msticpy.transform.cmd_line module
cmd_line - Syslog Command processing module.
Contains a series of functions required to correct collect, parse and visualize linux syslog data.
Designed to support standard linux syslog for investigations where auditd is not available.
- msticpy.transform.cmd_line.cmd_speed(cmd_events: DataFrame, cmd_field: str, time: int = 5, events: int = 10) list
Detect patterns of cmd_line activity whose speed of execution may be suspicious.
- Parameters:
cmd_events (pd.DataFrame) – A DataFrame of all sudo events to check.
cmd_field (str) – The column of the event data that contains command line activity
time (int, optional) – Time window in seconds in which to evaluate speed of execution against (Defaults to 5)
events (int, optional) – Number of syslog command execution events in which to evaluate speed of execution against (Defaults to 10)
- Returns:
risky suspicious_actions – A list of commands that match a risky pattern
- Return type:
list
- Raises:
AttributeError – If cmd_field is not in supplied data set or TimeGenerated note datetime format
- msticpy.transform.cmd_line.risky_cmd_line(events: DataFrame, log_type: str, detection_rules: str | None = None, cmd_field: str = 'Command') dict
Detect patterns of risky commands in syslog messages.
Risky patterns are defined in a json format file.
- Parameters:
events (pd.DataFrame) – A DataFrame of all syslog events potentially containing risky command line activity.
log_type (str) – The log type of the data included in events. Must correspond to a detection type in detection_rules file.
detection_rules (str, optional) – Path to json file containing patterns of risky activity to detect. (Defaults to msticpy/resources/cmd_line_rules.json)
cmd_field (str, optional;) – The column in the events dataset that contains the command lines to be analysed. (Defaults to “Command”)
- Returns:
risky actions – A dictionary of commands that match a risky pattern
- Return type:
dict
- Raises:
MsticpyException – The provided dataset does not contain the cmd_field field