msticpy.analysis.anomalous_sequence.utils.data_structures module
Useful helper data structure classes for modelling sessions.
- class msticpy.analysis.anomalous_sequence.utils.data_structures.Cmd(name: str, params: set | dict)
Bases:
object
Class to store commands with accompanying params (and optionally values).
Instantiate the Cmd class.
- Parameters:
name (str) – name of the command. e.g. for Exchange online: “Set-Mailbox”
params (Union[set, dict]) –
set of accompanying params or dict of accompanying params and values. e.g.:
{'Identity', 'ForwardingEmailAddress'}
or:
{'Identity': 'some identity', 'ForwardingEmailAddress': 'an_email@email.com'}
- class msticpy.analysis.anomalous_sequence.utils.data_structures.StateMatrix(states: dict | defaultdict, unk_token: str)
Bases:
dict
Class for storing trained counts/probabilities.
Container for a dict of counts/probabilities, or a dict of dicts of conditional counts/probabilities.
If you try to retrieve the count/probability for an unseen command/param/value from the resulting object, it will return the value associated with the unk_token key.
- Parameters:
states (Union[dict, defaultdict]) –
Either a dict representing counts or probabilities. Or a dict of dicts representing conditional counts or conditional probabilities. E.g.:
{'Set-Mailbox': 20, '##UNK##': 1}
or:
{'Set-Mailbox': {'Set-Mailbox': 5, '##UNK##': 1}, '##UNK##': {'Set-Mailbox': 1, '##UNK##': 1}}
unk_token (str) – dummy token to signify an unseen command (e.g. “##UNK##”). This token must be present in the keys of states; if states is a dict of dicts, it must be present in the keys of the outer dict and of every inner dict.
- clear() -> None. Remove all items from D.
- copy() -> a shallow copy of D
- fromkeys(value=None, /)
Create a new dictionary with keys from iterable and values set to value.
- get(key, default=None, /)
Return the value for key if key is in the dictionary, else default.
- items() -> a set-like object providing a view on D's items
- keys() -> a set-like object providing a view on D's keys
- pop(k[, d]) -> v, remove specified key and return the corresponding value.
If key is not found, default is returned if given, otherwise KeyError is raised.
- popitem()
Remove and return a (key, value) pair as a 2-tuple.
Pairs are returned in LIFO (last-in, first-out) order. Raises KeyError if the dict is empty.
- setdefault(key, default=None, /)
Insert key with a value of default if key is not in the dictionary.
Return the value for key if key is in the dictionary, else default.
- update([E, ]**F) -> None. Update D from dict/iterable E and F.
If E is present and has a .keys() method, then does: for k in E: D[k] = E[k]
If E is present and lacks a .keys() method, then does: for k, v in E: D[k] = v
In either case, this is followed by: for k in F: D[k] = F[k]
- values() -> an object providing a view on D's values
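As an added example (not msticpy's own code), the unk_token fallback documented for StateMatrix above, reproduced in a small stand-in dict subclass and used to score a constructed Exchange Online session under a first-order Markov model; the Cmd stand-in, the probabilities and the session_log_likelihood function are assumptions for illustration only.

```python
import math
from typing import Union


class Cmd:
    """Stand-in for the documented Cmd class: a command name plus its params."""

    def __init__(self, name: str, params: Union[set, dict]):
        self.name = name
        self.params = params


class StateMatrix(dict):
    """Stand-in reproducing the documented fallback: any unseen key (at either
    level of a dict of dicts) resolves to the entry stored under unk_token."""

    def __init__(self, states: dict, unk_token: str):
        if unk_token not in states:
            raise ValueError(f"unk_token {unk_token!r} must be a key of states")
        # Wrap inner dicts so second-level lookups fall back as well.
        super().__init__({k: StateMatrix(v, unk_token) if isinstance(v, dict) else v
                          for k, v in states.items()})
        self.unk_token = unk_token

    def __missing__(self, key):
        # dict.__getitem__ calls this only for absent keys; dict.get() bypasses
        # __missing__, so only m[key] subscript lookups get the fallback.
        return self[self.unk_token]


def session_log_likelihood(session: list, prior: StateMatrix, trans: StateMatrix) -> float:
    """log P(first cmd) + sum of log P(next | previous); unseen commands map to UNK."""
    names = [cmd.name for cmd in session]
    score = math.log(prior[names[0]])
    for prev, cur in zip(names, names[1:]):
        score += math.log(trans[prev][cur])
    return score


# Constructed probabilities for a toy Exchange Online model (not real data).
UNK = "##UNK##"
PRIOR = StateMatrix({"Set-Mailbox": 0.6, "Get-Mailbox": 0.3, UNK: 0.1}, UNK)
TRANS = StateMatrix({
    "Set-Mailbox": {"Set-Mailbox": 0.5, "Get-Mailbox": 0.4, UNK: 0.1},
    "Get-Mailbox": {"Set-Mailbox": 0.7, "Get-Mailbox": 0.2, UNK: 0.1},
    UNK: {"Set-Mailbox": 0.3, "Get-Mailbox": 0.3, UNK: 0.4},
}, UNK)
SESSION = [Cmd("Get-Mailbox", {"Identity"}),
           Cmd("Set-Mailbox", {"Identity", "ForwardingEmailAddress"}),
           Cmd("New-InboxRule", {"Name"})]  # New-InboxRule is unseen -> UNK
```

A low score on a session that contains commands the model never saw is therefore driven by the UNK entries, so the probability assigned to unk_token in training directly sets how anomalous unseen commands look.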