msticpy.vis.process_tree module
Process Tree Visualization.
- class msticpy.vis.process_tree.ProcessTreeAccessor(*args, **kwargs)
Bases: object
Pandas API extension for Process Tree.
Deprecated since version 1.7.0: Will be removed in version 2.0.0
Instantiate pandas extension class.
- build(schema: ProcSchema | None = None, **kwargs) → DataFrame
Build process trees from the process events.
- Parameters:
procs (pd.DataFrame) – Process events (Windows 4688 or Linux Auditd)
schema (ProcSchema, optional) – The column schema to use, by default None. If None, the schema is inferred.
show_summary (bool) – Show a summary of the built tree, by default False.
debug (bool) – If True produces extra debugging output, by default False
- Returns:
Process tree dataframe.
- Return type:
pd.DataFrame
Notes
It is not necessary to call this before plot. The process tree is built automatically. This is only needed if you want to return the processed tree data as a DataFrame.
- plot(**kwargs) → Tuple[figure, bokeh.models.LayoutDOM]
Build and plot a process tree.
- Parameters:
schema (ProcSchema, optional) – The data schema to use for the data set, by default None (if None the schema is inferred)
output_var (str, optional) – Output variable for selected items in the tree, by default None
legend_col (str, optional) – The column used to color the tree items, by default None
show_table (bool) – Set to True to show a data table, by default False.
height (int, optional) – The height of the plot figure (the default is 700)
width (int, optional) – The width of the plot figure (the default is 900)
title (str, optional) – Title to display (the default is None)
hide_legend (bool, optional) – Hide the legend box, even if legend_col is specified.
pid_fmt (str, optional) – Display Process ID as ‘dec’ (decimal), ‘hex’ (hexadecimal), or ‘guid’ (string), default is ‘hex’.
- Returns:
figure – The main bokeh.plotting.figure
Layout – Bokeh layout structure.
- Return type:
Tuple[figure, LayoutDOM]
- class msticpy.vis.process_tree.TreeResult(proc_tree: DataFrame, schema: ProcSchema | None, levels: ndarray | None, n_rows: int)
Bases: NamedTuple
Result tuple for _pre_process_tree.
Create new instance of TreeResult(proc_tree, schema, levels, n_rows)
- count(value, /)
Return number of occurrences of value.
- index(value, start=0, stop=9223372036854775807, /)
Return first index of value.
Raises ValueError if the value is not present.
- n_rows: int
Alias for field number 3
- schema: ProcSchema | None
Alias for field number 1
- msticpy.vis.process_tree.build_and_show_process_tree(data: DataFrame, schema: ProcSchema | Dict[str, Any] | None = None, output_var: str | None = None, legend_col: str | None = None, **kwargs) → Tuple[figure, bokeh.models.LayoutDOM]
Build process tree from data and plot a tree.
- Parameters:
data (pd.DataFrame) – Windows process creation or Linux Auditd events
schema (Union[ProcSchema, Dict[str, Any]], optional) – The column schema to use, by default None. If supplied as a dict it must include definitions for the required fields in the ProcSchema class. If None, the schema is inferred.
output_var (str, optional) – Output variable for selected items in the tree, by default None
legend_col (str, optional) – The column used to color the tree items, by default None
kwargs (Dict[str, Any]) – Additional arguments passed to plot_process_tree
height (int, optional) – The height of the plot figure (the default is 700)
width (int, optional) – The width of the plot figure (the default is 900)
title (str, optional) – Title to display (the default is None)
hide_legend (bool, optional) – Hide the legend box, even if legend_col is specified.
pid_fmt (str, optional) – Display Process ID as ‘dec’ (decimal), ‘hex’ (hexadecimal), or ‘guid’ (string), default is ‘hex’.
- Returns:
figure – The main bokeh.plotting.figure
Layout – Bokeh layout structure.
- Return type:
Tuple[figure, LayoutDOM]
Notes
For full parameter set for process tree display see the help for plot_process_tree.
See also: msticpy.vis.process_tree.plot_process_tree
- msticpy.vis.process_tree.plot_process_tree(data: DataFrame, schema: ProcSchema | Dict[str, Any] | None = None, output_var: str | None = None, legend_col: str | None = None, show_table: bool = False, **kwargs) → Tuple[figure, bokeh.models.LayoutDOM]
Plot a Process Tree Visualization.
- Parameters:
data (pd.DataFrame) – DataFrame containing one or more Process Trees
schema (Union[ProcSchema, Dict[str, Any]], optional) – The column schema to use, by default None. If supplied as a dict it must include definitions for the required fields in the ProcSchema class. If None, the schema is inferred.
output_var (str, optional) – Output variable for selected items in the tree, by default None
legend_col (str, optional) – The column used to color the tree items, by default None
show_table (bool) – Set to True to show a data table, by default False.
height (int, optional) – The height of the plot figure (the default is 700)
width (int, optional) – The width of the plot figure (the default is 900)
title (str, optional) – Title to display (the default is None)
hide_legend (bool, optional) – Hide the legend box, even if legend_col is specified.
pid_fmt (str, optional) – Display Process ID as ‘dec’ (decimal), ‘hex’ (hexadecimal), or ‘guid’ (string), default is ‘hex’.
- Returns:
figure – The main bokeh.plotting.figure
Layout – Bokeh layout structure.
- Return type:
Tuple[figure, LayoutDOM]
- Raises:
ProcessTreeSchemaException – If the data set schema is not valid for the plot.
Notes
The output_var variable will be overwritten with any selected values.
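The following is an added, self-contained example (not msticpy code and not the library's implementation) showing the work that build() and TreeResult describe above: linking Windows 4688-style process-creation events into parent/child trees, assigning each row a tree level, counting rows, and rendering process IDs as 'dec' or 'hex' in the way plot_process_tree's pid_fmt option describes. The ProcEvent, TreeResult, build_tree, format_pid and render_tree names and the SAMPLE_EVENTS records are this example's own constructions; only the 4688 field names (NewProcessId, NewProcessName, ProcessId, ParentProcessName) are real. It also handles the failure mode a real log can produce: PID reuse that makes the parent links cyclic, which would otherwise recurse forever.

```python
# Added example (not part of msticpy): build a process tree from constructed
# Windows 4688-style process-creation records. It mirrors what the page says
# build()/TreeResult do (tree rows, per-row level, row count) and the pid_fmt
# option of plot_process_tree. All names here are this example's own.
from dataclasses import dataclass
from typing import Dict, List, NamedTuple, Optional, Set


@dataclass(frozen=True)
class ProcEvent:
    """One 4688 event. PIDs are hex strings, as the event log records them."""
    NewProcessId: str
    NewProcessName: str
    ProcessId: str           # creator (parent) process id
    ParentProcessName: str
    TimeCreatedUtc: str


class TreeResult(NamedTuple):
    """Same shape as the page's TreeResult, minus the schema field."""
    proc_tree: List[dict]    # rows in depth-first order
    levels: List[int]        # tree depth of each row (0 = root)
    n_rows: int


def format_pid(pid: int, pid_fmt: str = "hex") -> str:
    """Render a PID as pid_fmt describes ('guid' is not modelled here)."""
    if pid_fmt == "dec":
        return str(pid)
    if pid_fmt == "hex":
        return hex(pid)
    raise ValueError(f"unsupported pid_fmt: {pid_fmt!r}")


def build_tree(events: List[ProcEvent]) -> TreeResult:
    """Link children to creators and assign a level to every process.

    A process whose creator is absent from the event set becomes a root.
    PID reuse can make the parent links cyclic, so a visited set guards the
    walk and any process left unreached afterwards is promoted to a root.
    """
    by_pid: Dict[int, ProcEvent] = {int(e.NewProcessId, 16): e for e in events}
    children: Dict[Optional[int], List[int]] = {}
    for pid, ev in by_pid.items():
        parent = int(ev.ProcessId, 16)
        key = parent if parent in by_pid else None   # unknown creator -> root
        children.setdefault(key, []).append(pid)

    rows: List[dict] = []
    levels: List[int] = []
    visited: Set[int] = set()

    def walk(pid: int, level: int) -> None:
        if pid in visited:           # cycle guard (PID reuse)
            return
        visited.add(pid)
        ev = by_pid[pid]
        rows.append({"pid": pid, "name": ev.NewProcessName,
                     "parent_pid": int(ev.ProcessId, 16),
                     "parent_name": ev.ParentProcessName,
                     "time": ev.TimeCreatedUtc})
        levels.append(level)
        for child in sorted(children.get(pid, []),
                            key=lambda p: by_pid[p].TimeCreatedUtc):
            walk(child, level + 1)

    for root in sorted(children.get(None, []),
                       key=lambda p: by_pid[p].TimeCreatedUtc):
        walk(root, 0)
    for pid in sorted(by_pid):       # only reachable through a cycle
        if pid not in visited:
            walk(pid, 0)
    return TreeResult(rows, levels, len(rows))


def render_tree(tree: TreeResult, pid_fmt: str = "hex") -> List[str]:
    """Text rendering: one line per process, indented by its level."""
    return [
        f"{'  ' * lvl}{row['name']} [{format_pid(row['pid'], pid_fmt)}]"
        for row, lvl in zip(tree.proc_tree, tree.levels)
    ]


# Constructed sample events. The creator 0x1fc (userinit.exe) is not in the
# set, so explorer.exe becomes the root of the tree.
SAMPLE_EVENTS = [
    ProcEvent("0x1a4", "explorer.exe", "0x1fc", "userinit.exe", "2024-01-01T08:00:00Z"),
    ProcEvent("0x7d0", "cmd.exe", "0x1a4", "explorer.exe", "2024-01-01T08:01:00Z"),
    ProcEvent("0x9c4", "powershell.exe", "0x7d0", "cmd.exe", "2024-01-01T08:02:00Z"),
    ProcEvent("0xa10", "whoami.exe", "0x9c4", "powershell.exe", "2024-01-01T08:03:00Z"),
    ProcEvent("0xb00", "notepad.exe", "0x1a4", "explorer.exe", "2024-01-01T08:04:00Z"),
]

if __name__ == "__main__":
    tree = build_tree(SAMPLE_EVENTS)
    print("\n".join(render_tree(tree, pid_fmt="dec")))
```

Rows come out in depth-first order with siblings sorted by creation time, so the levels list lines up with the rows exactly as a tree plot would lay them out; the cycle guard is what keeps a reused PID from turning the walk into infinite recursion.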