# JOINing Osquery tables using graphing techniques
-----------------------------------------
* **Notebook Author:** Sevickson Kwidama 
    * [Twitter](https://twitter.com/SKwid345)
    * [LinkedIn](https://nl.linkedin.com/in/sevickson)
    * [Blog](https://medium.com/@sevickson) # change when blog posted

### Install and Upgrade `pip` packages if needed
I start by getting the needed dependencies if any, only need to be run once

In [None]:
!pip install --upgrade --user pip
!pip install --user pyvis

### Import modules in this Jupyter Notebook
Requirements:
- Python >= 3.6

In [1]:
#standard modules to use and manipulate dataframes
import numpy as np
import pandas as pd
#to download from osquery repository and unzip
import requests, zipfile, io
#pathlib to run code against locations on disk
import pathlib
#re for regular expresion based extracts
import re
#module to copy a value a in a dataframe, didnt find an easier way
from itertools import cycle
#below modules to create the graphs and computations on the graphs
import networkx as nx
import matplotlib.pyplot as plt
from pyvis.network import Network
#for the select box
#import ipywidgets as wi
from ipywidgets import interact#, interact_manual

### Dataframe Display Formatting
If I need to expand the DataFrames for viewing

In [None]:
pd.set_option('display.max_rows', 50)
pd.set_option('display.max_colwidth', -1)
pd.set_option('display.max_columns', None)

# INGEST AND MANIPULATE DATA
-----------------------------------------

### Download the latest zip and extract only the tables folder

In [4]:
#Based on https://twitter.com/curi0usJack/status/1255702362225811457?s=20
#get the API data of the latest release
url_github_latest = "https://api.github.com/repos/osquery/osquery/releases/latest"
response = requests.get(url_github_latest).json() 
dir_tables = 'osquery-tables'
p = pathlib.Path(dir_tables)
  
#response was in json and put in dict so can be called easily
url_github_dl = response['zipball_url']

#get zipped content and unzip
github_content = requests.get(url_github_dl, stream=True)
zippedcontent = zipfile.ZipFile(io.BytesIO(github_content.content))
listOfFileNames = zippedcontent.namelist()

# Iterate over the file names
for fileName in listOfFileNames:
    #extract all files in the specs folder, here are the tables and cmakelist file needed for later
    if 'specs/' in fileName:
       # Extract single file from zip each time
        zippedcontent.extract(fileName, dir_tables)

### Extract table names and columns from the Osquery table files

In [5]:
def osquery_table_extract(dir_tables):#(dir_git):
    table_columns = []
    for path in p.rglob("*.table"):
        if path.is_file() and 'example' not in path.stem:
            cf = open(path, "r", encoding="utf-8").read()
            tline = re.findall(r'table_name\(\"(\w+)\".*\)',cf)
            #below line is used to find all columns that do not have attribute hidden=True
            clines = re.findall(r'Column\(\"(\w+?)\".+?(\n)?.+? (?!hidden=True)\S+\),$',cf,re.M)
            #regex returns tuples because of the multiline matching so with list comprehesion turning it back in a list
            clines = [i[0] for i in clines]
            tcList =  list(zip(cycle(tline),clines))
        table_columns.append(tcList)
    return(table_columns)

Get all data from function and put in DF.

In [6]:
extract = osquery_table_extract(dir_tables)
extract_df = pd.DataFrame([t for lst in extract for t in lst], columns = ['Table','Column'])

#Check count of tables to be sure all have been processed.
#Difference in count table names against osquery website, I filtered out example.table as it is just an example table.
#print('Tables', extract_df.Table.nunique())
extract_df

Unnamed: 0,Table,Column
0,arp_cache,address
1,arp_cache,mac
2,arp_cache,interface
3,arp_cache,permanent
4,atom_packages,name
...,...,...
2110,yara_events,matches
2111,yara_events,count
2112,yara_events,strings
2113,yara_events,tags


### Add OS to table based on cMakelists file

Keep working on crashes vs windows_crashes issue otherwise workaround change the data manually

In [7]:
def osquery_table_os(tname):
    tname_cmake = 0
    for path in p.rglob("cMakelists.txt"):
        with open(path, 'r') as read_obj:
            for line in read_obj:
                if tname in line:
                    if '/' in line:
                        #used to delete part of string that can give double matches bases on tables names that have same start or end.
                        tname_cmake = re.search( r'^.*/(.*)$', line, re.M|re.I).group(1)
                    else:
                        tname_cmake = line.strip()
    return(tname_cmake)

