beagle.transformers package¶

Submodules¶

beagle.transformers.base_transformer module¶

class beagle.transformers.base_transformer.Transformer(datasource: beagle.datasources.base_datasource.DataSource)[source]¶

Bases: object

Base Transformer class. This class implements a producer/consumer queue from the datasource to the transform() method. Producing the list of nodes is done via run()

Parameters:	datasource (DataSource) – The DataSource to get events from.

run() → List[beagle.nodes.node.Node][source]¶

Generates the list of nodes from the datasource.

This methods kicks off a producer/consumer queue. The producer grabs events one by one from the datasource by iterating over the events from the events generator. Each event is then sent to the transformer() function to be transformer into one or more Node objects.

Returns:	All Nodes created from the data source.
Return type:	List[Node]

to_graph(backend: Backend = <class 'beagle.backends.networkx.NetworkX'>, *args, **kwargs) → Any[source]¶

Graphs the nodes created by run(). If no backend is specific, the default used is NetworkX.

Parameters:	backend ([type], optional) – [description] (the default is NetworkX, which [default_description])
Returns:	[description]
Return type:	[type]

transform(event: dict) → Optional[Iterable[beagle.nodes.node.Node]][source]¶

beagle.transformers.evtx_transformer module¶

class beagle.transformers.evtx_transformer.WinEVTXTransformer(*args, **kwargs)[source]¶

Bases: beagle.transformers.base_transformer.Transformer

name = 'Win EVTX'¶

process_creation(event: dict) → Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.process.Process][source]¶

Transformers a process creation (event ID 4688) into a set of nodes.

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4688

Parameters:	event (dict) – [description]
Returns:	[description]
Return type:	Optional[Tuple[Process, File, Process, File]]

transform()[source]¶

beagle.transformers.fireeye_ax_transformer module¶

class beagle.transformers.fireeye_ax_transformer.FireEyeAXTransformer(datasource: beagle.datasources.base_datasource.DataSource)[source]¶

Bases: beagle.transformers.base_transformer.Transformer

conn_events(event: dict) → Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.ip_address.IPAddress][source]¶

Transforms a single connection event

Example event:

{
    "mode": "connect",
    "protocol_type": "tcp",
    "ipaddress": "199.168.199.123",
    "destination_port": 3333,
    "processinfo": {
        "imagepath": "C:\ProgramData\bloop\some_proc.exe",
        "tainted": true,
        "md5sum": "....",
        "pid": 3020
    },
    "timestamp": 27648
}

Parameters:	event (dict) – source dns_query event
Returns:	Process and its image, and the destination address
Return type:	Tuple[Process, File, IPAddress]

dns_events(event: dict) → Union[Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.domain.Domain], Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.domain.Domain, beagle.nodes.ip_address.IPAddress]][source]¶

Transforms a single DNS event

Example event:

{
    "mode": "dns_query",
    "protocol_type": "udp",
    "hostname": "foobar",
    "qtype": "Host Address",
    "processinfo": {
        "imagepath": "C:\ProgramData\bloop\some_proc.exe",
        "tainted": true,
        "md5sum": "....",
        "pid": 3020
    },
    "timestamp": 27648
}

Optionally, if the event is “dns_query_answer”, we can also extract the response.

Parameters:	event (dict) – source dns_query event
Returns:	Process and its image, and the domain looked up
Return type:	Tuple[Process, File, Domain]

file_events(event: dict) → Union[Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.file.File], Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.file.File, beagle.nodes.file.File]][source]¶

Transforms a file event

Example file event:

{
    "mode": "created",
    "fid": { "ads": "", "content": 2533274790555891 },
    "processinfo": {
        "imagepath": "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "md5sum": "eb32c070e658937aa9fa9f3ae629b2b8",
        "pid": 2956
    },
    "ntstatus": "0x0",
    "value": "C:\Users\admin\AppData\Local\Temp\sy24ttkc.k25.ps1",
    "CreateOptions": "0x400064",
    "timestamp": 9494
}

In 8.2.0 the value field became a dictionary when the mode is failed:

"values": {
    "value": "C:\Users\admin\AppData\Local\Temp\sy24ttkc.k25.ps1""
}

Parameters:	event (dict) – The source event
Returns:	The process, the process’ image, and the file written.
Return type:	Tuple[Process, File, File]

http_requests(event: dict) → Union[Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.ip_address.IPAddress, beagle.nodes.domain.URI, beagle.nodes.domain.Domain], Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.ip_address.IPAddress, beagle.nodes.domain.URI], Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.ip_address.IPAddress]][source]¶

Transforms a single http_request network event. A typical event looks like:

{
    "mode": "http_request",
    "protocol_type": "tcp",
    "ipaddress": "199.168.199.1",
    "destination_port": 80,
    "processinfo": {
        "imagepath": "c:\Windows\System32\svchost.exe",
        "tainted": false,
        "md5sum": "1234",
        "pid": 1292
    },
    "http_request": "GET /some_route.crl HTTP/1.1~~Cache-Control: max-age = 900~~User-Agent: Microsoft-CryptoAPI/10.0~~Host: crl.microsoft.com~~~~",
    "timestamp": 433750
}

Parameters:	event (dict) – The source network event with mode http_request
Returns:	[description]
Return type:	Tuple[Node]

name = 'FireEye AX'¶

process_events(event: dict) → Optional[Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.process.Process, beagle.nodes.file.File]][source]¶

Transformers events from the process entry.

A single process entry looks like:

{
    "mode": string,
    "fid": dict,
    "parentname": string,
    "cmdline": string,
    "sha1sum": "string,
    "md5sum": string,
    "sha256sum": string,
    "pid": int,
    "filesize": int,
    "value": string,
    "timestamp": int,
    "ppid": int
},

Parameters:	event (dict) – The input event.
Returns:	Parent and child processes, and the file nodes that represent their binaries.
Return type:	Optional[Tuple[Process, File, Process, File]]

regkey_events(event: dict) → Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.registry.RegistryKey][source]¶

Transforms a single registry key event

Example event:

{
    "mode": "queryvalue",
    "processinfo": {
        "imagepath": "C:\Users\admin\AppData\Local\Temp\bar.exe",
        "tainted": True,
        "md5sum": "....",
        "pid": 1700,
    },
    "value": "\REGISTRY\USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"ProxyOverride"",
    "timestamp": 6203
},

Parameters:	event (dict) – source regkey event
Returns:	Process and its image, and the registry key.
Return type:	Tuple[Process, File, RegistrKey]

transform()[source]¶

Transformers the various events from the AX Report class.

The only edge case is the network type, AX has multiple Nodes under one type when it comes to the network type. For example the following is a DNS event:

{
    "mode": "dns_query",
    "protocol_type": "udp",
    "hostname": "foobar",
    "qtype": "Host Address",
    "processinfo": {
        "imagepath": "C:\ProgramData\bloop\some_proc.exe",
        "tainted": true,
        "md5sum": "....",
        "pid": 3020
    },
    "timestamp": 27648
}

While the following is a TCP connection:

{
    "mode": "connect",
    "protocol_type": "tcp",
    "ipaddress": "192.168.199.123",
    "destination_port": 3333,
    "processinfo": {
        "imagepath": "C:\ProgramData\bloop\some_proc.exe",
        "tainted": true,
        "md5sum": "...",
        "pid": 3020
    },
    "timestamp": 28029
}

Both have the “network” event_type when coming from FireEyeAXReport

Parameters:	event (dict) – The current event to transform.
Returns:	Tuple of nodes extracted from the event.
Return type:	Optional[Tuple]

beagle.transformers.fireeye_hx_transformer module¶

class beagle.transformers.fireeye_hx_transformer.FireEyeHXTransformer(*args, **kwargs)[source]¶

Bases: beagle.transformers.base_transformer.Transformer

make_alert(event: dict) → Optional[Tuple[beagle.nodes.alert.Alert, ...]][source]¶

make_dnslookup(event: dict) → Optional[Tuple[beagle.nodes.domain.Domain, beagle.nodes.process.Process, beagle.nodes.file.File]][source]¶

Converts a dnsLookupEvent into a Domain, Process, and Process’s File node.

Nodes: 1. Domain looked up.

Process performing the lookup.
File the Process was launched from.

Edges:

Process - (DNS Lookup For) -> Domain.
File - (FileOf) -> Process.

Parameters:	event (dict) – A dnsLookupEvent
Returns:	The Domain, Process, and File nodes.
Return type:	Optional[Tuple[Domain, Process, File]]

make_file(event: dict) → Optional[Tuple[beagle.nodes.file.File, beagle.nodes.process.Process, beagle.nodes.file.File]][source]¶

Converts a fileWriteEvent to two nodes, a file and the process manipulated the file. Generates a process - (Wrote) -> File edge.

Parameters:	event (dict) – The fileWriteEvent event.
Returns:	Returns a tuple contaning the File that this event is focused on, and the process which manipulated the file. The process has a Wrote edge to the file. Also contains the file that the process belongs to.
Return type:	Optional[Tuple[File, Process, File]]

make_imageload(event: dict) → Optional[Tuple[beagle.nodes.file.File, beagle.nodes.process.Process, beagle.nodes.file.File]][source]¶

make_network(event: dict) → Optional[Tuple[beagle.nodes.ip_address.IPAddress, beagle.nodes.process.Process, beagle.nodes.file.File]][source]¶

Converts a network connection event into a Process, File and IP Address node.

Nodes:

IP Address communicated to.
Process contacting IP.
File process launched from.

Edges:

Process - (Connected To) -> IP Address
File - (File Of) -> Process

Parameters:	event (dict) – The ipv4NetworkEvent
Returns:	The IP Address, Process, and Process’s File object.
Return type:	Optional[Tuple[IPAddress, Process, File]]

make_process(event: dict) → Union[Tuple[beagle.nodes.process.Process, beagle.nodes.file.File], Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.process.Process, beagle.nodes.file.File], None][source]¶

Converts a processEvent into either one Process node, or two Process nodes with a parent - (Launched) -> child relationship. Additionally, creats File nodes for the images of both of the Processe’s identified.

Parameters:	event (dict) – The processEvent event
Returns:	Returns either a single process node, or a (parent, child) tuple where the parent has a launched edge to the child.
Return type:	Optional[Union[Tuple[Process, File], Tuple[Process, File, Process, File]]]

make_registry(event: dict) → Optional[Tuple[beagle.nodes.registry.RegistryKey, beagle.nodes.process.Process, beagle.nodes.file.File]][source]¶

make_url(event: dict) → Optional[Tuple[beagle.nodes.domain.URI, beagle.nodes.domain.Domain, beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.ip_address.IPAddress]][source]¶

Converts a URL access event and returns 5 nodes with 4 different relationships.

Nodes created:

URI Accessed (e.g /foobar)
Domain Accessed (e.g omer.com)
Process performing URL request.
File object for the Process image.
IP Address the domain resolves to.

Relationships created:

URI - (URI Of) -> Domain
Domain - (Resolves To) -> IP Address
Process - (http method of event) -> URI
Process - (Connected To) -> IP Address
File - (File Of) -> Process

Parameters:	event (dict) – The urlMonitorEvent events
Returns:	5 tuple of the nodes pulled out of the event (see function description).
Return type:	Optional[Tuple[URI, Domain, Process, File, IPAddress]]

name = 'FireEye HX'¶

transform(event: dict) → Optional[Tuple[beagle.nodes.node.Node, ...]][source]¶

Sends each event from the FireEye HX Triage to the appropriate node creation function.

Parameters:	event (dict) – The source event from the HX Triage
Returns:	The results of the transforming function
Return type:	Optional[Tuple[Node, ..]]

beagle.transformers.generic_transformer module¶

class beagle.transformers.generic_transformer.GenericTransformer(*args, **kwargs)[source]¶

Bases: beagle.transformers.base_transformer.Transformer

This transformer will properly create graphs for any datasource that outputs data in the pre-defined schema.

make_alert(event: dict) → Tuple[beagle.nodes.alert.Alert, ...][source]¶

make_basic_file(event: dict) → Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.file.File][source]¶

Transforms a file based event.

Support events:

EventTypes.FILE_DELETED
EventTypes.FILE_OPENED
EventTypes.FILE_WRITTEN
EventTypes.LOADED_MODULE

Parameters:	event (dict) – [description]
Returns:	[description]
Return type:	Tuple[Process, File, File]

make_basic_regkey(event: dict) → Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.registry.RegistryKey][source]¶

make_connection(event: dict) → Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.ip_address.IPAddress][source]¶

make_dnslookup(event: dict) → Union[Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.domain.Domain, beagle.nodes.ip_address.IPAddress], Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.domain.Domain]][source]¶

make_file_copy(event: dict) → Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.file.File, beagle.nodes.file.File][source]¶

make_http_req(event: dict) → Union[Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.domain.URI, beagle.nodes.domain.Domain], Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.domain.URI, beagle.nodes.domain.Domain, beagle.nodes.ip_address.IPAddress]][source]¶

make_process(event: dict) → Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.process.Process, beagle.nodes.file.File][source]¶

Accepts a process with the EventTypes.PROCESS_LAUNCHED event_type.

For example:

{
    FieldNames.PARENT_PROCESS_IMAGE: "cmd.exe",
    FieldNames.PARENT_PROCESS_IMAGE_PATH: "\",
    FieldNames.PARENT_PROCESS_ID: "2568",
    FieldNames.PARENT_COMMAND_LINE: '/K name.exe"',
    FieldNames.PROCESS_IMAGE: "find.exe",
    FieldNames.PROCESS_IMAGE_PATH: "\",
    FieldNames.COMMAND_LINE: 'find /i "svhost.exe"',
    FieldNames.PROCESS_ID: "3144",
    FieldNames.EVENT_TYPE: EventTypes.PROCESS_LAUNCHED,
}

Parameters:	event (dict) – [description]
Returns:	[description]
Return type:	Tuple[Process, File, Process, File]

make_regkey_set_value(event: dict) → Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.registry.RegistryKey][source]¶

name = 'Generic'¶

transform()[source]¶

beagle.transformers.procmon_transformer module¶

class beagle.transformers.procmon_transformer.ProcmonTransformer(datasource: beagle.datasources.base_datasource.DataSource)[source]¶

Bases: beagle.transformers.base_transformer.Transformer

access_file(event) → Tuple[beagle.nodes.process.Process, beagle.nodes.file.File][source]¶

access_reg_key(event) → Tuple[beagle.nodes.process.Process, beagle.nodes.registry.RegistryKey][source]¶

connection(event) → Tuple[beagle.nodes.process.Process, beagle.nodes.ip_address.IPAddress][source]¶

name = 'Procmon'¶

process_create(event) → Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.process.Process][source]¶

transform()[source]¶

write_file(event) → Tuple[beagle.nodes.process.Process, beagle.nodes.file.File][source]¶

beagle.transformers.sysmon_transformer module¶

class beagle.transformers.sysmon_transformer.SysmonTransformer(*args, **kwargs)[source]¶

Bases: beagle.transformers.base_transformer.Transformer

dns_lookup(event: dict) → Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.domain.Domain][source]¶

file_created(event: dict) → Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.file.File][source]¶

name = 'Sysmon'¶

network_connection(event: dict) → Union[Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.ip_address.IPAddress], Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.ip_address.IPAddress, beagle.nodes.domain.Domain]][source]¶

process_creation(event: dict) → Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.process.Process, beagle.nodes.file.File][source]¶

registry_creation(event: dict) → Optional[Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.registry.RegistryKey]][source]¶

transform()[source]¶

Module contents¶

class beagle.transformers.Transformer(datasource: beagle.datasources.base_datasource.DataSource)[source]¶

Bases: object

Base Transformer class. This class implements a producer/consumer queue from the datasource to the transform() method. Producing the list of nodes is done via run()

Parameters:	datasource (DataSource) – The DataSource to get events from.

run() → List[beagle.nodes.node.Node][source]¶

Generates the list of nodes from the datasource.

This methods kicks off a producer/consumer queue. The producer grabs events one by one from the datasource by iterating over the events from the events generator. Each event is then sent to the transformer() function to be transformer into one or more Node objects.

Returns:	All Nodes created from the data source.
Return type:	List[Node]

to_graph(backend: Backend = <class 'beagle.backends.networkx.NetworkX'>, *args, **kwargs) → Any[source]¶

Graphs the nodes created by run(). If no backend is specific, the default used is NetworkX.

Parameters:	backend ([type], optional) – [description] (the default is NetworkX, which [default_description])
Returns:	[description]
Return type:	[type]

transform(event: dict) → Optional[Iterable[beagle.nodes.node.Node]][source]¶

class beagle.transformers.WinEVTXTransformer(*args, **kwargs)[source]¶

Bases: beagle.transformers.base_transformer.Transformer

name = 'Win EVTX'¶

process_creation(event: dict) → Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.process.Process][source]¶

Transformers a process creation (event ID 4688) into a set of nodes.

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4688

Parameters:	event (dict) – [description]
Returns:	[description]
Return type:	Optional[Tuple[Process, File, Process, File]]

transform()[source]¶

class beagle.transformers.FireEyeAXTransformer(datasource: beagle.datasources.base_datasource.DataSource)[source]¶

Bases: beagle.transformers.base_transformer.Transformer

conn_events(event: dict) → Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.ip_address.IPAddress][source]¶

Transforms a single connection event

Example event:

{
    "mode": "connect",
    "protocol_type": "tcp",
    "ipaddress": "199.168.199.123",
    "destination_port": 3333,
    "processinfo": {
        "imagepath": "C:\ProgramData\bloop\some_proc.exe",
        "tainted": true,
        "md5sum": "....",
        "pid": 3020
    },
    "timestamp": 27648
}

Parameters:	event (dict) – source dns_query event
Returns:	Process and its image, and the destination address
Return type:	Tuple[Process, File, IPAddress]

dns_events(event: dict) → Union[Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.domain.Domain], Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.domain.Domain, beagle.nodes.ip_address.IPAddress]][source]¶

Transforms a single DNS event

Example event:

{
    "mode": "dns_query",
    "protocol_type": "udp",
    "hostname": "foobar",
    "qtype": "Host Address",
    "processinfo": {
        "imagepath": "C:\ProgramData\bloop\some_proc.exe",
        "tainted": true,
        "md5sum": "....",
        "pid": 3020
    },
    "timestamp": 27648
}

Optionally, if the event is “dns_query_answer”, we can also extract the response.

Parameters:	event (dict) – source dns_query event
Returns:	Process and its image, and the domain looked up
Return type:	Tuple[Process, File, Domain]

file_events(event: dict) → Union[Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.file.File], Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.file.File, beagle.nodes.file.File]][source]¶

Transforms a file event

Example file event:

{
    "mode": "created",
    "fid": { "ads": "", "content": 2533274790555891 },
    "processinfo": {
        "imagepath": "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "md5sum": "eb32c070e658937aa9fa9f3ae629b2b8",
        "pid": 2956
    },
    "ntstatus": "0x0",
    "value": "C:\Users\admin\AppData\Local\Temp\sy24ttkc.k25.ps1",
    "CreateOptions": "0x400064",
    "timestamp": 9494
}

In 8.2.0 the value field became a dictionary when the mode is failed:

"values": {
    "value": "C:\Users\admin\AppData\Local\Temp\sy24ttkc.k25.ps1""
}

Parameters:	event (dict) – The source event
Returns:	The process, the process’ image, and the file written.
Return type:	Tuple[Process, File, File]

http_requests(event: dict) → Union[Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.ip_address.IPAddress, beagle.nodes.domain.URI, beagle.nodes.domain.Domain], Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.ip_address.IPAddress, beagle.nodes.domain.URI], Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.ip_address.IPAddress]][source]¶

Transforms a single http_request network event. A typical event looks like:

{
    "mode": "http_request",
    "protocol_type": "tcp",
    "ipaddress": "199.168.199.1",
    "destination_port": 80,
    "processinfo": {
        "imagepath": "c:\Windows\System32\svchost.exe",
        "tainted": false,
        "md5sum": "1234",
        "pid": 1292
    },
    "http_request": "GET /some_route.crl HTTP/1.1~~Cache-Control: max-age = 900~~User-Agent: Microsoft-CryptoAPI/10.0~~Host: crl.microsoft.com~~~~",
    "timestamp": 433750
}

Parameters:	event (dict) – The source network event with mode http_request
Returns:	[description]
Return type:	Tuple[Node]

name = 'FireEye AX'¶

process_events(event: dict) → Optional[Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.process.Process, beagle.nodes.file.File]][source]¶

Transformers events from the process entry.

A single process entry looks like:

{
    "mode": string,
    "fid": dict,
    "parentname": string,
    "cmdline": string,
    "sha1sum": "string,
    "md5sum": string,
    "sha256sum": string,
    "pid": int,
    "filesize": int,
    "value": string,
    "timestamp": int,
    "ppid": int
},

Parameters:	event (dict) – The input event.
Returns:	Parent and child processes, and the file nodes that represent their binaries.
Return type:	Optional[Tuple[Process, File, Process, File]]

regkey_events(event: dict) → Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.registry.RegistryKey][source]¶

Transforms a single registry key event

Example event:

{
    "mode": "queryvalue",
    "processinfo": {
        "imagepath": "C:\Users\admin\AppData\Local\Temp\bar.exe",
        "tainted": True,
        "md5sum": "....",
        "pid": 1700,
    },
    "value": "\REGISTRY\USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"ProxyOverride"",
    "timestamp": 6203
},

Parameters:	event (dict) – source regkey event
Returns:	Process and its image, and the registry key.
Return type:	Tuple[Process, File, RegistrKey]

transform()[source]¶

Transformers the various events from the AX Report class.

The only edge case is the network type, AX has multiple Nodes under one type when it comes to the network type. For example the following is a DNS event:

{
    "mode": "dns_query",
    "protocol_type": "udp",
    "hostname": "foobar",
    "qtype": "Host Address",
    "processinfo": {
        "imagepath": "C:\ProgramData\bloop\some_proc.exe",
        "tainted": true,
        "md5sum": "....",
        "pid": 3020
    },
    "timestamp": 27648
}

While the following is a TCP connection:

{
    "mode": "connect",
    "protocol_type": "tcp",
    "ipaddress": "192.168.199.123",
    "destination_port": 3333,
    "processinfo": {
        "imagepath": "C:\ProgramData\bloop\some_proc.exe",
        "tainted": true,
        "md5sum": "...",
        "pid": 3020
    },
    "timestamp": 28029
}

Both have the “network” event_type when coming from FireEyeAXReport

Parameters:	event (dict) – The current event to transform.
Returns:	Tuple of nodes extracted from the event.
Return type:	Optional[Tuple]

class beagle.transformers.FireEyeHXTransformer(*args, **kwargs)[source]¶

Bases: beagle.transformers.base_transformer.Transformer

make_alert(event: dict) → Optional[Tuple[beagle.nodes.alert.Alert, ...]][source]¶

make_dnslookup(event: dict) → Optional[Tuple[beagle.nodes.domain.Domain, beagle.nodes.process.Process, beagle.nodes.file.File]][source]¶

Converts a dnsLookupEvent into a Domain, Process, and Process’s File node.

Nodes: 1. Domain looked up.

Process performing the lookup.
File the Process was launched from.

Edges:

Process - (DNS Lookup For) -> Domain.
File - (FileOf) -> Process.

Parameters:	event (dict) – A dnsLookupEvent
Returns:	The Domain, Process, and File nodes.
Return type:	Optional[Tuple[Domain, Process, File]]

make_file(event: dict) → Optional[Tuple[beagle.nodes.file.File, beagle.nodes.process.Process, beagle.nodes.file.File]][source]¶

Converts a fileWriteEvent to two nodes, a file and the process manipulated the file. Generates a process - (Wrote) -> File edge.

