marius/log2ml
1
0
Fork 0
mirror of https://github.com/norandom/log2ml.git synced 2024-10-22 18:35:13 +00:00
Code Issues Packages Projects Releases Wiki Activity
24886d88e7
log2ml/2-5-automated-machine-learning-with-gp/TPOT_Foundations.ipynb

3605 lines
259 KiB
Plaintext
Raw Normal View History

automl with tpot example, not commented yet
2024-06-23 18:05:15 +00:00
{
"cells": [
{
"cell_type": "code",
"execution_count": null,
"id": "initial_id",
"metadata": {
"collapsed": true
},
"outputs": [],
"source": [
"import requests\n",
"import pandas as pd\n",
"import json\n",
"\n",
"# Function to recursively normalize nested columns in a DataFrame\n",
"def recursively_normalize(data):\n",
" df = pd.json_normalize(data)\n",
" while True:\n",
" nested_cols = [col for col in df.columns if isinstance(df[col].iloc[0], (dict, list))]\n",
" if not nested_cols:\n",
" break\n",
" for col in nested_cols:\n",
" if isinstance(df[col].iloc[0], dict):\n",
" normalized = pd.json_normalize(df[col])\n",
" df = df.drop(columns=[col]).join(normalized)\n",
" elif isinstance(df[col].iloc[0], list):\n",
" df = df.explode(col)\n",
" normalized = pd.json_normalize(df[col])\n",
" df = df.drop(columns=[col]).join(normalized)\n",
" return df\n",
"\n",
"# Function to fetch the next batch using the cursor\n",
"def fetch_next_batch(cursor):\n",
" response = requests.post(\n",
" f\"{base_url}/_sql?format=json\",\n",
" headers={\"Content-Type\": \"application/json\"},\n",
" json={\"cursor\": cursor}\n",
" ).json()\n",
" return response\n",
"\n",
"# Elasticsearch base URL\n",
"base_url = \"http://192.168.20.106:9200\"\n",
"# Index name\n",
"index = \"winlogbeat-*\"\n",
"\n",
"from datetime import datetime, timedelta\n",
"\n",
"# Calculate the current time and the time one hour ago\n",
"current_time = datetime.utcnow()\n",
"one_hour_ago = current_time - timedelta(hours=1)\n",
"\n",
"# Format times in ISO8601 format as expected by Elasticsearch\n",
"current_time_iso = current_time.strftime('%Y-%m-%dT%H:%M:%SZ')\n",
"one_hour_ago_iso = one_hour_ago.strftime('%Y-%m-%dT%H:%M:%SZ')\n",
"\n",
"# SQL query with time filter\n",
"sql_query = f\"\"\"\n",
"SELECT \"@timestamp\", host.hostname, host.ip, log.level, winlog.event_id, winlog.task, message\n",
"FROM \"winlogbeat-7.10.0-2024.06.23-*\"\n",
"WHERE host.hostname = 'win10'\n",
"AND winlog.provider_name = 'Microsoft-Windows-Sysmon'\n",
"AND \"@timestamp\" >= '{one_hour_ago_iso}'\n",
"AND \"@timestamp\" <= '{current_time_iso}'\n",
"\"\"\"\n",
"\n",
"# Initial search request to start scrolling\n",
"initial_response = requests.post(\n",
" f\"{base_url}/_sql?format=json\",\n",
" headers={\"Content-Type\": \"application/json\"},\n",
" json={\n",
" \"query\": sql_query,\n",
" \"field_multi_value_leniency\": True\n",
" }\n",
").json()\n",
"\n",
"# Extract the cursor for scrolling\n",
"cursor = initial_response.get('cursor')\n",
"rows = initial_response.get('rows')\n",
"columns = [col['name'] for col in initial_response['columns']]\n",
"\n",
"# Initialize CSV file (assumes the first batch is not empty)\n",
"if rows:\n",
" df = pd.DataFrame(rows, columns=columns)\n",
" df = recursively_normalize(df.to_dict(orient='records'))\n",
" df.to_csv(\"lab_logs_blindtest_activity.csv\", mode='w', index=False, header=True)\n",
"\n",
"# Track total documents retrieved\n",
"total_documents_retrieved = len(rows)\n",
"print(f\"Retrieved {total_documents_retrieved} documents.\")\n",
"\n",
"# Loop to fetch subsequent batches of documents until no more documents are left\n",
"while cursor:\n",
" # Fetch next batch of documents using cursor\n",
" response = fetch_next_batch(cursor)\n",
" \n",
" # Update cursor for the next batch\n",
" cursor = response.get('cursor')\n",
" rows = response.get('rows')\n",
" \n",
" # If no rows, break out of the loop\n",
" if not rows:\n",
" break\n",
" \n",
" # Normalize data and append to CSV\n",
" df = pd.DataFrame(rows, columns=columns)\n",
" df = recursively_normalize(df.to_dict(orient='records'))\n",
" \n",
" # Append to CSV file without headers\n",
" df.to_csv(\"lab_logs_blindtest_activity.csv\", mode='a', index=False, header=False)\n",
" \n",
" # Convert DataFrame to JSON, line by line\n",
" json_lines = df.to_json(orient='records', lines=True).splitlines()\n",
" # Append each line to an existing JSON file\n",
" with open(\"lab_logs_blindtest_activity.json\", 'a') as file:\n",
" for line in json_lines:\n",
" file.write(line + '\\n') # Append each line and add a newline\n",
" \n",
" # Update total documents retrieved\n",
" total_documents_retrieved += len(rows)\n",
" \n",
" print(f\"Retrieved {total_documents_retrieved} documents.\")\n",
"\n",
"print(\"Files have been written.\")\n"
]
},
{
"metadata": {
"ExecuteTime": {
"end_time": "2024-06-23T14:27:10.324996Z",
"start_time": "2024-06-23T14:27:10.066377Z"
}
},
"cell_type": "code",
"source": [
"import polars as pl\n",
"\n",
"# Define the path to your CSV file\n",
"csv_file_path = 'lab_logs_blindtest_activity.csv'\n",
"\n",
"# Load the CSV file into a DataFrame\n",
"df = pl.read_csv(csv_file_path)\n",
"\n",
"# Show the DataFrame to confirm it's loaded correctly\n",
"print(df)\n"
],
"id": "847862813f6a8c74",
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"shape: (1_027, 7)\n",
"┌──────────────┬─────────────┬─────────────┬─────────────┬─────────────┬─────────────┬─────────────┐\n",
"│ @timestamp ┆ host.hostna ┆ host.ip ┆ log.level ┆ winlog.even ┆ winlog.task ┆ message │\n",
"│ --- ┆ me ┆ --- ┆ --- ┆ t_id ┆ --- ┆ --- │\n",
"│ str ┆ --- ┆ str ┆ str ┆ --- ┆ str ┆ str │\n",
"│ ┆ str ┆ ┆ ┆ i64 ┆ ┆ │\n",
"╞══════════════╪═════════════╪═════════════╪═════════════╪═════════════╪═════════════╪═════════════╡\n",
"│ 2024-06-23T0 ┆ win10 ┆ fe80::965b: ┆ information ┆ 10 ┆ Process ┆ Process │\n",
"│ 7:42:03.814Z ┆ ┆ 5bf2:7f22:d ┆ ┆ ┆ accessed ┆ accessed: │\n",
"│ ┆ ┆ 30 ┆ ┆ ┆ (rule: ┆ RuleName: - │\n",
"│ ┆ ┆ ┆ ┆ ┆ Proces… ┆ … │\n",
"│ 2024-06-23T0 ┆ win10 ┆ fe80::965b: ┆ information ┆ 10 ┆ Process ┆ Process │\n",
"│ 7:42:03.814Z ┆ ┆ 5bf2:7f22:d ┆ ┆ ┆ accessed ┆ accessed: │\n",
"│ ┆ ┆ 30 ┆ ┆ ┆ (rule: ┆ RuleName: - │\n",
"│ ┆ ┆ ┆ ┆ ┆ Proces… ┆ … │\n",
"│ 2024-06-23T0 ┆ win10 ┆ fe80::965b: ┆ information ┆ 1 ┆ Process ┆ Process │\n",
"│ 7:42:03.820Z ┆ ┆ 5bf2:7f22:d ┆ ┆ ┆ Create ┆ Create: │\n",
"│ ┆ ┆ 30 ┆ ┆ ┆ (rule: ┆ RuleName: - │\n",
"│ ┆ ┆ ┆ ┆ ┆ ProcessC… ┆ Ut… │\n",
"│ 2024-06-23T0 ┆ win10 ┆ fe80::965b: ┆ information ┆ 13 ┆ Registry ┆ Registry │\n",
"│ 7:42:03.846Z ┆ ┆ 5bf2:7f22:d ┆ ┆ ┆ value set ┆ value set: │\n",
"│ ┆ ┆ 30 ┆ ┆ ┆ (rule: ┆ RuleName: … │\n",
"│ ┆ ┆ ┆ ┆ ┆ Regi… ┆ │\n",
"│ 2024-06-23T0 ┆ win10 ┆ fe80::965b: ┆ information ┆ 1 ┆ Process ┆ Process │\n",
"│ 7:42:03.864Z ┆ ┆ 5bf2:7f22:d ┆ ┆ ┆ Create ┆ Create: │\n",
"│ ┆ ┆ 30 ┆ ┆ ┆ (rule: ┆ RuleName: - │\n",
"│ ┆ ┆ ┆ ┆ ┆ ProcessC… ┆ Ut… │\n",
"│ … ┆ … ┆ … ┆ … ┆ … ┆ … ┆ … │\n",
"│ 2024-06-23T0 ┆ win10 ┆ fe80::965b: ┆ information ┆ 1 ┆ Process ┆ Process │\n",
"│ 8:35:53.050Z ┆ ┆ 5bf2:7f22:d ┆ ┆ ┆ Create ┆ Create: │\n",
"│ ┆ ┆ 30 ┆ ┆ ┆ (rule: ┆ RuleName: - │\n",
"│ ┆ ┆ ┆ ┆ ┆ ProcessC… ┆ Ut… │\n",
"│ 2024-06-23T0 ┆ win10 ┆ fe80::965b: ┆ information ┆ 10 ┆ Process ┆ Process │\n",
"│ 8:35:53.125Z ┆ ┆ 5bf2:7f22:d ┆ ┆ ┆ accessed ┆ accessed: │\n",
"│ ┆ ┆ 30 ┆ ┆ ┆ (rule: ┆ RuleName: - │\n",
"│ ┆ ┆ ┆ ┆ ┆ Proces… ┆ … │\n",
"│ 2024-06-23T0 ┆ win10 ┆ fe80::965b: ┆ information ┆ 1 ┆ Process ┆ Process │\n",
"│ 8:35:56.448Z ┆ ┆ 5bf2:7f22:d ┆ ┆ ┆ Create ┆ Create: │\n",
"│ ┆ ┆ 30 ┆ ┆ ┆ (rule: ┆ RuleName: - │\n",
"│ ┆ ┆ ┆ ┆ ┆ ProcessC… ┆ Ut… │\n",
"│ 2024-06-23T0 ┆ win10 ┆ fe80::965b: ┆ information ┆ 22 ┆ Dns query ┆ Dns query: │\n",
"│ 8:37:46.518Z ┆ ┆ 5bf2:7f22:d ┆ ┆ ┆ (rule: ┆ RuleName: - │\n",
"│ ┆ ┆ 30 ┆ ┆ ┆ DnsQuery) ┆ UtcTime… │\n",
"│ 2024-06-23T0 ┆ win10 ┆ fe80::965b: ┆ information ┆ 1 ┆ Process ┆ Process │\n",
"│ 8:37:54.182Z ┆ ┆ 5bf2:7f22:d ┆ ┆ ┆ Create ┆ Create: │\n",
"│ ┆ ┆ 30 ┆ ┆ ┆ (rule: ┆ RuleName: - │\n",
"│ ┆ ┆ ┆ ┆ ┆ ProcessC… ┆ Ut… │\n",
"└──────────────┴─────────────┴─────────────┴─────────────┴─────────────┴─────────────┴─────────────┘\n"
]
}
],
"execution_count": 2
},
{
"metadata": {
"ExecuteTime": {
"end_time": "2024-06-23T14:27:15.761561Z",
"start_time": "2024-06-23T14:27:15.718703Z"
}
},
"cell_type": "code",
"source": [
"import polars as pl\n",
"\n",
"def remove_keyword_lines(batch, keywords):\n",
" def modify_line(line):\n",
" # Check each keyword; filter the line if the keyword is at the start followed by a colon\n",
" for keyword in keywords:\n",
" if line.startswith(f\"{keyword}:\"):\n",
" # Special handling for 'User' keyword\n",
" if keyword == 'User':\n",
" parts = line.split('\\\\')\n",
" if len(parts) > 1:\n",
" return f\"User: {parts[1]}\" # Only keep the part after the backslash\n",
" elif keyword == 'SourceHostname':\n",
" parts = line.split('.')\n",
" if len(parts) > 0:\n",
" return f\"{keyword}: {parts[0].split(': ')[1]}\" # Only keep the part before the first dot, remove keyword duplication\n",
" return None # For other keywords, remove the line altogether\n",
" return line # Return the line unchanged if no keyword conditions are met\n",
"\n",
" # Use map_elements to apply a function to each message in the batch\n",
" return batch.map_elements(lambda message: '\\n'.join(\n",
" filter(None, (modify_line(line) for line in message.split('\\n')))), \n",
" return_dtype=pl.Utf8)\n",
"\n",
"\n",
"\n",
"\n",
"# Define a list of keywords to filter out\n",
"keywords_to_filter = [\"UtcTime\", \"SourceProcessGUID\",\"ProcessGuid\", \"TargetProcessGUID\", \"TargetObject\", \"FileVersion\", \"Hashes\", \"LogonGuid\", \"LogonId\", \"CreationUtcTime\", \"User\", \"ParentProcessGuid\", \"SourceHostname\"]\n",
"\n",
"\n",
"# Load your DataFrame (assuming 'df' is already loaded)\n",
"# Apply the transformation to the 'message' column using map_batches\n",
"df_f = df.with_columns(\n",
" pl.col(\"message\").map_batches(lambda batch: remove_keyword_lines(batch, keywords_to_filter), return_dtype=pl.Utf8).alias(\"filtered_message\")\n",
")\n",
"\n",
"# Assuming df_f is your DataFrame with the 'filtered_message' column\n",
"# Fetch the first three rows from the 'filtered_message' column\n",
"first_messages = df_f[\"filtered_message\"].head(200)\n",
"\n",
"# Print each message completely\n",
"for i, message in enumerate(first_messages):\n",
" print(f\"Message {i+1}:\")\n",
" print(message)\n",
" print(\"-\" * 50) # Separator for readability\n"
],
"id": "fc93fe038bcb00c5",
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Message 1:\n",
"Process accessed:\n",
"RuleName: -\n",
"SourceProcessId: 1072\n",
"SourceThreadId: 1132\n",
