Edge Data¶

class orion_notebook.graph.edges.edge_data.CommunicationEdgeData(name: str = '', date_from: Optional[orion_notebook.date.OrionDate] = None, date_to: Optional[orion_notebook.date.OrionDate] = None, datetime: str = '', timestamp: str = '', md5: str = '', pid: int = 0, muid: str = '', event_label: str = '', has_blocked_action: bool = False, count: int = 1, datetimes: Optional[List[str]] = None, min_datetime: str = '', max_datetime: str = '', logged_user: str = '', remote_ip: str = '', remote_port: int = 0, direction: int = 0, hostname: str = '')¶

Bases: orion_notebook.graph.edges.edge_data.EdgeData

Represents the data associated to a CommunicationEdgeData (an edge to a communication type node)

Constructor arguments:

remote_ip (str): Remote IP of the target node (default empty)

remote_port (int): Remote port of the target node (default 0)

direction (int): Direction of the communication. Where: outgoing = 0, incoming = 1 (default 0)

min_datetime (str): Datetime of the first occurrence of this type of communication (default empty)

max_datetime (str): Datetime of the last occurrence of this type of communication (default empty)

datetimes (List[str]): All datetimes from each communication (default None)

hostname (str): Host name for the remote IP (if exists) (default empty)

direction: int = 0¶

hostname: str = ''¶

remote_ip: str = ''¶

remote_port: int = 0¶

class orion_notebook.graph.edges.edge_data.DnsOpsEdgeData(name: str = '', date_from: Optional[orion_notebook.date.OrionDate] = None, date_to: Optional[orion_notebook.date.OrionDate] = None, datetime: str = '', timestamp: str = '', md5: str = '', pid: int = 0, muid: str = '', event_label: str = '', has_blocked_action: bool = False, count: int = 1, datetimes: Optional[List[str]] = None, min_datetime: str = '', max_datetime: str = '', logged_user: str = '', failed_queries: int = 0, queried_domain_count: int = 0, domain_list: str = '', parent_filename: str = '', parent_path: str = '', event_type: str = '')¶

Bases: orion_notebook.graph.edges.edge_data.EdgeData

Represents the data associated to a DnsOpsEdge (an edge to a dns-ops type node)

Constructor arguments:

failed_queries (int): Number of failed queries

queried_domain_count (int): Number of domains affected by queries

domain_list (str): List of domains affected by queries

parent_filename (str): Parent filename

parent_path (str): Parent file path

domain_list: str = ''¶

event_type: str = ''¶

failed_queries: int = 0¶

parent_filename: str = ''¶

parent_path: str = ''¶

queried_domain_count: int = 0¶

class orion_notebook.graph.edges.edge_data.DocumentEdgeData(name: str = '', date_from: Optional[orion_notebook.date.OrionDate] = None, date_to: Optional[orion_notebook.date.OrionDate] = None, datetime: str = '', timestamp: str = '', md5: str = '', pid: int = 0, muid: str = '', event_label: str = '', has_blocked_action: bool = False, count: int = 1, datetimes: Optional[List[str]] = None, min_datetime: str = '', max_datetime: str = '', logged_user: str = '', filename: str = '', path: str = '')¶

Bases: orion_notebook.graph.edges.edge_data.EdgeData

Represents the data associated to a DocumentEdgeData (an edge to a document type node)

Constructor arguments:: filename (str): File name of the document (default empty)

filename: str = ''¶

path: str = ''¶

class orion_notebook.graph.edges.edge_data.DownloadEdgeData(name: str = '', date_from: Optional[orion_notebook.date.OrionDate] = None, date_to: Optional[orion_notebook.date.OrionDate] = None, datetime: str = '', timestamp: str = '', md5: str = '', pid: int = 0, muid: str = '', event_label: str = '', has_blocked_action: bool = False, count: int = 1, datetimes: Optional[List[str]] = None, min_datetime: str = '', max_datetime: str = '', logged_user: str = '', child_url: str = '', child_path: str = '', parent_path: str = '')¶

Bases: orion_notebook.graph.edges.edge_data.EdgeData

Represents the data associated to a DownloadEdgeData (an edge to a download type node)

Constructor arguments:

child_url (str): Url of the download event

child_path (str): Path for the process related operation in the target node

event_type (str): The type of event

child_path: str = ''¶

child_url: str = ''¶

parent_path: str = ''¶

class orion_notebook.graph.edges.edge_data.DownloadUrlEdgeData(name: str = '', date_from: Optional[orion_notebook.date.OrionDate] = None, date_to: Optional[orion_notebook.date.OrionDate] = None, datetime: str = '', timestamp: str = '', md5: str = '', pid: int = 0, muid: str = '', event_label: str = '', has_blocked_action: bool = False, count: int = 1, datetimes: Optional[List[str]] = None, min_datetime: str = '', max_datetime: str = '', logged_user: str = '', child_url: str = '', event_type: str = '')¶

Bases: orion_notebook.graph.edges.edge_data.EdgeData

Represents the data associated to a DownloadUrlEdgeData (an edge to a download-url type node)

Constructor arguments:

child_url (str): Url of the download event

event_type (str): The type of event

child_url: str = ''¶

event_type: str = ''¶

class orion_notebook.graph.edges.edge_data.EdgeData(name: str = '', date_from: Optional[orion_notebook.date.OrionDate] = None, date_to: Optional[orion_notebook.date.OrionDate] = None, datetime: str = '', timestamp: str = '', md5: str = '', pid: int = 0, muid: str = '', event_label: str = '', has_blocked_action: bool = False, count: int = 1, datetimes: Optional[List[str]] = None, min_datetime: str = '', max_datetime: str = '', logged_user: str = '')¶

Bases: object

Base class all classes related to edge data, containing common properties shared by all types of edges. Represents the data associated to any type of edge

Constructor arguments:

name (str): Name for the edge (default empty)

date_from (OrionDate): Datetime for the first occurrence of the event represented by this edge (if its a range of events)

date_to (OrionDate): Datetime for the last occurrence of the event represented by this edge (if its a range of events)

datetime (str): Datetime for the occurrence of the event represented by this edge (if only one event)

timestamp (str): TimeStamp for the occurrence of the event represented by this edge (if only one event)

md5 (str): Md5 of the target node (default empty)

pid (int): Pid of the target node (default empty)

muid (str): MUID of the machine that has this event (default empty)

event_label (str): Label that represents the action being made by the source node to the target node (default empty)

has_blocked_action (bool): If the action/event has been blocked (default False)

logged_user (str): Logged user corresponding to the event (default empty)

add_datetime(datetime: str)¶

Adds a new communication datetime to the list of datetimes from each communication

Parameters: datetime (str) – Datetime to add to the list to communication datetimes

count: int = 1¶

date_from: orion_notebook.date.OrionDate = None¶

date_to: orion_notebook.date.OrionDate = None¶

datetime: str = ''¶

datetimes: List[str] = None¶

event_label: str = ''¶

get(attr: str, default: Optional[object] = None) → object¶

Function to safely access an attribute in EdgeData instances

Parameters

attr (str) – Attribute name to attempt to retrieve
default (object) – Object to return if the attribute does not exist

Returns

The attribute value if it exists. Otherwise, None or default param if provided

Return type

object

get_timestamp_details(force_removal: bool = False)¶

Filters results in a query and returns the filtered entry

Parameters: force_removal (bool) – condition that forces exclusion of fields
Returns: A filtered list of fields
Return type: dict

has_blocked_action: bool = False¶

logged_user: str = ''¶

max_datetime: str = ''¶

md5: str = ''¶

min_datetime: str = ''¶

muid: str = ''¶

name: str = ''¶

pid: int = 0¶

timestamp: str = ''¶

class orion_notebook.graph.edges.edge_data.ProcessEdgeData(name: str = '', date_from: Optional[orion_notebook.date.OrionDate] = None, date_to: Optional[orion_notebook.date.OrionDate] = None, datetime: str = '', timestamp: str = '', md5: str = '', pid: int = 0, muid: str = '', event_label: str = '', has_blocked_action: bool = False, count: int = 1, datetimes: Optional[List[str]] = None, min_datetime: str = '', max_datetime: str = '', logged_user: str = '', operation_id: int = 0, child_md5: Optional[str] = None, parent_md5: Optional[str] = None, child_pid: Optional[int] = None, parent_pid: Optional[int] = None, parent_path: str = '', child_path: str = '', classification: str = '', action: int = '')¶

Bases: orion_notebook.graph.edges.edge_data.EdgeData

Base class for ProcessEdgeDataWithMd5 and ProcessEdgeDataWithoutMd5 containing common properties. Represents the data associated to a ProcessEdgeData (an edge to a generic process type node)

Constructor arguments:

operation_id (int): Id of the operation being made

child_md5 (str): md5 for the process related operation in the target node (default None)

parent_md5 (str): md5 for the process related operation in the source node (default None)

child_pid (str): Pid for the process related operation in the target node (default None)

parent_pid (str): Pid for the process related operation in the source node (default None)

parent_path (str): Path for the process related operation in the source node (default empty)

child_path (str): Path for the process related operation in the target node (default empty)

classification (str): Classification of the event (Goodware, Malware…) if applicable (default empty)

action (str): Action taken with the event (default empty)

action: int = ''¶

child_md5: str = None¶

child_path: str = ''¶

child_pid: int = None¶

classification: str = ''¶

operation_id: int = 0¶

parent_md5: str = None¶

parent_path: str = ''¶

parent_pid: int = None¶

class orion_notebook.graph.edges.edge_data.RegistryOpsEdgeData(name: str = '', date_from: Optional[orion_notebook.date.OrionDate] = None, date_to: Optional[orion_notebook.date.OrionDate] = None, datetime: str = '', timestamp: str = '', md5: str = '', pid: int = 0, muid: str = '', event_label: str = '', has_blocked_action: bool = False, count: int = 1, datetimes: Optional[List[str]] = None, min_datetime: str = '', max_datetime: str = '', logged_user: str = '', key: str = '', value: str = '', event_type: str = '')¶

Bases: orion_notebook.graph.edges.edge_data.EdgeData

Represents the data associated to a RegistryOpsEdge (an edge to a registry type node)

Constructor arguments:

key (str): Registry Key (default empty)

value (str): Registry Key value (default empty)

event_type (str): Event type of edge (default empty)

event_type: str = ''¶

key: str = ''¶

value: str = ''¶

class orion_notebook.graph.edges.edge_data.ScriptEdgeData(name: str = '', date_from: Optional[orion_notebook.date.OrionDate] = None, date_to: Optional[orion_notebook.date.OrionDate] = None, datetime: str = '', timestamp: str = '', md5: str = '', pid: int = 0, muid: str = '', event_label: str = '', has_blocked_action: bool = False, count: int = 1, datetimes: Optional[List[str]] = None, min_datetime: str = '', max_datetime: str = '', logged_user: str = '', path: str = '', filename: str = '', filesize: int = 0, classification: str = '')¶

Bases: orion_notebook.graph.edges.edge_data.EdgeData

Represents the data associated to a ScriptEdgeData (an edge to a script type node)

Constructor arguments:

path (str): Absolute path to the script (default empty)

filename (str): File name of the script (default empty)

filesize (int): File size of the script in bytes (default empty)

classification (str): Classification of the event (Goodware, Malware…) if applicable

classification: str = ''¶

filename: str = ''¶

filesize: int = 0¶

path: str = ''¶