ikiril01 · May 4, 2023 17:43
diff --git a/vega_netflow.json b/vega_netflow.json
 {
  "$schema": "https://vega.github.io/schema/vega/v5.json",
  "signals": [
    {"name": "$cx", "update": "width / 2"},
    {"name": "$cy", "update": "height / 2"},
    {
      "name": "$nodeRadius",
      "value": 8,
      "bind": {"input": "range", "min": 1, "max": 50, "step": 1}
    },
    { "name": "$nodeCharge", "value": -300,
      "bind": {"input": "range", "min": -500, "max": 5, "step": 1} },
    { "name": "$linkDistance", "value": 300,
      "bind": {"input": "range", "min": 5, "max": 500, "step": 1} },
    {"name": "$static", "value": true}
  ],
  "autosize": {"type":"pad"},
  "background": "white",
  "data": [
    {
      "name": "new_edges",
      "url": {
        "%context%": true,
        "%timefield%": "time_start",
        "index": "network_flow_summaries*",
        "body": {"size": 10000}
      },
      "format": {"property": "hits.hits"},
      "transform": [
        {
          "type": "formula",
          "as": "source",
          "expr": "datum['_source']['src_ip']"
        },
        {
          "type": "formula",
          "as": "target",
          "expr": "datum['_source']['dst_ip']"
        },
        {
          "type": "formula",
          "as": "target_port",
          "expr": "datum['_source']['dst_port']"
        },
        {
          "type": "project",
          "fields": [
            "source",
            "target",
            "target_port",
            "_source.protocol"
          ],
          "as": ["source", "target", "target_port", "proto"]
        }
      ]
    },
    {
      "name": "node-data",
      "source": "new_edges",
      "transform": [
        {"type": "fold", "fields": ["source", "target"]},
        {
          "type": "aggregate",
          "groupby": ["value"],
          "fields": ["conn_state"],
          "ops": ["values"]
        },
        {
          "type": "project",
          "fields": ["value", "values_conn_state"],
          "as": ["name", "conn_state"]
        },
        {"type": "identifier", "as": "index"},
        {"type": "formula", "as": "index", "expr": "datum['index'] - 1"},
        {
          "type": "formula",
          "as": "conn_state",
          "expr": "datum['conn_state'][0]['conn_state']"
        }
      ]
    },
    {
      "name": "link-data",
      "source": "new_edges",
      "transform": [
        {
          "type": "lookup",
          "from": "node-data",
          "key": "name",
          "fields": ["source", "target"],
          "as": ["source", "target"]
        },
        {"type": "formula", "as": "source", "expr": "datum['source']['index']"},
        {"type": "formula", "as": "target", "expr": "datum['target']['index']"}
      ]
    },
    {
      "name": "color_mapping",
      "values": [
        {"domain": "ssl", "range": "#3cb44b"},
        {"domain": "krb", "range": "#aaffc3"},
        {"domain": "kerberos", "range": "#aaffc4"},
        {"domain": "krb_tcp", "range": "#aaffc5"},
        {"domain": "gssapi", "range": "#469990"},
        {"domain": "smb", "range": "#fffac8"},
        {"domain": "dce_rpc", "range": "#ffe119"},
        {"domain": "ftp", "range": "#3b0075"},
        {"domain": "http", "range": "#000075"},
        {"domain": "dhcp", "range": "#4653d8"},
        {"domain": "dns", "range": "#42d4f4"},
        {"domain": "ntp", "range": "#dcb3ff"},
        {"domain": "default", "range": "#a9a9a9"},
        {"domain": "ntlm", "range": "#800000"},
        {"domain": "ssh", "range": "#fabed4"},
        {"domain": "rdp", "range": "#e6194B"},
        {"domain": "low_freq_default", "range": "#f032e6"},
        {"domain": "snmp", "range": "#f58231"},
        {"domain": "rdpeudp", "range": "#e6194C"},
        {"domain": "syslog", "range": "#a9a9a0"},
        {"domain": "socks", "range": "#f032e6"},
