Fixing some documentation omissions/errors (#52)

docs/source/Visualization.rst

@@ -9,3 +9,4 @@ Displaying/Visualizing Data
    visualization/ProcessTree
    visualization/NotebookWidgets
    visualization/FoliumMap
+   visualization/TimeSeriesAnomalies

docs/source/data_acquisition/AzureData.rst

@@ -433,12 +433,13 @@ Get Azure Network Details
 
 See :py:meth:`get_network_details <msticpy.data.azure_data.AzureData.get_network_details>`
 
-If your Azure resources has a network interface associated with it (for example a VM) you can return details on the 
+If your Azure resources has a network interface associated with it (for example a VM) you can return details on the
 interface as associated Network Security Group (NSG). Calling this function is very similar to getting resource details
-however instead of passing it a resource ID you provide the network interface ID for the network device you want details 
+however instead of passing it a resource ID you provide the network interface ID for the network device you want details
 for.
 
 .. code:: ipython3
+
     az.get_network_details(networkID=NETWORK_INTERFACE_ID, sub_id=SUBSCRIPTION_ID)
 
 .. note:: If youa are looking for a VM network interface ID you can use get_resource_details to get details on the VM.
@@ -452,21 +453,22 @@ Get Azure Metrics
 
 See :py:meth:`get_metrics <msticpy.data.azure_data.AzureData.get_metrics>`
 
-Azure provides a range of metrics for resources. The types of metrics avaliable depends on the Azure resource in question, 
+Azure provides a range of metrics for resources. The types of metrics avaliable depends on the Azure resource in question,
 a full list of metrics can be found `here <https://docs.microsoft.com/en-us/azure/azure-monitor/platform/metrics-supported>`__.
- 
+
 You can return all of these metrics with get_metrics.
 
 In order to call this function you need to provide the metrics you want to retrieve in a comma seperated string
-e.g. ""Percentage CPU,Disk Read Bytes,Disk Write Bytes", along with the resource ID of the item you wish to retreive 
-the metrics for, and the subscription ID that resource is part of. You can also choose to get the metrics sampled 
-at either the minute or the hour interval, and for how many days preceeding you want metrics for. By default the 
+e.g. ""Percentage CPU,Disk Read Bytes,Disk Write Bytes", along with the resource ID of the item you wish to retreive
+the metrics for, and the subscription ID that resource is part of. You can also choose to get the metrics sampled
+at either the minute or the hour interval, and for how many days preceeding you want metrics for. By default the
 function returns hourly metrics for the last 30 days.
 
 .. code:: ipython3
+
     az.get_metrics(metrics="Percentage CPU", resource_id=resource_details['resource_id'], sub_id=sub_details['Subscription ID'], sample_time="hour", start_time=15)
 
-This returns a dictionary of items with the metric name as they key and a DataFrame of the metrics as the value. 
+This returns a dictionary of items with the metric name as they key and a DataFrame of the metrics as the value.
 
-.. note:: get_metrics is resource specific, so if you want to get metrics from more than one resource you will need 
+.. note:: get_metrics is resource specific, so if you want to get metrics from more than one resource you will need
     seperate function calls.