"SourceImage: C:\\Windows\\system32\\svchost.exe\n",
"TargetProcessId: 872\n",
"TargetImage: C:\\Windows\\system32\\lsass.exe\n",
"GrantedAccess: 0x1000\n",
"CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
"--------------------------------------------------\n",
"Message 2:\n",
"Process accessed:\n",
"RuleName: -\n",
"SourceProcessId: 1072\n",
"SourceThreadId: 1132\n",
"SourceImage: C:\\Windows\\system32\\svchost.exe\n",
"TargetProcessId: 872\n",
"TargetImage: C:\\Windows\\system32\\lsass.exe\n",
"GrantedAccess: 0x1000\n",
"CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
"--------------------------------------------------\n",
"Message 3:\n",
"Process Create:\n",
"RuleName: -\n",
"ProcessId: 5196\n",
"Image: C:\\Windows\\servicing\\TrustedInstaller.exe\n",
"Description: Windows Modules Installer\n",
"Product: Microsoft® Windows® Operating System\n",
"Company: Microsoft Corporation\n",
"OriginalFileName: TrustedInstaller.exe\n",
"CommandLine: C:\\Windows\\servicing\\TrustedInstaller.exe\n",
"CurrentDirectory: C:\\Windows\\system32\\\n",
"User: SYSTEM\n",
"TerminalSessionId: 0\n",
"IntegrityLevel: System\n",
"ParentProcessId: 824\n",
"ParentImage: C:\\Windows\\System32\\services.exe\n",
"ParentCommandLine: C:\\Windows\\system32\\services.exe\n",
"--------------------------------------------------\n",
"Message 4:\n",
"Registry value set:\n",
"RuleName: Tamper-Winlogon\n",
"EventType: SetValue\n",
"ProcessId: 5196\n",
"Image: C:\\Windows\\servicing\\TrustedInstaller.exe\n",
"Details: CreateSession\n",
"--------------------------------------------------\n",
"Message 5:\n",
"Process Create:\n",
"RuleName: -\n",
"ProcessId: 6140\n",
"Image: C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.2664_none_7dfa24947c9c0a36\\TiWorker.exe\n",
"Description: Windows Modules Installer Worker\n",
"Product: Microsoft® Windows® Operating System\n",
"Company: Microsoft Corporation\n",
"OriginalFileName: TiWorker.exe\n",
"CommandLine: C:\\Windows\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.2664_none_7dfa24947c9c0a36\\TiWorker.exe -Embedding\n",
"CurrentDirectory: C:\\Windows\\system32\\\n",
"User: SYSTEM\n",
"TerminalSessionId: 0\n",
"IntegrityLevel: System\n",
"ParentProcessId: 1000\n",
"ParentImage: C:\\Windows\\System32\\svchost.exe\n",
"ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p\n",
"--------------------------------------------------\n",
"Message 6:\n",
"Process Create:\n",
"RuleName: -\n",
"ProcessId: 2036\n",
"Image: C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe\n",
"Description: Microsoft Edge Update\n",
"Product: Microsoft Edge Update\n",
"Company: Microsoft Corporation\n",
"OriginalFileName: msedgeupdate.dll\n",
"CommandLine: \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe\" /c\n",
"CurrentDirectory: C:\\Windows\\system32\\\n",
"User: SYSTEM\n",
"TerminalSessionId: 0\n",
"IntegrityLevel: System\n",
"ParentProcessId: 2024\n",
"ParentImage: C:\\Windows\\System32\\svchost.exe\n",
"ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n",
"--------------------------------------------------\n",
"Message 7:\n",
"Dns query:\n",
"RuleName: -\n",
"ProcessId: 3508\n",
"QueryName: ncc.avast.com\n",
"QueryStatus: 0\n",
"QueryResults: type: 5 ncc.avast.com.edgesuite.net;type: 5 a1488.dscd.akamai.net;::ffff:23.72.36.187;::ffff:23.72.36.112;\n",
"Image: C:\\Program Files\\Avast Software\\Avast\\aswToolsSvc.exe\n",
"--------------------------------------------------\n",
"Message 8:\n",
"Dns query:\n",
"RuleName: -\n",
"ProcessId: 4592\n",
"QueryName: ecs.office.com\n",
"QueryStatus: 0\n",
"QueryResults: type: 5 ecs.office.trafficmanager.net;type: 5 s-0005-office.config.skype.com;type: 5 ecs-office.s-0005.s-msedge.net;type: 5 s-0005.s-msedge.net;::ffff:52.113.194.132;\n",
"Image: C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe\n",
"--------------------------------------------------\n",
"Message 9:\n",
"Process Create:\n",
"RuleName: -\n",
"ProcessId: 4492\n",
"Image: C:\\Windows\\System32\\taskhostw.exe\n",
"Description: Host Process for Windows Tasks\n",
"Product: Microsoft® Windows® Operating System\n",
"Company: Microsoft Corporation\n",
"OriginalFileName: taskhostw.exe\n",
"CommandLine: taskhostw.exe\n",
"CurrentDirectory: C:\\Windows\\system32\\\n",
"User: SYSTEM\n",
"TerminalSessionId: 0\n",
"IntegrityLevel: System\n",
"ParentProcessId: 2024\n",
"ParentImage: C:\\Windows\\System32\\svchost.exe\n",
"ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n",
"--------------------------------------------------\n",
"Message 10:\n",
"Process Create:\n",
"RuleName: -\n",
"ProcessId: 2788\n",
"Image: C:\\Windows\\System32\\WinBioPlugIns\\FaceFodUninstaller.exe\n",
"Description: -\n",
"Product: -\n",
"Company: -\n",
"OriginalFileName: -\n",
"CommandLine: \"C:\\Windows\\System32\\WinBioPlugIns\\FaceFodUninstaller.exe\"\n",
"CurrentDirectory: C:\\Windows\\system32\\\n",
"User: SYSTEM\n",
"TerminalSessionId: 0\n",
"IntegrityLevel: System\n",
"ParentProcessId: 2024\n",
"ParentImage: C:\\Windows\\System32\\svchost.exe\n",
"ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n",
"--------------------------------------------------\n",
"Message 11:\n",
"Process Create:\n",
"RuleName: -\n",
"ProcessId: 6472\n",
"Image: C:\\Windows\\System32\\lpremove.exe\n",
"Description: MUI Language pack cleanup\n",
"Product: Microsoft® Windows® Operating System\n",
"Company: Microsoft Corporation\n",
"OriginalFileName: lpremove.exe\n",
"CommandLine: \"C:\\Windows\\system32\\lpremove.exe\"\n",
"CurrentDirectory: C:\\Windows\\system32\\\n",
"User: SYSTEM\n",
"TerminalSessionId: 0\n",
"IntegrityLevel: System\n",
"ParentProcessId: 2024\n",
"ParentImage: C:\\Windows\\System32\\svchost.exe\n",
"ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n",
"--------------------------------------------------\n",
"Message 12:\n",
"Process Create:\n",
"RuleName: -\n",
"ProcessId: 6104\n",
"Image: C:\\Windows\\System32\\UsoClient.exe\n",
"Description: UsoClient\n",
"Product: Microsoft® Windows® Operating System\n",
"Company: Microsoft Corporation\n",
"OriginalFileName: UsoClient\n",
"CommandLine: \"C:\\Windows\\system32\\usoclient.exe\" ReportPolicies\n",
"CurrentDirectory: C:\\Windows\\system32\\\n",
"User: SYSTEM\n",
"TerminalSessionId: 0\n",
"IntegrityLevel: System\n",
"ParentProcessId: 2024\n",
"ParentImage: C:\\Windows\\System32\\svchost.exe\n",
"ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n",
"--------------------------------------------------\n",
"Message 13:\n",
"Process accessed:\n",
"RuleName: -\n",
"SourceProcessId: 1072\n",
"SourceThreadId: 1132\n",
"SourceImage: C:\\Windows\\system32\\svchost.exe\n",
"TargetProcessId: 872\n",
"TargetImage: C:\\Windows\\system32\\lsass.exe\n",
"GrantedAccess: 0x1000\n",
"CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
"--------------------------------------------------\n",
"Message 14:\n",
"Process accessed:\n",
"RuleName: -\n",
"SourceProcessId: 1072\n",
"SourceThreadId: 1132\n",
"SourceImage: C:\\Windows\\system32\\svchost.exe\n",
"TargetProcessId: 872\n",
"TargetImage: C:\\Windows\\system32\\lsass.exe\n",
"GrantedAccess: 0x1000\n",
"CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
"--------------------------------------------------\n",
"Message 15:\n",
"Process accessed:\n",
"RuleName: -\n",
"SourceProcessId: 1072\n",
"SourceThreadId: 1096\n",
"SourceImage: C:\\Windows\\system32\\svchost.exe\n",
"TargetProcessId: 872\n",
"TargetImage: C:\\Windows\\system32\\lsass.exe\n",
"GrantedAccess: 0x1000\n",
"CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
"--------------------------------------------------\n",
"Message 16:\n",
"Process accessed:\n",
"RuleName: -\n",
"SourceProcessId: 1072\n",
"SourceThreadId: 1096\n",
"SourceImage: C:\\Windows\\system32\\svchost.exe\n",
"TargetProcessId: 872\n",
"TargetImage: C:\\Windows\\system32\\lsass.exe\n",
"GrantedAccess: 0x1000\n",
"CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
"--------------------------------------------------\n",
"Message 17:\n",
"Process Create:\n",
"RuleName: -\n",
"ProcessId: 4324\n",
"Image: C:\\Windows\\System32\\sc.exe\n",
"Description: Service Control Manager Configuration Tool\n",
"Product: Microsoft® Windows® Operating System\n",
"Company: Microsoft Corporation\n",
"OriginalFileName: sc.exe\n",
"CommandLine: \"C:\\Windows\\system32\\sc.exe\" start w32time task_started\n",
"CurrentDirectory: C:\\Windows\\system32\\\n",
"User: LOCAL SERVICE\n",
"TerminalSessionId: 0\n",
"IntegrityLevel: System\n",
"ParentProcessId: 2024\n",
"ParentImage: C:\\Windows\\System32\\svchost.exe\n",
"ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n",
"--------------------------------------------------\n",
"Message 18:\n",
"Process accessed:\n",
"RuleName: -\n",
"SourceProcessId: 1072\n",
"SourceThreadId: 1132\n",
"SourceImage: C:\\Windows\\system32\\svchost.exe\n",
"TargetProcessId: 872\n",
"TargetImage: C:\\Windows\\system32\\lsass.exe\n",
"GrantedAccess: 0x1000\n",
"CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
"--------------------------------------------------\n",
"Message 19:\n",
"Process accessed:\n",
"RuleName: -\n",
"SourceProcessId: 1072\n",
"SourceThreadId: 1132\n",
"SourceImage: C:\\Windows\\system32\\svchost.exe\n",
"TargetProcessId: 872\n",
"TargetImage: C:\\Windows\\system32\\lsass.exe\n",
"GrantedAccess: 0x1000\n",
"CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
"--------------------------------------------------\n",
"Message 20:\n",
"Process accessed:\n",
"RuleName: -\n",
"SourceProcessId: 1072\n",
"SourceThreadId: 1096\n",
"SourceImage: C:\\Windows\\system32\\svchost.exe\n",
"TargetProcessId: 872\n",
"TargetImage: C:\\Windows\\system32\\lsass.exe\n",
"GrantedAccess: 0x1000\n",
"CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
"--------------------------------------------------\n",
"Message 21:\n",
"Process accessed:\n",
"RuleName: -\n",
"SourceProcessId: 1072\n",
"SourceThreadId: 1096\n",
"SourceImage: C:\\Windows\\system32\\svchost.exe\n",
"TargetProcessId: 872\n",
"TargetImage: C:\\Windows\\system32\\lsass.exe\n",
"GrantedAccess: 0x1000\n",
"CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
"--------------------------------------------------\n",
"Message 22:\n",
"Process Create:\n",
"RuleName: -\n",
"ProcessId: 5828\n",
"Image: C:\\Windows\\System32\\taskhostw.exe\n",
"Description: Host Process for Windows Tasks\n",
"Product: Microsoft® Windows® Operating System\n",
"Company: Microsoft Corporation\n",
"OriginalFileName: taskhostw.exe\n",
"CommandLine: taskhostw.exe\n",
"CurrentDirectory: C:\\Windows\\system32\\\n",
