msticpy.analysis.observationlist module

Observation summary collector.

class msticpy.analysis.observationlist.Observation(caption, data, description=None, data_type=None, link=None, score=0, tags=NOTHING, additional_properties=NOTHING, timestamp=None, time_span=None, time_column=None, filter=None, schema=None)

Bases: object

Observation definition.

Notes

caption : str

The title and index of the observation. Must be unique in the observation set.

description : Optional[str]

Text description of the observation. (default is None)

data : Any

The data to be stored for the observation (e.g. a pandas DataFrame). The object should implement a usable __repr__ to display correctly.

data_type : Optional[str]

The data type of the data property.

link : Optional[str]

Link (usually a document-local link) to the originating section of the notebook. (default is None)

score : int

The risk score associated with the observation. (default is 0)

tags : List[str]

Optional list of tags.

additional_properties : Dict[str, Any]

Additional properties not covered by the core properties.

Method generated by attrs for class Observation.

Parameters:
  • caption (str)

  • data (Any)

  • description (str | None)

  • data_type (str | None)

  • link (str | None)

  • score (int)

  • tags (list[str])

  • additional_properties (dict[str, Any])

  • timestamp (datetime | None)

  • time_span (TimeSpan | None)

  • time_column (str | None)

  • filter (str | None)

  • schema (str | None)

additional_properties: dict[str, Any]

classmethod all_fields()

Return all fields of Observation class.

Returns:

Set of all field names.

Return type:

Set[str]

caption: str

data: Any

data_type: str | None

description: str | None

display()

Display the observation.

filter: str | None

property filtered_data: Any

Apply filtering to data if it is a DataFrame.

classmethod required_fields()

Return required fields for Observation instance.

Returns:

List of field names.

Return type:

List[str]

schema: str | None

score: int

tags: list[str]

time_column: str | None

time_span: TimeSpan | None

timestamp: datetime | None

class msticpy.analysis.observationlist.Observations(observationlist=None)

Bases: object

Class to collect and display investigation observations.

Create an observation list.

Parameters:

observationlist (Observations, optional) – Initialize from an existing Observations list. (the default is None)

add_observation(observation=None, **kwargs)

Add an observation.

Add an observation either as an Observation instance or as a set of keyword parameters (see the Observation class for acceptable values). Any keyword parameters that are not properties of Observation are stored in the Observation.additional_properties dictionary.

Parameters:
  • observation (Observation) – An observation instance.

  • kwargs (str, Any) – Key-value pairs of Observation property names and the values to be stored.
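The following is an added, self-contained illustration of the behaviour described above (instance form versus keyword form, and the routing of unknown keywords into additional_properties). It is not msticpy's code: the Observation and Observations classes here are dataclass stand-ins that model only the documented fields and methods, the sample sign-in rows are constructed, and ranked_by_score, build_investigation and the duplicate-caption error are assumptions made for the example (the page only states that captions must be unique).

```python
from dataclasses import dataclass, field, fields
from typing import Any, Dict, List, Optional


@dataclass
class Observation:
    """Stand-in for the documented Observation record (not msticpy's class)."""

    caption: str
    data: Any
    description: Optional[str] = None
    data_type: Optional[str] = None
    link: Optional[str] = None
    score: int = 0
    tags: List[str] = field(default_factory=list)
    additional_properties: Dict[str, Any] = field(default_factory=dict)

    @classmethod
    def all_fields(cls) -> set:
        """Names of every core field, mirroring Observation.all_fields()."""
        return {f.name for f in fields(cls)}

    @classmethod
    def required_fields(cls) -> List[str]:
        """Fields without defaults, mirroring Observation.required_fields()."""
        return ["caption", "data"]


class Observations:
    """Stand-in collector keyed by caption, modelling the documented behaviour."""

    def __init__(self) -> None:
        self.observation_list: Dict[str, Observation] = {}

    def add_observation(
        self, observation: Optional[Observation] = None, **kwargs: Any
    ) -> Observation:
        if observation is None:
            # Keyword form: required fields must be present ...
            missing = [n for n in Observation.required_fields() if n not in kwargs]
            if missing:
                raise ValueError(f"missing required observation fields: {missing}")
            # ... core fields build the record, everything else is an extra property.
            core_names = Observation.all_fields()
            core = {k: v for k, v in kwargs.items() if k in core_names}
            extra = {k: v for k, v in kwargs.items() if k not in core_names}
            observation = Observation(**core)
            observation.additional_properties.update(extra)
        # Assumption for this example: a repeated caption is an error, not an overwrite.
        if observation.caption in self.observation_list:
            raise ValueError(f"duplicate caption: {observation.caption!r}")
        self.observation_list[observation.caption] = observation
        return observation

    @property
    def observations(self) -> Dict[str, Observation]:
        return dict(self.observation_list)

    def ranked_by_score(self) -> List[Observation]:
        """Highest-risk observations first; insertion order breaks ties (hypothetical helper)."""
        return sorted(self.observation_list.values(), key=lambda obs: -obs.score)


# Constructed sample rows standing in for a sign-in DataFrame (not real data).
SIGNIN_ROWS = [
    {"account": "alice", "ip": "203.0.113.10", "result": "Failure"},
    {"account": "alice", "ip": "203.0.113.10", "result": "Failure"},
    {"account": "alice", "ip": "203.0.113.10", "result": "Success"},
]


def build_investigation() -> Observations:
    """Collect observations the way an investigation notebook would."""
    obs = Observations()
    # Keyword form: 'analyst' and 'ticket' are not Observation fields,
    # so they land in additional_properties.
    obs.add_observation(
        caption="Failed sign-ins before success",
        data=[row for row in SIGNIN_ROWS if row["result"] == "Failure"],
        data_type="list",
        score=7,
        tags=["credential-access", "signin"],
        analyst="ir-oncall",
        ticket="PLACEHOLDER-TICKET-ID",
    )
    # Instance form: a pre-built Observation is stored as-is.
    obs.add_observation(
        Observation(caption="Source IP summary", data={"203.0.113.10": 3}, score=3)
    )
    return obs


if __name__ == "__main__":
    for item in build_investigation().ranked_by_score():
        print(item.score, item.caption, item.additional_properties)
```

Keying the collector by caption is what makes the uniqueness requirement matter: two observations with the same caption would otherwise silently collapse into one entry, and a summary that drops the higher-scoring finding is a worse outcome than a loud failure while the notebook is being written.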

display_observations()

Display the current observations using IPython.display.

observation_list: dict[str, Observation]
property observations: Mapping[str, Observation]

Return the current list of Observations.

Returns:

The current ordered dictionary of Observations.

Return type:

Mapping[str, Observation]