{ "cells": [ { "cell_type": "markdown", "id": "4074bec6-15e2-4a0f-b177-d1c8b58e2794", "metadata": {}, "source": [ "# LocalOsquery Data Provider" ] }, { "cell_type": "markdown", "id": "94d3bef5-29f1-4073-944a-17f8c398d185", "metadata": {}, "source": [ "https://msticpy.readthedocs.io/en/v1.1.0/data_acquisition/DataProviders.html#using-local-data-the-localdata-provider" ] }, { "cell_type": "markdown", "id": "27b49194-ad13-44f1-87b2-950b9a79b25e", "metadata": {}, "source": [ "## Imports" ] }, { "cell_type": "code", "execution_count": 1, "id": "8fd33393-740d-403a-98a1-419c8bbb6b9f", "metadata": {}, "outputs": [ { "data": { "text/html": [ "\n", "This product includes GeoLite2 data created by MaxMind, available from\n", "https://www.maxmind.com.\n" ], "text/plain": [ "" ] }, "metadata": {}, "output_type": "display_data" }, { "name": "stdout", "output_type": "stream", "text": [ "Imports Complete\n" ] } ], "source": [ "# Check that the active kernel is running Python 3.6 or later\n", "import sys\n", "MIN_REQ_PYTHON = (3,6)\n", "if sys.version_info < MIN_REQ_PYTHON:\n", " print('Check the Kernel->Change Kernel menu and ensure that Python 3.6')\n", " print('or later is selected as the active kernel.')\n", " sys.exit(\"Python %s.%s or later is required.\\n\" % MIN_REQ_PYTHON)\n", "\n", "# imports\n", "import json\n", "import yaml\n", "import msticpy.nbtools as nbtools\n", "\n", "# data library imports\n", "from msticpy.data.data_providers import QueryProvider\n", "import msticpy.nbtools as mas\n", "\n", "print('Imports Complete')" ] }, { "cell_type": "markdown", "id": "4e217fc3-1c95-471e-81c9-f9a1e76563e6", "metadata": {}, "source": [ "## Variables" ] }, { "cell_type": "code", "execution_count": 2, "id": "f535e335-0732-4053-bdfe-1155c7a4a983", "metadata": {}, "outputs": [], "source": [ "# directory containing osqueryd.results.log or other *.log files\n", "# Tested with a single file (osqueryd.results.log) and with two files (osqueryd.results.log + osqueryd.snapshots.log)\n", "datadir = \"/path/to/var/log/osquery\"\n", "# 
directory with queries yaml file\n", "query_path = \"/path/to\"" ] }, { "cell_type": "markdown", "id": "cffc9da9-c97e-47b7-975a-5c64cd880169", "metadata": {}, "source": [ "## Load Data" ] }, { "cell_type": "code", "execution_count": 3, "id": "ad5cf782-2125-4b6b-be20-5425abe891a1", "metadata": {}, "outputs": [], "source": [ "# Specify path to look for data files\n", "data_path = datadir\n", "qry_prov = QueryProvider(\"LocalOsquery\",\n", " data_paths=[data_path],\n", " query_paths=[query_path]\n", " )" ] }, { "cell_type": "code", "execution_count": 4, "id": "22d00318-7269-401b-88d3-078d3fa47e17", "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "{'pack_osquery-custom-pack2_processes': {'name': 'object', 'hostIdentifier': 'object', 'calendarTime': 'object', 'unixTime': 'datetime64[ns]', 'epoch': 'int64', 'counter': 'int64', 'numerics': 'bool', 'action': 'object', 'decorations_host_uuid': 'object', 'decorations_username': 'object', 'columns_cmdline': 'object', 'columns_euid': 'object', 'columns_name': 'object', 'columns_parent': 'object', 'columns_path': 'object', 'columns_pcmdline': 'object', 'columns_pid': 'object', 'columns_uid': 'object', 'columns_username': 'object'}, 'pack_osquery-custom-pack2_process_binding_to_ports': {'name': 'object', 'hostIdentifier': 'object', 'calendarTime': 'object', 'unixTime': 'datetime64[ns]', 'epoch': 'int64', 'counter': 'int64', 'numerics': 'bool', 'action': 'object', 'decorations_host_uuid': 'object', 'decorations_username': 'object', 'columns_name': 'object', 'columns_pid': 'object', 'columns_port': 'object', 'columns_protocol': 'object'}, 'pack_osquery-monitoring_osquery_info': {'name': 'object', 'hostIdentifier': 'object', 'calendarTime': 'object', 'unixTime': 'datetime64[ns]', 'epoch': 'int64', 'counter': 'int64', 'numerics': 'bool', 'action': 'object', 'decorations_host_uuid': 'object', 'decorations_username': 'object', 'columns_pid': 'object', 'columns_build_distro': 'object', 
'columns_build_platform': 'object', 'columns_config_hash': 'object', 'columns_config_valid': 'object', 'columns_counter': 'object', 'columns_extensions': 'object', 'columns_instance_id': 'object', 'columns_platform_mask': 'object', 'columns_resident_size': 'object', 'columns_start_time': 'object', 'columns_system_time': 'object', 'columns_user_time': 'object', 'columns_uuid': 'object', 'columns_version': 'object', 'columns_watcher': 'object'}, 'pack_osquery-custom-pack2_outbound_connections': {'name': 'object', 'hostIdentifier': 'object', 'calendarTime': 'object', 'unixTime': 'datetime64[ns]', 'epoch': 'int64', 'counter': 'int64', 'numerics': 'bool', 'action': 'object', 'decorations_host_uuid': 'object', 'decorations_username': 'object', 'columns_cmdline': 'object', 'columns_name': 'object', 'columns_path': 'object', 'columns_pcmdline': 'object', 'columns_pid': 'object', 'columns_username': 'object', 'columns_local_port': 'object', 'columns_md5': 'object', 'columns_remote_address': 'object', 'columns_remote_port': 'object'}, 'pack_incident-response_mounts': {'name': 'object', 'hostIdentifier': 'object', 'calendarTime': 'object', 'unixTime': 'datetime64[ns]', 'epoch': 'int64', 'counter': 'int64', 'numerics': 'bool', 'action': 'object', 'decorations_host_uuid': 'object', 'decorations_username': 'object', 'columns_path': 'object', 'columns_blocks': 'object', 'columns_blocks_available': 'object', 'columns_blocks_free': 'object', 'columns_blocks_size': 'object', 'columns_device': 'object', 'columns_device_alias': 'object', 'columns_flags': 'object', 'columns_inodes': 'object', 'columns_inodes_free': 'object', 'columns_type': 'object'}, 'pack_osquery-custom-pack2_process_env': {'name': 'object', 'hostIdentifier': 'object', 'calendarTime': 'object', 'unixTime': 'datetime64[ns]', 'epoch': 'int64', 'counter': 'int64', 'numerics': 'bool', 'action': 'object', 'decorations_host_uuid': 'object', 'decorations_username': 'object', 'columns_cmdline': 'object', 'columns_pid': 
'object', 'columns_key': 'object', 'columns_value': 'object'}, 'pack_incident-response_listening_ports': {'name': 'object', 'hostIdentifier': 'object', 'calendarTime': 'object', 'unixTime': 'datetime64[ns]', 'epoch': 'int64', 'counter': 'int64', 'numerics': 'bool', 'action': 'object', 'decorations_host_uuid': 'object', 'decorations_username': 'object', 'columns_path': 'object', 'columns_pid': 'object', 'columns_port': 'object', 'columns_protocol': 'object', 'columns_address': 'object', 'columns_family': 'object', 'columns_fd': 'object', 'columns_net_namespace': 'object', 'columns_socket': 'object'}, 'pack_osquery-monitoring_schedule': {'name': 'object', 'hostIdentifier': 'object', 'calendarTime': 'object', 'unixTime': 'datetime64[ns]', 'epoch': 'int64', 'counter': 'int64', 'numerics': 'bool', 'action': 'object', 'decorations_host_uuid': 'object', 'decorations_username': 'object', 'columns_name': 'object', 'columns_average_memory': 'object', 'columns_avg_system_time': 'object', 'columns_avg_user_time': 'object', 'columns_denylisted': 'object', 'columns_executions': 'object', 'columns_interval': 'object', 'columns_last_executed': 'object', 'columns_output_size': 'object', 'columns_wall_time': 'object'}, 'pack_incident-response_process_env': {'name': 'object', 'hostIdentifier': 'object', 'calendarTime': 'object', 'unixTime': 'datetime64[ns]', 'epoch': 'int64', 'counter': 'int64', 'numerics': 'bool', 'action': 'object', 'decorations_host_uuid': 'object', 'decorations_username': 'object', 'columns_pid': 'object', 'columns_key': 'object', 'columns_value': 'object'}, 'fim': {'name': 'object', 'hostIdentifier': 'object', 'calendarTime': 'object', 'unixTime': 'datetime64[ns]', 'epoch': 'int64', 'counter': 'int64', 'numerics': 'bool', 'action': 'object', 'decorations_host_uuid': 'object', 'decorations_username': 'object', 'columns_uid': 'object', 'columns_username': 'object', 'columns_md5': 'object', 'columns_action': 'object', 'columns_atime': 'datetime64[ns]', 
'columns_category': 'object', 'columns_ctime': 'datetime64[ns]', 'columns_mode': 'object', 'columns_mtime': 'datetime64[ns]', 'columns_sha256': 'object', 'columns_size': 'object', 'columns_target_path': 'object', 'columns_time': 'datetime64[ns]'}, 'pack_incident-response_open_files': {'name': 'object', 'hostIdentifier': 'object', 'calendarTime': 'object', 'unixTime': 'datetime64[ns]', 'epoch': 'int64', 'counter': 'int64', 'numerics': 'bool', 'action': 'object', 'decorations_host_uuid': 'object', 'decorations_username': 'object', 'columns_path': 'object', 'columns_pid': 'object'}, 'pack_incident-response_last': {'name': 'object', 'hostIdentifier': 'object', 'calendarTime': 'object', 'unixTime': 'datetime64[ns]', 'epoch': 'int64', 'counter': 'int64', 'numerics': 'bool', 'action': 'object', 'decorations_host_uuid': 'object', 'decorations_username': 'object', 'columns_pid': 'object', 'columns_username': 'object', 'columns_type': 'object', 'columns_time': 'datetime64[ns]', 'columns_host': 'object', 'columns_tty': 'object', 'columns_type_name': 'object'}, 'pack_incident-response_logged_in_users': {'name': 'object', 'hostIdentifier': 'object', 'calendarTime': 'object', 'unixTime': 'datetime64[ns]', 'epoch': 'int64', 'counter': 'int64', 'numerics': 'bool', 'action': 'object', 'decorations_host_uuid': 'object', 'decorations_username': 'object', 'columns_cmdline': 'object', 'columns_name': 'object', 'columns_pid': 'object', 'columns_type': 'object', 'columns_time': 'datetime64[ns]', 'columns_host': 'object', 'columns_tty': 'object', 'columns_cwd': 'object', 'columns_root': 'object', 'columns_user': 'object'}, 'pack_osquery-custom-pack2_known_hosts': {'name': 'object', 'hostIdentifier': 'object', 'calendarTime': 'object', 'unixTime': 'datetime64[ns]', 'epoch': 'int64', 'counter': 'int64', 'numerics': 'bool', 'action': 'object', 'decorations_host_uuid': 'object', 'decorations_username': 'object', 'columns_uid': 'object', 'columns_key': 'object', 'columns_key_file': 'object'}, 
'pack_incident-response_process_memory': {'name': 'object', 'hostIdentifier': 'object', 'calendarTime': 'object', 'unixTime': 'datetime64[ns]', 'epoch': 'int64', 'counter': 'int64', 'numerics': 'bool', 'action': 'object', 'decorations_host_uuid': 'object', 'decorations_username': 'object', 'columns_path': 'object', 'columns_pid': 'object', 'columns_device': 'object', 'columns_end': 'object', 'columns_inode': 'object', 'columns_offset': 'object', 'columns_permissions': 'object', 'columns_pseudo': 'object', 'columns_start': 'object'}, 'pack_vuln-management_deb_packages': {'name': 'object', 'hostIdentifier': 'object', 'calendarTime': 'object', 'unixTime': 'datetime64[ns]', 'epoch': 'int64', 'counter': 'int64', 'numerics': 'bool', 'action': 'object', 'decorations_host_uuid': 'object', 'decorations_username': 'object', 'columns_name': 'object', 'columns_version': 'object', 'columns_size': 'object', 'columns_admindir': 'object', 'columns_arch': 'object', 'columns_maintainer': 'object', 'columns_priority': 'object', 'columns_revision': 'object', 'columns_section': 'object', 'columns_source': 'object', 'columns_status': 'object'}, 'pack_incident-response_shell_history': {'name': 'object', 'hostIdentifier': 'object', 'calendarTime': 'object', 'unixTime': 'datetime64[ns]', 'epoch': 'int64', 'counter': 'int64', 'numerics': 'bool', 'action': 'object', 'decorations_host_uuid': 'object', 'decorations_username': 'object', 'columns_uid': 'object', 'columns_username': 'object', 'columns_uuid': 'object', 'columns_time': 'datetime64[ns]', 'columns_command': 'object', 'columns_description': 'object', 'columns_directory': 'object', 'columns_gid': 'object', 'columns_gid_signed': 'object', 'columns_history_file': 'object', 'columns_shell': 'object', 'columns_uid_signed': 'object'}}\n", "CPU times: user 2min 45s, sys: 602 ms, total: 2min 46s\n", "Wall time: 2min 49s\n" ] } ], "source": [ "%%time\n", "# Show the schema of the data files read in\n", "# Slow: reading the schema can take minutes even for a log file of ~1MB (see the timing output)\n", 
"print(qry_prov.schema)" ] }, { "cell_type": "code", "execution_count": 5, "id": "9f8a0b5c-2c86-4c70-9a0c-bb759045f9b1", "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "{\n", " \"pack_osquery-custom-pack2_processes\": {\n", " \"name\": \"object\",\n", " \"hostIdentifier\": \"object\",\n", " \"calendarTime\": \"object\",\n", " \"unixTime\": \"datetime64[ns]\",\n", " \"epoch\": \"int64\",\n", " \"counter\": \"int64\",\n", " \"numerics\": \"bool\",\n", " \"action\": \"object\",\n", " \"decorations_host_uuid\": \"object\",\n", " \"decorations_username\": \"object\",\n", " \"columns_cmdline\": \"object\",\n", " \"columns_euid\": \"object\",\n", " \"columns_name\": \"object\",\n", " \"columns_parent\": \"object\",\n", " \"columns_path\": \"object\",\n", " \"columns_pcmdline\": \"object\",\n", " \"columns_pid\": \"object\",\n", " \"columns_uid\": \"object\",\n", " \"columns_username\": \"object\"\n", " },\n", " \"pack_osquery-custom-pack2_process_binding_to_ports\": {\n", " \"name\": \"object\",\n", " \"hostIdentifier\": \"object\",\n", " \"calendarTime\": \"object\",\n", " \"unixTime\": \"datetime64[ns]\",\n", " \"epoch\": \"int64\",\n", " \"counter\": \"int64\",\n", " \"numerics\": \"bool\",\n", " \"action\": \"object\",\n", " \"decorations_host_uuid\": \"object\",\n", " \"decorations_username\": \"object\",\n", " \"columns_name\": \"object\",\n", " \"columns_pid\": \"object\",\n", " \"columns_port\": \"object\",\n", " \"columns_protocol\": \"object\"\n", " },\n", " \"pack_osquery-monitoring_osquery_info\": {\n", " \"name\": \"object\",\n", " \"hostIdentifier\": \"object\",\n", " \"calendarTime\": \"object\",\n", " \"unixTime\": \"datetime64[ns]\",\n", " \"epoch\": \"int64\",\n", " \"counter\": \"int64\",\n", " \"numerics\": \"bool\",\n", " \"action\": \"object\",\n", " \"decorations_host_uuid\": \"object\",\n", " \"decorations_username\": \"object\",\n", " \"columns_pid\": \"object\",\n", " \"columns_build_distro\": \"object\",\n", 
" \"columns_build_platform\": \"object\",\n", " \"columns_config_hash\": \"object\",\n", " \"columns_config_valid\": \"object\",\n", " \"columns_counter\": \"object\",\n", " \"columns_extensions\": \"object\",\n", " \"columns_instance_id\": \"object\",\n", " \"columns_platform_mask\": \"object\",\n", " \"columns_resident_size\": \"object\",\n", " \"columns_start_time\": \"object\",\n", " \"columns_system_time\": \"object\",\n", " \"columns_user_time\": \"object\",\n", " \"columns_uuid\": \"object\",\n", " \"columns_version\": \"object\",\n", " \"columns_watcher\": \"object\"\n", " },\n", " \"pack_osquery-custom-pack2_outbound_connections\": {\n", " \"name\": \"object\",\n", " \"hostIdentifier\": \"object\",\n", " \"calendarTime\": \"object\",\n", " \"unixTime\": \"datetime64[ns]\",\n", " \"epoch\": \"int64\",\n", " \"counter\": \"int64\",\n", " \"numerics\": \"bool\",\n", " \"action\": \"object\",\n", " \"decorations_host_uuid\": \"object\",\n", " \"decorations_username\": \"object\",\n", " \"columns_cmdline\": \"object\",\n", " \"columns_name\": \"object\",\n", " \"columns_path\": \"object\",\n", " \"columns_pcmdline\": \"object\",\n", " \"columns_pid\": \"object\",\n", " \"columns_username\": \"object\",\n", " \"columns_local_port\": \"object\",\n", " \"columns_md5\": \"object\",\n", " \"columns_remote_address\": \"object\",\n", " \"columns_remote_port\": \"object\"\n", " },\n", " \"pack_incident-response_mounts\": {\n", " \"name\": \"object\",\n", " \"hostIdentifier\": \"object\",\n", " \"calendarTime\": \"object\",\n", " \"unixTime\": \"datetime64[ns]\",\n", " \"epoch\": \"int64\",\n", " \"counter\": \"int64\",\n", " \"numerics\": \"bool\",\n", " \"action\": \"object\",\n", " \"decorations_host_uuid\": \"object\",\n", " \"decorations_username\": \"object\",\n", " \"columns_path\": \"object\",\n", " \"columns_blocks\": \"object\",\n", " \"columns_blocks_available\": \"object\",\n", " \"columns_blocks_free\": \"object\",\n", " \"columns_blocks_size\": 
\"object\",\n", " \"columns_device\": \"object\",\n", " \"columns_device_alias\": \"object\",\n", " \"columns_flags\": \"object\",\n", " \"columns_inodes\": \"object\",\n", " \"columns_inodes_free\": \"object\",\n", " \"columns_type\": \"object\"\n", " },\n", " \"pack_osquery-custom-pack2_process_env\": {\n", " \"name\": \"object\",\n", " \"hostIdentifier\": \"object\",\n", " \"calendarTime\": \"object\",\n", " \"unixTime\": \"datetime64[ns]\",\n", " \"epoch\": \"int64\",\n", " \"counter\": \"int64\",\n", " \"numerics\": \"bool\",\n", " \"action\": \"object\",\n", " \"decorations_host_uuid\": \"object\",\n", " \"decorations_username\": \"object\",\n", " \"columns_cmdline\": \"object\",\n", " \"columns_pid\": \"object\",\n", " \"columns_key\": \"object\",\n", " \"columns_value\": \"object\"\n", " },\n", " \"pack_incident-response_listening_ports\": {\n", " \"name\": \"object\",\n", " \"hostIdentifier\": \"object\",\n", " \"calendarTime\": \"object\",\n", " \"unixTime\": \"datetime64[ns]\",\n", " \"epoch\": \"int64\",\n", " \"counter\": \"int64\",\n", " \"numerics\": \"bool\",\n", " \"action\": \"object\",\n", " \"decorations_host_uuid\": \"object\",\n", " \"decorations_username\": \"object\",\n", " \"columns_path\": \"object\",\n", " \"columns_pid\": \"object\",\n", " \"columns_port\": \"object\",\n", " \"columns_protocol\": \"object\",\n", " \"columns_address\": \"object\",\n", " \"columns_family\": \"object\",\n", " \"columns_fd\": \"object\",\n", " \"columns_net_namespace\": \"object\",\n", " \"columns_socket\": \"object\"\n", " },\n", " \"pack_osquery-monitoring_schedule\": {\n", " \"name\": \"object\",\n", " \"hostIdentifier\": \"object\",\n", " \"calendarTime\": \"object\",\n", " \"unixTime\": \"datetime64[ns]\",\n", " \"epoch\": \"int64\",\n", " \"counter\": \"int64\",\n", " \"numerics\": \"bool\",\n", " \"action\": \"object\",\n", " \"decorations_host_uuid\": \"object\",\n", " \"decorations_username\": \"object\",\n", " \"columns_name\": \"object\",\n", " 