"User: LOCAL SERVICE\n",
"TerminalSessionId: 0\n",
"IntegrityLevel: System\n",
"ParentProcessId: 2024\n",
"ParentImage: C:\\Windows\\System32\\svchost.exe\n",
"ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n",
"--------------------------------------------------\n",
"Message 23:\n",
"Process Create:\n",
"RuleName: -\n",
"ProcessId: 4996\n",
"Image: C:\\Windows\\System32\\rundll32.exe\n",
"Description: Windows host process (Rundll32)\n",
"Product: Microsoft® Windows® Operating System\n",
"Company: Microsoft Corporation\n",
"OriginalFileName: RUNDLL32.EXE\n",
"CommandLine: \"C:\\Windows\\system32\\rundll32.exe\" C:\\Windows\\system32\\Windows.StateRepositoryClient.dll,StateRepositoryDoMaintenanceTasks\n",
"CurrentDirectory: C:\\Windows\\system32\\\n",
"User: SYSTEM\n",
"TerminalSessionId: 0\n",
"IntegrityLevel: System\n",
"ParentProcessId: 2024\n",
"ParentImage: C:\\Windows\\System32\\svchost.exe\n",
"ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n",
"--------------------------------------------------\n",
"Message 24:\n",
"Process Create:\n",
"RuleName: -\n",
"ProcessId: 5376\n",
"Image: C:\\Windows\\System32\\Defrag.exe\n",
"Description: Disk Defragmenter Module\n",
"Product: Windows Drive Optimizer\n",
"Company: Microsoft Corp.\n",
"OriginalFileName: Defrag.EXE\n",
"CommandLine: \"C:\\Windows\\system32\\defrag.exe\" -c -h -o -$\n",
"CurrentDirectory: C:\\Windows\\system32\\\n",
"User: SYSTEM\n",
"TerminalSessionId: 0\n",
"IntegrityLevel: System\n",
"ParentProcessId: 2024\n",
"ParentImage: C:\\Windows\\System32\\svchost.exe\n",
"ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n",
"--------------------------------------------------\n",
"Message 25:\n",
"Process Create:\n",
"RuleName: -\n",
"ProcessId: 4240\n",
"Image: C:\\Windows\\System32\\dmclient.exe\n",
"Description: Microsoft Feedback SIUF Deployment Manager Client\n",
"Product: Microsoft® Windows® Operating System\n",
"Company: Microsoft Corporation\n",
"OriginalFileName: dmclient.exe\n",
"CommandLine: \"C:\\Windows\\system32\\dmclient.exe\"\n",
"CurrentDirectory: C:\\Windows\\system32\\\n",
"User: SYSTEM\n",
"TerminalSessionId: 0\n",
"IntegrityLevel: System\n",
"ParentProcessId: 2024\n",
"ParentImage: C:\\Windows\\System32\\svchost.exe\n",
"ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n",
"--------------------------------------------------\n",
"Message 26:\n",
"Process accessed:\n",
"RuleName: -\n",
"SourceProcessId: 1072\n",
"SourceThreadId: 1096\n",
"SourceImage: C:\\Windows\\system32\\svchost.exe\n",
"TargetProcessId: 872\n",
"TargetImage: C:\\Windows\\system32\\lsass.exe\n",
"GrantedAccess: 0x1000\n",
"CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
"--------------------------------------------------\n",
"Message 27:\n",
"Process accessed:\n",
"RuleName: -\n",
"SourceProcessId: 1072\n",
"SourceThreadId: 1096\n",
"SourceImage: C:\\Windows\\system32\\svchost.exe\n",
"TargetProcessId: 872\n",
"TargetImage: C:\\Windows\\system32\\lsass.exe\n",
"GrantedAccess: 0x1000\n",
"CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
"--------------------------------------------------\n",
"Message 28:\n",
"Process Create:\n",
"RuleName: -\n",
"ProcessId: 4980\n",
"Image: C:\\Windows\\System32\\tzsync.exe\n",
"Description: TimeZone Sync Task\n",
"Product: Microsoft® Windows® Operating System\n",
"Company: Microsoft Corporation\n",
"OriginalFileName: tzsync.exe\n",
"CommandLine: \"C:\\Windows\\system32\\tzsync.exe\"\n",
"CurrentDirectory: C:\\Windows\\system32\\\n",
"User: SYSTEM\n",
"TerminalSessionId: 0\n",
"IntegrityLevel: System\n",
"ParentProcessId: 2024\n",
"ParentImage: C:\\Windows\\System32\\svchost.exe\n",
"ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n",
"--------------------------------------------------\n",
"Message 29:\n",
"Process Create:\n",
"RuleName: -\n",
"ProcessId: 1528\n",
"Image: C:\\Windows\\System32\\DiskSnapshot.exe\n",
"Description: DiskSnapshot.exe\n",
"Product: Microsoft® Windows® Operating System\n",
"Company: Microsoft Corporation\n",
"OriginalFileName: DiskSnapshot.exe\n",
"CommandLine: \"C:\\Windows\\system32\\disksnapshot.exe\" -z\n",
"CurrentDirectory: C:\\Windows\\system32\\\n",
"User: SYSTEM\n",
"TerminalSessionId: 0\n",
"IntegrityLevel: System\n",
"ParentProcessId: 2024\n",
"ParentImage: C:\\Windows\\System32\\svchost.exe\n",
"ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n",
"--------------------------------------------------\n",
"Message 30:\n",
"Process Create:\n",
"RuleName: -\n",
"ProcessId: 2384\n",
"Image: C:\\Windows\\System32\\rundll32.exe\n",
"Description: Windows host process (Rundll32)\n",
"Product: Microsoft® Windows® Operating System\n",
"Company: Microsoft Corporation\n",
"OriginalFileName: RUNDLL32.EXE\n",
"CommandLine: \"C:\\Windows\\system32\\rundll32.exe\" Windows.Storage.ApplicationData.dll,CleanupTemporaryState\n",
"CurrentDirectory: C:\\Windows\\system32\\\n",
"User: SYSTEM\n",
"TerminalSessionId: 0\n",
"IntegrityLevel: System\n",
"ParentProcessId: 2024\n",
"ParentImage: C:\\Windows\\System32\\svchost.exe\n",
"ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n",
"--------------------------------------------------\n",
"Message 31:\n",
"Process Create:\n",
"RuleName: -\n",
"ProcessId: 5156\n",
"Image: C:\\Windows\\System32\\dstokenclean.exe\n",
"Description: Data Sharing Service Maintenance Driver\n",
"Product: Microsoft® Windows® Operating System\n",
"Company: Microsoft Corporation\n",
"OriginalFileName: dstokenclean.exe\n",
"CommandLine: \"C:\\Windows\\system32\\dstokenclean.exe\"\n",
"CurrentDirectory: C:\\Windows\\system32\\\n",
"User: SYSTEM\n",
"TerminalSessionId: 0\n",
"IntegrityLevel: System\n",
"ParentProcessId: 2024\n",
"ParentImage: C:\\Windows\\System32\\svchost.exe\n",
"ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n",
"--------------------------------------------------\n",
"Message 32:\n",
"Process accessed:\n",
"RuleName: -\n",
"SourceProcessId: 1072\n",
"SourceThreadId: 1132\n",
"SourceImage: C:\\Windows\\system32\\svchost.exe\n",
"TargetProcessId: 872\n",
"TargetImage: C:\\Windows\\system32\\lsass.exe\n",
"GrantedAccess: 0x1000\n",
"CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
"--------------------------------------------------\n",
"Message 33:\n",
"Process accessed:\n",
"RuleName: -\n",
"SourceProcessId: 1072\n",
"SourceThreadId: 1132\n",
"SourceImage: C:\\Windows\\system32\\svchost.exe\n",
"TargetProcessId: 872\n",
"TargetImage: C:\\Windows\\system32\\lsass.exe\n",
"GrantedAccess: 0x1000\n",
"CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
"--------------------------------------------------\n",
"Message 34:\n",
"Process Create:\n",
"RuleName: -\n",
"ProcessId: 5632\n",
"Image: C:\\Windows\\System32\\svchost.exe\n",
"Description: Host Process for Windows Services\n",
"Product: Microsoft® Windows® Operating System\n",
"Company: Microsoft Corporation\n",
"OriginalFileName: svchost.exe\n",
"CommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s wisvc\n",
"CurrentDirectory: C:\\Windows\\system32\\\n",
"User: SYSTEM\n",
"TerminalSessionId: 0\n",
"IntegrityLevel: System\n",
"ParentProcessId: 824\n",
"ParentImage: C:\\Windows\\System32\\services.exe\n",
"ParentCommandLine: C:\\Windows\\system32\\services.exe\n",
"--------------------------------------------------\n",
"Message 35:\n",
"Process Create:\n",
"RuleName: -\n",
"ProcessId: 2388\n",
"Image: C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ngentask.exe\n",
"Description: Microsoft .NET Framework optimization service\n",
"Product: Microsoft® .NET Framework\n",
"Company: Microsoft Corporation\n",
"OriginalFileName: NGenTask.exe\n",
"CommandLine: \"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\NGenTask.exe\" /RuntimeWide /StopEvent:480\n",
"CurrentDirectory: C:\\Windows\\system32\\\n",
"User: SYSTEM\n",
"TerminalSessionId: 0\n",
"IntegrityLevel: System\n",
"ParentProcessId: 4492\n",
"ParentImage: C:\\Windows\\System32\\taskhostw.exe\n",
"ParentCommandLine: taskhostw.exe\n",
"--------------------------------------------------\n",
"Message 36:\n",
"Process Create:\n",
"RuleName: -\n",
"ProcessId: 6460\n",
"Image: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ngentask.exe\n",
"Description: Microsoft .NET Framework optimization service\n",
"Product: Microsoft® .NET Framework\n",
"Company: Microsoft Corporation\n",
"OriginalFileName: NGenTask.exe\n",
"CommandLine: \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\NGenTask.exe\" /RuntimeWide /StopEvent:1132\n",
"CurrentDirectory: C:\\Windows\\system32\\\n",
"User: SYSTEM\n",
"TerminalSessionId: 0\n",
"IntegrityLevel: System\n",
"ParentProcessId: 4492\n",
"ParentImage: C:\\Windows\\System32\\taskhostw.exe\n",
"ParentCommandLine: taskhostw.exe\n",
"--------------------------------------------------\n",
"Message 37:\n",
"Process accessed:\n",
"RuleName: -\n",
"SourceProcessId: 1072\n",
"SourceThreadId: 1096\n",
"SourceImage: C:\\Windows\\system32\\svchost.exe\n",
"TargetProcessId: 872\n",
"TargetImage: C:\\Windows\\system32\\lsass.exe\n",
"GrantedAccess: 0x1000\n",
"CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
"--------------------------------------------------\n",
"Message 38:\n",
"Process accessed:\n",
"RuleName: -\n",
"SourceProcessId: 1072\n",
"SourceThreadId: 1096\n",
"SourceImage: C:\\Windows\\system32\\svchost.exe\n",
"TargetProcessId: 872\n",
"TargetImage: C:\\Windows\\system32\\lsass.exe\n",
"GrantedAccess: 0x1000\n",
"CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
"--------------------------------------------------\n",
"Message 39:\n",
"Process Create:\n",
"RuleName: -\n",
"ProcessId: 4292\n",
"Image: C:\\Windows\\System32\\svchost.exe\n",
"Description: Host Process for Windows Services\n",
"Product: Microsoft® Windows® Operating System\n",
"Company: Microsoft Corporation\n",
"OriginalFileName: svchost.exe\n",
"CommandLine: C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc\n",
"CurrentDirectory: C:\\Windows\\system32\\\n",
"User: SYSTEM\n",
"TerminalSessionId: 0\n",
"IntegrityLevel: System\n",
"ParentProcessId: 824\n",
"ParentImage: C:\\Windows\\System32\\services.exe\n",
"ParentCommandLine: C:\\Windows\\system32\\services.exe\n",
"--------------------------------------------------\n",
"Message 40:\n",
"Process accessed:\n",
"RuleName: -\n",
"SourceProcessId: 1072\n",
"SourceThreadId: 1096\n",
"SourceImage: C:\\Windows\\system32\\svchost.exe\n",
"TargetProcessId: 872\n",
"TargetImage: C:\\Windows\\system32\\lsass.exe\n",
"GrantedAccess: 0x1000\n",
"CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