docs/source/data_analysis/IoCExtract.rst

@@ -450,6 +450,7 @@ add_ioc_type parameters:
     </table>
     </div>
     <br>
+
 extract_df()
 ~~~~~~~~~~~~
 
@@ -492,205 +493,16 @@ to match the type of your index column.
 
 
 
+====  ====================================  ==========================  =========  =======================  ===============  ============================================  =================  ===================  ================  ==============  ===================================  ====================  ===========  ==================================================================  ===========================  ===============  ====================================  =======================  ==========  =======  ============  ===============  =========  ============  =============
+  ..  TenantId                              Account                       EventID  TimeGenerated            Computer         SubjectUserSid                                SubjectUserName    SubjectDomainName    SubjectLogonId    NewProcessId    NewProcessName                       TokenElevationType    ProcessId    CommandLine                                                         ParentProcessName            TargetLogonId    SourceComputerId                      TimeCreatedUtc           NodeRole      Level    ProcessId1    NewProcessId1    IoCType    Observable    SourceIndex
+====  ====================================  ==========================  =========  =======================  ===============  ============================================  =================  ===================  ================  ==============  ===================================  ====================  ===========  ==================================================================  ===========================  ===============  ====================================  =======================  ==========  =======  ============  ===============  =========  ============  =============
+   0  802d39e1-9d70-404d-832c-2de5e2478eda  MSTICAlertsWin1\MSTICAdmin       4688  2019-01-15 05:15:15.677  MSTICAlertsWin1  S-1-5-21-996632719-2361334927-4038480536-500  MSTICAdmin         MSTICAlertsWin1      0xfaac27          0x1580          C:\Diagnostics\UserTmp\ftp.exe       %%1936                0xbc8        .\ftp  -s:C:\RECYCLER\xxppyy.exe                                    C:\Windows\System32\cmd.exe  0x0              46fe7078-61bb-4bed-9430-7ac01d91c273  2019-01-15 05:15:15.677  source            0           nan              nan        nan           nan              0
+   1  802d39e1-9d70-404d-832c-2de5e2478eda  MSTICAlertsWin1\MSTICAdmin       4688  2019-01-15 05:15:16.167  MSTICAlertsWin1  S-1-5-21-996632719-2361334927-4038480536-500  MSTICAdmin         MSTICAlertsWin1      0xfaac27          0x16fc          C:\Diagnostics\UserTmp\reg.exe       %%1936                0xbc8        .\reg  not /domain:everything that /sid:shines is /krbtgt:golden !  C:\Windows\System32\cmd.exe  0x0              46fe7078-61bb-4bed-9430-7ac01d91c273  2019-01-15 05:15:16.167  sibling           1           nan              nan        nan           nan              1
+   2  802d39e1-9d70-404d-832c-2de5e2478eda  MSTICAlertsWin1\MSTICAdmin       4688  2019-01-15 05:15:16.277  MSTICAlertsWin1  S-1-5-21-996632719-2361334927-4038480536-500  MSTICAdmin         MSTICAlertsWin1      0xfaac27          0x1700          C:\Diagnostics\UserTmp\cmd.exe       %%1936                0xbc8        cmd  /c "systeminfo && systeminfo"                                  C:\Windows\System32\cmd.exe  0x0              46fe7078-61bb-4bed-9430-7ac01d91c273  2019-01-15 05:15:16.277  sibling           1           nan              nan        nan           nan              2
