Provide a sample dataset and cmdlog that exercise typed IOC enrichment while keeping heavy lookups scoped for practical throttled runs, and document how to run it.
#!vd -p
{"sheet": null, "col": null, "row": null, "longname": "open-file", "input": "showcase_ioc.tsv", "keystrokes": "o", "comment": "Open IOC showcase dataset"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "type-ip", "input": "", "keystrokes": "", "comment": "Set source IP column to custom IP type"}
{"sheet": "showcase_ioc", "col": "dst_ip", "row": "", "longname": "type-ip", "input": "", "keystrokes": "", "comment": "Set destination IP column to custom IP type"}
{"sheet": "showcase_ioc", "col": "network", "row": "", "longname": "type-ip", "input": "", "keystrokes": "", "comment": "Set network column to IP/CIDR type"}
{"sheet": "showcase_ioc", "col": "domain", "row": "", "longname": "type-domain", "input": "", "keystrokes": "", "comment": "Set domain column to Domain type"}
{"sheet": "showcase_ioc", "col": "url", "row": "", "longname": "type-url-ioc", "input": "", "keystrokes": "", "comment": "Set URL column to IOC URL type"}
{"sheet": "showcase_ioc", "col": "file_hash", "row": "", "longname": "type-hash", "input": "", "keystrokes": "", "comment": "Set hash column to IOC Hash type"}
{"sheet": "showcase_ioc", "col": "constant", "row": "", "longname": "tke-hidecol", "input": "", "keystrokes": "", "comment": "Hide empty and superfluous source columns"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "src_ip * network", "keystrokes": "=", "comment": "IP membership operator on typed values"}
{"sheet": "showcase_ioc", "col": "url", "row": "", "longname": "addcol-expr", "input": "url.host", "keystrokes": "=", "comment": "Extract parsed URL host via URL type"}
{"sheet": "showcase_ioc", "col": "url", "row": "", "longname": "addcol-expr", "input": "url.domain", "keystrokes": "=", "comment": "Convert URL host into DomainValue"}
{"sheet": "showcase_ioc", "col": "url", "row": "", "longname": "addcol-expr", "input": "url.parts.path", "keystrokes": "=", "comment": "Show parsed URL path"}
{"sheet": "showcase_ioc", "col": "file_hash", "row": "", "longname": "addcol-expr", "input": "file_hash.kind", "keystrokes": "=", "comment": "Detect MD5/SHA1/SHA256 hash kind"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and src_ip and src_ip.ipinfo.country or ''", "keystrokes": "=", "comment": "IPInfo country (limited rows to keep demo fast)"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and src_ip and src_ip.ipinfo.org or ''", "keystrokes": "=", "comment": "IPInfo org (limited rows to keep demo fast)"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and src_ip and src_ip.asn.asn or ''", "keystrokes": "=", "comment": "ASN lookup (limited rows to keep demo fast)"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and src_ip and src_ip.asn.name or ''", "keystrokes": "=", "comment": "ASN name lookup (limited rows to keep demo fast)"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and src_ip and src_ip.geo.country_code or ''", "keystrokes": "=", "comment": "GeoIP country code (limited rows to keep demo fast)"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and src_ip and src_ip.geo.city or ''", "keystrokes": "=", "comment": "GeoIP city (limited rows to keep demo fast)"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and src_ip and src_ip.vt.verdict or ''", "keystrokes": "=", "comment": "VirusTotal IP verdict (single row for rate-limited API)"}
{"sheet": "showcase_ioc", "col": "file_hash", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and file_hash and file_hash.vt.verdict or ''", "keystrokes": "=", "comment": "VirusTotal hash verdict (single row for rate-limited API)"}
{"sheet": "showcase_ioc", "col": "file_hash", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and file_hash and file_hash.vt.malicious or ''", "keystrokes": "=", "comment": "VirusTotal hash malicious count (single row)"}
{"sheet": "showcase_ioc", "col": "domain", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and domain and domain.vt.verdict or ''", "keystrokes": "=", "comment": "VirusTotal domain verdict (single row)"}
{"sheet": "showcase_ioc", "col": "url", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and url and url.vt.verdict or ''", "keystrokes": "=", "comment": "VirusTotal URL verdict (single row)"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and src_ip and src_ip.country() or ''", "keystrokes": "=", "comment": "Best-available country via the country() helper (limited rows to keep demo fast)"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and src_ip and src_ip.geo.source or ''", "keystrokes": "=", "comment": "Geo provider source"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and src_ip and src_ip.asn.source or ''", "keystrokes": "=", "comment": "ASN provider source"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and src_ip and src_ip.vt.category or ''", "keystrokes": "=", "comment": "VirusTotal IP category"}
{"sheet": "showcase_ioc", "col": "src_ip", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and src_ip and src_ip.vt.malicious or ''", "keystrokes": "=", "comment": "VirusTotal IP malicious count"}
{"sheet": "showcase_ioc", "col": "domain", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and domain and domain.dns.source or ''", "keystrokes": "=", "comment": "DNS lookup source"}
{"sheet": "showcase_ioc", "col": "domain", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and domain and ','.join(domain.dns.a) or ''", "keystrokes": "=", "comment": "DNS A records"}
{"sheet": "showcase_ioc", "col": "domain", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and domain and ','.join(domain.dns.mx) or ''", "keystrokes": "=", "comment": "DNS MX records"}
{"sheet": "showcase_ioc", "col": "domain", "row": "", "longname": "addcol-expr", "input": "event_id in ('evt-001','evt-002') and domain and domain.rdap.objectClassName or ''", "keystrokes": "=", "comment": "RDAP object class"}
{"sheet": "showcase_ioc", "col": "file_hash", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and file_hash and file_hash.mb.status or ''", "keystrokes": "=", "comment": "MalwareBazaar query status"}
{"sheet": "showcase_ioc", "col": "file_hash", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and file_hash and file_hash.mb.signature or ''", "keystrokes": "=", "comment": "MalwareBazaar signature"}
{"sheet": "showcase_ioc", "col": "file_hash", "row": "", "longname": "addcol-expr", "input": "event_id == 'evt-001' and file_hash and ','.join(file_hash.mb.tags) or ''", "keystrokes": "=", "comment": "MalwareBazaar tags"}