"--------------------------------------------------\n",
"Message 41:\n",
"Process accessed:\n",
"RuleName: -\n",
"SourceProcessId: 1072\n",
"SourceThreadId: 1096\n",
"SourceImage: C:\\Windows\\system32\\svchost.exe\n",
"TargetProcessId: 872\n",
"TargetImage: C:\\Windows\\system32\\lsass.exe\n",
"GrantedAccess: 0x1000\n",
"CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
"--------------------------------------------------\n",
"Message 42:\n",
"Process accessed:\n",
"RuleName: -\n",
"SourceProcessId: 1072\n",
"SourceThreadId: 1096\n",
"SourceImage: C:\\Windows\\system32\\svchost.exe\n",
"TargetProcessId: 872\n",
"TargetImage: C:\\Windows\\system32\\lsass.exe\n",
"GrantedAccess: 0x1000\n",
"CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
"--------------------------------------------------\n",
"Message 43:\n",
"Process accessed:\n",
"RuleName: -\n",
"SourceProcessId: 1072\n",
"SourceThreadId: 1096\n",
"SourceImage: C:\\Windows\\system32\\svchost.exe\n",
"TargetProcessId: 872\n",
"TargetImage: C:\\Windows\\system32\\lsass.exe\n",
"GrantedAccess: 0x1000\n",
"CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
"--------------------------------------------------\n",
"Message 44:\n",
"Process accessed:\n",
"RuleName: -\n",
"SourceProcessId: 1072\n",
"SourceThreadId: 1096\n",
"SourceImage: C:\\Windows\\system32\\svchost.exe\n",
"TargetProcessId: 872\n",
"TargetImage: C:\\Windows\\system32\\lsass.exe\n",
"GrantedAccess: 0x1000\n",
"CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
"--------------------------------------------------\n",
"Message 45:\n",
"Process accessed:\n",
"RuleName: -\n",
"SourceProcessId: 1072\n",
"SourceThreadId: 1096\n",
"SourceImage: C:\\Windows\\system32\\svchost.exe\n",
"TargetProcessId: 872\n",
"TargetImage: C:\\Windows\\system32\\lsass.exe\n",
"GrantedAccess: 0x1000\n",
"CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
"--------------------------------------------------\n",
"Message 46:\n",
"Process accessed:\n",
"RuleName: -\n",
"SourceProcessId: 1072\n",
"SourceThreadId: 1096\n",
"SourceImage: C:\\Windows\\system32\\svchost.exe\n",
"TargetProcessId: 872\n",
"TargetImage: C:\\Windows\\system32\\lsass.exe\n",
"GrantedAccess: 0x1000\n",
"CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
"--------------------------------------------------\n",
"Message 47:\n",
"Process accessed:\n",
"RuleName: -\n",
"SourceProcessId: 1072\n",
"SourceThreadId: 1096\n",
"SourceImage: C:\\Windows\\system32\\svchost.exe\n",
"TargetProcessId: 872\n",
"TargetImage: C:\\Windows\\system32\\lsass.exe\n",
"GrantedAccess: 0x1000\n",
"CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
"--------------------------------------------------\n",
"Message 48:\n",
"Process Create:\n",
"RuleName: -\n",
"ProcessId: 4196\n",
"Image: C:\\Windows\\System32\\Speech_OneCore\\common\\SpeechModelDownload.exe\n",
"Description: Speech Model Download Executable\n",
"Product: Microsoft® Windows® Operating System\n",
"Company: Microsoft Corporation\n",
"OriginalFileName: SpeechModelDownload.exe\n",
"CommandLine: \"C:\\Windows\\system32\\speech_onecore\\common\\SpeechModelDownload.exe\"\n",
"CurrentDirectory: C:\\Windows\\system32\\\n",
"User: NETWORK SERVICE\n",
"TerminalSessionId: 0\n",
"IntegrityLevel: System\n",
"ParentProcessId: 2024\n",
"ParentImage: C:\\Windows\\System32\\svchost.exe\n",
"ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n",
"--------------------------------------------------\n",
"Message 49:\n",
"Process Create:\n",
"RuleName: -\n",
"ProcessId: 5472\n",
"Image: C:\\Windows\\System32\\taskhostw.exe\n",
"Description: Host Process for Windows Tasks\n",
"Product: Microsoft® Windows® Operating System\n",
"Company: Microsoft Corporation\n",
"OriginalFileName: taskhostw.exe\n",
"CommandLine: taskhostw.exe -IntegrityCheck\n",
"CurrentDirectory: C:\\Windows\\system32\\\n",
"User: SYSTEM\n",
"TerminalSessionId: 0\n",
"IntegrityLevel: System\n",
"ParentProcessId: 2024\n",
"ParentImage: C:\\Windows\\System32\\svchost.exe\n",
"ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n",
"--------------------------------------------------\n",
"Message 50:\n",
"Process Create:\n",
"RuleName: -\n",
"ProcessId: 3320\n",
"Image: C:\\Windows\\System32\\rundll32.exe\n",
"Description: Windows host process (Rundll32)\n",
"Product: Microsoft® Windows® Operating System\n",
"Company: Microsoft Corporation\n",
"OriginalFileName: RUNDLL32.EXE\n",
"CommandLine: \"C:\\Windows\\system32\\rundll32.exe\" sysmain.dll,PfSvWsSwapAssessmentTask\n",
"CurrentDirectory: C:\\Windows\\system32\\\n",
"User: SYSTEM\n",
"TerminalSessionId: 0\n",
"IntegrityLevel: System\n",
"ParentProcessId: 2024\n",
"ParentImage: C:\\Windows\\System32\\svchost.exe\n",
"ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n",
"--------------------------------------------------\n",
"Message 51:\n",
"Process accessed:\n",
"RuleName: -\n",
"SourceProcessId: 1072\n",
"SourceThreadId: 1132\n",
"SourceImage: C:\\Windows\\system32\\svchost.exe\n",
"TargetProcessId: 872\n",
"TargetImage: C:\\Windows\\system32\\lsass.exe\n",
"GrantedAccess: 0x1000\n",
"CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
"--------------------------------------------------\n",
"Message 52:\n",
"Process accessed:\n",
"RuleName: -\n",
"SourceProcessId: 1072\n",
"SourceThreadId: 1132\n",
"SourceImage: C:\\Windows\\system32\\svchost.exe\n",
"TargetProcessId: 872\n",
"TargetImage: C:\\Windows\\system32\\lsass.exe\n",
"GrantedAccess: 0x1000\n",
"CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
"--------------------------------------------------\n",
"Message 53:\n",
"Process accessed:\n",
"RuleName: -\n",
"SourceProcessId: 1072\n",
"SourceThreadId: 1132\n",
"SourceImage: C:\\Windows\\system32\\svchost.exe\n",
"TargetProcessId: 872\n",
"TargetImage: C:\\Windows\\system32\\lsass.exe\n",
"GrantedAccess: 0x1000\n",
"CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
"--------------------------------------------------\n",
"Message 54:\n",
"Process accessed:\n",
"RuleName: -\n",
"SourceProcessId: 1072\n",
"SourceThreadId: 1132\n",
"SourceImage: C:\\Windows\\system32\\svchost.exe\n",
"TargetProcessId: 872\n",
"TargetImage: C:\\Windows\\system32\\lsass.exe\n",
"GrantedAccess: 0x1000\n",
"CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
"--------------------------------------------------\n",
"Message 55:\n",
"Process accessed:\n",
"RuleName: -\n",
"SourceProcessId: 1072\n",
"SourceThreadId: 1132\n",
"SourceImage: C:\\Windows\\system32\\svchost.exe\n",
"TargetProcessId: 872\n",
"TargetImage: C:\\Windows\\system32\\lsass.exe\n",
"GrantedAccess: 0x1000\n",
"CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
"--------------------------------------------------\n",
"Message 56:\n",
"Process accessed:\n",
"RuleName: -\n",
"SourceProcessId: 1072\n",
"SourceThreadId: 1132\n",
"SourceImage: C:\\Windows\\system32\\svchost.exe\n",
"TargetProcessId: 872\n",
"TargetImage: C:\\Windows\\system32\\lsass.exe\n",
"GrantedAccess: 0x1000\n",
"CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
"--------------------------------------------------\n",
"Message 57:\n",
"Process Create:\n",
"RuleName: -\n",
"ProcessId: 1184\n",
"Image: C:\\Windows\\System32\\WinSAT.exe\n",
"Description: Windows System Assessment Tool\n",
"Product: Microsoft® Windows® Operating System\n",
"Company: Microsoft Corporation\n",
"OriginalFileName: WinSAT.exe\n",
"CommandLine: \"C:\\Windows\\system32\\winsat.exe\" disk -wsswap\n",
"CurrentDirectory: C:\\Windows\\system32\\\n",
"User: SYSTEM\n",
"TerminalSessionId: 0\n",
"IntegrityLevel: System\n",
"ParentProcessId: 3320\n",
"ParentImage: C:\\Windows\\System32\\rundll32.exe\n",
"ParentCommandLine: \"C:\\Windows\\system32\\rundll32.exe\" sysmain.dll,PfSvWsSwapAssessmentTask\n",
"--------------------------------------------------\n",
"Message 58:\n",
"Process Create:\n",
"RuleName: -\n",
"ProcessId: 3720\n",
"Image: C:\\Windows\\System32\\Defrag.exe\n",
"Description: Disk Defragmenter Module\n",
"Product: Windows Drive Optimizer\n",
"Company: Microsoft Corp.\n",
"OriginalFileName: Defrag.EXE\n",
"CommandLine: \"C:\\Windows\\system32\\defrag.exe\" -p 8a4 -s 0000000000000160 -b -OnlyPreferred C:\n",
"CurrentDirectory: C:\\Windows\\system32\\\n",
"User: SYSTEM\n",
"TerminalSessionId: 0\n",
"IntegrityLevel: System\n",
"ParentProcessId: 2212\n",
"ParentImage: C:\\Windows\\System32\\svchost.exe\n",
"ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p -s SysMain\n",
"--------------------------------------------------\n",
"Message 59:\n",
"Process accessed:\n",
"RuleName: -\n",
"SourceProcessId: 1072\n",
"SourceThreadId: 1132\n",
"SourceImage: C:\\Windows\\system32\\svchost.exe\n",
"TargetProcessId: 872\n",
"TargetImage: C:\\Windows\\system32\\lsass.exe\n",
"GrantedAccess: 0x1000\n",
"CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
"--------------------------------------------------\n",
"Message 60:\n",
"Process accessed:\n",
"RuleName: -\n",
"SourceProcessId: 1072\n",
"SourceThreadId: 1132\n",
"SourceImage: C:\\Windows\\system32\\svchost.exe\n",
"TargetProcessId: 872\n",
"TargetImage: C:\\Windows\\system32\\lsass.exe\n",
"GrantedAccess: 0x1000\n",
"CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
"--------------------------------------------------\n",
"Message 61:\n",
"Registry value set:\n",
"RuleName: InvDB-Path\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: c:\\users\\student_ladm\\appdata\\local\\microsoft\\teams\\previous\\squirrel.exe\n",
"--------------------------------------------------\n",
"Message 62:\n",
"Registry value set:\n",
"RuleName: InvDB-Pub\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: microsoft corporation\n",
"--------------------------------------------------\n",
"Message 63:\n",
"Registry value set:\n",
"RuleName: InvDB-CompileTimeClaim\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 08/28/2020 18:31:14\n",
"--------------------------------------------------\n",
"Message 64:\n",
"Registry value set:\n",
"RuleName: InvDB-Ver\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 1.10.54.0\n",
"--------------------------------------------------\n",
"Message 65:\n",
"Registry value set:\n",
"RuleName: InvDB-Path\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: c:\\users\\student_ladm\\appdata\\local\\microsoft\\teams\\stage\\squirrel.exe\n",
"--------------------------------------------------\n",
"Message 66:\n",
"Registry value set:\n",
"RuleName: InvDB-Pub\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: microsoft corporation\n",
