msticpy.transform.proc_tree_build_mde module
Process tree builder routines for MDE process data.
- msticpy.transform.proc_tree_build_mde.convert_mde_schema_to_internal(data, schema, **kwargs)
Convert DeviceProcessEvents schema data to internal MDE schema.
- Parameters:
data (pd.DataFrame) – Input data in MS Sentinel schema.
schema (ProcSchema) – The mapping schema for the data set.
- Returns:
Reformatted data into MDE internal schema.
- Return type:
pd.DataFrame
- msticpy.transform.proc_tree_build_mde.extract_process_tree(data, debug=False)
Build a process tree from raw MDE process logs.
- Parameters:
data (pd.DataFrame) – DataFrame of process events.
debug (bool, optional) – Turn on additional debugging output, by default False.
- Returns:
Process tree DataFrame with child->parent keys and extracted parent processes from child data.
- Return type:
pd.DataFrame