msticpy.analysis.observationlist module

Observation summary collector.

class msticpy.analysis.observationlist.Observation(caption: str, data: Any, description: str | None = None, data_type: str | None = None, link: str | None = None, score: int = 0, tags: List[str] = NOTHING, additional_properties: Dict[str, Any] = NOTHING, timestamp: datetime | None = None, time_span: TimeSpan | None = None, time_column: str | None = None, filter: str | None = None, schema: str | None = None)

Bases: object

Observation definition.

Notes

captionstr: The title and index of the observation. Must be unique in the observation set.
descriptionOptional[str]: Text description of the observation. (default is None)
dataAny: The data to be stored for the observation (e.g. a pandas DataFrame). The object should implement a useable __repr__ to display correctly.
data_typeOptional[str]: The data type of the data property
linkOptional[str]: Link (usually a document-local link) to the originating section of the notebook. (default is None)
scoreint: The risk score associated with the observation. (default is 0)
tagsList[str]: Optional list of tags.
additional_properties Dict[str, Any]: Additional properties not covered by core properties.

Method generated by attrs for class Observation.

additional_properties: Dict[str, Any]

classmethod all_fields() → Set[str]

Return all fields of Observation class.

Returns:: Set of all field names.
Return type:: Set[str]

caption: str

data: Any

data_type: str | None

description: str | None

display(): Display the observation.

filter: str | None

property filtered_data: Any: Apply filtering to data if it is a DataFrame.

link: str | None

classmethod required_fields() → List[str]

Return required fields for Observation instance.

Returns:: List of field names.
Return type:: List[str]

schema: str | None

score: int

tags: List[str]

time_column: str | None

time_span: TimeSpan | None

timestamp: datetime | None

class msticpy.analysis.observationlist.Observations(observationlist: Observations | None = None)

Bases: object

Class to collect and display investigation observations.

Create an observation list.

Parameters:: observationlist (Observations, optional) – Initialize from an existing Observations list (the default is None)

add_observation(observation: Observation | None = None, **kwargs)

Add an observation.

Add an observation as an Observation instance or as a set of keyword parameters (see Observation class for acceptable values). Any keyword parameters that are not properties of Observation will be stored in the Observation.additional_properties dictionary

Parameters:

observation (Observation) – An observation instance.
kwargs (str, Any) – List of key value pairs of the property names and values of the Observation to be stored.

display_observations(): Display the current observations using IPython.display.

property observations: Mapping[str, Observation]

Return the current list of Observations.

Returns:: The current ordered dictionary of Observations
Return type:: Mapping[str, Observation]