Vega Netflow Directed Graph — a Kibana Vega (v5 schema) spec that queries up to 10,000 hits from the `network_flow_summaries*` index (scoped to the dashboard's time range on `time_start` and its filters via `%context%`), builds a force-directed graph with one node per `src_ip`/`dst_ip` and one edge per flow, and colours each edge by the `protocol` field; protocols with no entry in `color_mapping` are drawn grey. Reviewer notes: `snmp` and `syslog` each appear twice in `color_mapping` (only one entry per value can take effect in an ordinal scale), and the `conn_state` aggregate in `node-data` reads a field that the `project` step on `new_edges` does not pass through, so the derived `conn_state` on nodes will be undefined unless that projection is widened.
{
"$schema": "https://vega.github.io/schema/vega/v5.json",
"signals": [
{"name": "$cx", "update": "width / 2"},
{"name": "$cy", "update": "height / 2"},
{
"name": "$nodeRadius",
"value": 8,
"bind": {"input": "range", "min": 1, "max": 50, "step": 1}
},
{ "name": "$nodeCharge", "value": -300,
"bind": {"input": "range", "min": -500, "max": 5, "step": 1} },
{ "name": "$linkDistance", "value": 300,
"bind": {"input": "range", "min": 5, "max": 500, "step": 1} },
{"name": "$static", "value": true}
],
"autosize": {"type":"pad"},
"background": "white",
"data": [
{
"name": "new_edges",
"url": {
"%context%": true,
"%timefield%": "time_start",
"index": "network_flow_summaries*",
"body": {"size": 10000}
},
"format": {"property": "hits.hits"},
"transform": [
{
"type": "formula",
"as": "source",
"expr": "datum['_source']['src_ip']"
},
{
"type": "formula",
"as": "target",
"expr": "datum['_source']['dst_ip']"
},
{
"type": "formula",
"as": "target_port",
"expr": "datum['_source']['dst_port']"
},
{
"type": "project",
"fields": [
"source",
"target",
"target_port",
"_source.protocol"
],
"as": ["source", "target", "target_port", "proto"]
}
]
},
{
"name": "node-data",
"source": "new_edges",
"transform": [
{"type": "fold", "fields": ["source", "target"]},
{
"type": "aggregate",
"groupby": ["value"],
"fields": ["conn_state"],
"ops": ["values"]
},
{
"type": "project",
"fields": ["value", "values_conn_state"],
"as": ["name", "conn_state"]
},
{"type": "identifier", "as": "index"},
{"type": "formula", "as": "index", "expr": "datum['index'] - 1"},
{
"type": "formula",
"as": "conn_state",
"expr": "datum['conn_state'][0]['conn_state']"
}
]
},
{
"name": "link-data",
"source": "new_edges",
"transform": [
{
"type": "lookup",
"from": "node-data",
"key": "name",
"fields": ["source", "target"],
"as": ["source", "target"]
},
{"type": "formula", "as": "source", "expr": "datum['source']['index']"},
{"type": "formula", "as": "target", "expr": "datum['target']['index']"}
]
},
{
"name": "color_mapping",
"values": [
{"domain": "ssl", "range": "#3cb44b"},
{"domain": "krb", "range": "#aaffc3"},
{"domain": "kerberos", "range": "#aaffc4"},
{"domain": "krb_tcp", "range": "#aaffc5"},
{"domain": "gssapi", "range": "#469990"},
{"domain": "smb", "range": "#fffac8"},
{"domain": "dce_rpc", "range": "#ffe119"},
{"domain": "ftp", "range": "#3b0075"},
{"domain": "http", "range": "#000075"},
{"domain": "dhcp", "range": "#4653d8"},
{"domain": "dns", "range": "#42d4f4"},
{"domain": "ntp", "range": "#dcb3ff"},
{"domain": "default", "range": "#a9a9a9"},
{"domain": "ntlm", "range": "#800000"},
{"domain": "ssh", "range": "#fabed4"},
{"domain": "rdp", "range": "#e6194B"},
{"domain": "low_freq_default", "range": "#f032e6"},
{"domain": "snmp", "range": "#f58231"},
{"domain": "rdpeudp", "range": "#e6194C"},
{"domain": "syslog", "range": "#a9a9a0"},
{"domain": "socks", "range": "#f032e6"},
{"domain": "xmpp", "range": "#f032e7"},
{"domain": "smtp", "range": "#f032e8"},
{"domain": "snmp", "range": "#D4F442"},
{"domain": "sip", "range": "#277F92"},
{"domain": "syslog", "range": "#a9a9a8"}
]
}
],
"scales": [
{
"name": "scale_color",
"type": "ordinal",
"domain": {"data": "color_mapping", "field": "domain"},
"range": {"data": "color_mapping", "field": "range"}
},
{
"name": "scale_shape",
"type": "ordinal",
"domain": {"data": "new_edges", "field": "proto", "sort": true},
"range": ["circle"]
}
],
"legends": [
{
"fill": "scale_shape",
"orient": "top-left",
"title": "Protocol",
"encode": {
"symbols": {
"update": {
"fill":
{"signal": "indexof(domain('scale_color'), datum.label) < 0 ? 'grey' : scale('scale_color', datum.label)"},
"stroke": {"value": "transparent"},
"opacity": {"value": 0.7}}}
}
}
],
"marks": [
{
"name": "nodes",
"type": "symbol",
"zindex": 1,
"from": {"data": "node-data"},
"encode": {
"enter": {"fill": {"value": "black"}, "stroke": {"value": "white"}},
"update": {
"size": {"signal": "1.5 * $nodeRadius * $nodeRadius"},
"cursor": {"value": "pointer"}
}
},
"transform": [
{
"type": "force",
"iterations": 110,
"static": {"signal": "$static"},
"signal": "force",
"forces": [
{"force": "center", "x": {"signal": "$cx"}, "y": {"signal": "$cy"}},
{"force": "collide", "radius": {"signal": "$nodeRadius"}},
{"force": "nbody", "strength": {"signal": "$nodeCharge"}},
{
"force": "link",
"links": "link-data",
"distance": {"signal": "$linkDistance"}
}
]
}
]
},
{
"type": "path",
"from": {"data": "link-data"},
"interactive": false,
"encode": {
"update": {
"stroke": {"signal": "indexof(domain('scale_color'), datum['proto']) < 0 ? 'grey' : scale('scale_color', datum['proto'])"},
"strokeWidth": {"value": 2}
}
},
"transform": [
{
"type": "linkpath",
"require": {"signal": "force"},
"shape": "line",
"sourceX": "datum.source.x",
"sourceY": "datum.source.y",
"targetX": "datum.target.x",
"targetY": "datum.target.y"
}
]
}
]
}