"--------------------------------------------------\n",
"Message 67:\n",
"Registry value set:\n",
"RuleName: InvDB-CompileTimeClaim\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 08/15/2022 18:11:47\n",
"--------------------------------------------------\n",
"Message 68:\n",
"Registry value set:\n",
"RuleName: InvDB-Ver\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 3.3.0.0\n",
"--------------------------------------------------\n",
"Message 69:\n",
"Registry value set:\n",
"RuleName: InvDB-Path\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: c:\\users\\student_ladm\\appdata\\local\\microsoft\\teams\\current\\squirrel.exe\n",
"--------------------------------------------------\n",
"Message 70:\n",
"Registry value set:\n",
"RuleName: InvDB-Pub\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: microsoft corporation\n",
"--------------------------------------------------\n",
"Message 71:\n",
"Registry value set:\n",
"RuleName: InvDB-CompileTimeClaim\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 02/03/2022 01:00:13\n",
"--------------------------------------------------\n",
"Message 72:\n",
"Registry value set:\n",
"RuleName: InvDB-Ver\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 3.0.1.0\n",
"--------------------------------------------------\n",
"Message 73:\n",
"Registry value set:\n",
"RuleName: InvDB-Path\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: c:\\users\\ansible\\appdata\\local\\microsoft\\teams\\current\\teams.exe\n",
"--------------------------------------------------\n",
"Message 74:\n",
"Registry value set:\n",
"RuleName: InvDB-Pub\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: microsoft corporation\n",
"--------------------------------------------------\n",
"Message 75:\n",
"Registry value set:\n",
"RuleName: InvDB-CompileTimeClaim\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 04/21/2020 14:21:06\n",
"--------------------------------------------------\n",
"Message 76:\n",
"Registry value set:\n",
"RuleName: InvDB-Ver\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 1.3.0.28779\n",
"--------------------------------------------------\n",
"Message 77:\n",
"Registry value set:\n",
"RuleName: InvDB-Path\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: c:\\users\\ansible\\appdata\\local\\microsoft\\teams\\update.exe\n",
"--------------------------------------------------\n",
"Message 78:\n",
"Registry value set:\n",
"RuleName: InvDB-Pub\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: microsoft corporation\n",
"--------------------------------------------------\n",
"Message 79:\n",
"Registry value set:\n",
"RuleName: InvDB-CompileTimeClaim\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 08/28/2020 18:31:14\n",
"--------------------------------------------------\n",
"Message 80:\n",
"Registry value set:\n",
"RuleName: InvDB-Ver\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 1.10.54.0\n",
"--------------------------------------------------\n",
"Message 81:\n",
"Registry value set:\n",
"RuleName: InvDB-Pub\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: Microsoft Corporation\n",
"--------------------------------------------------\n",
"Message 82:\n",
"Registry value set:\n",
"RuleName: InvDB-Path\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: c:\\program files (x86)\\microsoft\\edgewebview\\application\\126.0.2592.68\\cookie_exporter.exe\n",
"--------------------------------------------------\n",
"Message 83:\n",
"Registry value set:\n",
"RuleName: InvDB-Pub\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: microsoft corporation\n",
"--------------------------------------------------\n",
"Message 84:\n",
"Registry value set:\n",
"RuleName: InvDB-CompileTimeClaim\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 06/19/2024 23:34:22\n",
"--------------------------------------------------\n",
"Message 85:\n",
"Registry value set:\n",
"RuleName: InvDB-Ver\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 126.0.2592.68\n",
"--------------------------------------------------\n",
"Message 86:\n",
"Registry value set:\n",
"RuleName: InvDB-Path\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: c:\\program files (x86)\\microsoft\\edgewebview\\application\\126.0.2592.68\\elevation_service.exe\n",
"--------------------------------------------------\n",
"Message 87:\n",
"Registry value set:\n",
"RuleName: InvDB-Pub\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: microsoft corporation\n",
"--------------------------------------------------\n",
"Message 88:\n",
"Registry value set:\n",
"RuleName: InvDB-CompileTimeClaim\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 06/19/2024 23:34:22\n",
"--------------------------------------------------\n",
"Message 89:\n",
"Registry value set:\n",
"RuleName: InvDB-Ver\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 126.0.2592.68\n",
"--------------------------------------------------\n",
"Message 90:\n",
"Registry value set:\n",
"RuleName: InvDB-Path\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: c:\\program files (x86)\\microsoft\\edgewebview\\application\\126.0.2592.68\\identity_helper.exe\n",
"--------------------------------------------------\n",
"Message 91:\n",
"Registry value set:\n",
"RuleName: InvDB-Pub\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: microsoft corporation\n",
"--------------------------------------------------\n",
"Message 92:\n",
"Registry value set:\n",
"RuleName: InvDB-CompileTimeClaim\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 06/19/2024 23:34:22\n",
"--------------------------------------------------\n",
"Message 93:\n",
"Registry value set:\n",
"RuleName: InvDB-Ver\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 126.0.2592.68\n",
"--------------------------------------------------\n",
"Message 94:\n",
"Registry value set:\n",
"RuleName: InvDB-Path\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: c:\\program files (x86)\\microsoft\\edgewebview\\application\\126.0.2592.68\\bho\\ie_to_edge_stub.exe\n",
"--------------------------------------------------\n",
"Message 95:\n",
"Registry value set:\n",
"RuleName: InvDB-Pub\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: microsoft corporation\n",
"--------------------------------------------------\n",
"Message 96:\n",
"Registry value set:\n",
"RuleName: InvDB-CompileTimeClaim\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 06/19/2024 23:34:22\n",
"--------------------------------------------------\n",
"Message 97:\n",
"Registry value set:\n",
"RuleName: InvDB-Ver\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 126.0.2592.68\n",
"--------------------------------------------------\n",
"Message 98:\n",
"Registry value set:\n",
"RuleName: InvDB-Path\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: c:\\program files (x86)\\microsoft\\edgewebview\\application\\126.0.2592.68\\msedge.exe\n",
"--------------------------------------------------\n",
"Message 99:\n",
"Registry value set:\n",
"RuleName: InvDB-Pub\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: microsoft corporation\n",
"--------------------------------------------------\n",
"Message 100:\n",
"Registry value set:\n",
"RuleName: InvDB-CompileTimeClaim\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 06/19/2024 23:34:22\n",
"--------------------------------------------------\n",
"Message 101:\n",
"Registry value set:\n",
"RuleName: InvDB-Ver\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 126.0.2592.68\n",
"--------------------------------------------------\n",
"Message 102:\n",
"Registry value set:\n",
"RuleName: InvDB-Path\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: c:\\program files (x86)\\microsoft\\edgewebview\\application\\126.0.2592.68\\msedgewebview2.exe\n",
"--------------------------------------------------\n",
"Message 103:\n",
"Registry value set:\n",
"RuleName: InvDB-Pub\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: microsoft corporation\n",
"--------------------------------------------------\n",
"Message 104:\n",
"Registry value set:\n",
"RuleName: InvDB-CompileTimeClaim\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 06/19/2024 23:34:22\n",
"--------------------------------------------------\n",
"Message 105:\n",
"Registry value set:\n",
"RuleName: InvDB-Ver\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 126.0.2592.68\n",
"--------------------------------------------------\n",
"Message 106:\n",
"Registry value set:\n",
"RuleName: InvDB-Path\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: c:\\program files (x86)\\microsoft\\edgewebview\\application\\126.0.2592.68\\msedge_proxy.exe\n",
"--------------------------------------------------\n",
"Message 107:\n",
"Registry value set:\n",
"RuleName: InvDB-Pub\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: microsoft corporation\n",
"--------------------------------------------------\n",
"Message 108:\n",
"Registry value set:\n",
"RuleName: InvDB-CompileTimeClaim\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 06/19/2024 23:34:22\n",
"--------------------------------------------------\n",
"Message 109:\n",
"Registry value set:\n",
"RuleName: InvDB-Ver\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 126.0.2592.68\n",
"--------------------------------------------------\n",
"Message 110:\n",
"Registry value set:\n",
"RuleName: InvDB-Path\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: c:\\program files (x86)\\microsoft\\edgewebview\\application\\126.0.2592.68\\msedge_pwa_launcher.exe\n",
"--------------------------------------------------\n",
"Message 111:\n",
"Registry value set:\n",
"RuleName: InvDB-Pub\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: microsoft corporation\n",
"--------------------------------------------------\n",
"Message 112:\n",
"Registry value set:\n",
"RuleName: InvDB-CompileTimeClaim\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 06/19/2024 23:34:22\n",
"--------------------------------------------------\n",
"Message 113:\n",
"Registry value set:\n",
"RuleName: InvDB-Ver\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 126.0.2592.68\n",
"--------------------------------------------------\n",
"Message 114:\n",
"Registry value set:\n",
"RuleName: InvDB-Path\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: c:\\program files (x86)\\microsoft\\edgewebview\\application\\126.0.2592.68\\notification_helper.exe\n",
"--------------------------------------------------\n",
"Message 115:\n",
"Registry value set:\n",
"RuleName: InvDB-Pub\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: microsoft corporation\n",
"--------------------------------------------------\n",
"Message 116:\n",
"Registry value set:\n",
"RuleName: InvDB-CompileTimeClaim\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 06/19/2024 23:34:22\n",
"--------------------------------------------------\n",
"Message 117:\n",
"Registry value set:\n",
"RuleName: InvDB-Ver\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 126.0.2592.68\n",
"--------------------------------------------------\n",
"Message 118:\n",
"Registry value set:\n",
"RuleName: InvDB-Path\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: c:\\program files (x86)\\microsoft\\edgewebview\\application\\126.0.2592.68\\pwahelper.exe\n",
"--------------------------------------------------\n",
"Message 119:\n",
"Registry value set:\n",
"RuleName: InvDB-Pub\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: microsoft corporation\n",
"--------------------------------------------------\n",
"Message 120:\n",
"Registry value set:\n",
"RuleName: InvDB-CompileTimeClaim\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 06/19/2024 23:34:22\n",
"--------------------------------------------------\n",
"Message 121:\n",
"Registry value set:\n",
"RuleName: InvDB-Ver\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 126.0.2592.68\n",
"--------------------------------------------------\n",
"Message 122:\n",
"Registry value set:\n",
"RuleName: InvDB-Path\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: c:\\program files (x86)\\microsoft\\edgewebview\\application\\126.0.2592.68\\installer\\setup.exe\n",
"--------------------------------------------------\n",
"Message 123:\n",
"Registry value set:\n",
"RuleName: InvDB-Pub\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: microsoft corporation\n",
"--------------------------------------------------\n",
"Message 124:\n",
"Registry value set:\n",
"RuleName: InvDB-CompileTimeClaim\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 06/19/2024 23:34:22\n",
"--------------------------------------------------\n",
"Message 125:\n",
"Registry value set:\n",
"RuleName: InvDB-Ver\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 126.0.2592.68\n",
"--------------------------------------------------\n",
"Message 126:\n",
"Registry value set:\n",
"RuleName: InvDB-Pub\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: Microsoft Corporation\n",
"--------------------------------------------------\n",
"Message 127:\n",
"Registry value set:\n",
"RuleName: InvDB-Path\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: c:\\users\\ansible\\appdata\\local\\microsoft\\teams\\current\\squirrel.exe\n",
"--------------------------------------------------\n",
"Message 128:\n",
"Registry value set:\n",
"RuleName: InvDB-Pub\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: microsoft corporation\n",
"--------------------------------------------------\n",
"Message 129:\n",
"Registry value set:\n",
"RuleName: InvDB-CompileTimeClaim\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 08/28/2020 18:31:14\n",
"--------------------------------------------------\n",
"Message 130:\n",
"Registry value set:\n",
"RuleName: InvDB-Ver\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 1.10.54.0\n",
"--------------------------------------------------\n",
"Message 131:\n",
"Registry value set:\n",
"RuleName: InvDB-Path\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: c:\\program files (x86)\\microsoft\\edge\\application\\126.0.2592.68\\cookie_exporter.exe\n",
"--------------------------------------------------\n",
"Message 132:\n",
"Registry value set:\n",
"RuleName: InvDB-Pub\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: microsoft corporation\n",
"--------------------------------------------------\n",
"Message 133:\n",
"Registry value set:\n",
"RuleName: InvDB-CompileTimeClaim\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 06/19/2024 23:34:22\n",
"--------------------------------------------------\n",
"Message 134:\n",
"Registry value set:\n",
"RuleName: InvDB-Ver\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 126.0.2592.68\n",
"--------------------------------------------------\n",
"Message 135:\n",
"Registry value set:\n",
"RuleName: InvDB-Path\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: c:\\program files (x86)\\microsoft\\edge\\application\\126.0.2592.68\\elevation_service.exe\n",
"--------------------------------------------------\n",
"Message 136:\n",
"Registry value set:\n",
"RuleName: InvDB-Pub\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: microsoft corporation\n",
"--------------------------------------------------\n",
"Message 137:\n",
"Registry value set:\n",
"RuleName: InvDB-CompileTimeClaim\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 06/19/2024 23:34:22\n",
"--------------------------------------------------\n",
"Message 138:\n",
"Registry value set:\n",
"RuleName: InvDB-Ver\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 126.0.2592.68\n",
"--------------------------------------------------\n",
"Message 139:\n",
"Registry value set:\n",
"RuleName: InvDB-Path\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: c:\\program files (x86)\\microsoft\\edge\\application\\126.0.2592.68\\identity_helper.exe\n",
"--------------------------------------------------\n",
"Message 140:\n",
"Registry value set:\n",
"RuleName: InvDB-Pub\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: microsoft corporation\n",
"--------------------------------------------------\n",
"Message 141:\n",
"Registry value set:\n",
"RuleName: InvDB-CompileTimeClaim\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 06/19/2024 23:34:22\n",
"--------------------------------------------------\n",
"Message 142:\n",
"Registry value set:\n",
"RuleName: InvDB-Ver\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 126.0.2592.68\n",
"--------------------------------------------------\n",
"Message 143:\n",
"Registry value set:\n",
"RuleName: InvDB-Path\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: c:\\program files (x86)\\microsoft\\edge\\application\\126.0.2592.68\\bho\\ie_to_edge_stub.exe\n",
"--------------------------------------------------\n",
"Message 144:\n",
"Registry value set:\n",
"RuleName: InvDB-Pub\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: microsoft corporation\n",
"--------------------------------------------------\n",
"Message 145:\n",
"Registry value set:\n",
"RuleName: InvDB-CompileTimeClaim\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 06/19/2024 23:34:22\n",
"--------------------------------------------------\n",
"Message 146:\n",
"Registry value set:\n",
"RuleName: InvDB-Ver\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 126.0.2592.68\n",
"--------------------------------------------------\n",
"Message 147:\n",
"Registry value set:\n",
"RuleName: InvDB-Path\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: c:\\program files (x86)\\microsoft\\edge\\application\\126.0.2592.68\\msedge.exe\n",
"--------------------------------------------------\n",
"Message 148:\n",
"Registry value set:\n",
"RuleName: InvDB-Pub\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: microsoft corporation\n",
"--------------------------------------------------\n",
"Message 149:\n",
"Registry value set:\n",
"RuleName: InvDB-CompileTimeClaim\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 06/19/2024 23:34:22\n",
"--------------------------------------------------\n",
"Message 150:\n",
"Registry value set:\n",
"RuleName: InvDB-Ver\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 126.0.2592.68\n",
"--------------------------------------------------\n",
"Message 151:\n",
"Registry value set:\n",
"RuleName: InvDB-Path\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: c:\\program files (x86)\\microsoft\\edge\\application\\126.0.2592.68\\msedgewebview2.exe\n",
"--------------------------------------------------\n",
"Message 152:\n",
"Registry value set:\n",
"RuleName: InvDB-Pub\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: microsoft corporation\n",
"--------------------------------------------------\n",
"Message 153:\n",
"Registry value set:\n",
"RuleName: InvDB-CompileTimeClaim\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 06/19/2024 23:34:22\n",
"--------------------------------------------------\n",
"Message 154:\n",
"Registry value set:\n",
"RuleName: InvDB-Ver\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 126.0.2592.68\n",
"--------------------------------------------------\n",
"Message 155:\n",
"Registry value set:\n",
"RuleName: InvDB-Path\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: c:\\program files (x86)\\microsoft\\edge\\application\\126.0.2592.68\\msedge_proxy.exe\n",
"--------------------------------------------------\n",
"Message 156:\n",
"Registry value set:\n",
"RuleName: InvDB-Pub\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: microsoft corporation\n",
"--------------------------------------------------\n",
"Message 157:\n",
"Registry value set:\n",
"RuleName: InvDB-CompileTimeClaim\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 06/19/2024 23:34:22\n",
"--------------------------------------------------\n",
"Message 158:\n",
"Registry value set:\n",
"RuleName: InvDB-Ver\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 126.0.2592.68\n",
"--------------------------------------------------\n",
"Message 159:\n",
"Registry value set:\n",
"RuleName: InvDB-Path\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: c:\\program files (x86)\\microsoft\\edge\\application\\126.0.2592.68\\msedge_pwa_launcher.exe\n",
"--------------------------------------------------\n",
"Message 160:\n",
"Registry value set:\n",
"RuleName: InvDB-Pub\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: microsoft corporation\n",
"--------------------------------------------------\n",
"Message 161:\n",
"Registry value set:\n",
"RuleName: InvDB-CompileTimeClaim\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 06/19/2024 23:34:22\n",
"--------------------------------------------------\n",
"Message 162:\n",
"Registry value set:\n",
"RuleName: InvDB-Ver\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 126.0.2592.68\n",
"--------------------------------------------------\n",
"Message 163:\n",
"Registry value set:\n",
"RuleName: InvDB-Path\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: c:\\program files (x86)\\microsoft\\edge\\application\\126.0.2592.68\\notification_click_helper.exe\n",
