Process Node¶

class orion_notebook.graph.nodes.process_node.GenericProcessNode(id: str, data: orion_notebook.graph.nodes.node_data.ProcessNodeData, operation: int, classification: str)¶

Bases: orion_notebook.graph.nodes.process_node.ProcessNode

Class that represents a node of generic process type in a Graph instance. This types of nodes represents operations of creation of processes

children_count: dict¶

get_all_activity()¶

Gets all the related nodes and edges for the GenericProcessNode instance (all type of activities), performing requests to the TH library

Returns: A tuple of list of new related activity nodes, its corresponding edges and the number of total results
Return type: Tuple[List[Node], List[Edge], int]

get_children()¶

Gets all the children related nodes and edges for the GenericProcessNode instance, performing requests to the TH library

Returns: A tuple of list of new communication nodes and its corresponding edges
Return type: Tuple[List[Node], List[Edge]]

get_communication()¶

Gets all the communication related nodes and edges for the GenericProcessNode instance, performing requests to the TH library

Returns: A tuple of list of new communication nodes and its corresponding edges
Return type: Tuple[List[Node], List[Edge]]

get_data_access()¶

Gets all the data access related nodes and edges for the GenericProcessNode instance, performing requests to the TH library

Returns: A tuple of list of new data access nodes, its corresponding edges and the number of total results
Return type: Tuple[List[Node], List[Edge], int]

get_dns_events()¶

Gets all the Dns Ops related nodes and edges for the GenericProcessNode instance, performing requests to the TH library

Returns: A tuple of list of new library load nodes, its corresponding edges and the number of total results
Return type: Tuple[List[Node], List[Edge], int]

get_download_events()¶

Gets all the download events related nodes and edges for the GenericProcessNode instance, performing requests to the TH library

Returns: A tuple of list of new download event nodes, its corresponding edges and the number of total results
Return type: Tuple[List[Node], List[Edge], int]

get_extra_details()¶: Retrieves and sets the details for the GenericProcessNode instance, performing requests to the TH library

get_library_load()¶

Gets all the library load related nodes and edges for the GenericProcessNode instance, performing requests to the TH library

Returns: A tuple of list of new library load nodes, its corresponding edges and the number of total results
Return type: Tuple[List[Node], List[Edge], int]

get_menu_options() → List[orion_notebook.graph.menu_items.MenuItem]¶

Gets the menu options (MenuItems) for a GenericProcessNode

Returns: MenuItem list representing the menu options for the node
Return type: List[MenuItem]

get_parent()¶

Gets the parent node for the GenericProcessNode instance, performing requests to the TH library (if exists)

Returns: A tuple containing the parent node, edge and datetime (if parent is found)
Return type: Tuple[Optional[Node], Optional[Edge], Optional[str]]

get_program_executable_files()¶

Gets all the PE files related nodes and edges for the GenericProcessNode instance, performing requests to the TH library

Returns: A tuple of list of new remote PE files nodes, its corresponding edges and the number of total results
Return type: Tuple[List[Node], List[Edge], int]

get_registry_ops()¶

Gets all the registry ops related nodes and edges for the GenericProcessNode instance, performing requests to the TH library and limiting its results

Returns: A tuple of list of new registry ops nodes, its corresponding edges and the number of total results
Return type: Tuple[List[Node], List[Edge], int]

get_remote_thread_creation()¶

Gets all the remote thread creation related nodes and edges for the GenericProcessNode instance, performing requests to the TH library

Returns: A tuple of list of new remote thread creation nodes, its corresponding edges and the number of total results
Return type: Tuple[List[Node], List[Edge], int]

get_script_access()¶

Gets all the script access related nodes and edges for the GenericProcessNode instance, performing requests to the TH library

Returns: A tuple of list of new script access nodes, its corresponding edges and the number of total results
Return type: Tuple[List[Node], List[Edge], int]

get_stop_protection()¶

Gets all the stop protection related nodes and edges for the GenericProcessNode instance, performing requests to the TH library

Returns: A tuple of list of new stop protection nodes, its corresponding edges and the number of total results
Return type: Tuple[List[Node], List[Edge], int]

get_zipped_files()¶

Gets all the zipped files related nodes and edges for the GenericProcessNode instance, performing requests to the TH library

Returns: A tuple of list of new zipped files nodes, its corresponding edges and the number of total results
Return type: Tuple[List[Node], List[Edge], int]

load_children_count(children_nodes_count)¶

Gets all the children related nodes count for the GenericProcessNode instance, performing requests to the TH library

Parameters: children_nodes_count (Dict) – Key-value dictionary for all repositories

class orion_notebook.graph.nodes.process_node.OperationProcessNode(id: str, data: orion_notebook.graph.nodes.node_data.ProcessNodeData, operation: int, classification: str)¶

Bases: orion_notebook.graph.nodes.process_node.ProcessNode

Class that represents a node of Process ops type with/without md5 in a Graph instance

data: orion_notebook.graph.nodes.node_data.ProcessNodeData¶

get_extra_details()¶: Retrieves and sets the details for the OperationProcessNode instance, performing requests to the TH library

class orion_notebook.graph.nodes.process_node.ProcessNode(id: str, data: orion_notebook.graph.nodes.node_data.ProcessNodeData, operation: int, classification: str)¶

Bases: orion_notebook.graph.nodes.node.Node

Class that represents a node of process type in a Graph instance. Base class for other specific types of process nodes, with common properties and functions

static create_id(path: str, pid: str) → str¶

Returns an id for the ProcessNode based in the process related path, pid and operation id

Parameters

path (str) – Path for the related process operation
pid (str) – Pid for the related process operation

Returns

Id for the ProcessNode

Return type

str

data: orion_notebook.graph.nodes.node_data.ProcessNodeData¶

load_children_count(children_nodes_count)¶

class orion_notebook.graph.nodes.process_node.ProcessNodeCreation¶

Bases: object

Class with factory method for creating new ProcessNodes regarding its operation id and its classification

static factory(id: str, data: orion_notebook.graph.nodes.node_data.ProcessNodeData, operation: int, classification: str) → orion_notebook.graph.nodes.process_node.ProcessNode ¶

Factory method that creates a new ProcessNode depending on the operation id and classification of the Node

Parameters

id (str) – Id for the ProcessNode. Should be unique
data (ProcessNodeData) – Data of the ProcessNode
operation (int) – Operation Id of the process operation
classification (str) – Classification of the Node (Goodware, Malware…) if applicable

Returns

A new ProcessNode with the provided id and data

Return type

ProcessNode

class orion_notebook.graph.nodes.process_node.RegistryProcessNode(id: str, data: orion_notebook.graph.nodes.node_data.ProcessNodeData, operation: int, classification: str)¶

Bases: orion_notebook.graph.nodes.process_node.ProcessNode

Class that represents a node of registry type in a Graph instance

data: orion_notebook.graph.nodes.node_data.ProcessNodeData¶

details: Union[dict, NodeData]¶

get_extra_details()¶: Retrieves and sets the details for the RegistryProcessNode instance, performing requests to the TH library

id: str¶

name: str¶

node_type: NodeType¶

position: dict¶