msticpy.transform.proc_tree_builder module
Process Tree Builder module for Process Tree Visualization.
- msticpy.transform.proc_tree_builder.build_proc_tree(input_tree, max_depth=-1)
Build process tree paths.
- Parameters:
input_tree (pd.DataFrame) – DataFrame containing process and parent key definitions
max_depth (int, optional) – Maximum depth to process the tree, by default -1 (no limit)
- Returns:
DataFrame with ordered paths for each process.
- Return type:
pd.DataFrame
- msticpy.transform.proc_tree_builder.build_process_tree(procs, schema=None, show_summary=False, debug=False, **kwargs)
Build process trees from the process events.
- Parameters:
procs (pd.DataFrame) – Process events (Windows 4688 or Linux Auditd)
schema (ProcSchema | dict[str, Any] | None, optional) – The column schema to use, by default None. If supplied as a dict it must include definitions for the required fields in the ProcSchema class If None, then the schema is inferred
show_summary (bool) – Shows summary of the built tree, default is False.
debug (bool) – If True produces extra debugging output, by default False
- Returns:
Process tree dataframe.
- Return type:
pd.DataFrame
See also
ProcSchema
- msticpy.transform.proc_tree_builder.infer_schema(data)
Infer the correct schema to use for this data set.
- Parameters:
data (pd.DataFrame | pd.Series) – Data set to test
- Returns:
The schema most closely matching the data set.
- Return type: