Process Tree Viewer updates
Highlights
This is a minor release with some fixes and additions that enable broader functionality.
The biggest-impacting changes apply to the Process Tree visualization.
These changes allow it to work with broader types of Windows or Linux process data:
- Removed the following columns that were previously required: host_name, logon_id, user_name, cmd_line.
- Added auto-coloring by level if no legend is supplied.
- Fixed process sorting so that tree and peer groups in the tree are sorted by level, then timestamp.
- Added ability to supply schema as dictionary to the process tree APIs.
The changes are described in more detail below.
We've also added support for a new MS Sentinel API to retrieve queries stored in a Sentinel workspace
and fixed some issues in IP WhoIs lookups.
Process Tree changes
Reduced required column set
This allows you to use the process tree visualization and utilities with a minimal set of data fields:
- process_id
- parent_id
- process_name
- time_stamp
Map these required fields to the column names in your data with a schema dictionary and pass it to the plotting accessor:

```python
cust_schema = {
    "process_name": "ImageFileName",
    "process_id": "PID",
    "parent_id": "PPID",
    "time_stamp": "CreateTime",
}
df.mp_plot.process_tree(schema=cust_schema)
```
Auto-coloring of tree plot
If you do not supply a legend_col parameter, the process objects will be automatically colored by level in the hierarchy. This makes a basic tree more colorful and easier to navigate.
Processes are correctly sorted by process time
Previously, the code that builds the process tree left individual processes in an unintuitive order.
Now, for a given level (e.g. a set of sibling processes under one parent), all of the processes are displayed in the order in which they were created.
For example:
```text
A \
  - A.1
  - A.2
B \
  - B.1
  - B.2
```
A will always have a timestamp less than or equal to B. All children of A (A.1, A.2...) and B will be shown in
time created order. However, across different levels and peer groups, there is no guarantee of time-ordering. In the above example, even though timestamp A is less than timestamp B, B.1 and B.2 could have timestamps earlier than either A.1 or A.2.
An example of the resulting tree DataFrame, indexed by proc_key and shown in tree order:

| proc_key | path | ImageFileName | CreateTime |
|---|---|---|---|
| registry\|88\|2021-04-01 05:04:54.000000 | 116/0 | Registry | 2021-04-01 05:04:54+00:00 |
| system\|4\|2021-04-01 05:04:58.000000 | 117/1 | System | 2021-04-01 05:04:58+00:00 |
| smss.exe\|404\|2021-04-01 05:04:58.000000 | 117/1/2 | smss.exe | 2021-04-01 05:04:58+00:00 |
| csrss.exe\|640\|2021-04-01 05:05:00.000000 | 118/3 | csrss.exe | 2021-04-01 05:05:00+00:00 |
| winlogon.exe\|700\|2021-04-01 05:05:00.000000 | 118/4 | winlogon.exe | 2021-04-01 05:05:00+00:00 |
| dwm.exe\|1028\|2021-04-01 05:05:02.000000 | 118/4/17 | dwm.exe | 2021-04-01 05:05:02+00:00 |
| logonui.exe\|512\|2021-04-01 05:05:02.000000 | 118/4/21 | LogonUI.exe | 2021-04-01 05:05:02+00:00 |
| fontdrvhost.ex\|960\|2021-04-01 05:05:01.000000 | 118/4/7 | fontdrvhost.ex | 2021-04-01 05:05:01+00:00 |
| wininit.exe\|632\|2021-04-01 05:05:00.000000 | 119/5 | wininit.exe | 2021-04-01 05:05:00+00:00 |
| lsass.exe\|776\|2021-04-01 05:05:01.000000 | 119/5/10 | lsass.exe | 2021-04-01 05:05:01+00:00 |
mp_plot.process_tree and mp.build_process_tree support schema as dictionary
Previously these accessors and the underlying functions plot_process_tree and build_process_tree would only accept msticpy.transform.process_tree_schema.ProcSchema instances. These will now accept dictionaries with at least the minimum required attributes as keys.
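The peer-group ordering and the dictionary schema described above, as an added example that is not msticpy's own code: a small tree builder that reads only the four required columns through a schema dictionary, sorts siblings by creation time and places each subtree directly after its parent (SCHEMA, ROWS, build_process_tree and tree_order are assumed names, and the rows are constructed sample data).

```python
from datetime import datetime

# Constructed schema: the four required logical columns mapped to the
# source's own column names (same shape as the cust_schema dict on this page).
SCHEMA = {
    "process_name": "ImageFileName",
    "process_id": "PID",
    "parent_id": "PPID",
    "time_stamp": "CreateTime",
}

# Constructed sample rows in deliberately scrambled order; none of the
# formerly required columns (host_name, logon_id, user_name, cmd_line) exist.
ROWS = [
    {"ImageFileName": "dwm.exe", "PID": 1028, "PPID": 700, "CreateTime": "2021-04-01 05:05:02"},
    {"ImageFileName": "lsass.exe", "PID": 776, "PPID": 632, "CreateTime": "2021-04-01 05:05:03"},
    {"ImageFileName": "System", "PID": 4, "PPID": 0, "CreateTime": "2021-04-01 05:04:58"},
    {"ImageFileName": "winlogon.exe", "PID": 700, "PPID": 404, "CreateTime": "2021-04-01 05:05:00"},
    {"ImageFileName": "Registry", "PID": 88, "PPID": 0, "CreateTime": "2021-04-01 05:04:54"},
    {"ImageFileName": "fontdrvhost.exe", "PID": 960, "PPID": 700, "CreateTime": "2021-04-01 05:05:01"},
    {"ImageFileName": "smss.exe", "PID": 404, "PPID": 4, "CreateTime": "2021-04-01 05:04:58"},
    {"ImageFileName": "wininit.exe", "PID": 632, "PPID": 404, "CreateTime": "2021-04-01 05:05:00"},
    {"ImageFileName": "LogonUI.exe", "PID": 512, "PPID": 700, "CreateTime": "2021-04-01 05:05:02"},
]

def build_process_tree(rows, schema):
    """Rows in display order with 'level' and 'path' added: siblings (same
    parent) sort by creation time, PID breaking ties; a subtree directly
    follows its parent, so creation-time order does not hold globally."""
    pid, ppid, ts = (schema[k] for k in ("process_id", "parent_id", "time_stamp"))
    known = {r[pid] for r in rows}
    children = {}
    for r in rows:
        # A process whose parent is missing from the data becomes a root (None).
        parent = r[ppid] if r[ppid] in known and r[ppid] != r[pid] else None
        children.setdefault(parent, []).append(r)
    by_time = lambda r: (datetime.fromisoformat(r[ts]), r[pid])
    out = []
    def walk(parent, level, prefix):
        for r in sorted(children.get(parent, []), key=by_time):
            path = f"{prefix}/{r[pid]}" if prefix else str(r[pid])
            out.append({**r, "level": level, "path": path})  # level drives auto-coloring
            walk(r[pid], level + 1, path)
    walk(None, 0, "")
    return out

def tree_order(rows, schema):
    """Process names in tree display order."""
    return [r[schema["process_name"]] for r in build_process_tree(rows, schema)]
```

In the sample, lsass.exe (created 05:05:03) is listed before fontdrvhost.exe (05:05:01) because it belongs to the earlier sibling's subtree, which is the cross-group caveat the notes describe.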
What's Changed
- Sentinel - Return all saved queries by @petebryan in #519
- Bump readthedocs-sphinx-ext from 2.1.8 to 2.1.9 by @dependabot in #507
- Bump respx from 0.19.2 to 0.20.0 by @dependabot in #512
- Allow process tree to work with more data sources. by @ianhelle in #513
- Fixed error in cell using non-existing column name by @ianhelle in #527
- Ianhelle/proc tree fixes 2022 09 16 by @ianhelle in #530
- Fixed issue with whois lookups on only local IPs by @petebryan in #506
Full Changelog: v2.1.2...v2.1.3