.mb.status or ''", "keystrokes": "=", "comment": "MalwareBazaar query status (the query discloses the hash to MalwareBazaar)"}
{"sheet": "showcase_ioc", "col": "file_hash", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and file_hash and file_hash.mb.signature or ''", "keystrokes": "=", "comment": "MalwareBazaar signature"}
{"sheet": "showcase_ioc", "col": "file_hash", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and file_hash and ','.join(file_hash.mb.tags) or ''", "keystrokes": "=", "comment": "MalwareBazaar tags"}