"--------------------------------------------------\n",
"Message 164:\n",
"Registry value set:\n",
"RuleName: InvDB-Pub\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: microsoft corporation\n",
"--------------------------------------------------\n",
"Message 165:\n",
"Registry value set:\n",
"RuleName: InvDB-CompileTimeClaim\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 06/19/2024 23:34:22\n",
"--------------------------------------------------\n",
"Message 166:\n",
"Registry value set:\n",
"RuleName: InvDB-Ver\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 126.0.2592.68\n",
"--------------------------------------------------\n",
"Message 167:\n",
"Registry value set:\n",
"RuleName: InvDB-Path\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: c:\\program files (x86)\\microsoft\\edge\\application\\126.0.2592.68\\notification_helper.exe\n",
"--------------------------------------------------\n",
"Message 168:\n",
"Registry value set:\n",
"RuleName: InvDB-Pub\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: microsoft corporation\n",
"--------------------------------------------------\n",
"Message 169:\n",
"Registry value set:\n",
"RuleName: InvDB-CompileTimeClaim\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 06/19/2024 23:34:22\n",
"--------------------------------------------------\n",
"Message 170:\n",
"Registry value set:\n",
"RuleName: InvDB-Ver\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 126.0.2592.68\n",
"--------------------------------------------------\n",
"Message 171:\n",
"Registry value set:\n",
"RuleName: InvDB-Path\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: c:\\program files (x86)\\microsoft\\edge\\application\\126.0.2592.68\\pwahelper.exe\n",
"--------------------------------------------------\n",
"Message 172:\n",
"Registry value set:\n",
"RuleName: InvDB-Pub\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: microsoft corporation\n",
"--------------------------------------------------\n",
"Message 173:\n",
"Registry value set:\n",
"RuleName: InvDB-CompileTimeClaim\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 06/19/2024 23:34:22\n",
"--------------------------------------------------\n",
"Message 174:\n",
"Registry value set:\n",
"RuleName: InvDB-Ver\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 126.0.2592.68\n",
"--------------------------------------------------\n",
"Message 175:\n",
"Registry value set:\n",
"RuleName: InvDB-Path\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: c:\\program files (x86)\\microsoft\\edge\\application\\126.0.2592.68\\installer\\setup.exe\n",
"--------------------------------------------------\n",
"Message 176:\n",
"Registry value set:\n",
"RuleName: InvDB-Pub\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: microsoft corporation\n",
"--------------------------------------------------\n",
"Message 177:\n",
"Registry value set:\n",
"RuleName: InvDB-CompileTimeClaim\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 06/19/2024 23:34:22\n",
"--------------------------------------------------\n",
"Message 178:\n",
"Registry value set:\n",
"RuleName: InvDB-Ver\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 126.0.2592.68\n",
"--------------------------------------------------\n",
"Message 179:\n",
"Registry value set:\n",
"RuleName: InvDB-Pub\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: Microsoft Corporation\n",
"--------------------------------------------------\n",
"Message 180:\n",
"Registry value set:\n",
"RuleName: InvDB-Path\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: c:\\users\\ansible\\appdata\\local\\microsoft\\onedrive\\21.220.1024.0005\\onedrivesetup.exe\n",
"--------------------------------------------------\n",
"Message 181:\n",
"Registry value set:\n",
"RuleName: InvDB-Pub\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: microsoft corporation\n",
"--------------------------------------------------\n",
"Message 182:\n",
"Registry value set:\n",
"RuleName: InvDB-CompileTimeClaim\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 04/29/2042 07:55:35\n",
"--------------------------------------------------\n",
"Message 183:\n",
"Registry value set:\n",
"RuleName: InvDB-Ver\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 21.220.1024.5\n",
"--------------------------------------------------\n",
"Message 184:\n",
"Registry value set:\n",
"RuleName: InvDB-Path\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: c:\\users\\ansible\\appdata\\local\\microsoft\\onedrive\\21.220.1024.0005\\onedriveupdaterservice.exe\n",
"--------------------------------------------------\n",
"Message 185:\n",
"Registry value set:\n",
"RuleName: InvDB-Pub\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: microsoft corporation\n",
"--------------------------------------------------\n",
"Message 186:\n",
"Registry value set:\n",
"RuleName: InvDB-CompileTimeClaim\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 01/30/2009 20:46:00\n",
"--------------------------------------------------\n",
"Message 187:\n",
"Registry value set:\n",
"RuleName: InvDB-Ver\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 21.220.1024.5\n",
"--------------------------------------------------\n",
"Message 188:\n",
"Registry value set:\n",
"RuleName: InvDB-Pub\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: Microsoft Corporation\n",
"--------------------------------------------------\n",
"Message 189:\n",
"Process Create:\n",
"RuleName: -\n",
"ProcessId: 5488\n",
"Image: C:\\Windows\\System32\\taskhostw.exe\n",
"Description: Host Process for Windows Tasks\n",
"Product: Microsoft® Windows® Operating System\n",
"Company: Microsoft Corporation\n",
"OriginalFileName: taskhostw.exe\n",
"CommandLine: taskhostw.exe\n",
"CurrentDirectory: C:\\Windows\\system32\\\n",
"User: SYSTEM\n",
"TerminalSessionId: 0\n",
"IntegrityLevel: System\n",
"ParentProcessId: 2024\n",
"ParentImage: C:\\Windows\\System32\\svchost.exe\n",
"ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n",
"--------------------------------------------------\n",
"Message 190:\n",
"Process Create:\n",
"RuleName: -\n",
"ProcessId: 4728\n",
"Image: C:\\Windows\\System32\\SrTasks.exe\n",
"Description: Microsoft® Windows System Protection background tasks.\n",
"Product: Microsoft® Windows® Operating System\n",
"Company: Microsoft Corporation\n",
"OriginalFileName: srtasks.exe\n",
"CommandLine: \"C:\\Windows\\system32\\srtasks.exe\" ExecuteScheduledSPPCreation\n",
"CurrentDirectory: C:\\Windows\\system32\\\n",
"User: SYSTEM\n",
"TerminalSessionId: 0\n",
"IntegrityLevel: System\n",
"ParentProcessId: 2024\n",
"ParentImage: C:\\Windows\\System32\\svchost.exe\n",
"ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n",
"--------------------------------------------------\n",
"Message 191:\n",
"Registry value set:\n",
"RuleName: InvDB-Path\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: c:\\users\\ansible\\appdata\\local\\microsoft\\onedrive\\21.220.1024.0005\\filecoauth.exe\n",
"--------------------------------------------------\n",
"Message 192:\n",
"Registry value set:\n",
"RuleName: InvDB-Pub\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: microsoft corporation\n",
"--------------------------------------------------\n",
"Message 193:\n",
"Registry value set:\n",
"RuleName: InvDB-CompileTimeClaim\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 09/04/1976 00:39:52\n",
"--------------------------------------------------\n",
"Message 194:\n",
"Registry value set:\n",
"RuleName: InvDB-Ver\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 21.220.1024.5\n",
"--------------------------------------------------\n",
"Message 195:\n",
"Registry value set:\n",
"RuleName: InvDB-Path\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: c:\\users\\ansible\\appdata\\local\\microsoft\\onedrive\\21.220.1024.0005\\filesyncconfig.exe\n",
"--------------------------------------------------\n",
"Message 196:\n",
"Registry value set:\n",
"RuleName: InvDB-Pub\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: microsoft corporation\n",
"--------------------------------------------------\n",
"Message 197:\n",
"Registry value set:\n",
"RuleName: InvDB-CompileTimeClaim\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 02/11/2005 13:45:08\n",
"--------------------------------------------------\n",
"Message 198:\n",
"Registry value set:\n",
"RuleName: InvDB-Ver\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: 21.220.1024.5\n",
"--------------------------------------------------\n",
"Message 199:\n",
"Registry value set:\n",
"RuleName: InvDB-Path\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: c:\\users\\ansible\\appdata\\local\\microsoft\\onedrive\\21.220.1024.0005\\filesynchelper.exe\n",
"--------------------------------------------------\n",
"Message 200:\n",
"Registry value set:\n",
"RuleName: InvDB-Pub\n",
"EventType: SetValue\n",
"ProcessId: 2156\n",
"Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
"Details: microsoft corporation\n",
"--------------------------------------------------\n"
]
}
],
"execution_count": 3
},
{
"metadata": {
"ExecuteTime": {
"end_time": "2024-06-23T14:27:52.793229Z",
"start_time": "2024-06-23T14:27:52.788792Z"
}
},
"cell_type": "code",
"source": [
"# Assuming df_f is your modified DataFrame with all necessary columns including 'filtered_message'\n",
"# Select specific columns from the DataFrame\n",
"selected_columns_df = df_f.select([\"log.level\", \"winlog.event_id\", \"winlog.task\",\"filtered_message\"])\n",
"\n",
"# Write the selected columns to a CSV file\n",
"selected_columns_df.write_csv('lab_logs_blindtest_activity_filtered.csv')\n"
],
"id": "ff54936e81a933fd",
"outputs": [],
"execution_count": 5
},
{
"metadata": {
"ExecuteTime": {
"end_time": "2024-06-23T14:27:53.905616Z",
"start_time": "2024-06-23T14:27:53.898061Z"
}
},
"cell_type": "code",
"source": "selected_columns_df.head(5)",
"id": "da3c38ca8c474ba",
"outputs": [
{
"data": {
"text/plain": [
"shape: (5, 4)\n",
"┌─────────────┬─────────────────┬─────────────────────────────────┬─────────────────────┐\n",
"│ log.level ┆ winlog.event_id ┆ winlog.task ┆ filtered_message │\n",
"│ --- ┆ --- ┆ --- ┆ --- │\n",
"│ str ┆ i64 ┆ str ┆ str │\n",
"╞═════════════╪═════════════════╪═════════════════════════════════╪═════════════════════╡\n",
"│ information ┆ 10 ┆ Process accessed (rule: Proces… ┆ Process accessed: │\n",
"│ ┆ ┆ ┆ RuleName: - │\n",
"│ ┆ ┆ ┆ … │\n",
"│ information ┆ 10 ┆ Process accessed (rule: Proces… ┆ Process accessed: │\n",
