msticpy.transform.proc_tree_schema module

Process Tree Schema module for Process Tree Visualization.

class msticpy.transform.proc_tree_schema.ColNames

Bases: object

Class to hold constant column names.

EffectiveLogonId: str = 'EffectiveLogonId'
EffectiveLogonId_par: str = 'EffectiveLogonId_par'
new_process_lc: str = 'new_process_lc'
new_process_lc_par: str = 'new_process_lc_par'
parent_key: str = 'parent_key'
parent_proc_lc: str = 'parent_proc_lc'
proc_key: str = 'proc_key'
source_index: str = 'source_index'
source_index_par: str = 'source_index_par'
timestamp_orig_par: str = 'timestamp_orig_par'
class msticpy.transform.proc_tree_schema.ProcSchema(process_name: str, process_id: str, parent_id: str, time_stamp: str, cmd_line: str | None = None, path_separator: str = '\\', user_name: str | None = None, logon_id: str | None = None, host_name_column: str | None = None, parent_name: str | None = None, target_logon_id: str | None = None, user_id: str | None = None, event_id_column: str | None = None, event_id_identifier: Any | None = None)

Bases: object

Property name lookup for Process event schema.

Each property maps a generic column name on to the schema of the input data. Most of these are mandatory, some are optional - not supplying them may result in a less complete tree. The time_stamp column should be supplied although defaults to ‘TimeGenerated’.

Method generated by attrs for class ProcSchema.

classmethod blank_schema_dict() dict[str, Any]

Return blank schema dictionary.

cmd_line: str | None
property column_map: dict[str, str]

Return a dictionary that maps fields to schema names.

property columns: list[str]

Return list of columns in schema data source.

property event_filter: Any

Return the event type/ID to process for the current schema.

Returns:

The value of the event ID to process.

Return type:

Any

Raises:

ProcessTreeSchemaException – If the schema is not known.

event_id_column: str | None
event_id_identifier: Any | None
property event_type_col: str

Return the column name containing the event identifier.

Returns:

The name of the event ID column.

Return type:

str

Raises:

ProcessTreeSchemaException – If the schema is not known.

get_df_cols(data: DataFrame) list[str]

Return the subset of columns that are present in data.

property host_name: str | None

Return host name column.

host_name_column: str | None
logon_id: str | None
parent_id: str
parent_name: str | None
path_separator: str
process_id: str
process_name: str
property required_columns: list[str]

Return columns required for Init.

target_logon_id: str | None
time_stamp: str
user_id: str | None
user_name: str | None
exception msticpy.transform.proc_tree_schema.ProcessTreeSchemaException(*args, help_uri: tuple[str, str] | str | None = None, **kwargs)

Bases: MsticpyUserError

Custom exception for Process Tree schema.

Create an instance of the MsticpyUserError class.

Parameters:
  • args (Iterable of strings) – Args will be printed as text of the exception.

  • help_uri (Union[tuple[str, str], str, None], optional) – Primary URL, by default “https://msticpy.readthedocs.org

  • title (str, optional) – If a title keyword argument is supplied it will be used to create the title line.

  • *_uri (str, optional) – Additional keyword arguments who’s names end in “_uri” will be used to create a list of references in addition to the primary help_uri

  • display (bool, optional) – Display the exception when created. By default, False

Notes

The exception text is displayed when the exception is created and not when it is raised. We recommend creating the exception within the raise statement. E.g.

raise MsticpyUserException(arg1, arg2…)

Developer note: Any classes derived from MsticpyUserError should be named with an “Error” suffix to distinguish these from standard exception types.

DEF_HELP_URI: ClassVar[tuple[str, str]] = ('MSTICPy Process Tree documentation ', 'https://msticpy.readthedocs.io/en/latest/visualization/ProcessTree.html')
args
display_exception() None

Output the exception HTML or text friendly exception.

property help_uri: tuple[str, str] | str

Get the default help URI.

classmethod no_display_exceptions() Generator[None, Any, None]

Context manager to block exception display to IPython/stdout.

with_traceback()

Exception.with_traceback(tb) – set self.__traceback__ to tb and return self.