beagle.nodes package

Submodules

beagle.nodes.alert module

class beagle.nodes.alert.Alert(alert_name: str = None, alert_data: str = None)
    Bases: beagle.nodes.node.Node

    edges
        Returns an empty list, so that all nodes can have their edges iterated on, even if they have no outgoing edges.
        Returns: []
        Return type: List

    key_fields = ['alert_name', 'alert_data']

class beagle.nodes.alert.AlertedOn
    Bases: beagle.nodes.edge.Edge
beagle.nodes.domain module

class beagle.nodes.domain.Domain(domain: str = None)
    Bases: beagle.nodes.node.Node

    edges
        Returns an empty list, so that all nodes can have their edges iterated on, even if they have no outgoing edges.
        Returns: []
        Return type: List

    key_fields = ['domain']

class beagle.nodes.domain.ResolvesTo
    Bases: beagle.nodes.edge.Edge

class beagle.nodes.domain.URI(uri: str = None)
    Bases: beagle.nodes.node.Node

    edges
        Returns an empty list, so that all nodes can have their edges iterated on, even if they have no outgoing edges.
        Returns: []
        Return type: List

    key_fields = ['uri']

    uri_of = {}

class beagle.nodes.domain.URIOf
    Bases: beagle.nodes.edge.Edge
beagle.nodes.edge module

class beagle.nodes.edge.Edge
    Bases: object

    The base Edge class.

    An edge stores metadata about an interaction between two nodes, and each Edge object holds only the metadata of that one edge. For example, an edge for a file write event might store the time of the write and the contents written.

    Since a write by Process A to File B may occur multiple times, all the properties stored on the edge must be arrays. When generating the graph, Beagle will either unpack all N properties into N edges or create a single edge holding all the metadata, depending on the configuration for that run.

    Examples

    The example below shows an Edge which represents a process launch. The edge contains a list of timestamps at which the parent process launched the child process:

        class Launched(Edge):
            __name__ = "Launched"
            timestamp: int  # element type; as described above, the edge stores an array of these

            def __init__(self) -> None:
                super().__init__()

    The edge would be used in the Process class as follows:

        class Process(Node):
            ...
            # List of launched processes
            launched: DefaultDict["Process", Launched]

    This would allow a parent process to record that it launched child at time 145:

        >>> proc.launched[child].append(timestamp=145)

    You can also add edges without explicitly adding data:

        >>> proc.launched[child]
beagle.nodes.file module

class beagle.nodes.file.CopiedTo
    Bases: beagle.nodes.edge.Edge

class beagle.nodes.file.File(host: str = None, file_path: str = None, file_name: str = None, extension: str = None, hashes: Optional[Dict[str, str]] = {})
    Bases: beagle.nodes.node.Node

    edges
        Returns an empty list, so that all nodes can have their edges iterated on, even if they have no outgoing edges.
        Returns: []
        Return type: List

    hashes = {}

    key_fields = ['host', 'full_path']

class beagle.nodes.file.FileOf
    Bases: beagle.nodes.edge.Edge
beagle.nodes.ip_address module

class beagle.nodes.ip_address.IPAddress(ip_address: str = None)
    Bases: beagle.nodes.node.Node

    key_fields = ['ip_address']
beagle.nodes.node module

class beagle.nodes.node.Node
    Bases: object

    Base Node class. Provides the interface which each Node must implement.

    edges
        Returns an empty list, so that all nodes can have their edges iterated on, even if they have no outgoing edges.
        Returns: []
        Return type: List

    key_fields = []

    to_dict() → Dict[str, Any]
        Converts a Node object to a dictionary without its edge objects.
        Returns: A dict representation of the node.
        Return type: dict

        Examples

        Sample node:

            class AnnotatedNode(Node):
                x: str
                y: int
                key_fields: List[str] = ["x", "y"]
                foo = defaultdict(str)  # not part of the to_dict() output below

                def __init__(self, x: str, y: int):
                    self.x = x
                    self.y = y

                @property
                def _display(self) -> str:
                    return self.x

            >>> AnnotatedNode("1", 1).to_dict()
            {"x": "1", "y": 1}
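To make the node/edge model from the Edge docstring and Node.to_dict() concrete, here is a self-contained miniature of that design, added here and not Beagle's own code: Edge keeps each annotated property as a list and can unpack it into one record per event (the "N edges" mode), Node.to_dict() leaves edge containers out, and, as an assumption not stated on the page, key_fields drive node identity so two Process objects describing the same process share one edge. The Process and Launched classes, the host/timestamp values and build_sample() are constructed for this example.

```python
from collections import defaultdict
from typing import Any, DefaultDict, Dict, List

class Edge:
    # Every annotated property is stored as a list, so repeated events accumulate.
    def __init__(self) -> None:
        for name in getattr(type(self), "__annotations__", {}):
            setattr(self, name, [])

    def append(self, **props: Any) -> None:
        for name, value in props.items():
            getattr(self, name).append(value)

    def unpack(self) -> List[Dict[str, Any]]:
        # One dict per stored event: the "N edges" expansion described on the page.
        names = list(getattr(type(self), "__annotations__", {}))
        count = len(getattr(self, names[0])) if names else 0
        return [{n: getattr(self, n)[i] for n in names} for i in range(count)]

class Node:
    key_fields: List[str] = []  # identifying fields; assumed here to drive hashing
    def _key(self) -> tuple:
        return tuple(getattr(self, f) for f in self.key_fields)

    def __hash__(self) -> int:
        return hash(self._key())

    def __eq__(self, other: object) -> bool:
        return type(other) is type(self) and other._key() == self._key()

    def to_dict(self) -> Dict[str, Any]:
        # Edge containers (defaultdicts keyed by node) are left out, as on the page.
        return {k: v for k, v in vars(self).items() if not isinstance(v, defaultdict)}

class Launched(Edge):
    timestamp: int  # element type; each instance holds a list of timestamps

class Process(Node):
    key_fields = ["host", "process_id", "process_image"]
    def __init__(self, host: str, process_id: int, process_image: str) -> None:
        self.host, self.process_id, self.process_image = host, process_id, process_image
        self.launched: DefaultDict["Process", Launched] = defaultdict(Launched)

def build_sample() -> Process:
    # Constructed sample: explorer.exe launches cmd.exe twice; the second child is a
    # new object but equal by key_fields, so both launches land on one edge.
    parent = Process("host-a", 100, "explorer.exe")
    parent.launched[Process("host-a", 200, "cmd.exe")].append(timestamp=145)
    parent.launched[Process("host-a", 200, "cmd.exe")].append(timestamp=160)
    return parent
```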
beagle.nodes.process module

class beagle.nodes.process.Accessed
    Bases: beagle.nodes.edge.Edge

class beagle.nodes.process.ChangedValue
    Bases: beagle.nodes.edge.Edge

class beagle.nodes.process.ConnectedTo
    Bases: beagle.nodes.edge.Edge

class beagle.nodes.process.Copied
    Bases: beagle.nodes.edge.Edge

class beagle.nodes.process.CreatedKey
    Bases: beagle.nodes.edge.Edge

class beagle.nodes.process.DNSQueryFor
    Bases: beagle.nodes.edge.Edge

class beagle.nodes.process.Deleted
    Bases: beagle.nodes.edge.Edge

class beagle.nodes.process.DeletedKey
    Bases: beagle.nodes.edge.Edge

class beagle.nodes.process.DeletedValue
    Bases: beagle.nodes.edge.Edge

class beagle.nodes.process.HTTPRequestTo
    Bases: beagle.nodes.edge.Edge

class beagle.nodes.process.Launched
    Bases: beagle.nodes.edge.Edge

class beagle.nodes.process.Loaded
    Bases: beagle.nodes.edge.Edge

class beagle.nodes.process.Process(host: str = None, process_id: int = None, user: str = None, process_image: str = None, process_image_path: str = None, command_line: str = None, hashes: Dict[str, str] = {})
    Bases: beagle.nodes.node.Node

    edges
        Returns an empty list, so that all nodes can have their edges iterated on, even if they have no outgoing edges.
        Returns: []
        Return type: List

    hashes = {}

    key_fields = ['host', 'process_id', 'process_image']

class beagle.nodes.process.ReadKey
    Bases: beagle.nodes.edge.Edge

class beagle.nodes.process.Wrote
    Bases: beagle.nodes.edge.Edge
beagle.nodes.registry module

class beagle.nodes.registry.RegistryKey(host: str = None, hive: str = None, key_path: str = None, key: str = None, value: str = None, value_type: str = None)
    Bases: beagle.nodes.node.Node

    key_fields = ['hive', 'key_path', 'key']