        {"domain": "xmpp", "range": "#f032e7"},
        {"domain": "smtp", "range": "#f032e8"},
        {"domain": "snmp", "range": "#D4F442"},
        {"domain": "sip", "range": "#277F92"},
        {"domain": "syslog", "range": "#a9a9a8"}
      ]
    }
  ],
  "scales": [
    {
      "name": "scale_color",
      "type": "ordinal",
      "domain": {"data": "color_mapping", "field": "domain"},
      "range": {"data": "color_mapping", "field": "range"}
    },
    {
      "name": "scale_shape",
      "type": "ordinal",
      "domain": {"data": "new_edges", "field": "proto", "sort": true},
      "range": ["circle"]
    }
  ],
  "legends": [
    { 
      "fill": "scale_shape",
      "orient": "top-left",
      "title": "Protocol",
      "encode": {
        "symbols": {
          "update": {
            "fill":
            {"signal": "indexof(domain('scale_color'), datum.label) < 0 ? 'grey' : scale('scale_color', datum.label)"},
            "stroke": {"value": "transparent"},
            "opacity": {"value": 0.7}}}
      }
    }
  ],
  "marks": [
    {
      "name": "nodes",
      "type": "symbol",
      "zindex": 1,
      "from": {"data": "node-data"},
          "encode": {
            "enter": {"fill": {"value": "black"}, "stroke": {"value": "white"}},
            "update": {
              "size": {"signal": "1.5 * $nodeRadius * $nodeRadius"},
              "cursor": {"value": "pointer"}
            }
          },
      "transform": [
        {
          "type": "force",
          "iterations": 110,
          "static": {"signal": "$static"},
          "signal": "force",
          "forces": [
            {"force": "center", "x": {"signal": "$cx"}, "y": {"signal": "$cy"}},
            {"force": "collide", "radius": {"signal": "$nodeRadius"}},
            {"force": "nbody", "strength": {"signal": "$nodeCharge"}},
            {
              "force": "link",
              "links": "link-data",
              "distance": {"signal": "$linkDistance"}
            }
          ]
        }
      ]
    },
    {
      "type": "path",
      "from": {"data": "link-data"},
      "interactive": false,
      "encode": {
        "update": {
          "stroke": {"signal": "indexof(domain('scale_color'), datum['proto']) < 0 ? 'grey' : scale('scale_color', datum['proto'])"},
          "strokeWidth": {"value": 2}
        }
      },
      "transform": [
        {
          "type": "linkpath",
          "require": {"signal": "force"},
          "shape": "line",
          "sourceX": "datum.source.x",
          "sourceY": "datum.source.y",
          "targetX": "datum.target.x",
          "targetY": "datum.target.y"
        }
      ]
    }
  ]
 }
	{
	"$schema": "https://vega.github.io/schema/vega/v5.json",
	"signals": [
	{"name": "$cx", "update": "width / 2"},
	{"name": "$cy", "update": "height / 2"},
	{
	"name": "$nodeRadius",
	"value": 8,
	"bind": {"input": "range", "min": 1, "max": 50, "step": 1}
	},
	{ "name": "$nodeCharge", "value": -300,
	"bind": {"input": "range", "min": -500, "max": 5, "step": 1} },
	{ "name": "$linkDistance", "value": 300,
	"bind": {"input": "range", "min": 5, "max": 500, "step": 1} },
	{"name": "$static", "value": true}
	],
	"autosize": {"type":"pad"},
	"background": "white",
	"data": [
	{
	"name": "new_edges",
	"url": {
	"%context%": true,
	"%timefield%": "time_start",
	"index": "network_flow_summaries*",
	"body": {"size": 10000}
	},
	"format": {"property": "hits.hits"},
	"transform": [
	{
	"type": "formula",
	"as": "source",
	"expr": "datum['_source']['src_ip']"
	},
	{
	"type": "formula",
	"as": "target",
	"expr": "datum['_source']['dst_ip']"
	},
	{
	"type": "formula",
	"as": "target_port",
	"expr": "datum['_source']['dst_port']"
	},
	{
	"type": "project",
	"fields": [
	"source",
	"target",
	"target_port",
	"_source.protocol"
	],
	"as": ["source", "target", "target_port", "proto"]