In [8]:
tname_list = []
for tname in extract_df['Table']:
    table_os = osquery_table_os(tname)
    if ':' in str(table_os):
        t_os = re.search(r'^.+?:(.+?)"$', table_os, re.M|re.I).group(1)
        tname_list.append(t_os)
    elif '0' in str(table_os):
        #not in the cmake list file but on the website so manually add the OS
        t_os = 'no_os'
        tname_list.append(t_os)
    else:
        t_os = 'linux,macos,freebsd,windows'
        tname_list.append(t_os)
    
extract_df_os = extract_df
extract_df_os['OS'] = tname_list 
extract_df_os

Unnamed: 0,Table,Column,OS
0,arp_cache,address,"linux,macos,windows"
1,arp_cache,mac,"linux,macos,windows"
2,arp_cache,interface,"linux,macos,windows"
3,arp_cache,permanent,"linux,macos,windows"
4,atom_packages,name,"linux,macos"
...,...,...,...
2110,yara_events,matches,"linux,macos"
2111,yara_events,count,"linux,macos"
2112,yara_events,strings,"linux,macos"
2113,yara_events,tags,"linux,macos"


Workaround for issue that some tables did not get the correct OS assignment, fix this later in the re.search in the osquery_table_os function.  
Tables that have no_os need manual assignment too.
Issue seems to be if another table contains a part of the name of one of the prior tables it takes the value from the last table, so matching is not specific enough.

In [9]:
extract_df_os.loc[extract_df_os.Table == 'crashes', 'OS'] = 'macos'
extract_df_os.loc[extract_df_os.Table == 'azure_instance_metadata', 'OS'] = 'linux,macos,freebsd,windows'
extract_df_os.loc[extract_df_os.Table == 'azure_instance_tags', 'OS'] = 'linux,macos,freebsd,windows'
extract_df_os.loc[extract_df_os.Table == 'wifi_survey', 'OS'] = 'macos'
extract_df_os.loc[extract_df_os.Table == 'processes', 'OS'] = 'linux,macos,freebsd,windows'
extract_df_os.loc[extract_df_os.Table == 'groups', 'OS'] = 'linux,macos,freebsd,windows'
extract_df_os.loc[extract_df_os.Table == 'hash', 'OS'] = 'linux,macos,freebsd,windows'
extract_df_os.loc[extract_df_os.Table == 'time', 'OS'] = 'linux,macos,freebsd,windows'
extract_df_os.loc[extract_df_os.Table == 'certificates', 'OS'] = 'macos,windows'


#to check if there are any no_os from the CmakeLists file, if so make the changes manually based on osquery schema website
#if output below is empty is good
extract_df_os.loc[extract_df_os.OS == 'no_os']

Unnamed: 0,Table,Column,OS


In [None]:
extract_df_os.loc[extract_df_os['Table'] == 'logon_sessions']

### Create separate dataframes based on OS

In [11]:
#Windows
windows_df = extract_df_os.loc[pd.np.where(extract_df_os.OS.str.contains("windows"))]

#Linux
linux_df = extract_df_os.loc[pd.np.where(extract_df_os.OS.str.contains("linux"))]

#macOS
macos_df = extract_df_os.loc[pd.np.where(extract_df_os.OS.str.contains("macos"))]

#FreeBSD
freebsd_df = extract_df_os.loc[pd.np.where(extract_df_os.OS.str.contains("freebsd"))]

#windows_df.tail(10)
#windows_df.Table.nunique()

# GRAPHS

### Function to create the graph and all its properties 

In [12]:
def create_OS_graph(df_OS):
    #create nx node graph form dataframe
    G = nx.from_pandas_edgelist(df=df_OS, source='Table', target='Column')
    #initiliaze lists to use for append
    colors = []
    sizes = []
    selected_nodes_list = []
    selected_nodes_list_H = []
    
    #calculate all degrees of separation for the nodes, so how many connection does each node have
    degree = nx.degree(G)

    #iterate through nodes, if node in Table column than check if node has connections, if so add to list, if no connections discard.
    #if node not in Table list than it would be in the Column table and if has more than 1 connection than at to list
    for node in G:
        if node in df_OS.Table.values:
            if (degree(node) > 0):
                #print('Table ' + node + ' ' + str(degree(node)))
                selected_nodes_list.append(node)
        else: 
            #column has always at least connection to it's own table that is why need to check for more than 1 connection
            if (degree(node) > 1):
                #print('Column ' + node + ' ' + str(degree(node)))
                selected_nodes_list.append(node)

    #create subgraph based on filtering above
    H = G.subgraph(selected_nodes_list)
    degree_H = nx.degree(H)