+   3  802d39e1-9d70-404d-832c-2de5e2478eda  MSTICAlertsWin1\MSTICAdmin       4688  2019-01-15 05:15:16.340  MSTICAlertsWin1  S-1-5-21-996632719-2361334927-4038480536-500  MSTICAdmin         MSTICAlertsWin1      0xfaac27          0x1728          C:\Diagnostics\UserTmp\rundll32.exe  %%1936                0xbc8        .\rundll32  /C 12345.exe                                            C:\Windows\System32\cmd.exe  0x0              46fe7078-61bb-4bed-9430-7ac01d91c273  2019-01-15 05:15:16.340  sibling           1           nan              nan        nan           nan              3
+   4  802d39e1-9d70-404d-832c-2de5e2478eda  MSTICAlertsWin1\MSTICAdmin       4688  2019-01-15 05:15:16.400  MSTICAlertsWin1  S-1-5-21-996632719-2361334927-4038480536-500  MSTICAdmin         MSTICAlertsWin1      0xfaac27          0x175c          C:\Diagnostics\UserTmp\rundll32.exe  %%1936                0xbc8        .\rundll32  /C c:\users\MSTICAdmin\12345.exe                        C:\Windows\System32\cmd.exe  0x0              46fe7078-61bb-4bed-9430-7ac01d91c273  2019-01-15 05:15:16.400  sibling           1           nan              nan        nan           nan              4
+====  ====================================  ==========================  =========  =======================  ===============  ============================================  =================  ===================  ================  ==============  ===================================  ====================  ===========  ==================================================================  ===========================  ===============  ====================================  =======================  ==========  =======  ============  ===============  =========  ============  =============
 
-.. raw:: html
-
-    <div>
-    <style scoped>
-        .dataframe tbody tr th:only-of-type {
-            vertical-align: middle;
-        }
-
-        .dataframe tbody tr th {
-            vertical-align: top;
-        }
-
-        .dataframe thead th {
-            text-align: right;
-        }
-    </style>
-    <table border="1" class="dataframe">
-      <thead>
-        <tr style="text-align: right;">
-          <th></th>
-          <th>Unnamed: 0</th>
-          <th>TenantId</th>
-          <th>Account</th>
-          <th>EventID</th>
-          <th>TimeGenerated</th>
-          <th>Computer</th>
-          <th>SubjectUserSid</th>
-          <th>SubjectUserName</th>
-          <th>SubjectDomainName</th>
-          <th>SubjectLogonId</th>
-          <th>NewProcessId</th>
-          <th>NewProcessName</th>
-          <th>TokenElevationType</th>
-          <th>ProcessId</th>
-          <th>CommandLine</th>
-          <th>ParentProcessName</th>
-          <th>TargetLogonId</th>
-          <th>SourceComputerId</th>
-          <th>TimeCreatedUtc</th>
-          <th>NodeRole</th>
-          <th>Level</th>
-          <th>ProcessId1</th>
-          <th>NewProcessId1</th>
-          <th>IoCType</th>
-          <th>Observable</th>
-          <th>SourceIndex</th>
-        </tr>
-      </thead>
-      <tbody>
-        <tr>
-          <th>0</th>
-          <td>0</td>
-          <td>802d39e1-9d70-404d-832c-2de5e2478eda</td>
-          <td>MSTICAlertsWin1\MSTICAdmin</td>
-          <td>4688</td>
-          <td>2019-01-15 05:15:15.677</td>
-          <td>MSTICAlertsWin1</td>
-          <td>S-1-5-21-996632719-2361334927-4038480536-500</td>
-          <td>MSTICAdmin</td>
-          <td>MSTICAlertsWin1</td>
-          <td>0xfaac27</td>
-          <td>0x1580</td>
-          <td>C:\Diagnostics\UserTmp\ftp.exe</td>
-          <td>%%1936</td>
-          <td>0xbc8</td>
-          <td>.\ftp  -s:C:\RECYCLER\xxppyy.exe</td>
-          <td>C:\Windows\System32\cmd.exe</td>
-          <td>0x0</td>
-          <td>46fe7078-61bb-4bed-9430-7ac01d91c273</td>
-          <td>2019-01-15 05:15:15.677</td>
-          <td>source</td>
-          <td>0</td>
-          <td>NaN</td>
-          <td>NaN</td>
-          <td>windows_path</td>
-          <td>C:\Diagnostics\UserTmp\ftp.exe</td>
-          <td>0</td>
-        </tr>
-        <tr>
-          <th>1</th>
-          <td>0</td>
-          <td>802d39e1-9d70-404d-832c-2de5e2478eda</td>
-          <td>MSTICAlertsWin1\MSTICAdmin</td>
