msticpy.analysis.anomalous_sequence.utils.data_structures module

Useful helper data structure classes for modelling sessions.

class msticpy.analysis.anomalous_sequence.utils.data_structures.Cmd(name: str, params: set | dict)

Bases: object

Class to store commands with accompanying params (and optionally values).

Instantiate the Cmd class.

Parameters:
  • name (str) – name of the command. e.g. for Exchange online: “Set-Mailbox”

  • params (Union[set, dict]) –

    set of accompanying params or dict of accompanying params and values. e.g.:

    {'Identity', 'ForwardingEmailAddress'}
    

    or:

    {'Identity': 'some identity', 'ForwardingEmailAddress':
     'an_email@email.com'}
    

class msticpy.analysis.anomalous_sequence.utils.data_structures.StateMatrix(states: dict | defaultdict, unk_token: str)

Bases: dict

Class for storing trained counts/probabilities.

Container for a dict of counts/probs, or a dict of dicts of conditional counts/probs.

If you try to retrieve the count/probability for an unseen command/param/value from the resulting object, it will return the value associated with the unk_token key.

Parameters:
  • states (Union[dict, defaultdict]) –

    Either a dict representing counts or probabilities, or a dict of dicts representing conditional counts or conditional probabilities. E.g.:

    {'Set-Mailbox': 20, '##UNK##': 1}
    

    or:

    {'Set-Mailbox': {'Set-Mailbox': 5, '##UNK##': 1},
    '##UNK##': {'Set-Mailbox': 1, '##UNK##': 1}}
    

  • unk_token (str) – dummy token to signify an unseen command (e.g. “##UNK##”). This token must be present in the keys of states; if states is a dict of dicts, it must be present in the keys of the outer dict and of every inner dict.
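The fallback behaviour described above is the property a practitioner most needs to understand before scoring sessions, so here is an added example that is not msticpy's own code: a minimal dict subclass (assumed name UnkFallbackMatrix, a hypothetical stand-in for StateMatrix) that validates the unk_token requirement for the outer and every inner dict, wraps nested dicts so conditional lookups fall back too, and then scores a session containing a command that never appeared in training. The training counts, command names and the session are constructed for illustration.

```python
import math

UNK = "##UNK##"  # constructed dummy token, same as the page's example


class UnkFallbackMatrix(dict):
    """Illustrative re-implementation (assumption, not msticpy's code) of the
    lookup behaviour the page describes for StateMatrix.

    Any key that was never seen in training resolves to the value stored under
    ``unk_token``.  Nested dicts are wrapped recursively so that a conditional
    lookup such as ``probs[prev_cmd][next_cmd]`` falls back at both levels.
    """

    def __init__(self, states, unk_token):
        if unk_token not in states:
            raise KeyError(f"unk_token {unk_token!r} missing from keys {sorted(states)}")
        wrapped = {}
        for key, val in states.items():
            if isinstance(val, dict):
                # Recursion enforces that every inner dict carries unk_token too.
                val = UnkFallbackMatrix(val, unk_token)
            wrapped[key] = val
        super().__init__(wrapped)
        self.unk_token = unk_token

    def __missing__(self, key):
        # Invoked by dict.__getitem__ for absent keys; dict.get() bypasses it.
        return super().__getitem__(self.unk_token)


# Constructed training data: how often one command followed another
# across a corpus of sessions (dict of dicts of conditional counts).
TRANSITION_COUNTS = {
    "Set-Mailbox": {"Set-Mailbox": 5, "Get-Mailbox": 3, UNK: 1},
    "Get-Mailbox": {"Set-Mailbox": 2, "Get-Mailbox": 6, UNK: 1},
    UNK: {"Set-Mailbox": 1, "Get-Mailbox": 1, UNK: 1},
}


def to_conditional_probs(counts, unk_token):
    """Normalise conditional counts row by row into P(next | prev)."""
    probs = {}
    for prev_cmd, nxt in counts.items():
        total = sum(nxt.values())
        probs[prev_cmd] = {nxt_cmd: n / total for nxt_cmd, n in nxt.items()}
    return UnkFallbackMatrix(probs, unk_token)


def session_log_likelihood(probs, session):
    """Sum log P(cmd_i | cmd_{i-1}) over a session; unseen commands on either
    side of a transition resolve through unk_token instead of raising KeyError."""
    ll = 0.0
    for prev_cmd, cmd in zip(session, session[1:]):
        ll += math.log(probs[prev_cmd][cmd])
    return ll


def rejects_missing_inner_unk(unk_token):
    """Return True if construction refuses an inner dict lacking unk_token."""
    bad = {"Set-Mailbox": {"Set-Mailbox": 5}, unk_token: {unk_token: 1}}
    try:
        UnkFallbackMatrix(bad, unk_token)
    except KeyError:
        return True
    return False


if __name__ == "__main__":
    probs = to_conditional_probs(TRANSITION_COUNTS, UNK)
    # "Remove-MailboxPermission" was never seen in training (constructed).
    session = ["Set-Mailbox", "Get-Mailbox", "Remove-MailboxPermission", "Set-Mailbox"]
    print(f"seen transition P(Get|Set) = {probs['Set-Mailbox']['Get-Mailbox']:.4f}")
    print(f"unseen next cmd             = {probs['Set-Mailbox']['Remove-MailboxPermission']:.4f}")
    print(f"unseen prev and next cmd    = {probs['Remove-MailboxPermission']['Never-Seen']:.4f}")
    print(f"session log-likelihood      = {session_log_likelihood(probs, session):.4f}")
    print(f"rejects bad inner dict      = {rejects_missing_inner_unk(UNK)}")
```

Two points worth checking against whatever matrix you build: the fallback in this re-implementation lives in `__missing__`, which `dict.get()` never calls, so use indexing (`probs[k]`) rather than `probs.get(k)` when you want unk_token semantics; and the unk_token row must itself be present at every level, otherwise a doubly-unseen transition has nowhere to fall back to, which is why the constructor validates it recursively.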

clear() → None.  Remove all items from D.
copy() → a shallow copy of D
fromkeys(value=None, /)

Create a new dictionary with keys from iterable and values set to value.

get(key, default=None, /)

Return the value for key if key is in the dictionary, else default.

items() → a set-like object providing a view on D's items
keys() → a set-like object providing a view on D's keys
pop(k[, d]) → v, remove specified key and return the corresponding value.

If key is not found, default is returned if given, otherwise KeyError is raised

popitem()

Remove and return a (key, value) pair as a 2-tuple.

Pairs are returned in LIFO (last-in, first-out) order. Raises KeyError if the dict is empty.

setdefault(key, default=None, /)

Insert key with a value of default if key is not in the dictionary.

Return the value for key if key is in the dictionary, else default.

update([E, ]**F) → None.  Update D from dict/iterable E and F.

If E is present and has a .keys() method, then does: for k in E: D[k] = E[k]. If E is present and lacks a .keys() method, then does: for k, v in E: D[k] = v. In either case, this is followed by: for k in F: D[k] = F[k].

values() → an object providing a view on D's values