Process

class TH.Process(filename: Optional[Union[str, List[str]]], md5: Optional[Union[str, List[str]]], muid: Optional[str], pid: Optional[Union[int, numpy.int64]], logged_user: Optional[str] = None, client_id: Optional[str] = None, period: Optional[TH.Core.period.TimePeriod] = TimePeriod(), time: Optional[TH.Core.period.TimePeriod] = None)

Bases: Generic[TH.Core.THCollection.T]

Warning

This object is not intended to be created directly, but obtained through the queries provided by upper-level objects.

Class representing a Process.
A process can be instantiated by providing the following information:
  • muid: Machine unique identification code of the machine on which the process is executed

  • filename: File name for the process binary

  • md5: File md5 for the process binary

  • pid: The PID for this process in this machine

  • logged_user: The user name that executed this process

  • client_id: The client identification code

  • period: The current analysis period

static from_table_df(df: pandas.core.frame.DataFrame, table: str, client: str, period: TH.Core.period.TimePeriod) → TH.Core.THCollection.THCollection
get_bandwidth(period: Optional[TH.Core.period.TimePeriod] = None) → pandas.core.frame.DataFrame
Obtain the bandwidth used by this machine
The default representation of the bandwidth data is an area chart with the values per day
Parameters

period – Query time period. Defaults to today

Returns

Data frame with the resulting bandwidth data

Following columns are provided within the returned dataframe:

  • Date: Date for the bandwidth consumption data

  • Outgoing: MBytes sent

  • Incoming: MBytes received
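As an added example (not code from the library or from this page), the following flags days whose outgoing volume stands out in the data returned by get_bandwidth(), the kind of check used when hunting for exfiltration. It assumes rows in the documented Date/Outgoing/Incoming layout, converted to a list of dicts with pandas' df.to_dict("records"); the sample values, the median/MAD baseline and the k=5 cut-off are constructed choices, not anything the library defines.

```python
from statistics import median
from typing import Dict, List

# Constructed sample in the column layout documented for get_bandwidth():
# one row per day, Outgoing/Incoming in MBytes. A real call returns a
# DataFrame; df.to_dict("records") turns it into this list-of-dicts shape.
SAMPLE_BANDWIDTH: List[Dict] = [
    {"Date": "2024-03-01", "Outgoing": 12.0, "Incoming": 310.0},
    {"Date": "2024-03-02", "Outgoing": 15.0, "Incoming": 295.0},
    {"Date": "2024-03-03", "Outgoing": 11.0, "Incoming": 330.0},
    {"Date": "2024-03-04", "Outgoing": 14.0, "Incoming": 280.0},
    {"Date": "2024-03-05", "Outgoing": 13.0, "Incoming": 300.0},
    {"Date": "2024-03-06", "Outgoing": 10.0, "Incoming": 315.0},
    {"Date": "2024-03-07", "Outgoing": 12.0, "Incoming": 290.0},
    {"Date": "2024-03-08", "Outgoing": 410.0, "Incoming": 320.0},  # the outlier day
]

MAD_SCALE = 1.4826  # makes MAD comparable to a standard deviation for normal data


def flag_exfil_days(rows: List[Dict], k: float = 5.0) -> List[Dict]:
    """Return the days whose Outgoing volume is an outlier for the period.

    Uses median and median absolute deviation (MAD) so the outlier day itself
    does not inflate the baseline the way mean/stddev would. A day is also
    annotated when it sent more than it received, which is unusual for an
    ordinary workstation process.
    """
    outgoing = [float(r["Outgoing"]) for r in rows]
    if len(outgoing) < 3:
        return []  # not enough history to call anything an outlier
    med = median(outgoing)
    mad = median(abs(v - med) for v in outgoing)
    # With a flat history MAD is 0 and every deviation would trigger; fall back
    # to 10% of the median as a minimal tolerance in that case (assumed choice).
    spread = MAD_SCALE * mad if mad > 0 else 0.1 * med
    threshold = med + k * spread
    findings = []
    for r in rows:
        out, inc = float(r["Outgoing"]), float(r["Incoming"])
        reasons = []
        if out > threshold:
            reasons.append(f"outgoing {out:.1f} MB above baseline {med:.1f} MB + {k}*MAD")
        if out > inc:
            reasons.append("sent more than received")
        if reasons:
            findings.append({"Date": r["Date"], "Outgoing": out, "Incoming": inc,
                             "Reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_exfil_days(SAMPLE_BANDWIDTH):
        print(f["Date"], f["Outgoing"], "; ".join(f["Reasons"]))
```

The threshold is computed from the same period being examined, so run it over a period long enough to contain normal days (a month rather than the default "today"), otherwise the single row returned is its own baseline.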

get_childs() → Union[TH.Core.THCollection.THCollection, pandas.core.frame.DataFrame]
Obtain child processes for this process
get_commandlines(period: Optional[TH.Core.period.TimePeriod] = None, ntop: Optional[int] = None) → pandas.core.frame.DataFrame

Obtain process commandlines in executions

Parameters
  • period – Query time period. Defaults to today

  • ntop – Limit the query to the ntop most frequently used command lines

Returns

Process commandlines

get_communications(period: Optional[TH.Core.period.TimePeriod] = None, protocol: Optional[str] = None, port: Optional[str] = None, iptype: Optional[str] = None, direction: Optional[str] = None, ips: Optional[Union[List[str], str]] = None, histogram: Optional[TH.Core.histogram.Histogram] = None) → Union[pandas.core.frame.DataFrame, TH.Core.THCollection.THCollection]
Obtain this process's communications
The default representation of the communications through the print_dataframe() method is a world map with colored dots (derived from the geolocation of the IP addresses)
Parameters
  • period – Query time period. Defaults to today

  • histogram – Set if the histogram over the data is required (defaults to None)

  • protocol – Limit the query result to certain protocols (‘ICMP’, ‘IGMP’, ‘RFCOMM’, ‘TCP’, ‘RDP’, ‘UDP’, ‘ICMPV6’, ‘RM’)

  • port – Limit the query result to certain ports (port = number or [‘FTP’, ‘SSH’, ‘TELNET’, ‘SMTP’, ‘HTTP’, ‘POP3’, ‘HTTPS’, ‘RDP’])

  • iptype – Limit the query result to certain IP type (iptype = ‘Public’|’Private’)

  • direction – Limit the query result to certain direction (direction = ‘Incoming’|’Outgoing’)

  • ips – Limit the query results to certain ip addresses

Returns

This process's communications represented as a list of Connection instances.

If histogram is required, returning values depends on the provided histogram configuration.
Otherwise, following columns are provided within the returned dataframe:
  • DateTime: Date and time of the connection

  • Date: Date of the connection

  • Muid: Machine for the connection

  • LoggedUser: User affected by the connection

  • ParentFilename: Process (name) affected by the connection

  • ParentPid: Process (pid) affected by the connection

  • RemoteIp: The remote IP address

  • RemotePort: Connection port

  • LocalIp: The local IP of the machine when the connection was established

  • LocalPort: The local port

  • Protocol: The communication protocol

  • Direction: Incoming / Outgoing

  • Ipv4Status: Private / Public
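As an added example (not code from the library or from this page), the following looks for beaconing in the rows returned by get_communications(): outgoing connections to a public address repeated at near-constant intervals, which is how a command-and-control implant with a fixed sleep looks in connection logs. It assumes rows in the documented column layout (DateTime, RemoteIp, RemotePort, Protocol, Direction, Ipv4Status) obtained with df.to_dict("records"); the sample connections, the "Outgoing"/"Public" string values and the jitter threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

TS_FMT = "%Y-%m-%d %H:%M:%S"


def _conn(ts: str, ip: str, port: int, direction: str, status: str, proto: str = "TCP") -> Dict:
    """Build one constructed row in the column layout documented for get_communications()."""
    return {"DateTime": ts, "Date": ts[:10], "Muid": "MUID-1", "LoggedUser": "alice",
            "ParentFilename": "svchost.exe", "ParentPid": 2210,
            "RemoteIp": ip, "RemotePort": port, "LocalIp": "10.0.0.9",
            "LocalPort": 49000, "Protocol": proto, "Direction": direction,
            "Ipv4Status": status}


# Constructed sample: a ~60 s beacon to 203.0.113.7:443, irregular traffic to
# 198.51.100.20:80, and regular but private/incoming rows that must be ignored.
SAMPLE_CONNECTIONS: List[Dict] = [
    _conn("2024-03-01 10:00:00", "203.0.113.7", 443, "Outgoing", "Public"),
    _conn("2024-03-01 10:01:02", "203.0.113.7", 443, "Outgoing", "Public"),
    _conn("2024-03-01 10:02:00", "203.0.113.7", 443, "Outgoing", "Public"),
    _conn("2024-03-01 10:03:01", "203.0.113.7", 443, "Outgoing", "Public"),
    _conn("2024-03-01 10:03:59", "203.0.113.7", 443, "Outgoing", "Public"),
    _conn("2024-03-01 10:05:00", "203.0.113.7", 443, "Outgoing", "Public"),
    _conn("2024-03-01 10:00:30", "198.51.100.20", 80, "Outgoing", "Public"),
    _conn("2024-03-01 10:07:12", "198.51.100.20", 80, "Outgoing", "Public"),
    _conn("2024-03-01 10:07:15", "198.51.100.20", 80, "Outgoing", "Public"),
    _conn("2024-03-01 10:30:00", "198.51.100.20", 80, "Outgoing", "Public"),
    _conn("2024-03-01 10:31:10", "198.51.100.20", 80, "Outgoing", "Public"),
    _conn("2024-03-01 10:00:10", "10.0.0.5", 445, "Incoming", "Private"),
    _conn("2024-03-01 10:01:10", "10.0.0.5", 445, "Incoming", "Private"),
    _conn("2024-03-01 10:02:10", "10.0.0.5", 445, "Incoming", "Private"),
    _conn("2024-03-01 10:03:10", "10.0.0.5", 445, "Incoming", "Private"),
    _conn("2024-03-01 10:04:10", "10.0.0.5", 445, "Incoming", "Private"),
]


def _ts(value) -> datetime:
    # pandas Timestamps already subclass datetime; plain strings need parsing.
    return value if isinstance(value, datetime) else datetime.strptime(value, TS_FMT)


def find_beacons(rows: List[Dict], min_connections: int = 5, max_jitter: float = 0.2) -> List[Dict]:
    """Flag outgoing public destinations contacted at suspiciously regular intervals.

    Groups by (RemoteIp, RemotePort, Protocol), sorts each group's connections
    by time and computes the coefficient of variation (stddev / mean) of the
    gaps between them. A beacon with a fixed sleep keeps a small CV even with
    some jitter added; interactive traffic does not.
    """
    groups: Dict[Tuple[str, int, str], List[datetime]] = defaultdict(list)
    for r in rows:
        if r["Direction"] != "Outgoing" or r["Ipv4Status"] != "Public":
            continue
        groups[(r["RemoteIp"], int(r["RemotePort"]), r["Protocol"])].append(_ts(r["DateTime"]))
    beacons = []
    for (ip, port, proto), times in groups.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # everything within the same second: a burst, not a beacon
        cv = pstdev(gaps) / avg
        if cv <= max_jitter:
            beacons.append({"RemoteIp": ip, "RemotePort": port, "Protocol": proto,
                            "Count": len(times), "MeanInterval": avg, "Jitter": cv})
    return sorted(beacons, key=lambda b: b["Jitter"])


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_CONNECTIONS):
        print(f'{b["RemoteIp"]}:{b["RemotePort"]}/{b["Protocol"]} every ~{b["MeanInterval"]:.0f}s '
              f'({b["Count"]} connections, jitter {b["Jitter"]:.2f})')
```

Querying with direction='Outgoing' and iptype='Public' does the same pre-filtering server-side; the check in the loop is kept so the function also behaves correctly on an unfiltered result.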

get_execution_tree(period: Optional[TH.Core.period.TimePeriod] = None) → pandas.core.frame.DataFrame
Obtain the execution tree for this process
Parameters

period – Query time period. Defaults to today

Returns

This process's ascendant and descendant executions as a list of Process instances.

Following columns are provided within the returned dataframe:

  • DateTime: timestamp for the operation

  • Muid: Target machine

  • LoggedUser: User that performed the logged action

  • ChildFilename: Child process (name)

  • ChildMd5: Child process (file md5 hash)

  • ChildPid: Child Process (pid)

  • ParentFilename: Parent process (name)

  • ParentMd5: Parent process (file md5 hash)

  • ParentPid: Parent Process (pid)

  • CommandLine: Command line for process creation events

  • RemoteIp: Origin IP for file creation events from remote machines

  • Operation: Operation type
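As an added example (not code from the library or from this page), the following rebuilds the parent/child structure from the flat rows documented above and renders it as an indented tree, plus a helper that walks the ascendant chain of one pid. It assumes rows in the documented column layout obtained with df.to_dict("records"), that process-creation rows carry Operation == "create", and that a pid is only unique within one Muid, so every node is keyed by (Muid, Pid); the sample rows are constructed.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample rows in the column layout documented for
# get_execution_tree() (only the columns the example needs are filled in).
# A real call returns a DataFrame; df.to_dict("records") gives this shape.
SAMPLE_TREE_ROWS: List[Dict] = [
    {"DateTime": "2024-03-01 09:12:01", "Muid": "MUID-1", "LoggedUser": "alice",
     "ParentFilename": "explorer.exe", "ParentPid": 1200,
     "ChildFilename": "winword.exe", "ChildPid": 3344,
     "CommandLine": '"winword.exe" invoice.docm', "Operation": "create"},
    {"DateTime": "2024-03-01 09:12:40", "Muid": "MUID-1", "LoggedUser": "alice",
     "ParentFilename": "winword.exe", "ParentPid": 3344,
     "ChildFilename": "cmd.exe", "ChildPid": 3390,
     "CommandLine": "cmd.exe /c powershell -enc AAAA", "Operation": "create"},
    {"DateTime": "2024-03-01 09:12:41", "Muid": "MUID-1", "LoggedUser": "alice",
     "ParentFilename": "cmd.exe", "ParentPid": 3390,
     "ChildFilename": "powershell.exe", "ChildPid": 3402,
     "CommandLine": "powershell -enc AAAA", "Operation": "create"},
    {"DateTime": "2024-03-01 09:13:05", "Muid": "MUID-1", "LoggedUser": "alice",
     "ParentFilename": "powershell.exe", "ParentPid": 3402,
     "ChildFilename": "rundll32.exe", "ChildPid": 3510,
     "CommandLine": "rundll32.exe payload.dll,Start", "Operation": "create"},
    # A different machine reusing pid 3344: must not be linked to the tree above.
    {"DateTime": "2024-03-01 09:20:00", "Muid": "MUID-2", "LoggedUser": "bob",
     "ParentFilename": "services.exe", "ParentPid": 700,
     "ChildFilename": "svchost.exe", "ChildPid": 3344,
     "CommandLine": "svchost.exe -k netsvcs", "Operation": "create"},
]

Node = Tuple[str, int]  # (Muid, Pid): a pid is only unique within one machine


def build_tree(rows: Iterable[Dict]) -> Tuple[Dict[Node, List[Dict]], List[Node]]:
    """Index process-creation rows by parent (Muid, ParentPid).

    Returns the children map plus the roots: parents that never appear as a
    child in the result set, i.e. the top of each ascendant chain.
    """
    children: Dict[Node, List[Dict]] = defaultdict(list)
    seen_as_child: Set[Node] = set()
    for row in rows:
        if row["Operation"] != "create":  # "create" assumed to mark process creation
            continue
        children[(row["Muid"], int(row["ParentPid"]))].append(row)
        seen_as_child.add((row["Muid"], int(row["ChildPid"])))
    roots = sorted(p for p in children if p not in seen_as_child)
    return children, roots


def render_tree(rows: Iterable[Dict]) -> List[str]:
    """Render the flat rows as an indented process tree, one line per process."""
    children, roots = build_tree(list(rows))
    lines: List[str] = []

    def walk(node: Node, depth: int, visited: Set[Node]) -> None:
        for row in sorted(children.get(node, []), key=lambda r: r["DateTime"]):
            child = (row["Muid"], int(row["ChildPid"]))
            lines.append("  " * depth + f'{row["ChildFilename"]} (pid {child[1]}): {row["CommandLine"]}')
            if child not in visited:  # pid reuse can make the graph cyclic; stop there
                walk(child, depth + 1, visited | {child})

    for root in roots:
        first = children[root][0]  # the root's own name only exists as a ParentFilename
        lines.append(f'[{root[0]}] {first["ParentFilename"]} (pid {root[1]})')
        walk(root, 1, {root})
    return lines


def ancestors(rows: Iterable[Dict], muid: str, pid: int) -> List[str]:
    """Ascendant chain of (muid, pid) as process names, nearest parent first."""
    parent_of = {(r["Muid"], int(r["ChildPid"])): r
                 for r in rows if r["Operation"] == "create"}
    chain, node, seen = [], (muid, int(pid)), set()
    while node in parent_of and node not in seen:
        seen.add(node)
        row = parent_of[node]
        chain.append(row["ParentFilename"])
        node = (row["Muid"], int(row["ParentPid"]))
    return chain


if __name__ == "__main__":
    print("\n".join(render_tree(SAMPLE_TREE_ROWS)))
    print("lineage of rundll32:", " <- ".join(ancestors(SAMPLE_TREE_ROWS, "MUID-1", 3510)))
```

The visited set matters on real data: pids are recycled, so a child created long after its parent exited can share a pid with an earlier ancestor and turn the tree into a cycle.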

get_executions(file: Optional[Union[str, List[str], Any, List[Any]]] = None, kind: Optional[Union[List[str], str]] = None, operation: Optional[Union[List[str], str]] = None, command: Optional[Union[List[str], str]] = None, attributes: Optional[Union[List[str], str]] = None, period: Optional[TH.Core.period.TimePeriod] = None, histogram: Optional[TH.Core.histogram.Histogram] = None) → Union[TH.Core.THCollection.THCollection, pandas.core.frame.DataFrame]
Obtain this process's actions over other processes
Parameters
  • period – Query time period. Defaults to today

  • histogram – Set if the histogram over the data is required (defaults to None)

  • file – Limit the results to those actions affecting provided file (providing File objects)

  • kind – Limit results by the application type [‘interpreter’, ‘remoteaccess’, ‘admintool’, ‘hackingtool’] or action [‘userallowed’]

  • operation – Limit results by the operation type [‘create’, ‘kill’, ‘thread’, ‘load’]

  • command – Limit results to those containing the given command line

  • attributes – Limit the results by the operation attributes (OR’ed values of [ATTR_REMOTE, ATTR_EXTERNAL, ATTR_FRESHUNKNOWN, ATTR_LANSHARED])

Available operations are:

  • create: Process creation operations

  • kill: Kill process operations

  • thread: Remote threads creation operations

  • load: Load library operations

Returns

This process's actions over processes in the period as a list of Process instances.

If histogram is required, returning values depends on the provided histogram configuration.
Otherwise, following columns are provided within the returned Process instances:
  • DateTime: timestamp for the operation

  • Muid: Target machine

  • LoggedUser: User that performed the logged action

  • ChildFilename: Child process (name)

  • ChildPath: Child process (path)

  • ChildMd5: Child process (file md5 hash)

  • ChildPid: Child Process (pid)

  • ParentFilename: Parent process (name)

  • ParentMd5: Parent process (file md5 hash)

  • ParentPid: Parent Process (pid)

  • CommandLine: Command line for process creation events

  • RemoteIp: Origin IP for file creation events from remote machines

  • Operation: Operation type

  • RemoteSession: True if action is performed from a remote session

  • External: The file came from outside the machine

  • FreshUnknown: The file is new across the Panda community

  • LanShared: The file came from outside the machine, via the local network
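As an added example (not code from the library or from this page), the following applies a few hunting rules to the rows documented above: remote thread creation (the 'thread' operation, an injection indicator), document handlers spawning interpreters, encoded PowerShell command lines, interpreters started from a remote session, and never-seen binaries that arrived from outside. It assumes rows in the documented column layout obtained with df.to_dict("records") and the operation strings listed above; the process-name sets, the regular expression and the sample rows are constructed choices, not anything the library defines. The same attribute columns are documented for get_files(), so the last two rules apply there unchanged.

```python
import re
from typing import Dict, List

# Constructed watch-lists, not exhaustive: parents whose children deserve a
# look, and the interpreters/LOLBins an attacker typically lands in.
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                     "acrord32.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
# -e / -ec / -enc / -encodedcommand followed by a long base64 blob (heuristic)
ENCODED_PS = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}")


def _row(dt: str, op: str, parent: str, child: str, cmd: str = "", **flags) -> Dict:
    """One constructed row in the column layout documented for get_executions()."""
    base = {"DateTime": dt, "Muid": "MUID-1", "LoggedUser": "alice",
            "ChildFilename": child, "ChildPath": "C:\\Windows\\" + child, "ChildMd5": "",
            "ChildPid": 0, "ParentFilename": parent, "ParentMd5": "", "ParentPid": 0,
            "CommandLine": cmd, "RemoteIp": "", "Operation": op,
            "RemoteSession": False, "External": False, "FreshUnknown": False, "LanShared": False}
    base.update(flags)
    return base


SAMPLE_EXECUTIONS: List[Dict] = [
    _row("2024-03-01 09:00:00", "create", "explorer.exe", "outlook.exe", "outlook.exe"),
    _row("2024-03-01 09:12:40", "create", "winword.exe", "powershell.exe",
         "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    _row("2024-03-01 09:12:55", "thread", "powershell.exe", "explorer.exe"),
    _row("2024-03-01 09:30:00", "create", "explorer.exe", "cmd.exe", "cmd.exe",
         RemoteSession=True),
    _row("2024-03-01 09:31:00", "create", "cmd.exe", "update.exe", "update.exe /silent",
         FreshUnknown=True, LanShared=True),
    _row("2024-03-01 09:40:00", "create", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
]


def triage_executions(rows: List[Dict]) -> List[Dict]:
    """Return the rows matching at least one hunting rule, with the reasons, by time.

    The rules refine what the server-side kind/operation/attributes filters can
    already narrow down; apply them client-side when one broad query is cheaper
    than several narrow ones.
    """
    findings = []
    for r in rows:
        parent, child = r["ParentFilename"].lower(), r["ChildFilename"].lower()
        reasons = []
        if r["Operation"] == "thread":
            reasons.append(f"remote thread created in {child} (injection candidate)")
        if r["Operation"] == "create" and parent in DOCUMENT_HANDLERS and child in INTERPRETERS:
            reasons.append(f"{parent} spawned interpreter {child}")
        if ENCODED_PS.search(r.get("CommandLine") or ""):
            reasons.append("encoded PowerShell command line")
        if r.get("RemoteSession") and child in INTERPRETERS:
            reasons.append("interpreter started from a remote session")
        if r.get("FreshUnknown") and (r.get("External") or r.get("LanShared")):
            reasons.append("never-seen binary that arrived from outside the machine")
        if reasons:
            findings.append({"DateTime": r["DateTime"], "Operation": r["Operation"],
                             "Parent": parent, "Child": child, "Reasons": reasons})
    return sorted(findings, key=lambda f: f["DateTime"])


if __name__ == "__main__":
    for f in triage_executions(SAMPLE_EXECUTIONS):
        print(f'{f["DateTime"]} {f["Parent"]} -> {f["Child"]} [{f["Operation"]}]: '
              + "; ".join(f["Reasons"]))
```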

get_file() → Any
Returns

The binary file for this process

get_files(file: Optional[Union[str, List[str], Any, List[Any]]] = None, kind: Optional[Union[List[str], str]] = None, operation: Optional[Union[List[str], str]] = None, attributes: Optional[Union[List[str], str]] = None, period: Optional[TH.Core.period.TimePeriod] = None, histogram: Optional[TH.Core.histogram.Histogram] = None) → Union[TH.Core.THCollection.THCollection, TH.Core.histogram.Histogram]
Obtain this process's actions over files
Parameters
  • period – Query time period. Defaults to today

  • histogram – Set if the histogram over the data is required (defaults to None)

  • file – Limit the results to those actions affecting provided file

  • kind – Limit results by the application type [‘interpreter’, ‘remoteaccess’, ‘admintool’, ‘hackingtool’] or action [‘userallowed’]

  • operation – Limit results by the operation type [‘create’, ‘modify’, ‘delete’, ‘rename’, ‘folder’, ‘newcmp’, ‘opencmp’, ‘access’, ‘script’]

  • attributes – Limit the results by the operation attributes (OR’ed values of [ATTR_REMOTE, ATTR_EXTERNAL, ATTR_FRESHUNKNOWN, ATTR_LANSHARED])

Available operations are:

  • create: File (PE) creation operations

  • modify: File (PE) modification operations

  • delete: File (PE) deletion operations

  • rename: File (PE) rename operations

  • folder: Folder creation operations

  • newcmp: CMP files creation operations

  • opencmp: CMP files open operations

  • access: Data access operations

  • script: Operations over non-PE / script files

Returns

This process's file actions in the period as a list of File instances.

If histogram is required, returning values depends on the provided histogram configuration.
Otherwise, following columns are provided within the returned File instances:
  • DateTime: timestamp for the operation

  • Muid: Target machine

  • LoggedUser: User that performed the logged action

  • ChildFilename: Child process (name)

  • ChildPath: Child process (path)

  • ChildMd5: Child process (file md5 hash)

  • ChildPid: Child Process (pid)

  • ParentFilename: Parent process (name)

  • ParentMd5: Parent process (file md5 hash)

  • ParentPid: Parent Process (pid)

  • CommandLine: Command line for process creation events

  • RemoteIp: Origin IP for file creation events from remote machines

  • Operation: Operation type

  • RemoteSession: True if action is performed from a remote session

  • External: The file came from outside the machine

  • FreshUnknown: The file is new across the Panda community

  • LanShared: The file came from outside the machine, via the local network

get_machine(period: Optional[TH.Core.period.TimePeriod] = None) → Any
Returns

The machine on which the process has been executed, as a Machine instance

get_parent() → Optional[Union[TH.Core.THCollection.THCollection, pandas.core.frame.DataFrame]]
Obtain parent process
get_registry(file: Optional[Union[str, List[str], Any, List[Any]]] = None, kind: Optional[Union[List[str], str]] = None, operation: Optional[Union[List[str], str]] = None, period: Optional[TH.Core.period.TimePeriod] = None, histogram: Optional[TH.Core.histogram.Histogram] = None) → Union[TH.Core.THCollection.THCollection, TH.Core.histogram.Histogram]
Obtain this process's actions over registry keys
Parameters
  • period – Query time period. Defaults to today

  • histogram – Set if the histogram over the data is required (defaults to None)

  • file – Limit the results to those actions affecting provided file

  • kind – Limit results by the application type [‘interpreter’, ‘remoteaccess’, ‘admintool’, ‘hackingtool’] or action [‘userallowed’]

  • operation – Limit results by the operation type [‘create’, ‘modify’, ‘access’]

Available operations are:

  • create: Registry key creation operations

  • modify: Registry key modification operations

Returns

This process's registry actions in the period as a list of Registry instances.

If histogram is required, returning values depends on the provided histogram configuration.
Otherwise, following columns are provided within the returned dataframe:
  • DateTime: timestamp for the operation

  • Muid: Target machine

  • LoggedUser: User that performed the logged action

  • ChildFilename: Child process (name)

  • ChildPath: Child process (path)

  • ChildMd5: Child process (file md5 hash)

  • ChildPid: Child Process (pid)

  • ParentFilename: Parent process (name)

  • ParentMd5: Parent process (file md5 hash)

  • ParentPid: Parent Process (pid)

  • CommandLine: Command line for process creation events

  • RemoteIp: Origin IP for file creation events from remote machines

  • Operation: Operation type

get_user(period: Optional[TH.Core.period.TimePeriod] = None) → Any
Returns

The user that executed this process, as a User instance

property get_time
Obtain the execution time for this process
property md5
Returns

This process md5

property name
Returns

This process name

property pid
Returns

This process pid