Notebooklet Class - LogonSessionsRarity

Calculates the relative rarity of logon sessions.

It clusters the data based on process, command line and account.

Then calculates the rarity of the process pattern.

Then returns a result containing a summary of the logon sessions by rarity.

To see the methods available for the class and result class, run

cls.list_methods()

Default Options

None

Other Options

None

---

Display Sections

Calculate process rarity statistics for logon sessions

This first transforms the input data into features suitable for a clustering algorithm. It then clusters the data based on process, command line and account and calculates the rarity of the process pattern. It returns a result containing a summary of the logon sessions along with full results of the clustering. Methods available to view this data graphically include - list_sessions_by_rarity - table of sessions ordered by degree of rarity - plot_sessions_by_rarity - timeline plot of processes grouped by account and showing relative rarity of each process. - process_tree - a process tree of all processes or processes belonging to a single account.

---

Results Class

LogonSessionsRarityResult

Logon Sessions rarity.

Attributes

• process_clusters : pd.DataFrame

  Process clusters based on account, process, commandline and showing the an example process from each cluster
• processes_with_cluster : pd.DataFrame

  Merged data with rarity value assigned to each process event.
• session_rarity: pd.DataFrame

  List of sessions with averaged process rarity.

---

Methods

Instance Methods

__init__

__init__(self, **kwargs)

Initialize instance of LogonSessionRarity.

browse_events

browse_events(self)

Browse the events by logon session.

list_sessions_by_rarity

list_sessions_by_rarity(self)

Display sessions by process rarity.

plot_sessions_by_rarity

plot_sessions_by_rarity(self)

Display timeline plot of processes by rarity.

process_tree

process_tree(self, account: Optional[str] = None, session: Optional[str] = None)

View a process tree of current session.

run

run(self, value: Any = None, data: Optional[pandas.core.frame.DataFrame] = None, timespan: Optional[msticpy.common.timespan.TimeSpan] = None, options: Optional[Iterable[str]] = None, **kwargs) -> msticnb.nb.azsent.host.logon_session_rarity.LogonSessionsRarityResult

Calculate Logon sessions ordered by process rarity summary.

Inherited methods

check_table_exists

check_table_exists(self, table: str) -> bool

Check to see if the table exists in the provider.

check_valid_result_data

check_valid_result_data(self, attrib: str = None, silent: bool = False) -> bool

Check that the result is valid and attrib contains data.

get_methods

get_methods(self) -> Dict[str, Callable[[Any], Any]]

Return methods available for this class.

get_pivot_run

get_pivot_run(self, get_timespan: Callable[[], msticpy.common.timespan.TimeSpan])

Return Pivot-wrappable run function.

get_provider

get_provider(self, provider_name: str)

Return data provider for the specified name.

list_methods

list_methods(self) -> List[str]

Return list of methods with descriptions.

run_nb_func

run_nb_func(self, nb_func: Union[str, msticnb.notebooklet_func.NBFunc], **kwargs)

Run the notebooklet function and return the results.

run_nb_funcs

run_nb_funcs(self)

Run all notebooklet functions defined for the notebooklet.

Other Methods

add_nb_function

add_nb_function(nb_func: Union[str, msticnb.notebooklet_func.NBFunc], **kwargs)

Add a notebooklet function to the class.

all_options

all_options() -> List[str]

Return supported options for Notebooklet run function.

default_options

default_options() -> List[str]

Return default options for Notebooklet run function.

description

description() -> str

Return description of the Notebooklet.

entity_types

entity_types() -> List[str]

Entity types supported by the notebooklet.

get_help

get_help(fmt=’html’) -> str

Return HTML document for class.

get_settings

get_settings(print_settings=True) -> Optional[str]

Print or return metadata for class.

import_cell

import_cell()

Import the text of this module into a new cell.

keywords

keywords() -> List[str]

Return search keywords for Notebooklet.

list_options

list_options() -> str

Return options document for Notebooklet run function.

match_terms

match_terms(search_terms: str) -> Tuple[bool, int]

Search class definition for search_terms.

name

name() -> str

Return name of the Notebooklet.

print_options

print_options()

Print options for Notebooklet run function.

result

result [property] Return result of the most recent notebooklet run.

show_help

show_help()

Display Documentation for class.

silent

silent [property] Get the current instance setting for silent running.

<hr>

run function documentation

Calculate Logon sessions ordered by process rarity summary.

Parameters

valuestr

Not used

dataOptional[pd.DataFrame], optional

Process event data.

timespanTimeSpan

Not used

optionsOptional[Iterable[str]], optional

List of options to use, by default None. A value of None means use default options. Options prefixed with “+” will be added to the default options. To see the list of available options type help(cls) where “cls” is the notebooklet class or an instance of this class.

Returns

LogonSessionsRarityResult

LogonSessionsRarityResult.

Raises

MsticnbMissingParameterError

If required parameters are missing

Default Options

None

Other Options

None