Client

class TH.Client(client_id: str, period: Optional[TH.Core.period.TimePeriod] = TimePeriod())

Bases: Generic[TH.Core.THCollection.T]

Class representing all the machines belonging to a Client.
A client can be instantiated by providing the following information:
  • client_id: The client identification code (use ‘all’ for all authorized clients)

  • period: The current analysis period

If no client id is provided, a list with all allowed clients will be returned.

one_client = Client(client_id='123456789')  # obtain one unique client with id '123456789'
all_clients = Client(client_id='all')       # obtain all clients I am allowed to access
get_blocked(file: Optional[Union[str, List[str], Any, List[Any]]] = None, period: Optional[TH.Core.period.TimePeriod] = None, histogram: Optional[TH.Core.histogram.Histogram] = None) → Union[pandas.core.frame.DataFrame, TH.Core.THCollection.THCollection]

Obtain client’s blocked elements

Parameters
  • file – Limit the query results to certain files (providing File objects)

  • period – Query time period. Defaults to today

  • histogram – Set if the histogram over the data is required (defaults to None)

Returns

Client’s detections represented as a list of Block instances.

If a histogram is requested, the returned values depend on the provided histogram configuration.
Otherwise, the following columns are provided in the returned dataframe:
  • DateTime: Date of the detection

  • ClientId: Target client

  • Muid: Target machine

  • LoggedUser: User that performed the detected action

  • ChildMd5: File hash for the detected file

  • ChildPath: File path for the detected file

  • ChildFilename: File name for the detected file

  • ParentMd5: File hash for the parent process file

  • ParentPath: File path for the parent process file

  • ParentFilename: File name for the parent process file

  • WinningTech: Winning technology (the one that performed the detection)

  • DetectionId: Detection identification code

  • Action: Performed action over the file

get_detections(file: Optional[Union[str, List[str], Any, List[Any]]] = None, period: Optional[TH.Core.period.TimePeriod] = None, histogram: Optional[TH.Core.histogram.Histogram] = None) → Union[pandas.core.frame.DataFrame, TH.Core.THCollection.THCollection]

Obtain client’s detections

Parameters
  • file – Limit the query results to certain files (providing File objects)

  • period – Query time period. Defaults to today

  • histogram – Set if the histogram over the data is required (defaults to None)

Returns

Client’s detections represented as a list of Detect instances.

If a histogram is requested, the returned values depend on the provided histogram configuration.
Otherwise, the following columns are provided in the returned dataframe:
  • DateTime: Date of the detection

  • ClientId: Target client

  • Muid: Target machine

  • LoggedUser: User that performed the detected action

  • ChildMd5: File hash for the detected file

  • ChildPath: File path for the detected file

  • ChildFilename: File name for the detected file

  • ParentMd5: File hash for the parent process file

  • ParentPath: File path for the parent process file

  • ParentFilename: File name for the parent process file

  • WinningTech: Winning technology (the one that performed the detection)

  • DetectionId: Detection identification code

  • Action: Performed action over the file

get_ioas(rules: Optional[Union[List[str], str]] = None, period: Optional[TH.Core.period.TimePeriod] = None) → TH.Core.THCollection.THCollection
Obtain the identified attacks for this client
Parameters
  • period – Query time period. Defaults to today

  • rules – Query results limited to those containing the provided rule names

Returns

A list of IoA (identification of attack) represented as IoA instances.

The following columns are provided in the returned dataframe:

  • alertDateTime: Datetime from when the alert was identified

  • clientId: The client for this alert

  • critical: True if the alert is critical

  • details: Alert details

  • excluded: True if alert is excluded

  • huntingRule: The hunting rule name that triggered the alert

  • id: The alert identification code

  • lastHourEvidenceCount: Number of accumulated alerts of this type in the last hour

  • mitre: Mitre equivalence for this alert

  • muid: This alert machine identification code

  • severity: The alert severity value

  • status: The alert status

  • timeStamp: Timestamp for this alert (when it was first produced)

  • weight: The alert weight value
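Added example (not part of the TH library or this page): a defender-side triage pass over the records returned by get_detections() and get_ioas(), joining them on the machine id and flagging child hashes seen on several machines. It works on plain row dicts (what df.to_dict("records") yields for a DataFrame); the MUIDs, hashes, rule names and paths below are constructed placeholders.

```python
from collections import defaultdict
# Constructed sample rows mirroring the columns documented for Client.get_detections()
# and Client.get_ioas(); MUIDs, hashes, rule names and paths are placeholders.
# Real DataFrames convert to this row form with df.to_dict("records").
def det(muid, user, child_md5, child, parent, action="Block"):
    return {"DateTime": "2024-01-10 09:12:00", "ClientId": "123456789", "Muid": muid,
            "LoggedUser": user, "ChildMd5": child_md5, "ChildPath": "C:\\Temp\\" + child,
            "ChildFilename": child, "ParentMd5": "md5-" + parent,
            "ParentPath": "C:\\Windows\\" + parent, "ParentFilename": parent,
            "WinningTech": "Cloud", "DetectionId": "D-" + child_md5 + muid, "Action": action}

def ioa(muid, rule, critical, excluded=False):
    return {"muid": muid, "clientId": "123456789", "huntingRule": rule, "critical": critical,
            "excluded": excluded, "severity": 4 if critical else 2, "status": "Open"}

DETECTIONS = [det("MUID-A", "alice", "h1", "dropper.exe", "explorer.exe"),
              det("MUID-A", "alice", "h2", "stage2.exe", "dropper.exe", action="Quarantine"),
              det("MUID-B", "bob", "h1", "dropper.exe", "outlook.exe")]
IOAS = [ioa("MUID-B", "SuspiciousChildOfMailClient", True),
        ioa("MUID-A", "TempExecution", True, excluded=True),
        ioa("MUID-A", "ProcessChainAnomaly", False)]

def summarize_by_machine(detections, ioas):
    """Join detections and IoAs on the machine id (Muid / muid) into one record per machine."""
    summary = defaultdict(lambda: {"detections": 0, "hashes": set(), "users": set(),
                                   "critical_ioas": 0, "rules": set()})
    for row in detections:
        s = summary[row["Muid"]]
        s["detections"] += 1
        s["hashes"].add(row["ChildMd5"])
        s["users"].add(row["LoggedUser"])
    for alert in ioas:
        if alert["excluded"]:  # analyst-excluded alerts must not raise a machine's priority
            continue
        s = summary[alert["muid"]]
        s["rules"].add(alert["huntingRule"])
        s["critical_ioas"] += int(alert["critical"])
    return dict(summary)

def prioritize(summary):
    """Machines ordered by live critical IoAs, then distinct detected hashes, then volume."""
    return sorted(summary, key=lambda m: (summary[m]["critical_ioas"],
                                          len(summary[m]["hashes"]), summary[m]["detections"]), reverse=True)
def hashes_on_multiple_machines(detections, min_machines=2):
    """Child hashes detected on at least min_machines distinct MUIDs (possible spread)."""
    seen = defaultdict(set)
    for row in detections:
        seen[row["ChildMd5"]].add(row["Muid"])
    return {h: sorted(m) for h, m in seen.items() if len(m) >= min_machines}
```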

get_machines(muid: Optional[str] = None, users: Optional[Union[List[str], str]] = None, ips: Optional[Union[List[str], str]] = None, file: Optional[Union[str, List[str], Any, List[Any]]] = None, command: Optional[str] = None, period: Optional[TH.Core.period.TimePeriod] = None, histogram: Optional[TH.Core.histogram.Histogram] = None) → Union[pandas.core.frame.DataFrame, TH.Core.THCollection.THCollection]
Obtain the list of machines for this client
Parameters
  • period – Query time period. Defaults to today

  • histogram – Set if the histogram over the data is required (defaults to None)

  • muid – Limit the query results to machines with certain MUIDs

  • users – Limit the query results to machines where certain users had activity

  • ips – Limit the query results to machines with certain ips

  • file – Limit the query results to machines with activity of certain files (providing File objects)

  • command – Limit the query results to machines that executed certain command lines (or part of them)

Returns

A list of machines represented as Machine instances.

If a histogram is requested, the returned values depend on the provided histogram configuration.
Otherwise, the following columns are provided in the returned dataframe:
  • Muid: The MUID for the returned machine

get_users(muid: Optional[str] = None, period: Optional[TH.Core.period.TimePeriod] = None, users: Optional = None, histogram=None) → Union[pandas.core.frame.DataFrame, TH.Core.THCollection.THCollection]
Obtain the list of users for this client
Parameters
  • period – Query time period. Defaults to today

  • histogram – Set if the histogram over the data is required (defaults to None)

  • muid – Limit the query results to users with activity in the provided machines

  • users – Limit the query results to users whose name contains the provided user names

Returns

A list of users represented as User instances.

If a histogram is requested, the returned values depend on the provided histogram configuration.
Otherwise, the following columns are provided in the returned dataframe:
  • LoggedUser: The logged user name

  • IniDate: The date on which the user was first seen (in the given period)

  • EndDate: The date on which the user was last seen (in the given period)

  • NumDays: The number of days on which the user had activity (in the given period)

property id
Returns

The value for the client identification code