msticpy.transform.proc_tree_builder module
Process Tree Builder module for Process Tree Visualization.
- msticpy.transform.proc_tree_builder.build_proc_tree(input_tree: DataFrame, max_depth: int = -1) DataFrame
Build process tree paths.
- Parameters:
input_tree (pd.DataFrame) – DataFrame containing process and parent key definitions
max_depth (int, optional) – Maximum depth to process the tree, by default -1 (no limit)
- Returns:
DataFrame with ordered paths for each process.
- Return type:
pd.DataFrame
- msticpy.transform.proc_tree_builder.build_process_tree(procs: DataFrame, schema: ProcSchema | Dict[str, Any] | None = None, show_summary: bool = False, debug: bool = False, **kwargs) DataFrame
Build process trees from the process events.
- Parameters:
procs (pd.DataFrame) – Process events (Windows 4688 or Linux Auditd)
schema (Union[ProcSchema, Dict[str, Any]], optional) – The column schema to use, by default None. If supplied as a dict it must include definitions for the required fields in the ProcSchema class If None, then the schema is inferred
show_summary (bool) – Shows summary of the built tree, default is False.
debug (bool) – If True produces extra debugging output, by default False
- Returns:
Process tree dataframe.
- Return type:
pd.DataFrame
See also
ProcSchema
- msticpy.transform.proc_tree_builder.infer_schema(data: DataFrame | Series) ProcSchema | None
Infer the correct schema to use for this data set.
- Parameters:
data (Union[pd.DataFrame, pd.Series]) – Data set to test
- Returns:
The schema most closely matching the data set.
- Return type: