beagle.nodes package¶

Submodules¶

beagle.nodes.alert module¶

class beagle.nodes.alert.Alert(alert_name: str = None, alert_data: str = None)[source]¶

Bases: beagle.nodes.node.Node

edges¶

Returns an empty list, so that all nodes can have their edges iterated on, even if they have no outgoing edges.

Returns:	[]
Return type:	List

key_fields = ['alert_name', 'alert_data']¶

beagle.nodes.domain module¶

class beagle.nodes.domain.Domain(domain: str = None)[source]¶

Bases: beagle.nodes.node.Node

edges¶

Returns an empty list, so that all nodes can have their edges iterated on, even if they have no outgoing edges.

Returns:	[]
Return type:	List

key_fields = ['domain']¶

class beagle.nodes.domain.URI(uri: str = None)[source]¶

Bases: beagle.nodes.node.Node

edges¶

Returns an empty list, so that all nodes can have their edges iterated on, even if they have no outgoing edges.

Returns:	[]
Return type:	List

key_fields = ['uri']¶

uri_of = {}¶

beagle.nodes.edge module¶

beagle.nodes.file module¶

class beagle.nodes.file.File(host: str = None, file_path: str = None, file_name: str = None, full_path: str = None, extension: str = None, hashes: Optional[Dict[str, str]] = {})[source]¶

Bases: beagle.nodes.node.Node

edges¶

Returns an empty list, so that all nodes can have their edges iterated on, even if they have no outgoing edges.

Returns:	[]
Return type:	List

hashes = {}¶

key_fields = ['host', 'full_path']¶

set_extension() → None[source]¶

beagle.nodes.ip_address module¶

class beagle.nodes.ip_address.IPAddress(ip_address: str = None, mac: str = None)[source]¶

Bases: beagle.nodes.node.Node

key_fields = ['ip_address']¶

beagle.nodes.node module¶

class beagle.nodes.node.Node[source]¶

Bases: object

Base Node class. Provides an interface which each Node must implement

edges¶

Returns an empty list, so that all nodes can have their edges iterated on, even if they have no outgoing edges.

Returns:	[]
Return type:	List

key_fields = []¶

merge_with(node: beagle.nodes.node.Node) → None[source]¶

Merge the current node with the destination node. After a call to merge_with the calling node will be updated with the information from the passed in node. This is similar to a dict update call.

Parameters:	node (Node) – The node to use to update the current node.
Raises:	`TypeError` – Passed in node does not represent the same entity represented by the current node.

to_dict() → Dict[str, Any][source]¶

Converts a Node object to a dictionary without its edge objects.

Returns:	A dict representation of a node.
Return type:	dict

Examples

Sample node:

class AnnotatedNode(Node):
    x: str
    y: int
    key_fields: List[str] = ["x", "y"]
    foo = defaultdict(str)

    def __init__(self, x: str, y: int):
        self.x = x
        self.y = y

    @property
    def _display(self) -> str:
        return self.x

>>> AnnotatedNode("1", 1).to_dict()
{"x": "1", "y": 1}

beagle.nodes.process module¶

class beagle.nodes.process.Process(host: str = None, process_id: int = None, user: str = None, process_image: str = None, process_image_path: str = None, process_path: str = None, command_line: str = None, hashes: Dict[str, str] = {})[source]¶

Bases: beagle.nodes.node.Node

edges¶

Returns an empty list, so that all nodes can have their edges iterated on, even if they have no outgoing edges.

Returns:	[]
Return type:	List

get_file_node() → beagle.nodes.file.File[source]¶

hashes = {}¶

key_fields = ['host', 'process_id', 'process_image']¶

class beagle.nodes.process.SysMonProc(process_guid: str = None, *args, **kwargs)[source]¶

Bases: beagle.nodes.process.Process

A custom Process class which extends the regular one. Adds the unique Sysmon process_guid identifier.

key_fields = ['process_guid']¶

beagle.nodes.registry module¶

class beagle.nodes.registry.RegistryKey(host: str = None, hive: str = None, key_path: str = None, key: str = None, value: str = None, value_type: str = None)[source]¶

Bases: beagle.nodes.node.Node

key_fields = ['hive', 'key_path', 'key']¶

Module contents¶

class beagle.nodes.Node[source]¶

Bases: object

Base Node class. Provides an interface which each Node must implement

edges¶

Returns an empty list, so that all nodes can have their edges iterated on, even if they have no outgoing edges.

