msticpy.transform.proc_tree_schema module

Process Tree Schema module for Process Tree Visualization.

class msticpy.transform.proc_tree_schema.ColNames

Bases: object

Class to hold constant column names.

EffectiveLogonId = 'EffectiveLogonId'

EffectiveLogonId_par = 'EffectiveLogonId_par'

new_process_lc = 'new_process_lc'

new_process_lc_par = 'new_process_lc_par'

parent_key = 'parent_key'

parent_proc_lc = 'parent_proc_lc'

proc_key = 'proc_key'

source_index = 'source_index'

source_index_par = 'source_index_par'

timestamp_orig_par = 'timestamp_orig_par'

class msticpy.transform.proc_tree_schema.ProcSchema(process_name: str, process_id: str, parent_id: str, time_stamp: str, cmd_line: Optional[str] = None, path_separator: str = '\\', user_name: Optional[str] = None, logon_id: Optional[str] = None, host_name_column: Optional[str] = None, parent_name: Optional[str] = None, target_logon_id: Optional[str] = None, user_id: Optional[str] = None, event_id_column: Optional[str] = None, event_id_identifier: Optional[Any] = None)

Bases: object

Property name lookup for Process event schema.

Each property maps a generic column name on to the schema of the input data. Most of these are mandatory, some are optional - not supplying them may result in a less complete tree. The time_stamp column should be supplied although defaults to ‘TimeGenerated’.

Method generated by attrs for class ProcSchema.

classmethod blank_schema_dict() → Dict[str, Any]: Return blank schema dictionary.

cmd_line: Optional[str]

property column_map: Dict[str, str]: Return a dictionary that maps fields to schema names.

property columns: Return list of columns in schema data source.

property event_filter: Any

Return the event type/ID to process for the current schema.

Returns: The value of the event ID to process.
Return type: Any
Raises: ProcessTreeSchemaException – If the schema is not known.

event_id_column: Optional[str]

event_id_identifier: Optional[Any]

property event_type_col: str

Return the column name containing the event identifier.

Returns: The name of the event ID column.
Return type: str
Raises: ProcessTreeSchemaException – If the schema is not known.

get_df_cols(data: DataFrame): Return the subset of columns that are present in data.

property host_name: Optional[str]: Return host name column.

host_name_column: Optional[str]

logon_id: Optional[str]

parent_id: str

parent_name: Optional[str]

path_separator: str

process_id: str

process_name: str

property required_columns: Return columns required for Init.

target_logon_id: Optional[str]

time_stamp: str

user_id: Optional[str]

user_name: Optional[str]

exception msticpy.transform.proc_tree_schema.ProcessTreeSchemaException(*args, help_uri: Optional[Union[Tuple[str, str], str]] = None, **kwargs)

Bases: MsticpyUserError

Custom exception for Process Tree schema.

Create an instance of the MsticpyUserError class.

Parameters

args (Iterable of strings) – Args will be printed as text of the exception.
help_uri (Union[Tuple[str, str], str, None], optional) – Primary URL, by default “https://msticpy.readthedocs.org”
title (str, optional) – If a title keyword argument is supplied it will be used to create the title line.
*_uri (str, optional) – Additional keyword arguments who’s names end in “_uri” will be used to create a list of references in addition to the primary help_uri
display (bool, optional) – Display the exception when created. By default, False

Notes

The exception text is displayed when the exception is created and not when it is raised. We recommend creating the exception within the raise statement. E.g.

raise MsticpyUserException(arg1, arg2…)

Developer note: Any classes derived from MsticpyUserError should be named with an “Error” suffix to distinguish these from standard exception types.

DEF_HELP_URI = ('MSTICPy Process Tree documentation', 'https://msticpy.readthedocs.io/en/latest/visualization/ProcessTree.html')

args

display_exception(): Output the exception HTML or text friendly exception.

property help_uri: Union[Tuple[str, str], str]: Get the default help URI.

classmethod no_display_exceptions(): Context manager to block exception display to IPython/stdout.

with_traceback(): Exception.with_traceback(tb) – set self.__traceback__ to tb and return self.