Parameters:	event (dict) – The fileWriteEvent event.
Returns:	Returns a tuple contaning the File that this event is focused on, and the process which manipulated the file. The process has a Wrote edge to the file. Also contains the file that the process belongs to.
Return type:	Optional[Tuple[File, Process, File]]

make_imageload(event: dict) → Optional[Tuple[beagle.nodes.file.File, beagle.nodes.process.Process, beagle.nodes.file.File]][source]¶

make_network(event: dict) → Optional[Tuple[beagle.nodes.ip_address.IPAddress, beagle.nodes.process.Process, beagle.nodes.file.File]][source]¶

Converts a network connection event into a Process, File and IP Address node.

Nodes:

IP Address communicated to.
Process contacting IP.
File process launched from.

Edges:

Process - (Connected To) -> IP Address
File - (File Of) -> Process

Parameters:	event (dict) – The ipv4NetworkEvent
Returns:	The IP Address, Process, and Process’s File object.
Return type:	Optional[Tuple[IPAddress, Process, File]]

make_process(event: dict) → Union[Tuple[beagle.nodes.process.Process, beagle.nodes.file.File], Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.process.Process, beagle.nodes.file.File], None][source]¶

Converts a processEvent into either one Process node, or two Process nodes with a parent - (Launched) -> child relationship. Additionally, creats File nodes for the images of both of the Processe’s identified.

Parameters:	event (dict) – The processEvent event
Returns:	Returns either a single process node, or a (parent, child) tuple where the parent has a launched edge to the child.
Return type:	Optional[Union[Tuple[Process, File], Tuple[Process, File, Process, File]]]

make_registry(event: dict) → Optional[Tuple[beagle.nodes.registry.RegistryKey, beagle.nodes.process.Process, beagle.nodes.file.File]][source]¶

make_url(event: dict) → Optional[Tuple[beagle.nodes.domain.URI, beagle.nodes.domain.Domain, beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.ip_address.IPAddress]][source]¶

Converts a URL access event and returns 5 nodes with 4 different relationships.

Nodes created:

URI Accessed (e.g /foobar)
Domain Accessed (e.g omer.com)
Process performing URL request.
File object for the Process image.
IP Address the domain resolves to.

Relationships created:

URI - (URI Of) -> Domain
Domain - (Resolves To) -> IP Address
Process - (http method of event) -> URI
Process - (Connected To) -> IP Address
File - (File Of) -> Process

Parameters:	event (dict) – The urlMonitorEvent events
Returns:	5 tuple of the nodes pulled out of the event (see function description).
Return type:	Optional[Tuple[URI, Domain, Process, File, IPAddress]]

name = 'FireEye HX'¶

transform(event: dict) → Optional[Tuple[beagle.nodes.node.Node, ...]][source]¶

Sends each event from the FireEye HX Triage to the appropriate node creation function.

Parameters:	event (dict) – The source event from the HX Triage
Returns:	The results of the transforming function
Return type:	Optional[Tuple[Node, ..]]

class beagle.transformers.GenericTransformer(*args, **kwargs)[source]¶

Bases: beagle.transformers.base_transformer.Transformer

This transformer will properly create graphs for any datasource that outputs data in the pre-defined schema.

make_alert(event: dict) → Tuple[beagle.nodes.alert.Alert, ...][source]¶

make_basic_file(event: dict) → Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.file.File][source]¶

Transforms a file based event.

Support events:

EventTypes.FILE_DELETED
EventTypes.FILE_OPENED
EventTypes.FILE_WRITTEN
EventTypes.LOADED_MODULE

Parameters:	event (dict) – [description]
Returns:	[description]
Return type:	Tuple[Process, File, File]

make_basic_regkey(event: dict) → Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.registry.RegistryKey][source]¶

make_connection(event: dict) → Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.ip_address.IPAddress][source]¶

make_dnslookup(event: dict) → Union[Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.domain.Domain, beagle.nodes.ip_address.IPAddress], Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.domain.Domain]][source]¶

make_file_copy(event: dict) → Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.file.File, beagle.nodes.file.File][source]¶

make_http_req(event: dict) → Union[Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.domain.URI, beagle.nodes.domain.Domain], Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.domain.URI, beagle.nodes.domain.Domain, beagle.nodes.ip_address.IPAddress]][source]¶

make_process(event: dict) → Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.process.Process, beagle.nodes.file.File][source]¶

Accepts a process with the EventTypes.PROCESS_LAUNCHED event_type.