    #run the same logic as above to filter out tables and columns that were left after removals above
    #also add color dependent on column and size dependent on how many connections
    for node in H:
        if node in df_OS.Table.values:
            if (degree_H(node) == 1):
                #print('Table ' + node + ' ' + str(degree_H(node)))
                selected_nodes_list_H.append(node)
                colors.append("orange") #lightblue
                sizes.append(300)
            elif (degree_H(node) > 1):
                selected_nodes_list_H.append(node)
                colors.append("lightgreen")
                sizes.append(H.degree(node) * 700)
        else: 
            if (degree_H(node) > 1):
                #print('Column ' + node + ' ' + str(degree_H(node)))
                selected_nodes_list_H.append(node)
                colors.append("red")
                sizes.append(H.degree(node) * 1000)

    I = H.subgraph(selected_nodes_list_H)
    return(I, colors, sizes, selected_nodes_list_H)

Check the most common `Columns` to filter out common names that will not be able to JOIN.  
Used below to start creating the ignore_list, finished it visually checking the paths.  
Create ignore list per OS

In [None]:
column_count = extract_df['Column'].value_counts()
column_for_joins = column_count[column_count > 1]
column_for_joins.head(10)

### ALL GRAPH

In [None]:
OS_graph, colors, sizes, nodelist = create_OS_graph(extract_df_os)

#print(OS_graph.number_of_nodes())
#print(OS_graph.number_of_edges())

gr=Network(height=800, width=1200, notebook=True, bgcolor="#222222", font_color="white")
gr.add_nodes(nodelist, value=sizes, title=nodelist, color=colors)
gr.barnes_hut()
gr.from_nx(OS_graph)
gr.show("graphs/osquery_tables_OS_ALL_graph.html")

### Windows Graph

In [15]:
#ignore_list to filter out Columns of no interest later on before creating the graph
ignore_list_w = ['name','path','type','version','size','version','description','status','state','label','class','source','device','mode','value','result','hardware_model','manufacturer','query','model','device_id','action','script_text','time','enabled',
               'date','caption','publisher','active','autoupdate','flags','comment','data','registry','author','directory','license','summary','permissions'] 
#maybe filter out key? not same meaning in all tables
#path can be used for some good joins but too noisy for now example http://www.osdfcon.org/presentations/2016/Facebook-osquery.pdf

In [49]:
windows_df_filtered = windows_df[~windows_df['Column'].isin(ignore_list_w)]
OS_graph, colors, sizes, nodelist = create_OS_graph(windows_df_filtered)

print('Nodes:', OS_graph.number_of_nodes(), 'Edges:', OS_graph.number_of_edges())

gr=Network(height=800, width=1200, notebook=True, bgcolor="#222222", font_color="white")
gr.add_nodes(nodelist, value=sizes, title=nodelist, color=colors)
gr.barnes_hut()
gr.from_nx(OS_graph)
gr.show("graphs/osquery_tables_OS_win_graph.html")

Nodes: 104 Edges: 128


### Determine shortest paths from table A to table B

In [13]:
def shortest_path(df_OS,s,t):
    P = nx.from_pandas_edgelist(df=df_OS, source='Table', target='Column')
    path_list = []
    colors_sp = []
    sizes_sp = []
    if nx.has_path(P, s, t):
        path_list = nx.shortest_path(P, source=s, target=t) 
    else:
        print('No path available.')
    
    Q = P.subgraph(path_list)
    degree_Q = nx.degree(Q)
    
    for node in path_list:
        if node in df_OS.Table.values:
            if (degree_Q(node) == 1):
                colors_sp.append("orange")
                sizes_sp.append(300)
            elif (degree_Q(node) > 1):
                colors_sp.append("lightgreen")
                sizes_sp.append(Q.degree(node) * 700)
        else: 
                colors_sp.append("red")
                sizes_sp.append(Q.degree(node) * 1000)

    return (Q, path_list, colors_sp, sizes_sp)

In [48]:
windows_df_filtered_tb = windows_df[~windows_df['Column'].isin(ignore_list_w)].sort_values('Table')

@interact
def corr_graph(Source=list(windows_df_filtered_tb.Table.unique()), Destination=list(windows_df_filtered_tb.Table.unique())):
    sp_graph, sp_list, sp_colors, sp_sizes = shortest_path(windows_df_filtered_tb,Source,Destination)  
    #print(len(sp_list))
    #sp_list.len()
    if sp_list is not None and len(sp_list) > 1:
        print(sp_list,sp_sizes,sp_colors)
        sp_gr=Network(notebook=True, bgcolor="#222222", font_color="white")
        sp_gr.add_nodes(sp_list, value=sp_sizes, title=sp_list, color=sp_colors)
        sp_gr.barnes_hut()
        sp_gr.from_nx(sp_graph)
        return(sp_gr.show("graphs/shortest_path_graph.html"))

interactive(children=(Dropdown(description='Source', options=('appcompat_shims', 'arp_cache', 'authenticode', …

