msticpy.analysis.observationlist module

Observation summary collector.

class msticpy.analysis.observationlist.Observation(caption: str, data: Any, description: Optional[str] = None, data_type: Optional[str] = None, link: Optional[str] = None, score: int = 0, tags: List[str] = _Nothing.NOTHING, additional_properties: Dict[str, Any] = _Nothing.NOTHING, timestamp: Optional[datetime] = None, time_span: Optional[TimeSpan] = None, time_column: Optional[str] = None, filter: Optional[str] = None, schema: Optional[str] = None)

Bases: object

Observation definition.

Notes

captionstr: The title and index of the observation. Must be unique in the observation set.
descriptionOptional[str]: Text description of the observation. (default is None)
dataAny: The data to be stored for the observation (e.g. a pandas DataFrame). The object should implement a useable __repr__ to display correctly.
data_typeOptional[str]: The data type of the data property
linkOptional[str]: Link (usually a document-local link) to the originating section of the notebook. (default is None)
scoreint: The risk score associated with the observation. (default is 0)
tagsList[str]: Optional list of tags.
additional_properties Dict[str, Any]: Additional properties not covered by core properties.

Method generated by attrs for class Observation.

additional_properties: Dict[str, Any]

classmethod all_fields() → Set[str]

Return all fields of Observation class.

Returns: Set of all field names.
Return type: Set[str]

caption: str

data: Any

data_type: Optional[str]

description: Optional[str]

display(): Display the observation.

filter: Optional[str]

property filtered_data: Any: Apply filtering to data if it is a DataFrame.

link: Optional[str]

classmethod required_fields() → List[str]

Return required fields for Observation instance.

Returns: List of field names.
Return type: List[str]

schema: Optional[str]

score: int

tags: List[str]

time_column: Optional[str]

time_span: Optional[TimeSpan]

timestamp: Optional[datetime]

class msticpy.analysis.observationlist.Observations(observationlist: Optional[Observations] = None)

Bases: object

Class to collect and display investigation observations.

Create an observation list.

Parameters: observationlist (Observations, optional) – Initialize from an existing Observations list (the default is None)

add_observation(observation: Optional[Observation] = None, **kwargs)

Add an observation.

Add an observation as an Observation instance or as a set of keyword parameters (see Observation class for acceptable values). Any keyword parameters that are not properties of Observation will be stored in the Observation.additional_properties dictionary

Parameters

observation (Observation) – An observation instance.
kwargs (str, Any) – List of key value pairs of the property names and values of the Observation to be stored.

display_observations(): Display the current observations using IPython.display.

property observations: Mapping[str, Observation]

Return the current list of Observations.

Returns: The current ordered dictionary of Observations
Return type: Mapping[str, Observation]