Returns:	[]
Return type:	List

key_fields = []¶

merge_with(node: beagle.nodes.node.Node) → None[source]¶

Merge the current node with the destination node. After a call to merge_with the calling node will be updated with the information from the passed in node. This is similar to a dict update call.

Parameters:	node (Node) – The node to use to update the current node.
Raises:	`TypeError` – Passed in node does not represent the same entity represented by the current node.

to_dict() → Dict[str, Any][source]¶

Converts a Node object to a dictionary without its edge objects.

Returns:	A dict representation of a node.
Return type:	dict

Examples

Sample node:

class AnnotatedNode(Node):
    x: str
    y: int
    key_fields: List[str] = ["x", "y"]
    foo = defaultdict(str)

    def __init__(self, x: str, y: int):
        self.x = x
        self.y = y

    @property
    def _display(self) -> str:
        return self.x

>>> AnnotatedNode("1", 1).to_dict()
{"x": "1", "y": 1}

class beagle.nodes.URI(uri: str = None)[source]¶

Bases: beagle.nodes.node.Node

edges¶

Returns an empty list, so that all nodes can have their edges iterated on, even if they have no outgoing edges.

Returns:	[]
Return type:	List

key_fields = ['uri']¶

uri_of = {}¶

class beagle.nodes.Domain(domain: str = None)[source]¶

Bases: beagle.nodes.node.Node

edges¶

Returns an empty list, so that all nodes can have their edges iterated on, even if they have no outgoing edges.

Returns:	[]
Return type:	List

key_fields = ['domain']¶

class beagle.nodes.File(host: str = None, file_path: str = None, file_name: str = None, full_path: str = None, extension: str = None, hashes: Optional[Dict[str, str]] = {})[source]¶

Bases: beagle.nodes.node.Node

edges¶

Returns an empty list, so that all nodes can have their edges iterated on, even if they have no outgoing edges.

Returns:	[]
Return type:	List

hashes = {}¶

key_fields = ['host', 'full_path']¶

set_extension() → None[source]¶

class beagle.nodes.FileOf[source]¶: Bases: beagle.edges.edge.Edge

class beagle.nodes.IPAddress(ip_address: str = None, mac: str = None)[source]¶

Bases: beagle.nodes.node.Node

key_fields = ['ip_address']¶

class beagle.nodes.SysMonProc(process_guid: str = None, *args, **kwargs)[source]¶

Bases: beagle.nodes.process.Process

A custom Process class which extends the regular one. Adds the unique Sysmon process_guid identifier.

key_fields = ['process_guid']¶

class beagle.nodes.Process(host: str = None, process_id: int = None, user: str = None, process_image: str = None, process_image_path: str = None, process_path: str = None, command_line: str = None, hashes: Dict[str, str] = {})[source]¶

Bases: beagle.nodes.node.Node

edges¶

Returns an empty list, so that all nodes can have their edges iterated on, even if they have no outgoing edges.

Returns:	[]
Return type:	List

get_file_node() → beagle.nodes.file.File[source]¶

hashes = {}¶

key_fields = ['host', 'process_id', 'process_image']¶

class beagle.nodes.RegistryKey(host: str = None, hive: str = None, key_path: str = None, key: str = None, value: str = None, value_type: str = None)[source]¶

Bases: beagle.nodes.node.Node

key_fields = ['hive', 'key_path', 'key']¶

class beagle.nodes.Alert(alert_name: str = None, alert_data: str = None)[source]¶

Bases: beagle.nodes.node.Node

edges¶

Returns an empty list, so that all nodes can have their edges iterated on, even if they have no outgoing edges.

Returns:	[]
Return type:	List

key_fields = ['alert_name', 'alert_data']¶