For example:

{
    FieldNames.PARENT_PROCESS_IMAGE: "cmd.exe",
    FieldNames.PARENT_PROCESS_IMAGE_PATH: "\",
    FieldNames.PARENT_PROCESS_ID: "2568",
    FieldNames.PARENT_COMMAND_LINE: '/K name.exe"',
    FieldNames.PROCESS_IMAGE: "find.exe",
    FieldNames.PROCESS_IMAGE_PATH: "\",
    FieldNames.COMMAND_LINE: 'find /i "svhost.exe"',
    FieldNames.PROCESS_ID: "3144",
    FieldNames.EVENT_TYPE: EventTypes.PROCESS_LAUNCHED,
}

Parameters:	event (dict) – [description]
Returns:	[description]
Return type:	Tuple[Process, File, Process, File]

make_regkey_set_value(event: dict) → Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.registry.RegistryKey][source]¶

name = 'Generic'¶

transform()[source]¶

class beagle.transformers.ProcmonTransformer(datasource: beagle.datasources.base_datasource.DataSource)[source]¶

Bases: beagle.transformers.base_transformer.Transformer

access_file(event) → Tuple[beagle.nodes.process.Process, beagle.nodes.file.File][source]¶

access_reg_key(event) → Tuple[beagle.nodes.process.Process, beagle.nodes.registry.RegistryKey][source]¶

connection(event) → Tuple[beagle.nodes.process.Process, beagle.nodes.ip_address.IPAddress][source]¶

name = 'Procmon'¶

process_create(event) → Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.process.Process][source]¶

transform()[source]¶

write_file(event) → Tuple[beagle.nodes.process.Process, beagle.nodes.file.File][source]¶

class beagle.transformers.PCAPTransformer(*args, **kwargs)[source]¶

Bases: beagle.transformers.base_transformer.Transformer

name = 'PCAP'¶

transform(event: Dict) → Optional[Tuple[beagle.nodes.node.Node, ...]][source]¶

class beagle.transformers.SysmonTransformer(*args, **kwargs)[source]¶

Bases: beagle.transformers.base_transformer.Transformer

dns_lookup(event: dict) → Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.domain.Domain][source]¶

file_created(event: dict) → Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.file.File][source]¶

name = 'Sysmon'¶

network_connection(event: dict) → Union[Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.ip_address.IPAddress], Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.ip_address.IPAddress, beagle.nodes.domain.Domain]][source]¶

process_creation(event: dict) → Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.process.Process, beagle.nodes.file.File][source]¶

registry_creation(event: dict) → Optional[Tuple[beagle.nodes.process.Process, beagle.nodes.file.File, beagle.nodes.registry.RegistryKey]][source]¶

transform()[source]¶

class beagle.transformers.DRAPATCTransformer(*args, **kwargs)[source]¶

Bases: beagle.transformers.base_transformer.Transformer

conn_events(event: dict) → Tuple[beagle.transformers.darpa_tc_transformer.TCProcess, beagle.transformers.darpa_tc_transformer.TCIPAddress][source]¶

execute_events(event: dict) → Tuple[beagle.transformers.darpa_tc_transformer.TCProcess, beagle.transformers.darpa_tc_transformer.TCProcess][source]¶

file_events(event: dict) → Tuple[beagle.transformers.darpa_tc_transformer.TCProcess, beagle.transformers.darpa_tc_transformer.TCFile][source]¶

make_addr(event: dict) → Tuple[beagle.transformers.darpa_tc_transformer.TCIPAddress][source]¶

make_file(event: dict) → Tuple[beagle.transformers.darpa_tc_transformer.TCFile][source]¶

make_process(event: dict) → Union[Tuple[beagle.transformers.darpa_tc_transformer.TCProcess], Tuple[beagle.transformers.darpa_tc_transformer.TCProcess, beagle.transformers.darpa_tc_transformer.TCProcess]][source]¶

make_registrykey(event: dict) → Tuple[beagle.transformers.darpa_tc_transformer.TCRegistryKey][source]¶

name = 'DARPA TC'¶

transform()[source]¶