\"columns_average_memory\": \"object\",\n", " \"columns_avg_system_time\": \"object\",\n", " \"columns_avg_user_time\": \"object\",\n", " \"columns_denylisted\": \"object\",\n", " \"columns_executions\": \"object\",\n", " \"columns_interval\": \"object\",\n", " \"columns_last_executed\": \"object\",\n", " \"columns_output_size\": \"object\",\n", " \"columns_wall_time\": \"object\"\n", " },\n", " \"pack_incident-response_process_env\": {\n", " \"name\": \"object\",\n", " \"hostIdentifier\": \"object\",\n", " \"calendarTime\": \"object\",\n", " \"unixTime\": \"datetime64[ns]\",\n", " \"epoch\": \"int64\",\n", " \"counter\": \"int64\",\n", " \"numerics\": \"bool\",\n", " \"action\": \"object\",\n", " \"decorations_host_uuid\": \"object\",\n", " \"decorations_username\": \"object\",\n", " \"columns_pid\": \"object\",\n", " \"columns_key\": \"object\",\n", " \"columns_value\": \"object\"\n", " },\n", " \"fim\": {\n", " \"name\": \"object\",\n", " \"hostIdentifier\": \"object\",\n", " \"calendarTime\": \"object\",\n", " \"unixTime\": \"datetime64[ns]\",\n", " \"epoch\": \"int64\",\n", " \"counter\": \"int64\",\n", " \"numerics\": \"bool\",\n", " \"action\": \"object\",\n", " \"decorations_host_uuid\": \"object\",\n", " \"decorations_username\": \"object\",\n", " \"columns_uid\": \"object\",\n", " \"columns_username\": \"object\",\n", " \"columns_md5\": \"object\",\n", " \"columns_action\": \"object\",\n", " \"columns_atime\": \"datetime64[ns]\",\n", " \"columns_category\": \"object\",\n", " \"columns_ctime\": \"datetime64[ns]\",\n", " \"columns_mode\": \"object\",\n", " \"columns_mtime\": \"datetime64[ns]\",\n", " \"columns_sha256\": \"object\",\n", " \"columns_size\": \"object\",\n", " \"columns_target_path\": \"object\",\n", " \"columns_time\": \"datetime64[ns]\"\n", " },\n", " \"pack_incident-response_open_files\": {\n", " \"name\": \"object\",\n", " \"hostIdentifier\": \"object\",\n", " \"calendarTime\": \"object\",\n", " \"unixTime\": \"datetime64[ns]\",\n", " 
\"epoch\": \"int64\",\n", " \"counter\": \"int64\",\n", " \"numerics\": \"bool\",\n", " \"action\": \"object\",\n", " \"decorations_host_uuid\": \"object\",\n", " \"decorations_username\": \"object\",\n", " \"columns_path\": \"object\",\n", " \"columns_pid\": \"object\"\n", " },\n", " \"pack_incident-response_last\": {\n", " \"name\": \"object\",\n", " \"hostIdentifier\": \"object\",\n", " \"calendarTime\": \"object\",\n", " \"unixTime\": \"datetime64[ns]\",\n", " \"epoch\": \"int64\",\n", " \"counter\": \"int64\",\n", " \"numerics\": \"bool\",\n", " \"action\": \"object\",\n", " \"decorations_host_uuid\": \"object\",\n", " \"decorations_username\": \"object\",\n", " \"columns_pid\": \"object\",\n", " \"columns_username\": \"object\",\n", " \"columns_type\": \"object\",\n", " \"columns_time\": \"datetime64[ns]\",\n", " \"columns_host\": \"object\",\n", " \"columns_tty\": \"object\",\n", " \"columns_type_name\": \"object\"\n", " },\n", " \"pack_incident-response_logged_in_users\": {\n", " \"name\": \"object\",\n", " \"hostIdentifier\": \"object\",\n", " \"calendarTime\": \"object\",\n", " \"unixTime\": \"datetime64[ns]\",\n", " \"epoch\": \"int64\",\n", " \"counter\": \"int64\",\n", " \"numerics\": \"bool\",\n", " \"action\": \"object\",\n", " \"decorations_host_uuid\": \"object\",\n", " \"decorations_username\": \"object\",\n", " \"columns_cmdline\": \"object\",\n", " \"columns_name\": \"object\",\n", " \"columns_pid\": \"object\",\n", " \"columns_type\": \"object\",\n", " \"columns_time\": \"datetime64[ns]\",\n", " \"columns_host\": \"object\",\n", " \"columns_tty\": \"object\",\n", " \"columns_cwd\": \"object\",\n", " \"columns_root\": \"object\",\n", " \"columns_user\": \"object\"\n", " },\n", " \"pack_osquery-custom-pack2_known_hosts\": {\n", " \"name\": \"object\",\n", " \"hostIdentifier\": \"object\",\n", " \"calendarTime\": \"object\",\n", " \"unixTime\": \"datetime64[ns]\",\n", " \"epoch\": \"int64\",\n", " \"counter\": \"int64\",\n", " \"numerics\": 
\"bool\",\n", " \"action\": \"object\",\n", " \"decorations_host_uuid\": \"object\",\n", " \"decorations_username\": \"object\",\n", " \"columns_uid\": \"object\",\n", " \"columns_key\": \"object\",\n", " \"columns_key_file\": \"object\"\n", " },\n", " \"pack_incident-response_process_memory\": {\n", " \"name\": \"object\",\n", " \"hostIdentifier\": \"object\",\n", " \"calendarTime\": \"object\",\n", " \"unixTime\": \"datetime64[ns]\",\n", " \"epoch\": \"int64\",\n", " \"counter\": \"int64\",\n", " \"numerics\": \"bool\",\n", " \"action\": \"object\",\n", " \"decorations_host_uuid\": \"object\",\n", " \"decorations_username\": \"object\",\n", " \"columns_path\": \"object\",\n", " \"columns_pid\": \"object\",\n", " \"columns_device\": \"object\",\n", " \"columns_end\": \"object\",\n", " \"columns_inode\": \"object\",\n", " \"columns_offset\": \"object\",\n", " \"columns_permissions\": \"object\",\n", " \"columns_pseudo\": \"object\",\n", " \"columns_start\": \"object\"\n", " },\n", " \"pack_vuln-management_deb_packages\": {\n", " \"name\": \"object\",\n", " \"hostIdentifier\": \"object\",\n", " \"calendarTime\": \"object\",\n", " \"unixTime\": \"datetime64[ns]\",\n", " \"epoch\": \"int64\",\n", " \"counter\": \"int64\",\n", " \"numerics\": \"bool\",\n", " \"action\": \"object\",\n", " \"decorations_host_uuid\": \"object\",\n", " \"decorations_username\": \"object\",\n", " \"columns_name\": \"object\",\n", " \"columns_version\": \"object\",\n", " \"columns_size\": \"object\",\n", " \"columns_admindir\": \"object\",\n", " \"columns_arch\": \"object\",\n", " \"columns_maintainer\": \"object\",\n", " \"columns_priority\": \"object\",\n", " \"columns_revision\": \"object\",\n", " \"columns_section\": \"object\",\n", " \"columns_source\": \"object\",\n", " \"columns_status\": \"object\"\n", " },\n", " \"pack_incident-response_shell_history\": {\n", " \"name\": \"object\",\n", " \"hostIdentifier\": \"object\",\n", " \"calendarTime\": \"object\",\n", " \"unixTime\": 
\"datetime64[ns]\",\n", " \"epoch\": \"int64\",\n", " \"counter\": \"int64\",\n", " \"numerics\": \"bool\",\n", " \"action\": \"object\",\n", " \"decorations_host_uuid\": \"object\",\n", " \"decorations_username\": \"object\",\n", " \"columns_uid\": \"object\",\n", " \"columns_username\": \"object\",\n", " \"columns_uuid\": \"object\",\n", " \"columns_time\": \"datetime64[ns]\",\n", " \"columns_command\": \"object\",\n", " \"columns_description\": \"object\",\n", " \"columns_directory\": \"object\",\n", " \"columns_gid\": \"object\",\n", " \"columns_gid_signed\": \"object\",\n", " \"columns_history_file\": \"object\",\n", " \"columns_shell\": \"object\",\n", " \"columns_uid_signed\": \"object\"\n", " }\n", "}\n" ] } ], "source": [ "print(json.dumps(qry_prov.schema, indent=2))" ] }, { "cell_type": "code", "execution_count": 6, "id": "9d42e2d3-1920-4f3a-882e-93521ed160c6", "metadata": {}, "outputs": [ { "data": { "text/plain": [ "['file.deb_packages',\n", " 'file.fim',\n", " 'linux.deb_packages',\n", " 'linux.fim',\n", " 'linux.osquery_info',\n", " 'linux.outbound_connections',\n", " 'linux.process_binding_to_ports',\n", " 'linux.processes',\n", " 'linux.shell_history',\n", " 'network.outbound_connections',\n", " 'network.process_binding_to_ports',\n", " 'process.process_binding_to_ports',\n", " 'process.processes',\n", " 'shell.shell_history']" ] }, "execution_count": 6, "metadata": {}, "output_type": "execute_result" } ], "source": [ "qry_prov.list_queries()" ] }, { "cell_type": "code", "execution_count": 7, "id": "9a399729-392a-4c5e-a959-ba50121403b4", "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "CPU times: user 2min 44s, sys: 26.8 ms, total: 2min 44s\n", "Wall time: 2min 45s\n" ] }, { "data": { "text/html": [ "
\n", "\n", "\n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", "
namehostIdentifiercalendarTimeunixTimeepochcounternumericsactiondecorations_host_uuiddecorations_username...columns_actioncolumns_atimecolumns_categorycolumns_ctimecolumns_modecolumns_mtimecolumns_sha256columns_sizecolumns_target_pathcolumns_time
793fimHOSTNAMEFri Feb 3 11:52:32 2023 UTC167542515208FalseaddedF7E6787D-B2D8-4830-854E-33AF0A1338B8...DELETED1675425150roothome16754251500600167542515030306/root/.viminfo1675425150
\n", "

1 rows × 23 columns

\n", "
" ], "text/plain": [ " name hostIdentifier calendarTime unixTime epoch \\\n", "793 fim HOSTNAME Fri Feb 3 11:52:32 2023 UTC 1675425152 0 \n", "\n", " counter numerics action decorations_host_uuid \\\n", "793 8 False added F7E6787D-B2D8-4830-854E-33AF0A1338B8 \n", "\n", " decorations_username ... columns_action columns_atime columns_category \\\n", "793 ... DELETED 1675425150 roothome \n", "\n", " columns_ctime columns_mode columns_mtime columns_sha256 columns_size \\\n", "793 1675425150 0600 1675425150 30306 \n", "\n", " columns_target_path columns_time \n", "793 /root/.viminfo 1675425150 \n", "\n", "[1 rows x 23 columns]" ] }, "execution_count": 7, "metadata": {}, "output_type": "execute_result" } ], "source": [ "%%time\n", "df_fim = qry_prov.linux.fim()\n", "df_fim.head(1)" ] }, { "cell_type": "code", "execution_count": 8, "id": "842678a3-b7d3-4698-94c2-62e61ef34d6b", "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "CPU times: user 2min 46s, sys: 30.1 ms, total: 2min 46s\n", "Wall time: 2min 48s\n" ] }, { "data": { "text/html": [ "
\n", "\n", "\n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", "
namehostIdentifiercalendarTimeunixTimeepochcounternumericsactiondecorations_host_uuiddecorations_usernamecolumns_cmdlinecolumns_euidcolumns_namecolumns_parentcolumns_pathcolumns_pcmdlinecolumns_pidcolumns_uidcolumns_username
0pack_osquery-custom-pack2_processesHOSTNAMEFri Feb 3 06:28:25 2023 UTC16754057050876FalseremovedF7E6787D-B2D8-4830-854E-33AF0A1338B8/bin/sh /usr/local/scripts/audispd_report.sh102sudo54935sudo -u syslog /usr/local/scripts/audispd_repo...54940102syslog
\n", "
" ], "text/plain": [ " name hostIdentifier \\\n", "0 pack_osquery-custom-pack2_processes HOSTNAME \n", "\n", " calendarTime unixTime epoch counter numerics \\\n", "0 Fri Feb 3 06:28:25 2023 UTC 1675405705 0 876 False \n", "\n", " action decorations_host_uuid decorations_username \\\n", "0 removed F7E6787D-B2D8-4830-854E-33AF0A1338B8 \n", "\n", " columns_cmdline columns_euid columns_name \\\n", "0 /bin/sh /usr/local/scripts/audispd_report.sh 102 sudo \n", "\n", " columns_parent columns_path \\\n", "0 54935 \n", "\n", " columns_pcmdline columns_pid columns_uid \\\n", "0 sudo -u syslog /usr/local/scripts/audispd_repo... 54940 102 \n", "\n", " columns_username \n", "0 syslog " ] }, "execution_count": 8, "metadata": {}, "output_type": "execute_result" } ], "source": [ "%%time\n", "df_process = qry_prov.linux.processes()\n", "df_process.head(1)" ] }, { "cell_type": "code", "execution_count": 9, "id": "5609dda9-4072-4387-a633-a53fe515cdc8", "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "CPU times: user 2min 43s, sys: 27.6 ms, total: 2min 43s\n", "Wall time: 2min 46s\n" ] }, { "data": { "text/html": [ "
\n", "\n", "\n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", "
namehostIdentifiercalendarTimeunixTimeepochcounternumericsactiondecorations_host_uuiddecorations_usernamecolumns_cmdlinecolumns_namecolumns_pathcolumns_pcmdlinecolumns_pidcolumns_usernamecolumns_local_portcolumns_md5columns_remote_addresscolumns_remote_port
90pack_osquery-custom-pack2_outbound_connectionsHOSTNAMEFri Feb 3 07:00:47 2023 UTC1675407647059FalseremovedF7E6787D-B2D8-4830-854E-33AF0A1338B8/usr/local/bin/prometheus --storage.tsdb.path=...prometheus/usr/local/bin/prometheus/sbin/init1510prometheus3440410.8.0.779100
\n", "
" ], "text/plain": [ " name hostIdentifier \\\n", "90 pack_osquery-custom-pack2_outbound_connections HOSTNAME \n", "\n", " calendarTime unixTime epoch counter numerics \\\n", "90 Fri Feb 3 07:00:47 2023 UTC 1675407647 0 59 False \n", "\n", " action decorations_host_uuid decorations_username \\\n", "90 removed F7E6787D-B2D8-4830-854E-33AF0A1338B8 \n", "\n", " columns_cmdline columns_name \\\n", "90 /usr/local/bin/prometheus --storage.tsdb.path=... prometheus \n", "\n", " columns_path columns_pcmdline columns_pid columns_username \\\n", "90 /usr/local/bin/prometheus /sbin/init 1510 prometheus \n", "\n", " columns_local_port columns_md5 columns_remote_address columns_remote_port \n", "90 34404 10.8.0.77 9100 " ] }, "execution_count": 9, "metadata": {}, "output_type": "execute_result" } ], "source": [ "%%time\n", "df_outbound_conn = qry_prov.linux.outbound_connections()\n", "df_outbound_conn.head(1)" ] }, { "cell_type": "code", "execution_count": null, "id": "3d0f7eeb-483b-474c-8ccf-98dc32e06a08", "metadata": {}, "outputs": [], "source": [] }, { "cell_type": "markdown", "id": "060be256-6d33-46e9-a070-bd6f91fe77ce", "metadata": {}, "source": [ "## Analysis examples" ] }, { "cell_type": "code", "execution_count": 10, "id": "d92ce32b-84bf-49c4-b16c-f3f4b345604e", "metadata": {}, "outputs": [], "source": [ "# https://msticpy.readthedocs.io/en/latest/visualization/ProcessTree.html\n", "from msticpy.vis import process_tree\n", "from msticpy.transform.proc_tree_builder import OSQUERY_EVENT_SCH" ] }, { "cell_type": "code", "execution_count": 28, "id": "3f78f427-906b-433f-b41f-bc5d27738462", "metadata": {}, "outputs": [], "source": [ "p_tree_lx = process_tree.build_process_tree(df_process, schema=OSQUERY_EVENT_SCH)" ] }, { "cell_type": "code", "execution_count": 29, "id": "62b17e27-1f87-4a47-800d-39f0e359fd3b", "metadata": {}, "outputs": [ { "data": { "text/html": [ "
\n", " \n", " Loading BokehJS ...\n", "
\n" ] }, "metadata": {}, "output_type": "display_data" }, { "data": { "application/javascript": [ "(function(root) {\n", " function now() {\n", " return new Date();\n", " }\n", "\n", " const force = true;\n", "\n", " if (typeof root._bokeh_onload_callbacks === \"undefined\" || force === true) {\n", " root._bokeh_onload_callbacks = [];\n", " root._bokeh_is_loading = undefined;\n", " }\n", "\n", "const JS_MIME_TYPE = 'application/javascript';\n", " const HTML_MIME_TYPE = 'text/html';\n", " const EXEC_MIME_TYPE = 'application/vnd.bokehjs_exec.v0+json';\n", " const CLASS_NAME = 'output_bokeh rendered_html';\n", "\n", " /**\n", " * Render data to the DOM node\n", " */\n", " function render(props, node) {\n", " const script = document.createElement(\"script\");\n", " node.appendChild(script);\n", " }\n", "\n", " /**\n", " * Handle when an output is cleared or removed\n", " */\n", " function handleClearOutput(event, handle) {\n", " const cell = handle.cell;\n", "\n", " const id = cell.output_area._bokeh_element_id;\n", " const server_id = cell.output_area._bokeh_server_id;\n", " // Clean up Bokeh references\n", " if (id != null && id in Bokeh.index) {\n", " Bokeh.index[id].model.document.clear();\n", " delete Bokeh.index[id];\n", " }\n", "\n", " if (server_id !== undefined) {\n", " // Clean up Bokeh references\n", " const cmd_clean = \"from bokeh.io.state import curstate; print(curstate().uuid_to_server['\" + server_id + \"'].get_sessions()[0].document.roots[0]._id)\";\n", " cell.notebook.kernel.execute(cmd_clean, {\n", " iopub: {\n", " output: function(msg) {\n", " const id = msg.content.text.trim();\n", " if (id in Bokeh.index) {\n", " Bokeh.index[id].model.document.clear();\n", " delete Bokeh.index[id];\n", " }\n", " }\n", " }\n", " });\n", " // Destroy server and session\n", " const cmd_destroy = \"import bokeh.io.notebook as ion; ion.destroy_server('\" + server_id + \"')\";\n", " cell.notebook.kernel.execute(cmd_destroy);\n", " }\n", " }\n", "\n", " /**\n", " * 
Handle when a new output is added\n", " */\n", " function handleAddOutput(event, handle) {\n", " const output_area = handle.output_area;\n", " const output = handle.output;\n", "\n", " // limit handleAddOutput to display_data with EXEC_MIME_TYPE content only\n", " if ((output.output_type != \"display_data\") || (!Object.prototype.hasOwnProperty.call(output.data, EXEC_MIME_TYPE))) {\n", " return\n", " }\n", "\n", " const toinsert = output_area.element.find(\".\" + CLASS_NAME.split(' ')[0]);\n", "\n", " if (output.metadata[EXEC_MIME_TYPE][\"id\"] !== undefined) {\n", " toinsert[toinsert.length - 1].firstChild.textContent = output.data[JS_MIME_TYPE];\n", " // store reference to embed id on output_area\n", " output_area._bokeh_element_id = output.metadata[EXEC_MIME_TYPE][\"id\"];\n", " }\n", " if (output.metadata[EXEC_MIME_TYPE][\"server_id\"] !== undefined) {\n", " const bk_div = document.createElement(\"div\");\n", " bk_div.innerHTML = output.data[HTML_MIME_TYPE];\n", " const script_attrs = bk_div.children[0].attributes;\n", " for (let i = 0; i < script_attrs.length; i++) {\n", " toinsert[toinsert.length - 1].firstChild.setAttribute(script_attrs[i].name, script_attrs[i].value);\n", " toinsert[toinsert.length - 1].firstChild.textContent = bk_div.children[0].textContent\n", " }\n", " // store reference to server id on output_area\n", " output_area._bokeh_server_id = output.metadata[EXEC_MIME_TYPE][\"server_id\"];\n", " }\n", " }\n", "\n", " function register_renderer(events, OutputArea) {\n", "\n", " function append_mime(data, metadata, element) {\n", " // create a DOM node to render to\n", " const toinsert = this.create_output_subarea(\n", " metadata,\n", " CLASS_NAME,\n", " EXEC_MIME_TYPE\n", " );\n", " this.keyboard_manager.register_events(toinsert);\n", " // Render to node\n", " const props = {data: data, metadata: metadata[EXEC_MIME_TYPE]};\n", " render(props, toinsert[toinsert.length - 1]);\n", " element.append(toinsert);\n", " return toinsert\n", " }\n", "\n", " 
/* Handle when an output is cleared or removed */\n", " events.on('clear_output.CodeCell', handleClearOutput);\n", " events.on('delete.Cell', handleClearOutput);\n", "\n", " /* Handle when a new output is added */\n", " events.on('output_added.OutputArea', handleAddOutput);\n", "\n", " /**\n", " * Register the mime type and append_mime function with output_area\n", " */\n", " OutputArea.prototype.register_mime_type(EXEC_MIME_TYPE, append_mime, {\n", " /* Is output safe? */\n", " safe: true,\n", " /* Index of renderer in `output_area.display_order` */\n", " index: 0\n", " });\n", " }\n", "\n", " // register the mime type if in Jupyter Notebook environment and previously unregistered\n", " if (root.Jupyter !== undefined) {\n", " const events = require('base/js/events');\n", " const OutputArea = require('notebook/js/outputarea').OutputArea;\n", "\n", " if (OutputArea.prototype.mime_types().indexOf(EXEC_MIME_TYPE) == -1) {\n", " register_renderer(events, OutputArea);\n", " }\n", " }\n", " if (typeof (root._bokeh_timeout) === \"undefined\" || force === true) {\n", " root._bokeh_timeout = Date.now() + 5000;\n", " root._bokeh_failed_load = false;\n", " }\n", "\n", " const NB_LOAD_WARNING = {'data': {'text/html':\n", " \"
\\n\"+\n", " \"

\\n\"+\n", " \"BokehJS does not appear to have successfully loaded. If loading BokehJS from CDN, this \\n\"+\n", " \"may be due to a slow or bad network connection. Possible fixes:\\n\"+\n", " \"

\\n\"+\n", " \"\\n\"+\n", " \"\\n\"+\n", " \"from bokeh.resources import INLINE\\n\"+\n", " \"output_notebook(resources=INLINE)\\n\"+\n", " \"\\n\"+\n", " \"
\"}};\n", "\n", " function display_loaded() {\n", " const el = document.getElementById(\"4115\");\n", " if (el != null) {\n", " el.textContent = \"BokehJS is loading...\";\n", " }\n", " if (root.Bokeh !== undefined) {\n", " if (el != null) {\n", " el.textContent = \"BokehJS \" + root.Bokeh.version + \" successfully loaded.\";\n", " }\n", " } else if (Date.now() < root._bokeh_timeout) {\n", " setTimeout(display_loaded, 100)\n", " }\n", " }\n", "\n", " function run_callbacks() {\n", " try {\n", " root._bokeh_onload_callbacks.forEach(function(callback) {\n", " if (callback != null)\n", " callback();\n", " });\n", " } finally {\n", " delete root._bokeh_onload_callbacks\n", " }\n", " console.debug(\"Bokeh: all callbacks have finished\");\n", " }\n", "\n", " function load_libs(css_urls, js_urls, callback) {\n", " if (css_urls == null) css_urls = [];\n", " if (js_urls == null) js_urls = [];\n", "\n", " root._bokeh_onload_callbacks.push(callback);\n", " if (root._bokeh_is_loading > 0) {\n", " console.debug(\"Bokeh: BokehJS is being loaded, scheduling callback at\", now());\n", " return null;\n", " }\n", " if (js_urls == null || js_urls.length === 0) {\n", " run_callbacks();\n", " return null;\n", " }\n", " console.debug(\"Bokeh: BokehJS not loaded, scheduling load and callback at\", now());\n", " root._bokeh_is_loading = css_urls.length + js_urls.length;\n", "\n", " function on_load() {\n", " root._bokeh_is_loading--;\n", " if (root._bokeh_is_loading === 0) {\n", " console.debug(\"Bokeh: all BokehJS libraries/stylesheets loaded\");\n", " run_callbacks()\n", " }\n", " }\n", "\n", " function on_error(url) {\n", " console.error(\"failed to load \" + url);\n", " }\n", "\n", " for (let i = 0; i < css_urls.length; i++) {\n", " const url = css_urls[i];\n", " const element = document.createElement(\"link\");\n", " element.onload = on_load;\n", " element.onerror = on_error.bind(null, url);\n", " element.rel = \"stylesheet\";\n", " element.type = \"text/css\";\n", " element.href = 
url;\n", " console.debug(\"Bokeh: injecting link tag for BokehJS stylesheet: \", url);\n", " document.body.appendChild(element);\n", " }\n", "\n", " for (let i = 0; i < js_urls.length; i++) {\n", " const url = js_urls[i];\n", " const element = document.createElement('script');\n", " element.onload = on_load;\n", " element.onerror = on_error.bind(null, url);\n", " element.async = false;\n", " element.src = url;\n", " console.debug(\"Bokeh: injecting script tag for BokehJS library: \", url);\n", " document.head.appendChild(element);\n", " }\n", " };\n", "\n", " function inject_raw_css(css) {\n", " const element = document.createElement(\"style\");\n", " element.appendChild(document.createTextNode(css));\n", " document.body.appendChild(element);\n", " }\n", "\n", " const js_urls = [\"https://cdn.bokeh.org/bokeh/release/bokeh-2.4.3.min.js\", \"https://cdn.bokeh.org/bokeh/release/bokeh-gl-2.4.3.min.js\", \"https://cdn.bokeh.org/bokeh/release/bokeh-widgets-2.4.3.min.js\", \"https://cdn.bokeh.org/bokeh/release/bokeh-tables-2.4.3.min.js\", \"https://cdn.bokeh.org/bokeh/release/bokeh-mathjax-2.4.3.min.js\"];\n", " const css_urls = [];\n", "\n", " const inline_js = [ function(Bokeh) {\n", " Bokeh.set_log_level(\"info\");\n", " },\n", "function(Bokeh) {\n", " }\n", " ];\n", "\n", " function run_inline_js() {\n", " if (root.Bokeh !== undefined || force === true) {\n", " for (let i = 0; i < inline_js.length; i++) {\n", " inline_js[i].call(root, root.Bokeh);\n", " }\n", "if (force === true) {\n", " display_loaded();\n", " }} else if (Date.now() < root._bokeh_timeout) {\n", " setTimeout(run_inline_js, 100);\n", " } else if (!root._bokeh_failed_load) {\n", " console.log(\"Bokeh: BokehJS failed to load within specified timeout.\");\n", " root._bokeh_failed_load = true;\n", " } else if (force !== true) {\n", " const cell = $(document.getElementById(\"4115\")).parents('.cell').data().cell;\n", " cell.output_area.append_execute_result(NB_LOAD_WARNING)\n", " }\n", " }\n", "\n", " if 
(root._bokeh_is_loading === 0) {\n", " console.debug(\"Bokeh: BokehJS loaded, going straight to plotting\");\n", " run_inline_js();\n", " } else {\n", " load_libs(css_urls, js_urls, function() {\n", " console.debug(\"Bokeh: BokehJS plotting callback run at\", now());\n", " run_inline_js();\n", " });\n", " }\n", "}(window));" ], "application/vnd.bokehjs_load.v0+json": "(function(root) {\n function now() {\n return new Date();\n }\n\n const force = true;\n\n if (typeof root._bokeh_onload_callbacks === \"undefined\" || force === true) {\n root._bokeh_onload_callbacks = [];\n root._bokeh_is_loading = undefined;\n }\n\n\n if (typeof (root._bokeh_timeout) === \"undefined\" || force === true) {\n root._bokeh_timeout = Date.now() + 5000;\n root._bokeh_failed_load = false;\n }\n\n const NB_LOAD_WARNING = {'data': {'text/html':\n \"
\\n\"+\n \"

\\n\"+\n \"BokehJS does not appear to have successfully loaded. If loading BokehJS from CDN, this \\n\"+\n \"may be due to a slow or bad network connection. Possible fixes:\\n\"+\n \"

\\n\"+\n \"\\n\"+\n \"\\n\"+\n \"from bokeh.resources import INLINE\\n\"+\n \"output_notebook(resources=INLINE)\\n\"+\n \"\\n\"+\n \"
\"}};\n\n function display_loaded() {\n const el = document.getElementById(\"4115\");\n if (el != null) {\n el.textContent = \"BokehJS is loading...\";\n }\n if (root.Bokeh !== undefined) {\n if (el != null) {\n el.textContent = \"BokehJS \" + root.Bokeh.version + \" successfully loaded.\";\n }\n } else if (Date.now() < root._bokeh_timeout) {\n setTimeout(display_loaded, 100)\n }\n }\n\n function run_callbacks() {\n try {\n root._bokeh_onload_callbacks.forEach(function(callback) {\n if (callback != null)\n callback();\n });\n } finally {\n delete root._bokeh_onload_callbacks\n }\n console.debug(\"Bokeh: all callbacks have finished\");\n }\n\n function load_libs(css_urls, js_urls, callback) {\n if (css_urls == null) css_urls = [];\n if (js_urls == null) js_urls = [];\n\n root._bokeh_onload_callbacks.push(callback);\n if (root._bokeh_is_loading > 0) {\n console.debug(\"Bokeh: BokehJS is being loaded, scheduling callback at\", now());\n return null;\n }\n if (js_urls == null || js_urls.length === 0) {\n run_callbacks();\n return null;\n }\n console.debug(\"Bokeh: BokehJS not loaded, scheduling load and callback at\", now());\n root._bokeh_is_loading = css_urls.length + js_urls.length;\n\n function on_load() {\n root._bokeh_is_loading--;\n if (root._bokeh_is_loading === 0) {\n console.debug(\"Bokeh: all BokehJS libraries/stylesheets loaded\");\n run_callbacks()\n }\n }\n\n function on_error(url) {\n console.error(\"failed to load \" + url);\n }\n\n for (let i = 0; i < css_urls.length; i++) {\n const url = css_urls[i];\n const element = document.createElement(\"link\");\n element.onload = on_load;\n element.onerror = on_error.bind(null, url);\n element.rel = \"stylesheet\";\n element.type = \"text/css\";\n element.href = url;\n console.debug(\"Bokeh: injecting link tag for BokehJS stylesheet: \", url);\n document.body.appendChild(element);\n }\n\n for (let i = 0; i < js_urls.length; i++) {\n const url = js_urls[i];\n const element = document.createElement('script');\n 
element.onload = on_load;\n element.onerror = on_error.bind(null, url);\n element.async = false;\n element.src = url;\n console.debug(\"Bokeh: injecting script tag for BokehJS library: \", url);\n document.head.appendChild(element);\n }\n };\n\n function inject_raw_css(css) {\n const element = document.createElement(\"style\");\n element.appendChild(document.createTextNode(css));\n document.body.appendChild(element);\n }\n\n const js_urls = [\"https://cdn.bokeh.org/bokeh/release/bokeh-2.4.3.min.js\", \"https://cdn.bokeh.org/bokeh/release/bokeh-gl-2.4.3.min.js\", \"https://cdn.bokeh.org/bokeh/release/bokeh-widgets-2.4.3.min.js\", \"https://cdn.bokeh.org/bokeh/release/bokeh-tables-2.4.3.min.js\", \"https://cdn.bokeh.org/bokeh/release/bokeh-mathjax-2.4.3.min.js\"];\n const css_urls = [];\n\n const inline_js = [ function(Bokeh) {\n Bokeh.set_log_level(\"info\");\n },\nfunction(Bokeh) {\n }\n ];\n\n function run_inline_js() {\n if (root.Bokeh !== undefined || force === true) {\n for (let i = 0; i < inline_js.length; i++) {\n inline_js[i].call(root, root.Bokeh);\n }\nif (force === true) {\n display_loaded();\n }} else if (Date.now() < root._bokeh_timeout) {\n setTimeout(run_inline_js, 100);\n } else if (!root._bokeh_failed_load) {\n console.log(\"Bokeh: BokehJS failed to load within specified timeout.\");\n root._bokeh_failed_load = true;\n } else if (force !== true) {\n const cell = $(document.getElementById(\"4115\")).parents('.cell').data().cell;\n cell.output_area.append_execute_result(NB_LOAD_WARNING)\n }\n }\n\n if (root._bokeh_is_loading === 0) {\n console.debug(\"Bokeh: BokehJS loaded, going straight to plotting\");\n run_inline_js();\n } else {\n load_libs(css_urls, js_urls, function() {\n console.debug(\"Bokeh: BokehJS plotting callback run at\", now());\n run_inline_js();\n });\n }\n}(window));" }, "metadata": {}, "output_type": "display_data" }, { "data": { "text/html": [ "\n", "