	}
	]
	},
	{
	"name": "node-data",
	"source": "new_edges",
	"transform": [
	{"type": "fold", "fields": ["source", "target"]},
	{
	"type": "aggregate",
	"groupby": ["value"],
	"fields": ["conn_state"],
	"ops": ["values"]
	},
	{
	"type": "project",
	"fields": ["value", "values_conn_state"],
	"as": ["name", "conn_state"]
	},
	{"type": "identifier", "as": "index"},
	{"type": "formula", "as": "index", "expr": "datum['index'] - 1"},
	{
	"type": "formula",
	"as": "conn_state",
	"expr": "datum['conn_state'][0]['conn_state']"
	}
	]
	},
	{
	"name": "link-data",
	"source": "new_edges",
	"transform": [
	{
	"type": "lookup",
	"from": "node-data",
	"key": "name",
	"fields": ["source", "target"],
	"as": ["source", "target"]
	},
	{"type": "formula", "as": "source", "expr": "datum['source']['index']"},
	{"type": "formula", "as": "target", "expr": "datum['target']['index']"}
	]
	},
	{
	"name": "color_mapping",
	"values": [
	{"domain": "ssl", "range": "#3cb44b"},
	{"domain": "krb", "range": "#aaffc3"},
	{"domain": "kerberos", "range": "#aaffc4"},
	{"domain": "krb_tcp", "range": "#aaffc5"},
	{"domain": "gssapi", "range": "#469990"},
	{"domain": "smb", "range": "#fffac8"},
	{"domain": "dce_rpc", "range": "#ffe119"},
	{"domain": "ftp", "range": "#3b0075"},
	{"domain": "http", "range": "#000075"},
	{"domain": "dhcp", "range": "#4653d8"},
	{"domain": "dns", "range": "#42d4f4"},
	{"domain": "ntp", "range": "#dcb3ff"},
	{"domain": "default", "range": "#a9a9a9"},
	{"domain": "ntlm", "range": "#800000"},
	{"domain": "ssh", "range": "#fabed4"},
	{"domain": "rdp", "range": "#e6194B"},
	{"domain": "low_freq_default", "range": "#f032e6"},
	{"domain": "snmp", "range": "#f58231"},
	{"domain": "rdpeudp", "range": "#e6194C"},
	{"domain": "syslog", "range": "#a9a9a0"},
	{"domain": "socks", "range": "#f032e6"},
	{"domain": "xmpp", "range": "#f032e7"},
	{"domain": "smtp", "range": "#f032e8"},
	{"domain": "snmp", "range": "#D4F442"},
	{"domain": "sip", "range": "#277F92"},
	{"domain": "syslog", "range": "#a9a9a8"}
	]
	}
	],
	"scales": [
	{
	"name": "scale_color",
	"type": "ordinal",
	"domain": {"data": "color_mapping", "field": "domain"},
	"range": {"data": "color_mapping", "field": "range"}
	},
	{
	"name": "scale_shape",
	"type": "ordinal",
	"domain": {"data": "new_edges", "field": "proto", "sort": true},
	"range": ["circle"]
	}
	],
	"legends": [
	{
	"fill": "scale_shape",
	"orient": "top-left",
	"title": "Protocol",
	"encode": {
	"symbols": {
	"update": {
	"fill":
	{"signal": "indexof(domain('scale_color'), datum.label) < 0 ? 'grey' : scale('scale_color', datum.label)"},
	"stroke": {"value": "transparent"},
	"opacity": {"value": 0.7}}}
	}
	}
	],
	"marks": [
	{
	"name": "nodes",
	"type": "symbol",
	"zindex": 1,
	"from": {"data": "node-data"},
	"encode": {
	"enter": {"fill": {"value": "black"}, "stroke": {"value": "white"}},
	"update": {
	"size": {"signal": "1.5 * $nodeRadius * $nodeRadius"},
	"cursor": {"value": "pointer"}
	}
	},
	"transform": [
	{
	"type": "force",
	"iterations": 110,
	"static": {"signal": "$static"},
	"signal": "force",
	"forces": [
	{"force": "center", "x": {"signal": "$cx"}, "y": {"signal": "$cy"}},
	{"force": "collide", "radius": {"signal": "$nodeRadius"}},
	{"force": "nbody", "strength": {"signal": "$nodeCharge"}},
	{
	"force": "link",
	"links": "link-data",
	"distance": {"signal": "$linkDistance"}
	}
	]
	}
	]
	},
	{
	"type": "path",
	"from": {"data": "link-data"},
	"interactive": false,
	"encode": {
	"update": {
	"stroke": {"signal": "indexof(domain('scale_color'), datum['proto']) < 0 ? 'grey' : scale('scale_color', datum['proto'])"},
	"strokeWidth": {"value": 2}
	}
	},
	"transform": [
	{
	"type": "linkpath",
	"require": {"signal": "force"},
	"shape": "line",
	"sourceX": "datum.source.x",
	"sourceY": "datum.source.y",
	"targetX": "datum.target.x",
	"targetY": "datum.target.y"
	}
	]
	}
	]
	}