Skip to content

Allow process tree to work with more data sources. #513

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
petebryan merged 5 commits into from
Sep 20, 2022
Merged

Allow process tree to work with more data sources. #513

petebryan merged 5 commits into from
Sep 20, 2022

Conversation

@ianhelle
Copy link
Contributor

@ianhelle ianhelle commented Sep 19, 2022

  • Removed the follow columns previously marked as required: host_name, logon_id, user_name, cmd_line.
  • Added auto-coloring by level if no legend is supplied.
  • Fixed sorting so that tree and peer groups in the tree are sorted by level, then timestamp.
  • Added ability to supply schema as dictionary for vis.process_tree and transform.

Reduced required column set

This allows you to use the process tree visualization and utilities with a minimal set of data fields:

  • process_id
  • parent_id
  • process_name
  • time_stamp
    cust_schema = {
        "process_name": "ImageFileName",
        "process_id": "PID",
        "parent_id": "PPID",
        "time_stamp": "CreateTime",
    }
    df.mp_plot_process(schema=cust_schema)

Auto-coloring of tree plot

If you do not supply a legend_col parameter, the process objects will be
automatically colored by level in the hierarchy.
Proctree-default-color

Processes are correctly sorted by process time

path ImageFileName CreateTime
proc_key
registry|88|2021-04-01 05:04:54.000000 116/0 Registry 2021-04-01 05:04:54+00:00
system|4|2021-04-01 05:04:58.000000 117/1 System 2021-04-01 05:04:58+00:00
smss.exe|404|2021-04-01 05:04:58.000000 117/1/2 smss.exe 2021-04-01 05:04:58+00:00
csrss.exe|640|2021-04-01 05:05:00.000000 118/3 csrss.exe 2021-04-01 05:05:00+00:00
winlogon.exe|700|2021-04-01 05:05:00.000000 118/4 winlogon.exe 2021-04-01 05:05:00+00:00
dwm.exe|1028|2021-04-01 05:05:02.000000 118/4/17 dwm.exe 2021-04-01 05:05:02+00:00
logonui.exe|512|2021-04-01 05:05:02.000000 118/4/21 LogonUI.exe 2021-04-01 05:05:02+00:00
fontdrvhost.ex|960|2021-04-01 05:05:01.000000 118/4/7 fontdrvhost.ex 2021-04-01 05:05:01+00:00
wininit.exe|632|2021-04-01 05:05:00.000000 119/5 wininit.exe 2021-04-01 05:05:00+00:00
lsass.exe|776|2021-04-01 05:05:01.000000 119/5/10 lsass.exe 2021-04-01 05:05:01+00:00

mp_plot.process_tree and mp.build_process_tree support schema as dictionary

Previously these accessors and the underlying functions plot_process_tree and
build_process_tree would only accept msticpy.transform.process_tree_schema.ProcSchema
instances. These will now accept dictionaries with at least the minimum required
attributes as keys.

@ianhelle
Removed the follow columns as required: host_name, logon_id, user_nam…
fb35041 
…e, cmd_line

Added auto-coloring by level if no legend is supplied.
Fixed sorting so that tree and peer groups in the tree are sorted by level, then timestamp
@ianhelle
Adding some fixes:
71d565f 
- adding function to create minimal schema dict to proc_tree_schema.py
- adding ability to supply schema as dict in process_tree.py, proc_tree_builder.py
- fixed mapping fields supplied in kwargs (for things like legend_col) if using MDE (that does internal schema translation)
- Swapped namedtuple for typing.NamedTuple to support typed members
This was linked to issues Sep 19, 2022
expected order of processes in process_tree #500
Closed
Generating process tree using alternative data source #446
Closed
@ianhelle ianhelle removed a link to an issue Sep 19, 2022
expected order of processes in process_tree #500
Closed
@ianhelle ianhelle linked an issue Sep 19, 2022 that may be closed by this pull request
expected order of processes in process_tree #500
Closed
@ianhelle ianhelle mentioned this pull request Sep 19, 2022
Closed
@ianhelle ianhelle added this to the Release 2.1.3 milestone Sep 20, 2022
@petebryan petebryan merged commit 7debb6e into main Sep 20, 2022
@petebryan petebryan deleted the ianhelle/proc_tree_fixes-2022-09-16 branch September 20, 2022 22:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@petebryan petebryan petebryan approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

Release 2.1.3

Development

Successfully merging this pull request may close these issues.

expected order of processes in process_tree Generating process tree using alternative data source

3 participants

@ianhelle @petebryan