msticpy.transform.cmd_line module

cmd_line - Syslog Command processing module.

Contains a series of functions required to correctly collect, parse and visualize Linux syslog data.

Designed to support standard Linux syslog for investigations where auditd is not available.

msticpy.transform.cmd_line.cmd_speed(cmd_events: DataFrame, cmd_field: str, time: int = 5, events: int = 10) → list

Detect patterns of cmd_line activity whose speed of execution may be suspicious.

Parameters

  • cmd_events (pd.DataFrame) – A DataFrame of all sudo events to check.

  • cmd_field (str) – The column of the event data that contains command line activity.

  • time (int, optional) – Time window, in seconds, over which to evaluate speed of execution. (Defaults to 5)

  • events (int, optional) – Number of syslog command execution events over which to evaluate speed of execution. (Defaults to 10)

Returns

risky suspicious_actions – A list of commands that match a risky pattern

Return type

list

Raises

AttributeError – If cmd_field is not in the supplied data set or TimeGenerated is not in datetime format
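
A simplified sketch of the windowed speed check described for cmd_speed, added here as an example; it is not msticpy's implementation. The function name fast_command_windows, the (timestamp, command) tuple layout and the sample events are assumptions constructed for illustration; only the time and events parameters and their defaults are taken from the signature above.

```python
from datetime import datetime, timedelta


def fast_command_windows(records, time=5, events=10):
    """Flag runs of `events` consecutive commands spanning under `time` seconds.

    records: iterable of (timestamp, command) tuples (hypothetical layout).
    Returns a list of (start_time, span, commands), one per flagged run.
    """
    if events < 2:
        raise ValueError("events must be at least 2 to measure a time span")
    rows = list(records)
    if any(not isinstance(ts, datetime) for ts, _ in rows):
        raise TypeError("timestamps must be datetime objects")
    rows.sort(key=lambda row: row[0])  # syslog can arrive out of order
    limit = timedelta(seconds=time)
    hits = []
    # Slide a window of exactly `events` rows; fewer rows means no window.
    for start in range(len(rows) - events + 1):
        window = rows[start:start + events]
        span = window[-1][0] - window[0][0]
        if span < limit:
            hits.append((window[0][0], span, [cmd for _, cmd in window]))
    return hits


# Constructed sample data: three human-paced sudo commands 30 s apart,
# followed by a scripted burst of ten commands 200 ms apart.
BASE = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE = [(BASE + timedelta(seconds=30 * i), f"sudo ls /srv/{i}") for i in range(3)]
SAMPLE += [
    (BASE + timedelta(seconds=120, milliseconds=200 * i), f"sudo cat /etc/conf{i}")
    for i in range(10)
]

if __name__ == "__main__":
    for started, span, cmds in fast_command_windows(SAMPLE):
        print(f"{started.isoformat()} {len(cmds)} commands in {span.total_seconds():.1f}s")
        print("  first:", cmds[0], "| last:", cmds[-1])
```

Overlapping windows are each reported separately, so a long burst produces several hits that should be merged before alerting.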

msticpy.transform.cmd_line.risky_cmd_line(events: DataFrame, log_type: str, detection_rules: Optional[str] = None, cmd_field: str = 'Command') → dict

Detect patterns of risky commands in syslog messages.

Risky patterns are defined in a JSON-format file.

Parameters

  • events (pd.DataFrame) – A DataFrame of all syslog events potentially containing risky command line activity.

  • log_type (str) – The log type of the data included in events. Must correspond to a detection type in the detection_rules file.

  • detection_rules (str, optional) – Path to the JSON file containing patterns of risky activity to detect. (Defaults to msticpy/resources/cmd_line_rules.json)

  • cmd_field (str, optional) – The column in the events dataset that contains the command lines to be analysed. (Defaults to “Command”)

Returns

risky actions – A dictionary of commands that match a risky pattern

Return type

dict

Raises

MsticpyException – The provided dataset does not contain the cmd_field field