msticpy.transform.proc_tree_schema module
Process Tree Schema module for Process Tree Visualization.
- class msticpy.transform.proc_tree_schema.ColNames
Bases:
object
Class to hold constant column names.
- EffectiveLogonId: str = 'EffectiveLogonId'
- EffectiveLogonId_par: str = 'EffectiveLogonId_par'
- new_process_lc: str = 'new_process_lc'
- new_process_lc_par: str = 'new_process_lc_par'
- parent_key: str = 'parent_key'
- parent_proc_lc: str = 'parent_proc_lc'
- proc_key: str = 'proc_key'
- source_index: str = 'source_index'
- source_index_par: str = 'source_index_par'
- timestamp_orig_par: str = 'timestamp_orig_par'
- class msticpy.transform.proc_tree_schema.ProcSchema(process_name: str, process_id: str, parent_id: str, time_stamp: str, cmd_line: str | None = None, path_separator: str = '\\', user_name: str | None = None, logon_id: str | None = None, host_name_column: str | None = None, parent_name: str | None = None, target_logon_id: str | None = None, user_id: str | None = None, event_id_column: str | None = None, event_id_identifier: Any | None = None)
Bases:
object
Property name lookup for Process event schema.
Each property maps a generic column name on to the schema of the input data. Most of these are mandatory, some are optional - not supplying them may result in a less complete tree. The time_stamp column should be supplied although defaults to ‘TimeGenerated’.
- classmethod blank_schema_dict() dict[str, Any]
Return blank schema dictionary.
- cmd_line: str | None = None
- property column_map: dict[str, str]
Return a dictionary that maps fields to schema names.
- property columns: list[str]
Return list of columns in schema data source.
- property event_filter: Any
Return the event type/ID to process for the current schema.
- Returns:
The value of the event ID to process.
- Return type:
Any
- Raises:
ProcessTreeSchemaException – If the schema is not known.
- event_id_column: str | None = None
- event_id_identifier: Any | None = None
- property event_type_col: str
Return the column name containing the event identifier.
- Returns:
The name of the event ID column.
- Return type:
str
- Raises:
ProcessTreeSchemaException – If the schema is not known.
- property host_name: str | None
Return host name column.
- host_name_column: str | None = None
- logon_id: str | None = None
- parent_id: str
- parent_name: str | None = None
- path_separator: str = '\\'
- process_id: str
- process_name: str
- property required_columns: list[str]
Return columns required for Init.
- target_logon_id: str | None = None
- time_stamp: str
- user_id: str | None = None
- user_name: str | None = None
- exception msticpy.transform.proc_tree_schema.ProcessTreeSchemaException(*args, help_uri: tuple[str, str] | str | None = None, **kwargs)
Bases:
MsticpyUserError
Custom exception for Process Tree schema.
Create an instance of the MsticpyUserError class.
- Parameters:
args (Iterable of strings) – Args will be printed as text of the exception.
help_uri (Union[tuple[str, str], str, None], optional) – Primary URL, by default “https://msticpy.readthedocs.org”
title (str, optional) – If a title keyword argument is supplied it will be used to create the title line.
*_uri (str, optional) – Additional keyword arguments who’s names end in “_uri” will be used to create a list of references in addition to the primary help_uri
display (bool, optional) – Display the exception when created. By default, False
Notes
The exception text is displayed when the exception is created and not when it is raised. We recommend creating the exception within the raise statement. E.g.
raise MsticpyUserException(arg1, arg2…)
Developer note: Any classes derived from MsticpyUserError should be named with an “Error” suffix to distinguish these from standard exception types.
- DEF_HELP_URI: ClassVar[tuple[str, str]] = ('MSTICPy Process Tree documentation ', 'https://msticpy.readthedocs.io/en/latest/visualization/ProcessTree.html')
- args
- display_exception() None
Output the exception HTML or text friendly exception.
- property help_uri: tuple[str, str] | str
Get the default help URI.
- classmethod no_display_exceptions() Generator[None, Any, None]
Context manager to block exception display to IPython/stdout.
- with_traceback()
Exception.with_traceback(tb) – set self.__traceback__ to tb and return self.