-----------------------------------------
# TODO - WIP

### Linux Graph

In [None]:
#ignore_list to filter out Columns of no interest later on before creating the graph
ignore_list_l = ['name','path','type','version','size','version','description','status','state','label','class','source','device','mode','value','result','hardware_model','manufacturer','query','model','device_id','action','script_text','time','enabled',
               'date','caption','publisher','active','autoupdate','flags','comment','data','registry','author','directory','license','summary','permissions'] 

In [None]:
linux_df_filtered = linux_df[~linux_df['Column'].isin(ignore_list_l)]
OS_graph, colors, sizes, nodelist = create_OS_graph(linux_df_filtered)

print('Nodes:', OS_graph.number_of_nodes(), 'Edges:', OS_graph.number_of_edges())

gr=Network(height=800, width=1000, notebook=True, bgcolor="#222222", font_color="white")
gr.add_nodes(nodelist, value=sizes, title=nodelist, color=colors)
gr.barnes_hut()
gr.from_nx(OS_graph)
gr.show("graphs/osquery_tables_OS_lin_graph.html")

### macOS Graph

In [None]:
#ignore_list to filter out Columns of no interest later on before creating the graph
ignore_list_m = ['name','path','type','version','size','version','description','status','state','label','class','source','device','mode','value','result','hardware_model','manufacturer','query','model','device_id','action','script_text','time','enabled',
               'date','caption','publisher','active','autoupdate','flags','comment','data','registry','author','directory','license','summary','permissions'] 

In [None]:
macos_df_filtered = macos_df[~macos_df['Column'].isin(ignore_list_m)]

OS_graph, colors, sizes, nodelist = create_OS_graph(macos_df_filtered)

print('Nodes:', OS_graph.number_of_nodes(), 'Edges:', OS_graph.number_of_edges())

gr=Network(height=800, width=1000, notebook=True, bgcolor="#222222", font_color="white")
gr.add_nodes(nodelist, value=sizes, title=nodelist, color=colors)
gr.barnes_hut()
gr.from_nx(OS_graph)
gr.show("graphs/osquery_tables_OS_mac_graph.html")

### FreeBSD Graph

In [None]:
#ignore_list to filter out Columns of no interest later on before creating the graph
ignore_list_f = ['name','path','type','version','size','version','description','status','state','label','class','source','device','mode','value','result','hardware_model','manufacturer','query','model','device_id','action','script_text','time','enabled',
               'date','caption','publisher','active','autoupdate','flags','comment','data','registry','author','directory','license','summary','permissions'] 

In [None]:
freebsd_df_filtered = freebsd_df[~freebsd_df['Column'].isin(ignore_list_f)]

OS_graph, colors, sizes, nodelist = create_OS_graph(freebsd_df_filtered)

print('Nodes:', OS_graph.number_of_nodes(), 'Edges:', OS_graph.number_of_edges())

gr=Network(height=800, width=1000, notebook=True, bgcolor="#222222", font_color="white")
gr.add_nodes(nodelist, value=sizes, title=nodelist, color=colors)
gr.barnes_hut()
gr.from_nx(OS_graph)
gr.show("graphs/osquery_tables_OS_freebsd_graph.html")

### All shortest paths - WIP

In [None]:
def shortest_path_source(df_OS,s):
    P = nx.from_pandas_edgelist(df=df_OS, source='Table', target='Column')
    path_list_s = []
    #if nx.has_path(P, s, t):
    path_list_s = nx.single_source_shortest_path(P, source=s, cutoff=2)
    #else:
    #   print('No path available.')
    
    Q = P.subgraph(path_list_s)
    return (Q, path_list_s)

In [None]:
# TODO: add other OS filtered tables, maybe create a dropdown for OS
windows_df_filtered_tb = windows_df[~windows_df['Column'].isin(ignore_list_w)]

@interact
def corr_graph_source(Source=list(windows_df_filtered_tb.Table.unique())):
    #print(f"testing", column1)
    sp_graph_s, sp_list_s = shortest_path_source(windows_df_filtered_tb,Source) #sp_graph, 
    #if sp_list is not None:
        #print([p for p in sp_list])
    sp_gr_s=Network(notebook=True, bgcolor="#222222", font_color="white")
    #sp_gr_s.add_nodes(sp_list_s, title=sp_list_s)# , value='1', color='b'
    sp_gr_s.barnes_hut()
    sp_gr_s.from_nx(sp_graph_s)
    return(sp_gr_s.show("sp_graph_s.html"))

#### Sources:
https://towardsdatascience.com/getting-started-with-graph-analysis-in-python-with-pandas-and-networkx-5e2d2f82f18e  
https://stackoverflow.com/questions/55342586/assign-color-to-networkx-node-based-on-column-name  
https://pyvis.readthedocs.io/en/latest/tutorial.html  
https://github.com/osquery/osquery  