msticpy.nbtools package

Submodules

msticpy.nbtools.foliummap module

Folium map class.

class msticpy.nbtools.foliummap.FoliumMap(title: str = 'layer1', zoom_start: float = 2.5, tiles=None, width: str = '100%', height: str = '100%', location: list = None)

Bases: object

Wrapper class for Folium/Leaflet mapping.

Create an instance of the folium map.

Parameters:
  • title (str, optional) – Name of the layer (the default is ‘layer1’)
  • zoom_start (int, optional) – The zoom level of the map (the default is 7)
  • tiles ([type], optional) – Custom set of tiles or tile URL (the default is None)
  • width (str, optional) – Map display width (the default is ‘100%’)
  • height (str, optional) – Map display height (the default is ‘100%’)
  • location (list, optional) – Location to center map on
folium_map

The map object.

Type:folium.Map
add_geoloc_cluster(geo_locations: Iterable[msticpy.nbtools.entityschema.GeoLocation], **kwargs)

Add a collection of GeoLocation objects to the map.

Parameters:geo_locations (Iterable[GeoLocation]) – Iterable of GeoLocation entities.
add_ip_cluster(ip_entities: Iterable[msticpy.nbtools.entityschema.IpAddress], **kwargs)

Add a collection of IP Entities to the map.

Parameters:ip_entities (Iterable[IpAddress]) – An iterable of IpAddress entities
Other Parameters:
 kwargs (icon properties to use for displaying this cluster)
add_locations(locations: Iterable[Tuple[float, float]], **kwargs)

Add a collection of lat/long tuples to the map.

Parameters:locations (Iterable[Tuple[float, float]]) – Iterable of location tuples.
center_map()

Calculate and set map center based on current coordinates.

msticpy.nbtools.foliummap.get_center_geo_locs(loc_entities: Iterable[msticpy.nbtools.entityschema.GeoLocation], mode: str = 'median') → Tuple[float, float]

Return the geographical center of the geo locations.

Parameters:
  • loc_entities (Iterable[GeoLocation]) – GeoLocation entities with location information
  • mode (str, optional) – The averaging method to use, by default “median”. “median” and “mean” are the supported values.
Returns:

Tuple of latitude, longitude

Return type:

Tuple[Union[int, float], Union[int, float]]

msticpy.nbtools.foliummap.get_center_ip_entities(ip_entities: Iterable[msticpy.nbtools.entityschema.IpAddress], mode: str = 'median') → Tuple[float, float]

Return the geographical center of the IP address locations.

Parameters:
  • ip_entities (Iterable[IpAddress]) – IpAddress entities with location information
  • mode (str, optional) – The averaging method to use, by default “median”. “median” and “mean” are the supported values.
Returns:

Tuple of latitude, longitude

Return type:

Tuple[Union[int, float], Union[int, float]]

msticpy.nbtools.foliummap.get_map_center(entities: Iterable[msticpy.nbtools.entityschema.Entity], mode: str = 'modal')

Calculate median point between Entity IP locations.

Parameters:
  • entities (Iterable[Entity]) – An iterable of entities containing IpAddress geolocation information. The entities can be IpAddress entities or other entities that have IpAddress properties. The entities must all be of the same type.
  • mode (str, optional) – The averaging method to use, by default “median”. “median” and “mean” are the supported values.
Returns:

The latitude and longitude calculated

Return type:

Tuple

Notes

The function uses the first entity in the entities to determine how to process the collection. E.g. if the first entity has properties src_ip and dest_ip of type IpAddress, these are the only properties that will be processed for the remainder of the entities.

msticpy.nbtools.morph_charts module

Morph Charts class.

class msticpy.nbtools.morph_charts.MorphCharts

Bases: object

Create Morph Charts package data and render Morph Charts site.

Create object and populate charts container.

display(data: pandas.core.frame.DataFrame, chart_name: str) → IPython.lib.display.IFrame

Prepare package data and display MorphChart in an IFrame.

Parameters:
  • data (pd.DataFrame:) – A DataFrame of data for the morphchart to plot.
  • chart_name (str:) – The name of the Morph Chart to plot.
get_chart_details(chart_name)

Get description for a chart.

Parameters:chart_name (str:) – The name of the chart you get description for.
list_charts()

Get a list of available charts.

search_charts(keyword)

Search for charts that match a keyword.

Parameters:keyword (str:) – The keyword to search charts for.

msticpy.nbtools.nbinit module

Initialization for Jupyter Notebooks.

msticpy.nbtools.nbinit.init_notebook(namespace: Dict[str, Any], additional_packages: List[str] = None, extra_imports: List[str] = None, verbose: bool = False) → bool

Initialize the notebook environment.

Parameters:
  • namespace (Dict[str, Any]) – Namespace (usually globals()) into which imports are to be populated.
  • additional_packages (List[str], optional) – Additional packages to be pip installed, by default None. Packages are specified by name only or version specification (e.g. “pandas>=0.25”)
  • extra_imports (List[str], optional) – Additional import definitions, by default None. Each import is specified as a string of up to three comma-delimited values: “{source_pkg}, [{import_tgt}], [{alias}]”. source_pkg is mandatory and on its own is equivalent to a simple “import xyz” statement. import_tgt specifies an object to import from the package, equivalent to “from source_pkg import import_tgt”. alias renames the imported object, equivalent to the “as alias” part of the import statement. To provide just source_pkg and alias, include an additional placeholder comma, e.g. “pandas, , pd”.
  • verbose (bool, optional) – Display more verbose status, by default False
Returns:

True if successful

Return type:

bool

Raises:

MsticpyException – If extra_imports data format is incorrect. If package with required version check has no version information.
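The extra_imports format described above, implemented as an added stand-alone example (not msticpy's code): it parses each spec, binds the result into a namespace the way init_notebook populates globals(), and reports which names were injected. It raises ValueError where msticpy raises MsticpyException.

```python
"""Parse and apply init_notebook-style extra_imports specifications.

Added illustration of the documented "{source_pkg}, [{import_tgt}], [{alias}]"
format; this is not msticpy's implementation, and it raises ValueError where
msticpy raises MsticpyException.
"""
import importlib
from typing import Any, Dict, Iterable, Tuple


def parse_extra_import(spec: str) -> Tuple[str, str, str]:
    """Split one spec into (source_pkg, import_tgt, alias).

    At most three comma-delimited values; only source_pkg is mandatory.
    "pandas, , pd" is the documented way to give an alias without a target.
    """
    parts = [part.strip() for part in spec.split(",")]
    if len(parts) > 3:
        raise ValueError(f"at most three values allowed in {spec!r}")
    if not parts[0]:
        raise ValueError(f"source_pkg is mandatory in {spec!r}")
    parts += [""] * (3 - len(parts))
    source_pkg, import_tgt, alias = parts
    return source_pkg, import_tgt, alias


def is_valid_spec(spec: str) -> bool:
    """True if the spec satisfies the documented format."""
    try:
        parse_extra_import(spec)
    except ValueError:
        return False
    return True


def import_statement(spec: str) -> str:
    """Render the equivalent Python import statement for a spec."""
    source_pkg, import_tgt, alias = parse_extra_import(spec)
    if import_tgt:
        stmt = f"from {source_pkg} import {import_tgt}"
    else:
        stmt = f"import {source_pkg}"
    return f"{stmt} as {alias}" if alias else stmt


def apply_extra_imports(
    specs: Iterable[str], namespace: Dict[str, Any]
) -> Dict[str, str]:
    """Import each spec and bind the result into `namespace` (normally globals()).

    Returns {bound_name: equivalent import statement} so the caller can see
    exactly which names were injected into the notebook namespace.
    """
    bound: Dict[str, str] = {}
    for spec in specs:
        source_pkg, import_tgt, alias = parse_extra_import(spec)
        module = importlib.import_module(source_pkg)
        if import_tgt:
            # "from source_pkg import import_tgt [as alias]"
            try:
                obj = getattr(module, import_tgt)
            except AttributeError as err:
                raise ValueError(
                    f"{source_pkg} has no attribute {import_tgt}"
                ) from err
            name = alias or import_tgt
        elif alias:
            # "import source_pkg as alias" binds the (sub)module itself
            obj, name = module, alias
        else:
            # A plain "import a.b" binds only the top-level name "a"
            top_level = source_pkg.split(".")[0]
            obj, name = importlib.import_module(top_level), top_level
        namespace[name] = obj
        bound[name] = import_statement(spec)
    return bound
```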

msticpy.nbtools.nbdisplay module

Module for common display functions.

msticpy.nbtools.nbdisplay.display_alert(alert: Union[Mapping[str, Any], msticpy.nbtools.security_alert.SecurityAlert], show_entities: bool = False)

Display a Security Alert.

Parameters:
  • alert (Union[Mapping[str, Any], SecurityAlert]) – The alert to display as Mapping (e.g. pd.Series) or SecurityAlert
  • show_entities (bool, optional) – Whether to display entities (the default is False)
msticpy.nbtools.nbdisplay.display_logon_data(logon_event: pandas.core.frame.DataFrame, alert: msticpy.nbtools.security_alert.SecurityAlert = None, os_family: str = None)

Display logon data for one or more events.

Parameters:
  • logon_event (pd.DataFrame) – Dataframe containing one or more logon events
  • alert (SecurityAlert, optional) – obtain os_family from the security alert (the default is None)
  • os_family (str, optional) – explicitly specify os_family (Linux or Windows) (the default is None)
msticpy.nbtools.nbdisplay.display_process_tree(process_tree: pandas.core.frame.DataFrame)

Display process tree data frame. (Deprecated).

Parameters:
  • process_tree (pd.DataFrame) – Process tree DataFrame

Notes

The display module expects the columns NodeRole and Level to be populated. NodeRole is one of the node role values (for example 'sibling'). Level indicates the 'hop' distance from the 'source' node.

msticpy.nbtools.nbdisplay.draw_alert_entity_graph(nx_graph: networkx.classes.graph.Graph, font_size: int = 12, height: int = 15, width: int = 15, margin: float = 0.3, scale: int = 1)

Draw networkX graph with matplotlib.

Parameters:
  • nx_graph (nx.Graph) – The NetworkX graph to draw
  • font_size (int, optional) – base font size (the default is 12)
  • height (int, optional) – Image height (the default is 15)
  • width (int, optional) – Image width (the default is 15)
  • margin (float, optional) – Image margin (the default is 0.3)
  • scale (int, optional) – Position scale (the default is 1)
msticpy.nbtools.nbdisplay.exec_remaining_cells()

Execute all cells below currently selected cell.

msticpy.nbtools.nbwidgets module

Module for pre-defined widget layouts.

class msticpy.nbtools.nbwidgets.AlertSelector(alerts: pandas.core.frame.DataFrame, action: Callable[[...], None] = None, columns: List[str] = None, auto_display: bool = False)

Bases: msticpy.data.query_defns.QueryParamProvider

AlertSelector.

View a list of alerts and select one for investigation. Optionally provide an action to call with the selected alert as a parameter (typically used to display the alert).

selected_alert

The selected alert

Type:SecurityAlert
alert_id

The SystemAlertId of the selected alert

Type:str
alerts

The current alert list (DataFrame)

Type:List[SecurityAlert]
action

The callback action to execute on selection of an alert.

Type:Callable[.., None]

Create a new instance of AlertSelector.

Parameters:
  • alerts (pd.DataFrame) – DataFrame of alerts.
  • action (Callable[.., None], optional) – Optional function to execute for each selected alert. (the default is None)
  • columns (List[str], optional) – Override the default column names to use from alerts (the default is [‘StartTimeUtc’, ‘AlertName’, ‘CompromisedEntity’, ‘SystemAlertId’])
  • auto_display (bool, optional) – Whether to display on instantiation (the default is False)
display()

Display the interactive widgets.

query_params

Query parameters derived from alert.

Returns:
Return type:dict(str, str) – Dictionary of parameter names
class msticpy.nbtools.nbwidgets.GetEnvironmentKey(env_var: str, help_str: str = None, prompt: str = 'Enter the value: ', auto_display: bool = False)

Bases: object

GetEnvironmentKey.

Tries to retrieve an environment variable value. The value can be changed/set and optionally saved back to the system environment.

Create a new instance of GetEnvironmentKey.

Parameters:
  • env_var (str) – Name of the environment variable.
  • help_str (str, optional) – Help to display if the environment variable is not set. (the default is None)
  • prompt (str, optional) – Prompt to display with the text box. (the default is “Enter the value: “)
  • auto_display (bool, optional) – Whether to display on instantiation (the default is False)
display()

Display the interactive widgets.

name

Get the current name of the key.

value

Get the current value of the key.

class msticpy.nbtools.nbwidgets.Lookback(default: int = 4, label: str = 'Select time ({units}) to look back', origin_time: datetime.datetime = None, min_value: int = 1, max_value: int = 240, units: str = 'hour', auto_display: bool = False)

Bases: msticpy.data.query_defns.QueryParamProvider

ipywidgets wrapper to display an integer slider.

before

The default number of units before the origin_time (the default is 60)

Type:int
after

The default number of units after the origin_time (the default is 10)

Type:int
max_before

The largest value for before (the default is 600)

Type:int
max_after

The largest value for after (the default is 100)

Type:int
origin_time

The origin time (the default is datetime.utcnow())

Type:datetime
start

Query start time.

Type:datetime
end

Query end time.

Type:datetime

Create an instance of the lookback slider widget.

Parameters:
  • default (int, optional) – The default ‘lookback’ time (the default is 4)
  • label (str, optional) – The description to display (the default is ‘Select time ({units}) to look back’)
  • origin_time (datetime, optional) – The origin time (the default is datetime.utcnow())
  • min_value (int, optional) – Minimum value (the default is 1)
  • max_value (int, optional) – Maximum value (the default is 240)
  • units (str, optional) – Time unit (the default is ‘hour’). Permissible values are ‘day’, ‘hour’, ‘minute’ and ‘second’; these can all be abbreviated to their initial characters (‘d’, ‘m’, etc.)
  • auto_display (bool, optional) – Whether to display on instantiation (the default is False)
display()

Display the interactive widgets.

lookback

Return current widget lookback value.

query_params

Query parameters derived from alert.

Returns:
Return type:dict(str, str) – Dictionary of parameter names
value

Return current widget lookback value.

class msticpy.nbtools.nbwidgets.Progress(completed_len: int, visible: bool = True)

Bases: object

UI Progress bar.

Instantiate new _Progress UI.

Parameters:
  • completed_len (int) – The expected value that indicates 100% done.
  • visible (bool) – If True start the progress UI visible, by default True.
hide()

Hide the controls.

max

Return the current progress maximum value.

Returns:Max value
Return type:int
show()

Make the controls visible.

update_progress(new_total: int = 0, delta: int = 0)

Update progress UI by increment or new total.

Parameters:
  • new_total (int, optional) – New total, by default 0
  • delta (int, optional) – Increment to update current total, by default 0
value

Return the current progress value.

Returns:Progress value
Return type:int
class msticpy.nbtools.nbwidgets.QueryTime(origin_time: datetime.datetime = None, before: int = 60, after: int = 10, max_before: int = 600, max_after: int = 100, label: str = None, units: str = 'min', auto_display: bool = False)

Bases: msticpy.data.query_defns.QueryParamProvider

QueryTime.

Composite widget to capture date and time origin and set start and end times for queries.

before

The default number of units before the origin_time (the default is 60)

Type:int
after

The default number of units after the origin_time (the default is 10)

Type:int
max_before

The largest value for before (the default is 600)

Type:int
max_after

The largest value for after (the default is 100)

Type:int
origin_time

The origin time (the default is datetime.utcnow())

Type:datetime
start

Query start time.

Type:datetime
end

Query end time.

Type:datetime
query_params

Create new instance of QueryTime.

Parameters:
  • origin_time (datetime, optional) – The origin time (the default is datetime.utcnow())
  • label (str, optional) – The description to display (the default is ‘Select time ({units}) to look back’)
  • before (int, optional) – The default number of units before the origin_time (the default is 60)
  • after (int, optional) – The default number of units after the origin_time (the default is 10)
  • max_before (int, optional) – The largest value for before (the default is 600)
  • max_after (int, optional) – The largest value for after (the default is 100)
  • units (str, optional) – Time unit (the default is ‘min’). Permissible values are ‘day’, ‘hour’, ‘minute’ and ‘second’; these can all be abbreviated to their initial characters (‘d’, ‘m’, etc.)
  • auto_display (bool, optional) – Whether to display on instantiation (the default is False)
display()

Display the interactive widgets.

end

Query end time.

query_params

Query parameters derived from alert.

Returns:
Return type:dict(str, str) – Dictionary of parameter names
start

Query start time.
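As an added example (not msticpy's code), the following computes the start and end times that Lookback and QueryTime derive from origin_time, the before/after or lookback counts and the units string, using the TimeUnit values documented in this module and the documented rule that unit names may be abbreviated to their initial characters. The slider bounds (max_before/max_after, min_value/max_value) are enforced rather than clipped, and the lookback_window helper assumes the Lookback widget's end time equals its origin_time.

```python
"""Derive query start/end times the way the Lookback and QueryTime widgets do.

Added illustration, not msticpy's code. TimeUnit values and the abbreviation
rule come from the nbwidgets documentation; "Lookback end == origin_time" is
this example's own assumption.
"""
from datetime import datetime, timedelta
from enum import Enum
from typing import Tuple


class TimeUnit(Enum):
    """Seconds per unit, as documented for msticpy.nbtools.nbwidgets.TimeUnit."""

    day = 86400
    hour = 3600
    min = 60
    sec = 1


# Full unit names accepted by the widgets, mapped to the enum member.
_UNIT_NAMES = {
    "day": TimeUnit.day,
    "hour": TimeUnit.hour,
    "minute": TimeUnit.min,
    "second": TimeUnit.sec,
}


def parse_time_unit(units: str) -> TimeUnit:
    """Resolve a full unit name or any leading abbreviation ('d', 'h', 'min', 's')."""
    key = units.strip().lower()
    if not key:
        raise ValueError("units must not be empty")
    matches = [unit for name, unit in _UNIT_NAMES.items() if name.startswith(key)]
    if len(matches) != 1:
        raise ValueError(f"unknown or ambiguous time unit {units!r}")
    return matches[0]


def query_window(
    origin_time: datetime, before: int, after: int, units: str = "min",
    max_before: int = 600, max_after: int = 100,
) -> Tuple[datetime, datetime]:
    """Return (origin - before*unit, origin + after*unit), QueryTime style.

    Defaults mirror QueryTime (units='min', max_before=600, max_after=100);
    values outside the slider ranges are rejected rather than silently clipped.
    """
    if not 0 <= before <= max_before:
        raise ValueError(f"before={before} outside 0..{max_before}")
    if not 0 <= after <= max_after:
        raise ValueError(f"after={after} outside 0..{max_after}")
    unit = parse_time_unit(units)
    start = origin_time - timedelta(seconds=before * unit.value)
    end = origin_time + timedelta(seconds=after * unit.value)
    return start, end


def lookback_window(
    origin_time: datetime, lookback: int, units: str = "hour",
    min_value: int = 1, max_value: int = 240,
) -> Tuple[datetime, datetime]:
    """Return (start, end) for a Lookback slider.

    Assumption of this example: end is origin_time and start lies lookback
    units earlier. Defaults mirror Lookback (units='hour', 1..240).
    """
    if not min_value <= lookback <= max_value:
        raise ValueError(f"lookback={lookback} outside {min_value}..{max_value}")
    unit = parse_time_unit(units)
    return origin_time - timedelta(seconds=lookback * unit.value), origin_time


def query_window_iso(
    origin_iso: str, before: int, after: int, units: str = "min"
) -> Tuple[str, str]:
    """ISO-8601 wrapper; pass a timezone-aware origin such as '...+00:00'.

    datetime.utcnow(), the widgets' default origin, is naive; keeping the origin
    tz-aware avoids mixing naive and aware values when the window feeds a query.
    """
    start, end = query_window(datetime.fromisoformat(origin_iso), before, after, units)
    return start.isoformat(), end.isoformat()


def lookback_window_iso(
    origin_iso: str, lookback: int, units: str = "hour"
) -> Tuple[str, str]:
    """ISO-8601 wrapper for lookback_window."""
    start, end = lookback_window(datetime.fromisoformat(origin_iso), lookback, units)
    return start.isoformat(), end.isoformat()
```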

class msticpy.nbtools.nbwidgets.SelectString(description: str = 'Select an item', item_list: List[str] = None, action: Callable[[...], None] = None, item_dict: Mapping[str, str] = None, auto_display: bool = False, height: str = '100px', width: str = '50%', display_filter: bool = True)

Bases: object

Selection list from list or dict.

value

The selected value.

Type:Any
item_action

Action to call for each selection.

Type:Callable[.., None]

Select an item from a list or dict.

Parameters:
  • description (str, optional) – The widget label to display. (the default is ‘Select an item’)
  • item_list (List[str], optional) – A list of items to select from (the default is None)
  • item_dict (Mapping[str, str], optional) – A dict of items to select from. When using item_dict the keys are displayed as the selectable items and value corresponding to the selected key is set as the value property. (the default is None)
  • action (Callable[.., None], optional) – function to call when item selected (passed a single parameter - the value of the currently selected item) (the default is None)
  • auto_display (bool, optional) – Whether to display on instantiation (the default is False)
  • height (str, optional) – Selection list height (the default is ‘100px’)
  • width (str, optional) – Selection list width (the default is ‘50%’)
  • display_filter (bool, optional) – Whether to display item filter (the default is True)
display()

Display the interactive widget.

class msticpy.nbtools.nbwidgets.SelectSubset(source_items: Union[Dict[str, str], List[Any]], default_selected: Union[Dict[str, str], List[Any]] = None, display_filter: bool = True)

Bases: object

Class to select a subset from an input list.

selected_values

The selected item values.

Type:List[Any]
selected_items

The selected items label and value

Type:List[Any]

Create instance of SelectSubset widget.

Parameters:
  • source_items (Union[Dict[str, str], List[Any]]) – List of source items - either a dictionary(label, value), a simple list or a list of (label, value) tuples.
  • default_selected (Union[Dict[str, str], List[Any]]) – Populate the selected list with values - either a dictionary(label, value), a simple list or a list of (label, value) tuples.
  • display_filter (bool, optional) – Whether to display item filter (the default is True)
selected_items

Return a list of the selected items.

If the input list is a list of tuples, this returns a list of the selected tuples.

Returns:List of items in the selected list.
Return type:List[Any]
selected_values

Return list of selected values.

If the input list is a list of tuples, this returns a list of values of the items.

Returns:List of selected item values.
Return type:List[Any]
class msticpy.nbtools.nbwidgets.TimeUnit

Bases: enum.Enum

Time unit enumeration and value.

day = 86400
hour = 3600
min = 60
sec = 1

msticpy.nbtools.observationlist module

Observation summary collector.

class msticpy.nbtools.observationlist.Observation(caption: str, data: Any, description: Optional[str] = None, data_type: Optional[str] = None, link: Optional[str] = None, score: int = 0, tags: List[str] = NOTHING, additional_properties: Dict[str, Any] = NOTHING)

Bases: object

Observation definition.

caption

The title and index of the observation. Must be unique in the observation set.

Type:str
description

Text description of the observation. (default is None)

Type:Optional[str]
data

The data to be stored for the observation (e.g. a pandas DataFrame). The object should implement a useable __repr__ to display correctly.

Type:Any
data_type

The data type of the data property

Type:Optional[str]
link

Link (usually a document-local link) to the originating section of the notebook. (default is None)

Type:Optional[str]
score

The risk score associated with the observation. (default is 0)

Type:int
tags

Optional list of tags.

Type:List[str]
additional_properties

Additional properties not covered by core properties.

Type:Dict[str, Any]

classmethod all_fields() → List[str]

Return all fields of Observation class.

Returns:List of all field names.
Return type:List[str]
classmethod required_fields() → List[str]

Return required fields for Observation instance.

Returns:List of field names.
Return type:List[str]
class msticpy.nbtools.observationlist.Observations(observationlist: Optional[msticpy.nbtools.observationlist.Observations] = None)

Bases: object

Class to collect and display investigation observations.

Create an observation list.

Parameters:observationlist (Observations, optional) – Initialize from an existing Observations list (the default is None)
add_observation(observation: msticpy.nbtools.observationlist.Observation = None, **kwargs)

Add an observation.

Add an observation as an Observation instance or as a set of keyword parameters (see the Observation class for acceptable values). Any keyword parameters that are not properties of Observation will be stored in the Observation.additional_properties dictionary.

Parameters:observation (Observation) – An observation instance.
Other Parameters:
 kwargs (str, Any) – List of key value pairs of the property names and values of the Observation to be stored.
display_observations()

Display the current observations using IPython.display.

observations

Return the current list of Observations.

Returns:The current ordered dictionary of Observations
Return type:Mapping[str, Observation]

msticpy.nbtools.process_tree module

Process Tree Visualization.

class msticpy.nbtools.process_tree.ProcessTreeAccessor(pandas_obj)

Bases: object

Pandas api extension for Process Tree.

Instantiate pandas extension class.

build(schema: msticpy.sectools.process_tree_utils.ProcSchema = None, **kwargs) → pandas.core.frame.DataFrame

Build process trees from the process events.

Parameters:
  • procs (pd.DataFrame) – Process events (Windows 4688 or Linux Auditd)
  • schema (ProcSchema, optional) – The column schema to use, by default None. If None, the schema is inferred.
  • show_progress (bool) – Shows the progress of the process (helpful for very large data sets)
  • debug (bool) – If True produces extra debugging output, by default False
Returns:

Process tree dataframe.

Return type:

pd.DataFrame

Notes

It is not necessary to call this before plot; the process tree is built automatically. This is only needed if you want to return the processed tree data as a DataFrame.

plot(**kwargs) → Tuple[bokeh.plotting.figure.figure, bokeh.models.layouts.LayoutDOM]

Build and plot a process tree.

Parameters:
  • schema (ProcSchema, optional) – The data schema to use for the data set, by default None (if None the schema is inferred)
  • output_var (str, optional) – Output variable for selected items in the tree, by default None
  • legend_col (str, optional) – The column used to color the tree items, by default None
  • show_table (bool) – Set to True to show a data table, by default False.
Other Parameters:
 
  • height (int, optional) – The height of the plot figure (the default is 700)
  • width (int, optional) – The width of the plot figure (the default is 900)
  • title (str, optional) – Title to display (the default is None)
Returns:

figure - The main bokeh.plotting.figure
Layout - Bokeh layout structure.

Return type:

Tuple[figure, LayoutDOM]

class msticpy.nbtools.process_tree.TreeResult(proc_tree, schema, levels, n_rows)

Bases: tuple

Create new instance of TreeResult(proc_tree, schema, levels, n_rows)

count()

Return number of occurrences of value.

index()

Return first index of value.

Raises ValueError if the value is not present.

levels

Alias for field number 2

n_rows

Alias for field number 3

proc_tree

Alias for field number 0

schema

Alias for field number 1

msticpy.nbtools.process_tree.build_and_show_process_tree(data: pandas.core.frame.DataFrame, schema: msticpy.sectools.process_tree_utils.ProcSchema = None, output_var: str = None, legend_col: str = None, **kwargs) → Tuple[bokeh.plotting.figure.figure, bokeh.models.layouts.LayoutDOM]

Build process tree from data and plot a tree.

Parameters:
  • data (pd.DataFrame) – Windows process creation or Linux Auditd events
  • schema (ProcSchema) – The data schema to use for the data set, by default None (if None the schema is inferred)
  • output_var (str, optional) – Output variable for selected items in the tree, by default None
  • legend_col (str, optional) – The column used to color the tree items, by default None
  • kwargs (Dict[str, Any]) – Additional arguments passed to plot_process_tree
Returns:

figure - The main bokeh.plotting.figure
Layout - Bokeh layout structure.

Return type:

Tuple[figure, LayoutDOM]

msticpy.nbtools.process_tree.plot_process_tree(data: pandas.core.frame.DataFrame, schema: msticpy.sectools.process_tree_utils.ProcSchema = None, output_var: str = None, legend_col: str = None, show_table: bool = False, **kwargs) → Tuple[bokeh.plotting.figure.figure, bokeh.models.layouts.LayoutDOM]

Plot a Process Tree Visualization.

Parameters:
  • data (pd.DataFrame) – DataFrame containing one or more Process Trees
  • schema (ProcSchema, optional) – The data schema to use for the data set, by default None (if None the schema is inferred)
  • output_var (str, optional) – Output variable for selected items in the tree, by default None
  • legend_col (str, optional) – The column used to color the tree items, by default None
  • show_table (bool) – Set to True to show a data table, by default False.
Other Parameters:
 
  • height (int, optional) – The height of the plot figure (the default is 700)
  • width (int, optional) – The width of the plot figure (the default is 900)
  • title (str, optional) – Title to display (the default is None)
Returns:

figure - The main bokeh.plotting.figure
Layout - Bokeh layout structure.

Return type:

Tuple[figure, LayoutDOM]

Raises:

ProcessTreeSchemaException – If the data set schema is not valid for the plot.

Notes

The output_var variable will be overwritten with any selected values.

msticpy.nbtools.timeseries module

Module for common display functions.

msticpy.nbtools.timeseries.display_timeseries_anomolies(data: pandas.core.frame.DataFrame, y: str = 'Total', time_column: str = 'TimeGenerated', anomalies_column: str = 'anomalies', source_columns: list = None, period: int = 30, **kwargs) → bokeh.plotting.figure.figure

Display time series anomalies visualization.

Parameters:
  • data (pd.DataFrame) – DataFrame as a time series data set retrieved from KQL time series functions. The DataFrame must have the columns specified in the y, time_column and anomalies_column parameters
  • y (str, optional) – Name of column holding numeric values to plot against the time series to determine anomalies (the default is ‘Total’)
  • time_column (str, optional) – Name of the timestamp column (the default is ‘TimeGenerated’)
  • anomalies_column (str, optional) – Name of the column holding binary status(1/0) for anomaly/benign (the default is ‘anomalies’)
  • source_columns (list, optional) – List of default source columns to use in tooltips (the default is None)
  • period (int, optional) – Period of the data set: for hourly data the number of days, for daily data the number of weeks. This is used to correctly calculate the plot height. (the default is 30)
Other Parameters:
 
  • ref_time (datetime, optional) – Input reference line to display (the default is None)
  • title (str, optional) – Title to display (the default is None)
  • legend (str, optional) – Where to position the legend None, left, right or inline (default is None)
  • yaxis (bool, optional) – Whether to show the yaxis and labels
  • range_tool (bool, optional) – Show the range slider tool (default is True)
  • height (int, optional) – The height of the plot figure (the default is auto-calculated height)
  • width (int, optional) – The width of the plot figure (the default is 900)
  • xgrid (bool, optional) – Whether to show the xaxis grid (default is True)
  • ygrid (bool, optional) – Whether to show the yaxis grid (default is False)
  • color (list, optional) – List of three colors used, in order, for the three plots: line (observed), circle (baseline), circle_x or user-specified glyph (anomalies). (the default is [“navy”, “green”, “firebrick”])
Returns:

The bokeh plot figure.

Return type:

figure

msticpy.nbtools.timeline module

Module for common display functions.

class msticpy.nbtools.timeline.ProcessTreeAccessor(pandas_obj)

Bases: object

Pandas api extension for Timeline.

Instantiate pandas extension class.

plot(**kwargs) → bokeh.plotting.figure.figure

Display a timeline of events.

Parameters:
  • time_column (str, optional) – Name of the timestamp column (the default is ‘TimeGenerated’)
  • source_columns (list, optional) – List of default source columns to use in tooltips (the default is None)
Other Parameters:
 
  • title (str, optional) – Title to display (the default is None)
  • alert (SecurityAlert, optional) – Add a reference line/label using the alert time (the default is None)
  • ref_event (Any, optional) – Add a reference line/label using the alert time (the default is None)
  • ref_time (datetime, optional) – Add a reference line/label using ref_time (the default is None)
  • group_by (str) – (where data is a DataFrame) The column to group timelines on
  • legend (str, optional) – “left”, “right”, “inline” or “none” (the default is to show a legend when plotting multiple series and not to show one when plotting a single series)
  • yaxis (bool, optional) – Whether to show the yaxis and labels (default is False)
  • ygrid (bool, optional) – Whether to show the yaxis grid (default is False)
  • xgrid (bool, optional) – Whether to show the xaxis grid (default is True)
  • range_tool (bool, optional) – Show the range slider tool (default is True)
  • height (int, optional) – The height of the plot figure (the default is auto-calculated height)
  • width (int, optional) – The width of the plot figure (the default is 900)
  • color (str) – Default series color (default is “navy”)
  • overlay_color (str) – Overlay series color (default is “green”)
Returns:

The bokeh plot figure.

Return type:

figure

plot_values(y: str, **kwargs) → bokeh.plotting.figure.figure

Display a timeline of events.

Parameters:
  • time_column (str, optional) – Name of the timestamp column (the default is ‘TimeGenerated’)
  • y (str) – The column name holding the value to plot vertically
  • source_columns (list, optional) – List of default source columns to use in tooltips (the default is None)
Other Parameters:
 
  • x (str, optional) – alias of time_column
  • title (str, optional) – Title to display (the default is None)
  • ref_event (Any, optional) – Add a reference line/label using the alert time (the default is None)
  • ref_time (datetime, optional) – Add a reference line/label using ref_time (the default is None)
  • group_by (str) – (where data is a DataFrame) The column to group timelines on
  • legend (str, optional) – “left”, “right”, “inline” or “none” (the default is to show a legend when plotting multiple series and not to show one when plotting a single series)
  • yaxis (bool, optional) – Whether to show the yaxis and labels
  • range_tool (bool, optional) – Show the range slider tool (default is True)
  • height (int, optional) – The height of the plot figure (the default is auto-calculated height)
  • width (int, optional) – The width of the plot figure (the default is 900)
  • color (str) – Default series color (default is “navy”). This is overridden by automatic color assignments if plotting a grouped chart
  • kind (Union[str, List[str]], optional) – One or more glyph types to plot. Supported types are “circle”, “line” and “vbar” (default is “vbar”)
Returns:

The bokeh plot figure.

Return type:

figure

msticpy.nbtools.timeline.display_timeline(data: Union[pandas.core.frame.DataFrame, dict], time_column: str = 'TimeGenerated', source_columns: list = None, **kwargs) → bokeh.plotting.figure.figure

Display a timeline of events.

Parameters:
  • data (Union[dict, pd.DataFrame]) –

    Either dict of data sets to plot on the timeline with the following structure:

    Key (str) - Name of data set to be displayed in legend
    Value (Dict[str, Any]) - containing:
        data (pd.DataFrame) - Data to plot
        time_column (str, optional) - Name of the timestamp column
        source_columns (list[str], optional) - source columns to use
            in tooltips
        color (str, optional) - color of datapoints for this data
    If any of the last values are omitted, they default to the values
    supplied as parameters to the function (see below)
    

    Or DataFrame as a single data set or grouped into individual plot series using the group_by parameter

  • time_column (str, optional) – Name of the timestamp column (the default is ‘TimeGenerated’)
  • source_columns (list, optional) – List of default source columns to use in tooltips (the default is None)
Other Parameters:
 
  • title (str, optional) – Title to display (the default is None)
  • alert (SecurityAlert, optional) – Add a reference line/label using the alert time (the default is None)
  • ref_event (Any, optional) – Add a reference line/label using the alert time (the default is None)
  • ref_time (datetime, optional) – Add a reference line/label using ref_time (the default is None)
  • group_by (str) – (where data is a DataFrame) The column to group timelines on
  • legend (str, optional) – “left”, “right”, “inline” or “none” (the default is to show a legend when plotting multiple series and not to show one when plotting a single series)
  • yaxis (bool, optional) – Whether to show the yaxis and labels (default is False)
  • ygrid (bool, optional) – Whether to show the yaxis grid (default is False)
  • xgrid (bool, optional) – Whether to show the xaxis grid (default is True)
  • range_tool (bool, optional) – Show the range slider tool (default is True)
  • height (int, optional) – The height of the plot figure (the default is auto-calculated height)
  • width (int, optional) – The width of the plot figure (the default is 900)
  • color (str) – Default series color (default is “navy”)
  • overlay_color (str) – Overlay series color (default is “green”)
Returns:

The bokeh plot figure.

Return type:

figure

msticpy.nbtools.timeline.display_timeline_values(data: pandas.core.frame.DataFrame, y: str, time_column: str = 'TimeGenerated', source_columns: list = None, **kwargs) → bokeh.plotting.figure.figure

Display a timeline of events.

Parameters:
  • data (pd.DataFrame) – DataFrame as a single data set or grouped into individual plot series using the group_by parameter
  • time_column (str, optional) – Name of the timestamp column (the default is ‘TimeGenerated’)
  • y (str) – The column name holding the value to plot vertically
  • source_columns (list, optional) – List of default source columns to use in tooltips (the default is None)
Other Parameters:
 
  • x (str, optional) – alias of time_column
  • title (str, optional) – Title to display (the default is None)
  • ref_event (Any, optional) – Add a reference line/label using the alert time (the default is None)
  • ref_time (datetime, optional) – Add a reference line/label using ref_time (the default is None)
  • group_by (str) – (where data is a DataFrame) The column to group timelines on
  • legend (str, optional) – “left”, “right”, “inline” or “none” (the default is to show a legend when plotting multiple series and not to show one when plotting a single series)
  • yaxis (bool, optional) – Whether to show the yaxis and labels
  • range_tool (bool, optional) – Show the range slider tool (default is True)
  • height (int, optional) – The height of the plot figure (the default is auto-calculated height)
  • width (int, optional) – The width of the plot figure (the default is 900)
  • color (str) – Default series color (default is “navy”). This is overridden by automatic color assignments if plotting a grouped chart
  • kind (Union[str, List[str]], optional) – One or more glyph types to plot. Supported types are “circle”, “line” and “vbar” (default is “vbar”)
Returns:

The bokeh plot figure.

Return type:

figure

Module contents

Jupyter Notebook Security Tools.