-          <td>4688</td>
-          <td>2019-01-15 05:15:15.677</td>
-          <td>MSTICAlertsWin1</td>
-          <td>S-1-5-21-996632719-2361334927-4038480536-500</td>
-          <td>MSTICAdmin</td>
-          <td>MSTICAlertsWin1</td>
-          <td>0xfaac27</td>
-          <td>0x1580</td>
-          <td>C:\Diagnostics\UserTmp\ftp.exe</td>
-          <td>%%1936</td>
-          <td>0xbc8</td>
-          <td>.\ftp  -s:C:\RECYCLER\xxppyy.exe</td>
-          <td>C:\Windows\System32\cmd.exe</td>
-          <td>0x0</td>
-          <td>46fe7078-61bb-4bed-9430-7ac01d91c273</td>
-          <td>2019-01-15 05:15:15.677</td>
-          <td>source</td>
-          <td>0</td>
-          <td>NaN</td>
-          <td>NaN</td>
-          <td>windows_path</td>
-          <td>C:\RECYCLER\xxppyy.exe</td>
-          <td>0</td>
-        </tr>
-        <tr>
-          <th>2</th>
-          <td>0</td>
-          <td>802d39e1-9d70-404d-832c-2de5e2478eda</td>
-          <td>MSTICAlertsWin1\MSTICAdmin</td>
-          <td>4688</td>
-          <td>2019-01-15 05:15:15.677</td>
-          <td>MSTICAlertsWin1</td>
-          <td>S-1-5-21-996632719-2361334927-4038480536-500</td>
-          <td>MSTICAdmin</td>
-          <td>MSTICAlertsWin1</td>
-          <td>0xfaac27</td>
-          <td>0x1580</td>
-          <td>C:\Diagnostics\UserTmp\ftp.exe</td>
-          <td>%%1936</td>
-          <td>0xbc8</td>
-          <td>.\ftp  -s:C:\RECYCLER\xxppyy.exe</td>
-          <td>C:\Windows\System32\cmd.exe</td>
-          <td>0x0</td>
-          <td>46fe7078-61bb-4bed-9430-7ac01d91c273</td>
-          <td>2019-01-15 05:15:15.677</td>
-          <td>source</td>
-          <td>0</td>
-          <td>NaN</td>
-          <td>NaN</td>
-          <td>windows_path</td>
-          <td>.\ftp</td>
-          <td>0</td>
-        </tr>
-        <tr>
-          <th>3</th>
-          <td>1</td>
-          <td>802d39e1-9d70-404d-832c-2de5e2478eda</td>
-          <td>MSTICAlertsWin1\MSTICAdmin</td>
-          <td>4688</td>
-          <td>2019-01-15 05:15:16.167</td>
-          <td>MSTICAlertsWin1</td>
-          <td>S-1-5-21-996632719-2361334927-4038480536-500</td>
-          <td>MSTICAdmin</td>
-          <td>MSTICAlertsWin1</td>
-          <td>0xfaac27</td>
-          <td>0x16fc</td>
-          <td>C:\Diagnostics\UserTmp\reg.exe</td>
-          <td>%%1936</td>
-          <td>0xbc8</td>
-          <td>.\reg  not /domain:everything that /sid:shines is /krbtgt:golden !</td>
-          <td>C:\Windows\System32\cmd.exe</td>
-          <td>0x0</td>
-          <td>46fe7078-61bb-4bed-9430-7ac01d91c273</td>
-          <td>2019-01-15 05:15:16.167</td>
-          <td>sibling</td>
-          <td>1</td>
-          <td>NaN</td>
-          <td>NaN</td>
-          <td>windows_path</td>
-          <td>C:\Diagnostics\UserTmp\reg.exe</td>
-          <td>1</td>
-        </tr>
-        <tr>
-          <th>4</th>
-          <td>1</td>
-          <td>802d39e1-9d70-404d-832c-2de5e2478eda</td>
-          <td>MSTICAlertsWin1\MSTICAdmin</td>
-          <td>4688</td>
-          <td>2019-01-15 05:15:16.167</td>
-          <td>MSTICAlertsWin1</td>
-          <td>S-1-5-21-996632719-2361334927-4038480536-500</td>
-          <td>MSTICAdmin</td>
-          <td>MSTICAlertsWin1</td>
-          <td>0xfaac27</td>
-          <td>0x16fc</td>
-          <td>C:\Diagnostics\UserTmp\reg.exe</td>
-          <td>%%1936</td>
-          <td>0xbc8</td>
-          <td>.\reg  not /domain:everything that /sid:shines is /krbtgt:golden !</td>
-          <td>C:\Windows\System32\cmd.exe</td>
-          <td>0x0</td>
-          <td>46fe7078-61bb-4bed-9430-7ac01d91c273</td>
-          <td>2019-01-15 05:15:16.167</td>
-          <td>sibling</td>
-          <td>1</td>
-          <td>NaN</td>
-          <td>NaN</td>
-          <td>windows_path</td>
-          <td>.\reg</td>
-          <td>1</td>
-        </tr>
-      </tbody>
-    </table>
-    </div>
-    <br>
 
 
 IPython magic

docs/source/getting_started/msticpyconfig.rst