\n" ] }, "metadata": {}, "output_type": "display_data" }, { "data": { "application/javascript": [ "(function(root) {\n", " function embed_document(root) {\n", " const docs_json = {\"c12660ba-b162-49f5-856d-b9a411459056\":{\"defs\":[],\"roots\":{\"references\":[{\"attributes\":{\"children\":[{\"id\":\"4118\"},{\"id\":\"4194\"}]},\"id\":\"4237\",\"type\":\"Row\"},{\"attributes\":{\"text\":{\"field\":\"__proc_name$$\"},\"text_baseline\":{\"value\":\"middle\"},\"text_color\":{\"value\":\"black\"},\"text_font_size\":{\"value\":\"8pt\"},\"x\":{\"field\":\"Level\",\"transform\":{\"id\":\"4174\"}},\"y\":{\"field\":\"Row\",\"transform\":{\"id\":\"4175\"}}},\"id\":\"4177\",\"type\":\"Text\"},{\"attributes\":{\"range\":{\"id\":\"4121\"},\"value\":0.1},\"id\":\"4174\",\"type\":\"Dodge\"},{\"attributes\":{},\"id\":\"4199\",\"type\":\"LinearScale\"},{\"attributes\":{},\"id\":\"4204\",\"type\":\"BasicTicker\"},{\"attributes\":{\"coordinates\":null,\"data_source\":{\"id\":\"4116\"},\"glyph\":{\"id\":\"4177\"},\"group\":null,\"hover_glyph\":null,\"muted_glyph\":{\"id\":\"4179\"},\"nonselection_glyph\":{\"id\":\"4178\"},\"view\":{\"id\":\"4181\"}},\"id\":\"4180\",\"type\":\"GlyphRenderer\"},{\"attributes\":{},\"id\":\"4158\",\"type\":\"AllLabels\"},{\"attributes\":{\"text\":{\"field\":\"__proc_id$$\"},\"text_baseline\":{\"value\":\"middle\"},\"text_color\":{\"value\":\"black\"},\"text_font_size\":{\"value\":\"8pt\"},\"x\":{\"field\":\"Level\",\"transform\":{\"id\":\"4182\"}},\"y\":{\"field\":\"Row\",\"transform\":{\"id\":\"4183\"}}},\"id\":\"4185\",\"type\":\"Text\"},{\"attributes\":{\"axis\":{\"id\":\"4207\"},\"coordinates\":null,\"dimension\":1,\"grid_line_color\":null,\"group\":null,\"ticker\":null},\"id\":\"4210\",\"type\":\"Grid\"},{\"attributes\":{\"axis_line_color\":null,\"coordinates\":null,\"formatter\":{\"id\":\"4157\"},\"group\":null,\"major_label_policy\":{\"id\":\"4158\"},\"major_label_standoff\":0,\"major_tick_line_color\":\"navy\",\"ticker\":{\"id\":\"4134\"},\"visible
\":false},\"id\":\"4133\",\"type\":\"LinearAxis\"},{\"attributes\":{},\"id\":\"4208\",\"type\":\"BasicTicker\"},{\"attributes\":{\"coordinates\":null,\"data_source\":{\"id\":\"4116\"},\"glyph\":{\"id\":\"4169\"},\"group\":null,\"hover_glyph\":null,\"muted_glyph\":{\"id\":\"4171\"},\"nonselection_glyph\":{\"id\":\"4170\"},\"view\":{\"id\":\"4173\"}},\"id\":\"4172\",\"type\":\"GlyphRenderer\"},{\"attributes\":{\"source\":{\"id\":\"4116\"}},\"id\":\"4173\",\"type\":\"CDSView\"},{\"attributes\":{\"source\":{\"id\":\"4116\"}},\"id\":\"4181\",\"type\":\"CDSView\"},{\"attributes\":{\"text\":{\"field\":\"__proc_id$$\"},\"text_alpha\":{\"value\":0.1},\"text_baseline\":{\"value\":\"middle\"},\"text_color\":{\"value\":\"black\"},\"text_font_size\":{\"value\":\"8pt\"},\"x\":{\"field\":\"Level\",\"transform\":{\"id\":\"4182\"}},\"y\":{\"field\":\"Row\",\"transform\":{\"id\":\"4183\"}}},\"id\":\"4186\",\"type\":\"Text\"},{\"attributes\":{\"axis_line_color\":null,\"coordinates\":null,\"formatter\":{\"id\":\"4160\"},\"group\":null,\"major_label_policy\":{\"id\":\"4161\"},\"major_label_standoff\":0,\"major_tick_line_color\":\"navy\",\"ticker\":{\"id\":\"4190\"},\"visible\":false},\"id\":\"4129\",\"type\":\"LinearAxis\"},{\"attributes\":{},\"id\":\"4125\",\"type\":\"LinearScale\"},{\"attributes\":{\"ticks\":[1,2]},\"id\":\"4192\",\"type\":\"FixedTicker\"},{\"attributes\":{},\"id\":\"4250\",\"type\":\"BasicTickFormatter\"},{\"attributes\":{\"below\":[{\"id\":\"4129\"}],\"center\":[{\"id\":\"4132\"},{\"id\":\"4136\"},{\"id\":\"4164\"}],\"height\":700,\"left\":[{\"id\":\"4133\"}],\"outline_line_color\":null,\"renderers\":[{\"id\":\"4153\"},{\"id\":\"4172\"},{\"id\":\"4180\"},{\"id\":\"4188\"}],\"title\":{\"id\":\"4119\"},\"toolbar\":{\"id\":\"4141\"},\"toolbar_location\":\"above\",\"width\":900,\"x_range\":{\"id\":\"4121\"},\"x_scale\":{\"id\":\"4125\"},\"y_range\":{\"id\":\"4123\"},\"y_scale\":{\"id\":\"4127\"}},\"id\":\"4118\",\"subtype\":\"Figure\",\"type\":\"Plot\"},{\"attributes\":
{},\"id\":\"4212\",\"type\":\"WheelZoomTool\"},{\"attributes\":{\"text\":{\"field\":\"__proc_id$$\"},\"text_alpha\":{\"value\":0.2},\"text_baseline\":{\"value\":\"middle\"},\"text_color\":{\"value\":\"black\"},\"text_font_size\":{\"value\":\"8pt\"},\"x\":{\"field\":\"Level\",\"transform\":{\"id\":\"4182\"}},\"y\":{\"field\":\"Row\",\"transform\":{\"id\":\"4183\"}}},\"id\":\"4187\",\"type\":\"Text\"},{\"attributes\":{\"active_multi\":{\"id\":\"4232\"},\"tools\":[{\"id\":\"4211\"},{\"id\":\"4212\"},{\"id\":\"4213\"},{\"id\":\"4214\"},{\"id\":\"4215\"},{\"id\":\"4216\"},{\"id\":\"4232\"}]},\"id\":\"4218\",\"type\":\"Toolbar\"},{\"attributes\":{\"fill_alpha\":{\"value\":0.2},\"fill_color\":{\"field\":\"columns_name\",\"transform\":{\"id\":\"4117\"}},\"hatch_alpha\":{\"value\":0.2},\"height\":{\"value\":0.8},\"line_alpha\":{\"value\":0.2},\"line_color\":{\"value\":\"#1f77b4\"},\"width\":{\"value\":1.2},\"x\":{\"field\":\"Level\",\"transform\":{\"id\":\"4225\"}},\"y\":{\"field\":\"Row\"}},\"id\":\"4229\",\"type\":\"Rect\"},{\"attributes\":{\"overlay\":{\"id\":\"4217\"}},\"id\":\"4213\",\"type\":\"BoxZoomTool\"},{\"attributes\":{\"coordinates\":null,\"data_source\":{\"id\":\"4116\"},\"glyph\":{\"id\":\"4227\"},\"group\":null,\"hover_glyph\":null,\"muted_glyph\":{\"id\":\"4229\"},\"nonselection_glyph\":{\"id\":\"4228\"},\"view\":{\"id\":\"4231\"}},\"id\":\"4230\",\"type\":\"GlyphRenderer\"},{\"attributes\":{},\"id\":\"4211\",\"type\":\"PanTool\"},{\"attributes\":{\"range\":{\"id\":\"4123\"},\"value\":0.25},\"id\":\"4175\",\"type\":\"Dodge\"},{\"attributes\":{\"source\":{\"id\":\"4116\"}},\"id\":\"4231\",\"type\":\"CDSView\"},{\"attributes\":{},\"id\":\"4215\",\"type\":\"ResetTool\"},{\"attributes\":{\"overlay\":{\"id\":\"4233\"},\"x_range\":null,\"y_range\":{\"id\":\"4123\"}},\"id\":\"4232\",\"type\":\"RangeTool\"},{\"attributes\":{},\"id\":\"4251\",\"type\":\"AllLabels\"},{\"attributes\":{},\"id\":\"4127\",\"type\":\"LinearScale\"},{\"attributes\":{},\"id\":\"4214\",\"type
\":\"SaveTool\"},{\"attributes\":{\"coordinates\":null,\"fill_alpha\":0.2,\"fill_color\":\"navy\",\"group\":null,\"level\":\"overlay\",\"line_alpha\":1.0,\"line_color\":\"black\",\"line_dash\":[2,2],\"line_width\":0.5,\"syncable\":false},\"id\":\"4233\",\"type\":\"BoxAnnotation\"},{\"attributes\":{\"bottom_units\":\"screen\",\"coordinates\":null,\"fill_alpha\":0.5,\"fill_color\":\"lightgrey\",\"group\":null,\"left_units\":\"screen\",\"level\":\"overlay\",\"line_alpha\":1.0,\"line_color\":\"black\",\"line_dash\":[4,4],\"line_width\":2,\"right_units\":\"screen\",\"syncable\":false,\"top_units\":\"screen\"},\"id\":\"4217\",\"type\":\"BoxAnnotation\"},{\"attributes\":{\"fill_alpha\":{\"value\":0.1},\"fill_color\":{\"field\":\"columns_name\",\"transform\":{\"id\":\"4117\"}},\"hatch_alpha\":{\"value\":0.1},\"height\":{\"value\":0.8},\"line_alpha\":{\"value\":0.1},\"line_color\":{\"value\":\"#1f77b4\"},\"width\":{\"value\":1.2},\"x\":{\"field\":\"Level\",\"transform\":{\"id\":\"4225\"}},\"y\":{\"field\":\"Row\"}},\"id\":\"4228\",\"type\":\"Rect\"},{\"attributes\":{\"range\":null,\"value\":-0.5},\"id\":\"4225\",\"type\":\"Dodge\"},{\"attributes\":{\"coordinates\":null,\"group\":null,\"text\":\"ProcessTree\"},\"id\":\"4119\",\"type\":\"Title\"},{\"attributes\":{\"source\":{\"id\":\"4116\"}},\"id\":\"4154\",\"type\":\"CDSView\"},{\"attributes\":{\"range\":{\"id\":\"4121\"},\"value\":1.75},\"id\":\"4148\",\"type\":\"Dodge\"},{\"attributes\":{\"source\":{\"id\":\"4116\"}},\"id\":\"4189\",\"type\":\"CDSView\"},{\"attributes\":{},\"id\":\"4137\",\"type\":\"ResetTool\"},{\"attributes\":{\"fill_alpha\":{\"value\":0.2},\"fill_color\":{\"field\":\"columns_name\",\"transform\":{\"id\":\"4117\"}},\"hatch_alpha\":{\"value\":0.2},\"height\":{\"value\":0.95},\"line_alpha\":{\"value\":0.2},\"line_color\":{\"value\":\"#1f77b4\"},\"width\":{\"value\":3.5},\"x\":{\"field\":\"Level\",\"transform\":{\"id\":\"4148\"}},\"y\":{\"field\":\"Row\"}},\"id\":\"4152\",\"type\":\"Rect\"},{\"attributes\":
{\"range\":{\"id\":\"4123\"},\"value\":0.25},\"id\":\"4183\",\"type\":\"Dodge\"},{\"attributes\":{\"dimension\":\"height\"},\"id\":\"4140\",\"type\":\"WheelPanTool\"},{\"attributes\":{\"active_scroll\":{\"id\":\"4140\"},\"tools\":[{\"id\":\"4137\"},{\"id\":\"4138\"},{\"id\":\"4139\"},{\"id\":\"4140\"},{\"id\":\"4146\"}]},\"id\":\"4141\",\"type\":\"Toolbar\"},{\"attributes\":{\"coordinates\":null,\"group\":null},\"id\":\"4239\",\"type\":\"Title\"},{\"attributes\":{\"range\":{\"id\":\"4123\"},\"value\":-0.2},\"id\":\"4167\",\"type\":\"Dodge\"},{\"attributes\":{},\"id\":\"4195\",\"type\":\"DataRange1d\"},{\"attributes\":{\"range\":{\"id\":\"4121\"},\"value\":0.1},\"id\":\"4166\",\"type\":\"Dodge\"},{\"attributes\":{\"text\":{\"field\":\"__cmd_line$$\"},\"text_alpha\":{\"value\":0.1},\"text_baseline\":{\"value\":\"middle\"},\"text_color\":{\"value\":\"black\"},\"text_font_size\":{\"value\":\"7pt\"},\"x\":{\"field\":\"Level\",\"transform\":{\"id\":\"4166\"}},\"y\":{\"field\":\"Row\",\"transform\":{\"id\":\"4167\"}}},\"id\":\"4170\",\"type\":\"Text\"},{\"attributes\":{\"coordinates\":null,\"formatter\":{\"id\":\"4247\"},\"group\":null,\"major_label_policy\":{\"id\":\"4248\"},\"ticker\":{\"id\":\"4208\"},\"visible\":false},\"id\":\"4207\",\"type\":\"LinearAxis\"},{\"attributes\":{\"fill_alpha\":{\"value\":0.6},\"fill_color\":{\"field\":\"columns_name\",\"transform\":{\"id\":\"4117\"}},\"height\":{\"value\":0.8},\"line_color\":{\"value\":\"#1f77b4\"},\"width\":{\"value\":1.2},\"x\":{\"field\":\"Level\",\"transform\":{\"id\":\"4225\"}},\"y\":{\"field\":\"Row\"}},\"id\":\"4227\",\"type\":\"Rect\"},{\"attributes\":{},\"id\":\"4248\",\"type\":\"AllLabels\"},{\"attributes\":{\"below\":[{\"id\":\"4203\"}],\"center\":[{\"id\":\"4206\"},{\"id\":\"4210\"}],\"height\":700,\"left\":[{\"id\":\"4207\"}],\"renderers\":[{\"id\":\"4230\"}],\"title\":{\"id\":\"4239\"},\"toolbar\":{\"id\":\"4218\"},\"toolbar_location\":null,\"width\":90,\"x_range\":{\"id\":\"4195\"},\"x_scale\":{\"id\":\"419
9\"},\"y_range\":{\"id\":\"4197\"},\"y_scale\":{\"id\":\"4201\"}},\"id\":\"4194\",\"subtype\":\"Figure\",\"type\":\"Plot\"},{\"attributes\":{},\"id\":\"4247\",\"type\":\"BasicTickFormatter\"},{\"attributes\":{\"factors\":[\"unknown\",\"nextcloud-cron\",\"/bin/sh /snap/nextcloud/33054/bin/nextcloud-cron\",\"apt.systemd.dai\",\"systemd\",\"/bin/sh /usr/lib/apt/apt.systemd.daily install\",\"/sbin/init\",\"kthreadd\"],\"palette\":[\"#440154\",\"#46317E\",\"#365A8C\",\"#277E8E\",\"#1EA087\",\"#49C16D\",\"#9DD93A\",\"#FDE724\"]},\"id\":\"4117\",\"type\":\"CategoricalColorMapper\"},{\"attributes\":{\"fill_alpha\":{\"value\":0.1},\"fill_color\":{\"field\":\"columns_name\",\"transform\":{\"id\":\"4117\"}},\"hatch_alpha\":{\"value\":0.1},\"height\":{\"value\":0.95},\"line_alpha\":{\"value\":0.1},\"line_color\":{\"value\":\"#1f77b4\"},\"width\":{\"value\":3.5},\"x\":{\"field\":\"Level\",\"transform\":{\"id\":\"4148\"}},\"y\":{\"field\":\"Row\"}},\"id\":\"4151\",\"type\":\"Rect\"},{\"attributes\":{\"data\":{\"EffectiveLogonId\":[0,0,0,0,0,0,0,0,0,0,0,0,0,0],\"EffectiveLogonId_par\":{\"__ndarray__\":\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==\",\"dtype\":\"float64\",\"order\":\"little\",\"shape\":[14]},\"IsBranch\":[false,false,false,false,false,false,false,false,false,false,false,false,false,false],\"IsLeaf\":[false,true,true,true,true,true,false,true,true,true,false,true,false,true],\"IsRoot\":[true,false,false,false,false,false,true,false,false,false,true,false,true,false],\"Level\":[1,2,2,2,2,2,1,2,2,2,1,2,1,2],\"NewProcessId_par\":[\"NaN\",\"2\",\"2\",\"2\",\"2\",\"2\",\"NaN\",\"54660\",\"54660\",\"54660\",\"NaN\",\"1\",\"NaN\",\"58994\"],\"Row\":[14,13,12,11,10,9,8,7,6,5,4,3,2,1],\"__cmd_line$$\":[\"nan\",\"\",\"\",\"\",\"\",\"\",\"nan\",\"sleep 5m\",\"sleep 5m\",\"sleep 5m\",\"nan\",\"/bin/sh /usr/lib/apt/apt.systemd.daily install\",\"nan\",\"/bin/sh 
/usr/lib/apt/apt.systemd.daily lock_is_held install\"],\"__proc_id$$\":[\"PID: 0x2\",\"PID: 0xe247\",\"PID: 0x96bb\",\"PID: 0xd371\",\"PID: 0xe3b0\",\"PID: 0xe3b3\",\"PID: 0xd584\",\"PID: 0xe317\",\"PID: 0xe317\",\"PID: 0xe645\",\"PID: 0x1\",\"PID: 0xe672\",\"PID: 0xe672\",\"PID: 0xe67f\"],\"__proc_name$$\":[\"unknown\",\"kthreadd\",\"kthreadd\",\"kthreadd\",\"kthreadd\",\"kthreadd\",\"nextcloud-cron\",\"nextcloud-cron\",\"nextcloud-cron\",\"nextcloud-cron\",\"init\",\"systemd\",\"apt.systemd.daily install\",\"apt.systemd.dai\"],\"action\":[\"NaN\",\"added\",\"removed\",\"removed\",\"added\",\"added\",\"NaN\",\"added\",\"removed\",\"added\",\"NaN\",\"added\",\"NaN\",\"added\"],\"calendarTime\":{\"__ndarray__\":\"AAAAAAAAAAAAgGj3X2F4QgCAI0FgYXhCAIAjQWBheEIAgCNBYGF4QgCAI0FgYXhCAAAAAAAAAAAAgGj3X2F4QgCAI0FgYXhCAIAjQWBheEIAAAAAAAAAAACAI0FgYXhCAAAAAAAAAAAAgCNBYGF4Qg==\",\"dtype\":\"float64\",\"order\":\"little\",\"shape\":[14]},\"columns_cmdline\":[\"nan\",\"\",\"\",\"\",\"\",\"\",\"nan\",\"sleep 5m\",\"sleep 5m\",\"sleep 5m\",\"nan\",\"/bin/sh /usr/lib/apt/apt.systemd.daily install\",\"nan\",\"/bin/sh /usr/lib/apt/apt.systemd.daily lock_is_held install\"],\"columns_euid\":[\"NaN\",\"0\",\"0\",\"0\",\"0\",\"0\",\"NaN\",\"0\",\"0\",\"0\",\"NaN\",\"0\",\"NaN\",\"0\"],\"columns_name\":[\"unknown\",\"kthreadd\",\"kthreadd\",\"kthreadd\",\"kthreadd\",\"kthreadd\",\"/bin/sh /snap/nextcloud/33054/bin/nextcloud-cron\",\"nextcloud-cron\",\"nextcloud-cron\",\"nextcloud-cron\",\"/sbin/init\",\"systemd\",\"/bin/sh /usr/lib/apt/apt.systemd.daily 
install\",\"apt.systemd.dai\"],\"columns_name_par\":[\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\"],\"columns_parent\":[\"NaN\",\"2\",\"2\",\"2\",\"2\",\"2\",\"NaN\",\"54660\",\"54660\",\"54660\",\"NaN\",\"1\",\"NaN\",\"58994\"],\"columns_parent_par\":[\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\"],\"columns_path\":[\"NaN\",\"\",\"\",\"\",\"\",\"\",\"NaN\",\"\",\"\",\"\",\"NaN\",\"\",\"NaN\",\"\"],\"columns_pcmdline\":[\"NaN\",\"unknown\",\"unknown\",\"unknown\",\"unknown\",\"unknown\",\"NaN\",\"/bin/sh /snap/nextcloud/33054/bin/nextcloud-cron\",\"/bin/sh /snap/nextcloud/33054/bin/nextcloud-cron\",\"/bin/sh /snap/nextcloud/33054/bin/nextcloud-cron\",\"NaN\",\"/sbin/init\",\"NaN\",\"/bin/sh /usr/lib/apt/apt.systemd.daily install\"],\"columns_pid\":[\"2\",\"57927\",\"38587\",\"54129\",\"58288\",\"58291\",\"54660\",\"58135\",\"58135\",\"58949\",\"1\",\"58994\",\"58994\",\"59007\"],\"columns_pid_par\":[\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\"],\"columns_uid\":[\"NaN\",\"0\",\"0\",\"0\",\"0\",\"0\",\"NaN\",\"0\",\"0\",\"0\",\"NaN\",\"0\",\"NaN\",\"0\"],\"columns_username\":[\"NaN\",\"root\",\"root\",\"root\",\"root\",\"root\",\"NaN\",\"root\",\"root\",\"root\",\"NaN\",\"root\",\"NaN\",\"root\"],\"counter\":{\"__ndarray__\":\"AAAAAAAA+H8AAAAAAHCLQAAAAAAAeItAAAAAAAB4i0AAAAAAAHiLQAAAAAAAeItAAAAAAAAA+H8AAAAAAHCLQAAAAAAAeItAAAAAAAB4i0AAAAAAAAD4fwAAAAAAeItAAAAAAAAA+H8AAAAAAHiLQA==\",\"dtype\":\"float64\",\"order\":\"little\",\"shape\":[14]},\"decorations_host_uuid\":[\"NaN\",\"F7E6787D-B2D8-4830-854E-33AF0A1338B8\",\"F7E6787D-B2D8-4830-854E-33AF0A1338B8\",\"F7E6787D-B2D8-4830-854E-33AF0A1338B8\",\"F7E6787D-B2D8-4830-854E-33AF0A1338B8\",\"F7E6787D-B2D8-4830-854E-33AF0A1338B8\",\"NaN\",\"F7E6787D-B2D8-4830-854E-33AF0A1338B8\",\"F7E6787D-B2D8-4830-854E-33AF0A1338B8\",\"F7E6787D-B2
D8-4830-854E-33AF0A1338B8\",\"NaN\",\"F7E6787D-B2D8-4830-854E-33AF0A1338B8\",\"NaN\",\"F7E6787D-B2D8-4830-854E-33AF0A1338B8\"],\"decorations_username\":[\"NaN\",\"\",\"\",\"\",\"\",\"\",\"NaN\",\"\",\"\",\"\",\"NaN\",\"\",\"NaN\",\"\"],\"epoch\":{\"__ndarray__\":\"AAAAAAAA+H8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+H8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD4fwAAAAAAAAAAAAAAAAAA+H8AAAAAAAAAAA==\",\"dtype\":\"float64\",\"order\":\"little\",\"shape\":[14]},\"hostIdentifier\":[\"NaN\",\"HOSTNAME\",\"HOSTNAME\",\"HOSTNAME\",\"HOSTNAME\",\"HOSTNAME\",\"NaN\",\"HOSTNAME\",\"HOSTNAME\",\"HOSTNAME\",\"NaN\",\"HOSTNAME\",\"NaN\",\"HOSTNAME\"],\"index\":[0,1,2,3,4,5,6,7,8,9,10,11,12,13],\"name\":[\"NaN\",\"pack_osquery-custom-pack2_processes\",\"pack_osquery-custom-pack2_processes\",\"pack_osquery-custom-pack2_processes\",\"pack_osquery-custom-pack2_processes\",\"pack_osquery-custom-pack2_processes\",\"NaN\",\"pack_osquery-custom-pack2_processes\",\"pack_osquery-custom-pack2_processes\",\"pack_osquery-custom-pack2_processes\",\"NaN\",\"pack_osquery-custom-pack2_processes\",\"NaN\",\"pack_osquery-custom-pack2_processes\"],\"new_process_lc\":[\"unknown\",\"kthreadd\",\"kthreadd\",\"kthreadd\",\"kthreadd\",\"kthreadd\",\"/bin/sh /snap/nextcloud/33054/bin/nextcloud-cron\",\"nextcloud-cron\",\"nextcloud-cron\",\"nextcloud-cron\",\"/sbin/init\",\"systemd\",\"/bin/sh /usr/lib/apt/apt.systemd.daily install\",\"apt.systemd.dai\"],\"new_process_lc_par\":[\"NaN\",\"unknown\",\"unknown\",\"unknown\",\"unknown\",\"unknown\",\"NaN\",\"/bin/sh /snap/nextcloud/33054/bin/nextcloud-cron\",\"/bin/sh /snap/nextcloud/33054/bin/nextcloud-cron\",\"/bin/sh /snap/nextcloud/33054/bin/nextcloud-cron\",\"NaN\",\"/sbin/init\",\"NaN\",\"/bin/sh /usr/lib/apt/apt.systemd.daily 
install\"],\"numerics\":[\"NaN\",false,false,false,false,false,\"NaN\",false,false,false,\"NaN\",false,\"NaN\",false],\"parent_index\":[\"NaN\",\"10\",\"10\",\"10\",\"10\",\"10\",\"NaN\",\"11\",\"11\",\"11\",\"NaN\",\"12\",\"NaN\",\"13\"],\"parent_key\":[\"NaN\",\"unknown|2|1970-01-01 00:00:00.000000\",\"unknown|2|1970-01-01 00:00:00.000000\",\"unknown|2|1970-01-01 00:00:00.000000\",\"unknown|2|1970-01-01 00:00:00.000000\",\"unknown|2|1970-01-01 00:00:00.000000\",\"NaN\",\"/bin/sh /snap/nextcloud/33054/bin/nextcloud-cron|54660|1970-01-01 00:00:00.000000\",\"/bin/sh /snap/nextcloud/33054/bin/nextcloud-cron|54660|1970-01-01 00:00:00.000000\",\"/bin/sh /snap/nextcloud/33054/bin/nextcloud-cron|54660|1970-01-01 00:00:00.000000\",\"NaN\",\"/sbin/init|1|1970-01-01 00:00:00.000000\",\"NaN\",\"/bin/sh /usr/lib/apt/apt.systemd.daily install|58994|1970-01-01 00:00:00.000000\"],\"parent_proc_lc\":[\"NaN\",\"unknown\",\"unknown\",\"unknown\",\"unknown\",\"unknown\",\"NaN\",\"/bin/sh /snap/nextcloud/33054/bin/nextcloud-cron\",\"/bin/sh /snap/nextcloud/33054/bin/nextcloud-cron\",\"/bin/sh /snap/nextcloud/33054/bin/nextcloud-cron\",\"NaN\",\"/sbin/init\",\"NaN\",\"/bin/sh /usr/lib/apt/apt.systemd.daily install\"],\"path\":[\"10\",\"10/0\",\"10/2\",\"10/3\",\"10/5\",\"10/6\",\"11\",\"11/1\",\"11/4\",\"11/7\",\"12\",\"12/8\",\"13\",\"13/9\"],\"proc_key\":[\"unknown|2|1970-01-01 00:00:00.000000\",\"kthreadd|57927|2023-02-03 06:38:29.000000\",\"kthreadd|38587|2023-02-03 06:43:31.000000\",\"kthreadd|54129|2023-02-03 06:43:31.000000\",\"kthreadd|58288|2023-02-03 06:43:31.000000\",\"kthreadd|58291|2023-02-03 06:43:31.000000\",\"/bin/sh /snap/nextcloud/33054/bin/nextcloud-cron|54660|1970-01-01 00:00:00.000000\",\"nextcloud-cron|58135|2023-02-03 06:38:29.000000\",\"nextcloud-cron|58135|2023-02-03 06:43:31.000000\",\"nextcloud-cron|58949|2023-02-03 06:43:31.000000\",\"/sbin/init|1|1970-01-01 00:00:00.000000\",\"systemd|58994|2023-02-03 06:43:31.000000\",\"/bin/sh 
