msticpy.vis.process_tree module

Process Tree Visualization.

class msticpy.vis.process_tree.ProcessTreeAccessor(*args, **kwargs)

Bases: object

Pandas api extension for Process Tree.

Deprecated since version 1.7.0: Will be removed in version 2.0.0

Instantiate pandas extension class.

build(schema: ProcSchema | None = None, **kwargs) -> DataFrame

Build process trees from the process events.

Parameters:
  • procs (pd.DataFrame) – Process events (Windows 4688 or Linux Auditd). This is the DataFrame the accessor is attached to, not a call argument.

  • schema (ProcSchema, optional) – The column schema to use, by default None. If None, the schema is inferred from the column names.

  • show_summary (bool) – Show a summary of the built tree, by default False.

  • debug (bool) – If True produces extra debugging output, by default False

Returns:

Process tree dataframe.

Return type:

pd.DataFrame

Notes

It is not necessary to call this before plot; the process tree is built automatically. Call build only if you want the processed tree data returned as a DataFrame (for example, to query parent/child relationships directly).

plot(**kwargs) -> Tuple[figure, bokeh.models.LayoutDOM]

Build and plot a process tree.

Parameters:
  • schema (ProcSchema, optional) – The data schema to use for the data set, by default None (if None the schema is inferred)

  • output_var (str, optional) – Output variable for selected items in the tree, by default None

  • legend_col (str, optional) – The column used to color the tree items, by default None

  • show_table (bool) – Set to True to show a data table, by default False.

  • height (int, optional) – The height of the plot figure (the default is 700)

  • width (int, optional) – The width of the plot figure (the default is 900)

  • title (str, optional) – Title to display (the default is None)

  • hide_legend (bool, optional) – Hide the legend box, even if legend_col is specified.

  • pid_fmt (str, optional) – Display Process ID as ‘dec’ (decimal), ‘hex’ (hexadecimal), or ‘guid’ (string), default is ‘hex’.

Returns:

figure - The main bokeh.plotting.figure
Layout - Bokeh layout structure.

Return type:

Tuple[figure, LayoutDOM]

class msticpy.vis.process_tree.TreeResult(proc_tree: DataFrame, schema: ProcSchema | None, levels: ndarray | None, n_rows: int)

Bases: NamedTuple

Result tuple for _pre_process_tree.

Create new instance of TreeResult(proc_tree, schema, levels, n_rows)

count(value, /)

Return number of occurrences of value.

index(value, start=0, stop=9223372036854775807, /)

Return first index of value.

Raises ValueError if the value is not present.

levels: ndarray | None

Alias for field number 2

n_rows: int

Alias for field number 3

proc_tree: DataFrame

Alias for field number 0

schema: ProcSchema | None

Alias for field number 1

msticpy.vis.process_tree.build_and_show_process_tree(data: DataFrame, schema: ProcSchema | Dict[str, Any] | None = None, output_var: str | None = None, legend_col: str | None = None, **kwargs) -> Tuple[figure, bokeh.models.LayoutDOM]

Build process tree from data and plot a tree.

Parameters:
  • data (pd.DataFrame) – Windows process creation (4688) or Linux Auditd events

  • schema (Union[ProcSchema, Dict[str, Any]], optional) – The column schema to use, by default None. If supplied as a dict it must include definitions for the required fields in the ProcSchema class. If None, the schema is inferred from the column names.

  • output_var (str, optional) – Output variable for selected items in the tree, by default None

  • legend_col (str, optional) – The column used to color the tree items, by default None

  • kwargs (Dict[str, Any]) – Additional arguments passed to plot_process_tree

  • height (int, optional) – The height of the plot figure (the default is 700)

  • width (int, optional) – The width of the plot figure (the default is 900)

  • title (str, optional) – Title to display (the default is None)

  • hide_legend (bool, optional) – Hide the legend box, even if legend_col is specified.

  • pid_fmt (str, optional) – Display Process ID as ‘dec’ (decimal), ‘hex’ (hexadecimal), or ‘guid’ (string), default is ‘hex’.

Returns:

figure - The main bokeh.plotting.figure
Layout - Bokeh layout structure.

Return type:

Tuple[figure, LayoutDOM]

Notes

For full parameter set for process tree display see the help for plot_process_tree.

msticpy.vis.process_tree.plot_process_tree(data: DataFrame, schema: ProcSchema | Dict[str, Any] | None = None, output_var: str | None = None, legend_col: str | None = None, show_table: bool = False, **kwargs) -> Tuple[figure, bokeh.models.LayoutDOM]

Plot a Process Tree Visualization.

Parameters:
  • data (pd.DataFrame) – DataFrame containing one or more Process Trees

  • schema (Union[ProcSchema, Dict[str, Any]], optional) – The column schema to use, by default None. If supplied as a dict it must include definitions for the required fields in the ProcSchema class. If None, the schema is inferred from the column names.

  • output_var (str, optional) – Output variable for selected items in the tree, by default None

  • legend_col (str, optional) – The column used to color the tree items, by default None

  • show_table (bool) – Set to True to show a data table, by default False.

  • height (int, optional) – The height of the plot figure (the default is 700)

  • width (int, optional) – The width of the plot figure (the default is 900)

  • title (str, optional) – Title to display (the default is None)

  • hide_legend (bool, optional) – Hide the legend box, even if legend_col is specified.

  • pid_fmt (str, optional) – Display Process ID as ‘dec’ (decimal), ‘hex’ (hexadecimal), or ‘guid’ (string), default is ‘hex’.

Returns:

figure - The main bokeh.plotting.figure
Layout - Bokeh layout structure.

Return type:

Tuple[figure, LayoutDOM]

Raises:

ProcessTreeSchemaException – If the data set schema is not valid for the plot.

Notes

The output_var variable will be overwritten with any values selected in the plot, so do not pass the name of a variable whose contents you still need.
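The functions above infer parent/child links from process-creation events before drawing anything, and the data set can fail that step (ProcessTreeSchemaException) or link the wrong parent if PIDs are recycled within the log window. The following stdlib-only example, added here and not part of msticpy, mirrors the linkage a tree build has to perform on Windows 4688-style rows: a per-host parent lookup that picks the most recent process holding the parent PID (so a reused PID does not attach to an earlier process), roots for processes whose parent started before logging began, a level (depth) per row, the hex/dec PID rendering that pid_fmt selects, and a query over the built tree for Office applications spawning a shell. The sample events, the column names and helper names are constructed for illustration.

```python
"""Stdlib-only process-tree builder for Windows 4688-style process-creation events.

Added example, not msticpy's implementation. It shows the parent linkage, PID-reuse
handling and depth calculation a tree build step has to get right, and a query you
would run over the built tree rather than only eyeballing the plot.
"""
from datetime import datetime
from pathlib import PureWindowsPath


def _ev(time, computer, parent_pid, pid, image, cmdline, user="alice"):
    """Constructed 4688-style row using the field names the Windows schema expects."""
    return {"TimeGenerated": time, "Computer": computer, "SubjectUserName": user,
            "ProcessId": parent_pid, "NewProcessId": pid, "NewProcessName": image,
            "CommandLine": cmdline}


# Constructed sample data. 4688 logs PIDs as hex strings, hence pid_fmt defaults to "hex".
EVENTS = [
    _ev("2023-05-01T09:00:00", "WS01", "0x2c0", "0x1f0", r"C:\Windows\explorer.exe", "explorer.exe"),
    _ev("2023-05-01T09:01:00", "WS01", "0x1f0", "0x7a8", r"C:\Program Files\Microsoft Office\WINWORD.EXE",
        "WINWORD.EXE invoice.docm"),
    _ev("2023-05-01T09:01:30", "WS01", "0x7a8", "0x9c4", r"C:\Windows\System32\cmd.exe", "cmd.exe /c powershell"),
    _ev("2023-05-01T09:01:31", "WS01", "0x9c4", "0xb10",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell -NoProfile -Command Get-Date"),
    # Same PID on a different host: must not link to WS01's explorer.exe (0x1f0).
    _ev("2023-05-01T09:02:00", "WS02", "0x1f0", "0x7a8", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    # PID reuse on WS01: 0x7a8 is recycled by notepad.exe after WINWORD exits.
    _ev("2023-05-01T09:05:00", "WS01", "0x1f0", "0x7a8", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    # This cmd.exe has parent 0x7a8 too; it belongs under notepad.exe, not WINWORD.EXE.
    _ev("2023-05-01T09:05:10", "WS01", "0x7a8", "0xd20", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def _pid(value):
    """Parse a PID that may be a hex string ('0x7a8'), a decimal string or an int."""
    return int(value, 0) if isinstance(value, str) else int(value)


def format_pid(value, pid_fmt="hex"):
    """Render a PID as the plot's pid_fmt option does: 'hex' or 'dec'."""
    pid = _pid(value)
    if pid_fmt == "hex":
        return f"0x{pid:x}"
    if pid_fmt == "dec":
        return str(pid)
    raise ValueError(f"unsupported pid_fmt: {pid_fmt}")


def build_tree(events):
    """Link each creation event to its parent's creation event and assign a level.

    Parent rule: same Computer, parent's NewProcessId == child's ProcessId, and the
    latest such event that started no later than the child. Choosing the latest holder
    of the PID is what makes PID reuse resolve correctly. Rows with no matching parent
    (parent started before the log window) become roots at level 0. Rows are processed
    in time order, so a parent logged after its child would also be treated as missing.
    """
    tree = []
    for ev in sorted(events, key=lambda e: e["TimeGenerated"]):
        ts = datetime.fromisoformat(ev["TimeGenerated"])
        node = dict(ev)
        node["proc_key"] = f"{ev['Computer']}|{_pid(ev['NewProcessId']):x}|{ts.isoformat()}"
        candidates = [n for n in tree
                      if n["Computer"] == ev["Computer"]
                      and _pid(n["NewProcessId"]) == _pid(ev["ProcessId"])
                      and datetime.fromisoformat(n["TimeGenerated"]) <= ts]
        if candidates:
            parent = max(candidates, key=lambda n: n["TimeGenerated"])
            node["parent_key"], node["level"] = parent["proc_key"], parent["level"] + 1
        else:
            node["parent_key"], node["level"] = None, 0
        tree.append(node)
    return tree


def tree_summary(tree):
    """The kind of numbers a show_summary report gives: rows, roots, maximum depth."""
    return {"n_rows": len(tree),
            "n_roots": sum(1 for n in tree if n["parent_key"] is None),
            "max_level": max((n["level"] for n in tree), default=0)}


def office_spawning_shell(tree):
    """Return (parent, child) image names where an Office app launched a shell."""
    by_key = {n["proc_key"]: n for n in tree}
    hits = []
    for n in tree:
        parent = by_key.get(n["parent_key"])
        if parent is None:
            continue
        p_name = PureWindowsPath(parent["NewProcessName"]).name.lower()
        c_name = PureWindowsPath(n["NewProcessName"]).name.lower()
        if p_name in OFFICE and c_name in SHELLS:
            hits.append((p_name, c_name))
    return hits


if __name__ == "__main__":
    tree = build_tree(EVENTS)
    for n in tree:  # indented text rendering of the tree, one row per process
        print("  " * n["level"] + f"{n['Computer']} {format_pid(n['NewProcessId'])} "
              f"{PureWindowsPath(n['NewProcessName']).name}")
    print(tree_summary(tree))
    print(office_spawning_shell(tree))
```

With msticpy installed, the same rows loaded into a pandas DataFrame can be passed to build_and_show_process_tree(data, legend_col="SubjectUserName") as documented above; if the column names differ from a built-in schema, supply a schema dict covering the required ProcSchema fields, otherwise the call raises ProcessTreeSchemaException.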