@@ -38,7 +38,7 @@ This section is similar to the TIProviders section, allowing you
 specify configuration options for other data providers.
 
 Key Vault
-~~~~~~~~
+~~~~~~~~~
 This section contains Azure Key Vault settings. This is only used if you
 choose to store secrets (e.g. API keys) in Key Vault.
 

docs/source/msticpy.common.rst

@@ -1,6 +1,6 @@
 
-msticpy.data package
-====================
+msticpy.common package
+======================
 
 Submodules
 ----------
@@ -29,10 +29,10 @@ msticpy.common.keyvault\_client module
     :undoc-members:
     :show-inheritance:
 
-msticpy.common.secrets\_client module
--------------------------------------
+msticpy.common.secret\_settings module
+---------------------------------------
 
-.. automodule:: msticpy.common.secrets_client
+.. automodule:: msticpy.common.secret_settings
     :members:
     :undoc-members:
     :show-inheritance:

docs/source/msticpy.nbtools.rst

@@ -44,6 +44,14 @@ msticpy.nbtools.process_tree module
     :undoc-members:
     :show-inheritance:
 
+msticpy.nbtools.timeseries module
+---------------------------------
+
+.. automodule:: msticpy.nbtools.timeseries
+    :members:
+    :undoc-members:
+    :show-inheritance:
+
 msticpy.nbtools.timeline module
 -------------------------------
 

msticpy/common/keyvault_client.py

@@ -62,16 +62,17 @@ class KeyVaultSettings:
     Notes
     -----
     The KeyVault section in msticpyconfig.yaml can contain
-    the following:
-    `KeyVault:
-        TenantId: {tenantid-to-use-for-authentication}
-        SubscriptionId: {subscriptionid-containing-vault}
-        ResourceGroup: {resource-group-containing-vault}
-        AzureRegion: {region-for-vault}
-        VaultName: {vault-name}
-        UseKeyring: True
-        Authority: global
-    `
+    the following::
+
+        KeyVault:
+            TenantId: {tenantid-to-use-for-authentication}
+            SubscriptionId: {subscriptionid-containing-vault}
+            ResourceGroup: {resource-group-containing-vault}
+            AzureRegion: {region-for-vault}
+            VaultName: {vault-name}
+            UseKeyring: True
+            Authority: global
+
     `SubscriptionId`, `ResourceGroup` and `AzureRegion` are only
     used when creating new vaults.
     `UseKeyring` instructs the `SecretsClient` to cache Keyvault

msticpy/sectools/base64unpack.py

@@ -898,22 +898,22 @@ def extract(self, column, **kwargs) -> pd.DataFrame:
         The columns of the output DataFrame are:
 
         - decoded string: this is the input string with any decoded sections
-        replaced by the results of the decoding
+          replaced by the results of the decoding
         - reference : this is an index that matches an index number in the
-        decoded string (e.g. <<encoded binary type=pdf index=1.2').
+          decoded string (e.g. <<encoded binary type=pdf index=1.2').
         - original_string : the string prior to decoding - file_type : the type
-        of file if this could be determined
+          of file if this could be determined
         - file_hashes : a dictionary of hashes (the md5, sha1 and sha256 hashes
-        are broken out into separate columns)
+          are broken out into separate columns)
         - input_bytes : the binary image as a byte array
         - decoded_string : printable form of the decoded string (either string
-        or list of hex byte values)
+          or list of hex byte values)
         - encoding_type : utf-8, utf-16 or binary
         - md5, sha1, sha256 : the respective hashes of the binary file_type,
-        file_hashes, input_bytes, md5, sha1, sha256 will be null if this item is
-        decoded to a string
+          file_hashes, input_bytes, md5, sha1, sha256 will be null if this item is
+          decoded to a string
         - src_index - the index of the source row in the input
-        frame.
+          frame.
 
         """
         return unpack_df(data=self._df, column=column, **kwargs)