msticpy.transform.proc_tree_build_winlx module

Process Tree builder for Windows security and Linux auditd events.

msticpy.transform.proc_tree_build_winlx.extract_process_tree(procs: DataFrame, schema: ProcSchema, debug: bool = False) → DataFrame

Build process trees from the process events.

Parameters:

procs (pd.DataFrame) – Process events (Windows 4688 or Linux Auditd)
schema (Union[ProcSchema, Dict[str, Any]], optional) – The column schema to use, by default None. If supplied as a dict it must include definitions for the required fields in the ProcSchema class If None, then the schema is inferred
debug (bool) – If True produces extra debugging output, by default False

Returns:

Process tree dataframe.

Return type:

pd.DataFrame