msticpy.analysis.polling_detection module
Polling detection module.
This module is used to highlight edges that are highly periodic and likely to be generated automatically. The periodic edges could be software polling a server for updates or malware beaconing and checking for instructions.
There is currently only one technique available for detecting polling data, implemented by the class PeriodogramPollingDetector.
- class msticpy.analysis.polling_detection.PeriodogramPollingDetector(data: DataFrame, copy: bool = False)
Bases:
object
Polling detector using the Periodogram to detect strong frequencies.
- data
Dataframe containing the data to be analysed. Must contain a column of edges and a column of timestamps
- Type:
DataFrame
Create periodogram polling detector.
- Parameters:
data (DataFrame) – Dataframe containing the data to be analysed. Must contain a column of edges and a column of timestamps
copy (bool) – A bool to indicate whether to copy the dataframe supplied to data
- detect_polling(time_column: str, groupby: str | List[str] | None = None) None
Detect the time interval which is highly periodic.
Runs PeriodogramPollingDetector._detect_polling_arr on the time_column and populates a p_value column, dominant_frequency column and dominant_interval column.
If groupby column(s) are given then PeriodogramPollingDetector._detect_polling_arr is run on each group separately.
- Parameters:
time_column (str) – The name of the column that contains timestamps
groupby (str or list[str], optional) – Column(s) to group by