/usr/lib/apt/apt.systemd.daily install|58994|1970-01-01 00:00:00.000000\",\"apt.systemd.dai|59007|2023-02-03 06:43:31.000000\"],\"source_index\":[\"10\",\"0\",\"2\",\"3\",\"5\",\"6\",\"11\",\"1\",\"4\",\"7\",\"12\",\"8\",\"13\",\"9\"],\"source_index_par\":{\"__ndarray__\":\"AAAAAAAA+H8AAAAAAAD4fwAAAAAAAPh/AAAAAAAA+H8AAAAAAAD4fwAAAAAAAPh/AAAAAAAA+H8AAAAAAAD4fwAAAAAAAPh/AAAAAAAA+H8AAAAAAAD4fwAAAAAAAPh/AAAAAAAA+H8AAAAAAAD4fw==\",\"dtype\":\"float64\",\"order\":\"little\",\"shape\":[14]},\"timestamp_orig_par\":{\"__ndarray__\":\"/Knx0k1iQMMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/Knx0k1iQMMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD8qfHSTWJAwwAAAAAAAAAA/Knx0k1iQMMAAAAAAAAAAA==\",\"dtype\":\"float64\",\"order\":\"little\",\"shape\":[14]},\"unixTime\":{\"__ndarray__\":\"AAAAAAAA+H8AAED5KvfYQQAAwEQr99hBAADARCv32EEAAMBEK/fYQQAAwEQr99hBAAAAAAAA+H8AAED5KvfYQQAAwEQr99hBAADARCv32EEAAAAAAAD4fwAAwEQr99hBAAAAAAAA+H8AAMBEK/fYQQ==\",\"dtype\":\"float64\",\"order\":\"little\",\"shape\":[14]}},\"selected\":{\"id\":\"4163\"},\"selection_policy\":{\"id\":\"4162\"}},\"id\":\"4116\",\"type\":\"ColumnDataSource\"},{\"attributes\":{\"axis\":{\"id\":\"4133\"},\"coordinates\":null,\"dimension\":1,\"grid_line_color\":\"navy\",\"group\":null,\"ticker\":null,\"visible\":false},\"id\":\"4136\",\"type\":\"Grid\"},{\"attributes\":{\"text\":{\"field\":\"__cmd_line$$\"},\"text_baseline\":{\"value\":\"middle\"},\"text_color\":{\"value\":\"black\"},\"text_font_size\":{\"value\":\"7pt\"},\"x\":{\"field\":\"Level\",\"transform\":{\"id\":\"4166\"}},\"y\":{\"field\":\"Row\",\"transform\":{\"id\":\"4167\"}}},\"id\":\"4169\",\"type\":\"Text\"},{\"attributes\":{\"end\":15,\"start\":-1},\"id\":\"4197\",\"type\":\"Range1d\"},{\"attributes\":{\"callback\":null,\"formatters\":{\"@calendarTime\":\"datetime\"},\"renderers\":[{\"id\":\"4153\"}],\"tooltips\":[[\"Process\",\"@columns_name\"],[\"PID\",\"@columns_pid\"],[\"CmdLine\",\"@columns_cmdline\"],[\"SubjUser\",\"@columns_username\"],[\"SubjLgnId\",\"@None\"],[
\"TgtLgnId\",\"@None\"],[\"Time\",\"@calendarTime{%F %T.%3N}\"]]},\"id\":\"4146\",\"type\":\"HoverTool\"},{\"attributes\":{\"coordinates\":null,\"group\":null,\"items\":[{\"id\":\"4165\"}],\"label_text_font_size\":\"7pt\",\"title\":\"columns_name\"},\"id\":\"4164\",\"type\":\"Legend\"},{\"attributes\":{\"end\":5,\"start\":1},\"id\":\"4121\",\"type\":\"Range1d\"},{\"attributes\":{},\"id\":\"4161\",\"type\":\"AllLabels\"},{\"attributes\":{\"range\":{\"id\":\"4121\"},\"value\":2.2},\"id\":\"4182\",\"type\":\"Dodge\"},{\"attributes\":{\"text\":{\"field\":\"__proc_name$$\"},\"text_alpha\":{\"value\":0.1},\"text_baseline\":{\"value\":\"middle\"},\"text_color\":{\"value\":\"black\"},\"text_font_size\":{\"value\":\"8pt\"},\"x\":{\"field\":\"Level\",\"transform\":{\"id\":\"4174\"}},\"y\":{\"field\":\"Row\",\"transform\":{\"id\":\"4175\"}}},\"id\":\"4178\",\"type\":\"Text\"},{\"attributes\":{\"coordinates\":null,\"data_source\":{\"id\":\"4116\"},\"glyph\":{\"id\":\"4185\"},\"group\":null,\"hover_glyph\":null,\"muted_glyph\":{\"id\":\"4187\"},\"nonselection_glyph\":{\"id\":\"4186\"},\"view\":{\"id\":\"4189\"}},\"id\":\"4188\",\"type\":\"GlyphRenderer\"},{\"attributes\":{},\"id\":\"4163\",\"type\":\"Selection\"},{\"attributes\":{\"ticks\":[1,2]},\"id\":\"4190\",\"type\":\"FixedTicker\"},{\"attributes\":{},\"id\":\"4138\",\"type\":\"SaveTool\"},{\"attributes\":{},\"id\":\"4162\",\"type\":\"UnionRenderers\"},{\"attributes\":{},\"id\":\"4134\",\"type\":\"BasicTicker\"},{\"attributes\":{\"coordinates\":null,\"data_source\":{\"id\":\"4116\"},\"glyph\":{\"id\":\"4150\"},\"group\":null,\"hover_glyph\":null,\"muted_glyph\":{\"id\":\"4152\"},\"nonselection_glyph\":{\"id\":\"4151\"},\"view\":{\"id\":\"4154\"}},\"id\":\"4153\",\"type\":\"GlyphRenderer\"},{\"attributes\":{},\"id\":\"4201\",\"type\":\"LinearScale\"},{\"attributes\":{\"axis\":{\"id\":\"4129\"},\"coordinates\":null,\"grid_line_alpha\":0.1,\"grid_line_color\":\"navy\",\"group\":null,\"minor_grid_line_alpha\":0.1,\"minor_grid_l
ine_color\":\"navy\",\"ticker\":{\"id\":\"4192\"}},\"id\":\"4132\",\"type\":\"Grid\"},{\"attributes\":{},\"id\":\"4157\",\"type\":\"BasicTickFormatter\"},{\"attributes\":{\"coordinates\":null,\"formatter\":{\"id\":\"4250\"},\"group\":null,\"major_label_policy\":{\"id\":\"4251\"},\"ticker\":{\"id\":\"4204\"},\"visible\":false},\"id\":\"4203\",\"type\":\"LinearAxis\"},{\"attributes\":{\"end\":15,\"start\":-6},\"id\":\"4123\",\"type\":\"Range1d\"},{\"attributes\":{\"callback\":null},\"id\":\"4139\",\"type\":\"TapTool\"},{\"attributes\":{},\"id\":\"4216\",\"type\":\"HelpTool\"},{\"attributes\":{},\"id\":\"4160\",\"type\":\"BasicTickFormatter\"},{\"attributes\":{\"fill_alpha\":{\"value\":0.4},\"fill_color\":{\"field\":\"columns_name\",\"transform\":{\"id\":\"4117\"}},\"height\":{\"value\":0.95},\"line_color\":{\"value\":\"#1f77b4\"},\"width\":{\"value\":3.5},\"x\":{\"field\":\"Level\",\"transform\":{\"id\":\"4148\"}},\"y\":{\"field\":\"Row\"}},\"id\":\"4150\",\"type\":\"Rect\"},{\"attributes\":{\"label\":{\"field\":\"columns_name\"},\"renderers\":[{\"id\":\"4153\"}]},\"id\":\"4165\",\"type\":\"LegendItem\"},{\"attributes\":{\"axis\":{\"id\":\"4203\"},\"coordinates\":null,\"grid_line_color\":null,\"group\":null,\"ticker\":null},\"id\":\"4206\",\"type\":\"Grid\"},{\"attributes\":{\"text\":{\"field\":\"__proc_name$$\"},\"text_alpha\":{\"value\":0.2},\"text_baseline\":{\"value\":\"middle\"},\"text_color\":{\"value\":\"black\"},\"text_font_size\":{\"value\":\"8pt\"},\"x\":{\"field\":\"Level\",\"transform\":{\"id\":\"4174\"}},\"y\":{\"field\":\"Row\",\"transform\":{\"id\":\"4175\"}}},\"id\":\"4179\",\"type\":\"Text\"},{\"attributes\":{\"text\":{\"field\":\"__cmd_line$$\"},\"text_alpha\":{\"value\":0.2},\"text_baseline\":{\"value\":\"middle\"},\"text_color\":{\"value\":\"black\"},\"text_font_size\":{\"value\":\"7pt\"},\"x\":{\"field\":\"Level\",\"transform\":{\"id\":\"4166\"}},\"y\":{\"field\":\"Row\",\"transform\":{\"id\":\"4167\"}}},\"id\":\"4171\",\"type\":\"Text\"}],\"root_
ids\":[\"4237\"]},\"title\":\"Bokeh Application\",\"version\":\"2.4.3\"}};\n", " const render_items = [{\"docid\":\"c12660ba-b162-49f5-856d-b9a411459056\",\"root_ids\":[\"4237\"],\"roots\":{\"4237\":\"716e8d74-a202-4002-89bb-314276d6b8b8\"}}];\n", " root.Bokeh.embed.embed_items_notebook(docs_json, render_items);\n", " }\n", " if (root.Bokeh !== undefined) {\n", " embed_document(root);\n", " } else {\n", " let attempts = 0;\n", " const timer = setInterval(function(root) {\n", " if (root.Bokeh !== undefined) {\n", " clearInterval(timer);\n", " embed_document(root);\n", " } else {\n", " attempts++;\n", " if (attempts > 100) {\n", " clearInterval(timer);\n", " console.log(\"Bokeh: ERROR: Unable to run BokehJS code because BokehJS library is missing\");\n", " }\n", " }\n", " }, 10, root)\n", " }\n", "})(window);" ], "application/vnd.bokehjs_exec.v0+json": "" }, "metadata": { "application/vnd.bokehjs_exec.v0+json": { "id": "4237" } }, "output_type": "display_data" }, { "data": { "text/plain": [ "(Figure(id='4118', ...), Row(id='4237', ...))" ] }, "execution_count": 29, "metadata": {}, "output_type": "execute_result" } ], "source": [ "# partial tree - 10 processes only\n", "process_tree.plot_process_tree(data=df_process[50:60], legend_col=\"columns_name\")" ] }, { "cell_type": "code", "execution_count": null, "id": "5a932ecb-34c6-4bce-ab77-a59f00da0c1a", "metadata": {}, "outputs": [], "source": [] }, { "cell_type": "code", "execution_count": 12, "id": "af58a92f-f3a3-4fac-bd36-76656892bf0d", "metadata": {}, "outputs": [ { "data": { "text/plain": [ "name object\n", "hostIdentifier object\n", "calendarTime object\n", "unixTime int64\n", "epoch int64\n", "counter int64\n", "numerics bool\n", "action object\n", "decorations_host_uuid object\n", "decorations_username object\n", "columns_uid object\n", "columns_username object\n", "columns_md5 object\n", "columns_action object\n", "columns_atime object\n", "columns_category object\n", "columns_ctime object\n", "columns_mode 
object\n", "columns_mtime object\n", "columns_sha256 object\n", "columns_size object\n", "columns_target_path object\n", "columns_time object\n", "dtype: object" ] }, "execution_count": 12, "metadata": {}, "output_type": "execute_result" } ], "source": [ "# FIXME! schema correct above but not here. time columns not datetime64\n", "df_fim.dtypes" ] }, { "cell_type": "code", "execution_count": null, "id": "372595f5-49a2-4dc4-9024-7fa7a69f3244", "metadata": {}, "outputs": [], "source": [ "df_fim.mp_plot.timeline(\n", " title=\"FIM by action\",\n", " # group_by=\"columns.action\",\n", " # group_by=\"columns.username\",\n", " group_by=\"columns_target_path\", \n", " source_columns=[\"columns_username\", \"columns_action\", \"columns_category\", \"columns_target_path\"],\n", " time_column=\"columns_time\",\n", " legend=\"left\",\n", " height=200,\n", ")" ] }, { "cell_type": "code", "execution_count": null, "id": "86e105f2-bebb-46fd-a9c0-7fbfa3458400", "metadata": {}, "outputs": [], "source": [] }, { "cell_type": "code", "execution_count": null, "id": "b2d9ff6e-7569-471d-9d76-9c2f9b0decd9", "metadata": {}, "outputs": [], "source": [ "df_outbound_conn.mp_plot.matrix(x=\"columns_name\", y=\"columns_remote_address\", title=\"Process name vs remote address Interaction\")" ] }, { "cell_type": "code", "execution_count": null, "id": "03a5e9db-e3fe-4db2-ad92-65b82141c1a8", "metadata": {}, "outputs": [], "source": [] } ], "metadata": { "kernelspec": { "display_name": "Python 3 (ipykernel)", "language": "python", "name": "python3" }, "language_info": { "codemirror_mode": { "name": "ipython", "version": 3 }, "file_extension": ".py", "mimetype": "text/x-python", "name": "python", "nbconvert_exporter": "python", "pygments_lexer": "ipython3", "version": "3.10.9" } }, "nbformat": 4, "nbformat_minor": 5 }