msticpy.vis.process_tree module

Process Tree Visualization.

class msticpy.vis.process_tree.ProcessTreeAccessor(*args, **kwargs)

Bases: object

Pandas api extension for Process Tree.

Deprecated since version 1.7.0: Will be removed in version 2.0.0

Instantiate pandas extension class.

build(schema: Optional[ProcSchema] = None, **kwargs) → DataFrame

Build process trees from the process events.

Parameters

procs (pd.DataFrame) – Process events (Windows 4688 or Linux Auditd)
schema (ProcSchema, optional) – The column schema to use, by default None If None, then the schema is inferred
show_summary (bool) – Shows summary of the built tree, default is False. : bool
debug (bool) – If True produces extra debugging output, by default False

Returns

Process tree dataframe.

Return type

pd.DataFrame

Notes

It is not necessary to call this before plot. The process tree is built automatically. This is only needed if you want to return the processed tree data as a DataFrame

plot(**kwargs) → Tuple[bokeh.plotting.figure, bokeh.models.LayoutDOM]

Build and plot a process tree.

Parameters

schema (ProcSchema, optional) – The data schema to use for the data set, by default None (if None the schema is inferred)
output_var (str, optional) – Output variable for selected items in the tree, by default None
legend_col (str, optional) – The column used to color the tree items, by default None
show_table (bool) – Set to True to show a data table, by default False.
height (int, optional) – The height of the plot figure (the default is 700)
width (int, optional) – The width of the plot figure (the default is 900)
title (str, optional) – Title to display (the default is None)
hide_legend (bool, optional) – Hide the legend box, even if legend_col is specified.
pid_fmt (str, optional) – Display Process ID as ‘dec’ (decimal) or ‘hex’ (hexadecimal), default is ‘hex’.

Returns

figure - The main bokeh.plotting.figure Layout - Bokeh layout structure.

Return type

Tuple[figure, LayoutDOM]

class msticpy.vis.process_tree.TreeResult(proc_tree, schema, levels, n_rows)

Bases: tuple

Create new instance of TreeResult(proc_tree, schema, levels, n_rows)

count(value, /): Return number of occurrences of value.

index(value, start=0, stop=9223372036854775807, /)

Return first index of value.

Raises ValueError if the value is not present.

levels: Alias for field number 2

n_rows: Alias for field number 3

proc_tree: Alias for field number 0

schema: Alias for field number 1

msticpy.vis.process_tree.build_and_show_process_tree(data: DataFrame, schema: Optional[ProcSchema] = None, output_var: Optional[str] = None, legend_col: Optional[str] = None, **kwargs) → Tuple[bokeh.plotting.figure, bokeh.models.LayoutDOM]

Build process tree from data and plot a tree.

Parameters

data (pd.DataFrame) – Window process creation or Linux Auditd events
schema (ProcSchema) – The data schema to use for the data set, by default None (if None the schema is inferred)
output_var (str, optional) – Output variable for selected items in the tree, by default None
legend_col (str, optional) – The column used to color the tree items, by default None
kwargs (Dict[str, Any]) – Additional arguments passed to plot_process_tree
height (int, optional) – The height of the plot figure (the default is 700)
width (int, optional) – The width of the plot figure (the default is 900)
title (str, optional) – Title to display (the default is None)
hide_legend (bool, optional) – Hide the legend box, even if legend_col is specified.
pid_fmt (str, optional) – Display Process ID as ‘dec’ (decimal) or ‘hex’ (hexadecimal), default is ‘hex’.

Returns

figure - The main bokeh.plotting.figure Layout - Bokeh layout structure.

Return type

Tuple[figure, LayoutDOM]

Notes

For full parameter set for process tree display see the help for plot_process_tree.