"│ ┆ ┆ ┆ RuleName: - │\n",
"│ ┆ ┆ ┆ … │\n",
"│ information ┆ 1 ┆ Process Create (rule: ProcessC… ┆ Process Create: │\n",
"│ ┆ ┆ ┆ RuleName: - │\n",
"│ ┆ ┆ ┆ Pr… │\n",
"│ information ┆ 13 ┆ Registry value set (rule: Regi… ┆ Registry value set: │\n",
"│ ┆ ┆ ┆ RuleName: … │\n",
"│ information ┆ 1 ┆ Process Create (rule: ProcessC… ┆ Process Create: │\n",
"│ ┆ ┆ ┆ RuleName: - │\n",
"│ ┆ ┆ ┆ Pr… │\n",
"└─────────────┴─────────────────┴─────────────────────────────────┴─────────────────────┘"
],
"text/html": [
"<div><style>\n",
".dataframe > thead > tr,\n",
".dataframe > tbody > tr {\n",
" text-align: right;\n",
" white-space: pre-wrap;\n",
"}\n",
"</style>\n",
"<small>shape: (5, 4)</small><table border=\"1\" class=\"dataframe\"><thead><tr><th>log.level</th><th>winlog.event_id</th><th>winlog.task</th><th>filtered_message</th></tr><tr><td>str</td><td>i64</td><td>str</td><td>str</td></tr></thead><tbody><tr><td>&quot;information&quot;</td><td>10</td><td>&quot;Process accessed (rule: Proces…</td><td>&quot;Process accessed:\n",
"RuleName: -\n",
"…</td></tr><tr><td>&quot;information&quot;</td><td>10</td><td>&quot;Process accessed (rule: Proces…</td><td>&quot;Process accessed:\n",
"RuleName: -\n",
"…</td></tr><tr><td>&quot;information&quot;</td><td>1</td><td>&quot;Process Create (rule: ProcessC…</td><td>&quot;Process Create:\n",
"RuleName: -\n",
"Pr…</td></tr><tr><td>&quot;information&quot;</td><td>13</td><td>&quot;Registry value set (rule: Regi…</td><td>&quot;Registry value set:\n",
"RuleName: …</td></tr><tr><td>&quot;information&quot;</td><td>1</td><td>&quot;Process Create (rule: ProcessC…</td><td>&quot;Process Create:\n",
"RuleName: -\n",
"Pr…</td></tr></tbody></table></div>"
]
},
"execution_count": 6,
"metadata": {},
"output_type": "execute_result"
}
],
"execution_count": 6
},
{
"metadata": {
"ExecuteTime": {
"end_time": "2024-06-23T14:28:18.658902Z",
"start_time": "2024-06-23T14:28:18.654894Z"
}
},
"cell_type": "code",
"source": [
"# Assuming 'selected_columns_df' is your existing DataFrame\n",
"# Create an index series directly\n",
"index_series = pl.Series(\"index\", range(selected_columns_df.height))\n",
"\n",
"# Insert the index series as the first column using the recommended method\n",
"selected_columns_df = selected_columns_df.insert_column(0, index_series)\n",
"\n",
"# Write the DataFrame to a CSV file, including the new index column\n",
"selected_columns_df.write_csv('lab_logs_blindtest_activity_filtered.csv')\n"
],
"id": "35cd4cc645761608",
"outputs": [],
"execution_count": 7
},
{
"metadata": {
"ExecuteTime": {
"end_time": "2024-06-23T13:45:49.429720Z",
"start_time": "2024-06-23T13:43:42.591856Z"
}
},
"cell_type": "code",
"source": "%conda install numpy scipy scikit-learn pandas joblib pytorch",
"id": "b3f6a7f89fb1f92e",
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Retrieving notices: ...working... done\r\n",
"Channels:\r\n",
" - defaults\r\n",
" - conda-forge\r\n",
"Platform: osx-64\r\n",
"Collecting package metadata (repodata.json): done\r\n",
"Solving environment: done\r\n",
"\r\n",
"## Package Plan ##\r\n",
"\r\n",
" environment location: /Users/mc/anaconda3\r\n",
"\r\n",
" added / updated specs:\r\n",
" - joblib\r\n",
" - numpy\r\n",
" - pandas\r\n",
" - pytorch\r\n",
" - scikit-learn\r\n",
" - scipy\r\n",
"\r\n",
"\r\n",
"The following packages will be downloaded:\r\n",
"\r\n",
" package | build\r\n",
" ---------------------------|-----------------\r\n",
" joblib-1.4.2 | py311hecd8cb5_0 532 KB\r\n",
" openpyxl-3.1.2 | py311h6c40b1e_0 644 KB\r\n",
" pandas-2.2.2 | py311he327ffe_0 14.9 MB\r\n",
" pytorch-2.3.0 |cpu_py311hfffa08c_0 61.7 MB\r\n",
" ------------------------------------------------------------\r\n",
" Total: 77.7 MB\r\n",
"\r\n",
"The following NEW packages will be INSTALLED:\r\n",
"\r\n",
" gmp pkgs/main/osx-64::gmp-6.2.1-he9d5cce_3 \r\n",
" gmpy2 pkgs/main/osx-64::gmpy2-2.1.2-py311h1c2e9e1_0 \r\n",
" mpc pkgs/main/osx-64::mpc-1.1.0-h6ef4df4_1 \r\n",
" mpfr pkgs/main/osx-64::mpfr-4.0.2-h9066e36_1 \r\n",
" mpmath pkgs/main/osx-64::mpmath-1.3.0-py311hecd8cb5_0 \r\n",
" numexpr pkgs/main/osx-64::numexpr-2.8.7-py311h91b6869_0 \r\n",
" pandas pkgs/main/osx-64::pandas-2.2.2-py311he327ffe_0 \r\n",
" pytorch pkgs/main/osx-64::pytorch-2.3.0-cpu_py311hfffa08c_0 \r\n",
" sympy pkgs/main/osx-64::sympy-1.12-py311hecd8cb5_0 \r\n",
"\r\n",
"The following packages will be UPDATED:\r\n",
"\r\n",
" joblib 1.2.0-py311hecd8cb5_0 --> 1.4.2-py311hecd8cb5_0 \r\n",
" openpyxl 3.0.10-py311h6c40b1e_0 --> 3.1.2-py311h6c40b1e_0 \r\n",
"\r\n",
"\r\n",
"\r\n",
"Downloading and Extracting Packages:\r\n",
"pytorch-2.3.0 | 61.7 MB | | 0% \r\n",
"pandas-2.2.2 | 14.9 MB | | 0% \u001B[A\r\n",
"\r\n",
"openpyxl-3.1.2 | 644 KB | | 0% \u001B[A\u001B[A\r\n",
"\r\n",
"\r\n",
"joblib-1.4.2 | 532 KB | | 0% \u001B[A\u001B[A\u001B[A\r\n",
"\r\n",
"openpyxl-3.1.2 | 644 KB | 9 | 2% \u001B[A\u001B[A\r\n",
"pandas-2.2.2 | 14.9 MB | | 0% \u001B[A\r\n",
"\r\n",
"\r\n",
"pytorch-2.3.0 | 61.7 MB | | 0% \u001B[A\u001B[A\u001B[A\r\n",
"\r\n",
"openpyxl-3.1.2 | 644 KB | ########2 | 22% \u001B[A\u001B[A\r\n",
"pandas-2.2.2 | 14.9 MB | 3 | 1% \u001B[A\r\n",
"\r\n",
"\r\n",
"pytorch-2.3.0 | 61.7 MB | | 0% \u001B[A\u001B[A\u001B[A\r\n",
"\r\n",
"openpyxl-3.1.2 | 644 KB | #####################1 | 57% \u001B[A\u001B[A\r\n",
"pandas-2.2.2 | 14.9 MB | 7 | 2% \u001B[A\r\n",
"\r\n",
"\r\n",
"pytorch-2.3.0 | 61.7 MB | 1 | 0% \u001B[A\u001B[A\u001B[A\r\n",
"pandas-2.2.2 | 14.9 MB | #1 | 3% \u001B[A\r\n",
"\r\n",
"openpyxl-3.1.2 | 644 KB | ################################1 | 87% \u001B[A\u001B[A\r\n",
"\r\n",
"\r\n",
"pytorch-2.3.0 | 61.7 MB | 2 | 1% \u001B[A\u001B[A\u001B[A\r\n",
"pytorch-2.3.0 | 61.7 MB | 4 | 1% \u001B[A\r\n",
"pandas-2.2.2 | 14.9 MB | ###4 | 9% \u001B[A\r\n",
"pytorch-2.3.0 | 61.7 MB | 6 | 2% \u001B[A\r\n",
"\r\n",
"\r\n",
"joblib-1.4.2 | 532 KB | ##################################### | 100% \u001B[A\u001B[A\u001B[A\r\n",
"\r\n",
"\r\n",
"joblib-1.4.2 | 532 KB | ##################################### | 100% \u001B[A\u001B[A\u001B[A\r\n",
"\r\n",
"pytorch-2.3.0 | 61.7 MB | 7 | 2% \u001B[A\u001B[A\r\n",
"pytorch-2.3.0 | 61.7 MB | 8 | 2% \u001B[A\r\n",
"pytorch-2.3.0 | 61.7 MB | #1 | 3% \u001B[A\r\n",
"pytorch-2.3.0 | 61.7 MB | #3 | 4% \u001B[A\r\n",
"pytorch-2.3.0 | 61.7 MB | #4 | 4% \u001B[A\r\n",
"pytorch-2.3.0 | 61.7 MB | #9 | 5% \u001B[A\r\n",
"pytorch-2.3.0 | 61.7 MB | ##1 | 6% \u001B[A\r\n",
"pytorch-2.3.0 | 61.7 MB | ##4 | 7% \u001B[A\r\n",
"pytorch-2.3.0 | 61.7 MB | ##8 | 8% \u001B[A\r\n",
"pytorch-2.3.0 | 61.7 MB | ### | 8% \u001B[A\r\n",
"pytorch-2.3.0 | 61.7 MB | ###4 | 9% \u001B[A\r\n",
"pandas-2.2.2 | 14.9 MB | ######################## | 65% \u001B[A\r\n",
"pytorch-2.3.0 | 61.7 MB | #### | 11% \u001B[A\r\n",
"pandas-2.2.2 | 14.9 MB | ############################# | 78% \u001B[A\r\n",
"pytorch-2.3.0 | 61.7 MB | ####5 | 12% \u001B[A\r\n",
"pytorch-2.3.0 | 61.7 MB | #####1 | 14% \u001B[A\r\n",
"pytorch-2.3.0 | 61.7 MB | #####3 | 15% \u001B[A\r\n",
"pytorch-2.3.0 | 61.7 MB | ############1 | 33% \u001B[A\r\n",
"pandas-2.2.2 | 14.9 MB | ##################################### | 100% \u001B[A\r\n",
" \u001B[A\r\n",
" \u001B[A\r\n",
"\r\n",
" \u001B[A\u001B[A\r\n",
"\r\n",
"\r\n",
" \u001B[A\u001B[A\u001B[A\r\n",
"Preparing transaction: done\r\n",
"Verifying transaction: done\r\n",
"Executing transaction: done\r\n",
"\n",
"Note: you may need to restart the kernel to use updated packages.\n"
]
}
],
"execution_count": 62
},
{
"metadata": {
"ExecuteTime": {
"end_time": "2024-06-23T13:56:10.774237Z",
"start_time": "2024-06-23T13:55:53.417184Z"
}
},
"cell_type": "code",
"source": "%pip install deap update_checker tqdm stopit xgboost",
"id": "47de32d351fad54f",
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Collecting deap\r\n",
" Downloading deap-1.4.1.tar.gz (1.1 MB)\r\n",
"\u001B[2K \u001B[90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\u001B[0m \u001B[32m1.1/1.1 MB\u001B[0m \u001B[31m3.3 MB/s\u001B[0m eta \u001B[36m0:00:00\u001B[0m00:01\u001B[0m00:01\u001B[0m0m\r\n",
"\u001B[?25h Preparing metadata (setup.py) ... \u001B[?25ldone\r\n",
"\u001B[?25hCollecting update_checker\r\n",
" Downloading update_checker-0.18.0-py3-none-any.whl.metadata (2.3 kB)\r\n",
"Requirement already satisfied: tqdm in /Users/mc/anaconda3/lib/python3.11/site-packages (4.65.0)\r\n",
"Collecting stopit\r\n",
" Downloading stopit-1.1.2.tar.gz (18 kB)\r\n",
" Preparing metadata (setup.py) ... \u001B[?25ldone\r\n",
"\u001B[?25hRequirement already satisfied: xgboost in /Users/mc/anaconda3/lib/python3.11/site-packages (2.0.3)\r\n",
"Requirement already satisfied: numpy in /Users/mc/anaconda3/lib/python3.11/site-packages (from deap) (1.26.4)\r\n",
"Requirement already satisfied: requests>=2.3.0 in /Users/mc/anaconda3/lib/python3.11/site-packages (from update_checker) (2.31.0)\r\n",
"Requirement already satisfied: scipy in /Users/mc/anaconda3/lib/python3.11/site-packages (from xgboost) (1.10.0)\r\n",
"Requirement already satisfied: charset-normalizer<4,>=2 in /Users/mc/anaconda3/lib/python3.11/site-packages (from requests>=2.3.0->update_checker) (2.0.4)\r\n",
"Requirement already satisfied: idna<4,>=2.5 in /Users/mc/anaconda3/lib/python3.11/site-packages (from requests>=2.3.0->update_checker) (3.4)\r\n",
"Requirement already satisfied: urllib3<3,>=1.21.1 in /Users/mc/anaconda3/lib/python3.11/site-packages (from requests>=2.3.0->update_checker) (2.0.7)\r\n",
"Requirement already satisfied: certifi>=2017.4.17 in /Users/mc/anaconda3/lib/python3.11/site-packages (from requests>=2.3.0->update_checker) (2024.6.2)\r\n",
"Downloading update_checker-0.18.0-py3-none-any.whl (7.0 kB)\r\n",
"Building wheels for collected packages: deap, stopit\r\n",
" Building wheel for deap (setup.py) ... \u001B[?25ldone\r\n",
"\u001B[?25h Created wheel for deap: filename=deap-1.4.1-cp311-cp311-macosx_10_9_x86_64.whl size=104125 sha256=f96288a3d78b5805d248bd7b3b208fde1cc034141a602688c3fda474dd70351f\r\n",
" Stored in directory: /Users/mc/Library/Caches/pip/wheels/f8/64/b8/65eacfbff3024ae2e2beb22e691d5c8abb89fbd863b8049b5f\r\n",
" Building wheel for stopit (setup.py) ... \u001B[?25ldone\r\n",
"\u001B[?25h Created wheel for stopit: filename=stopit-1.1.2-py3-none-any.whl size=11939 sha256=97f0cca9a0cd37dfe9b6f44dd8ab496a305c15a23e1b1f61fb45480eb31d7968\r\n",
" Stored in directory: /Users/mc/Library/Caches/pip/wheels/da/77/2d/adbc56bc4db95ad80c6d4e71cd69e2d9d122174904342e3f7f\r\n",
"Successfully built deap stopit\r\n",
"Installing collected packages: stopit, deap, update_checker\r\n",
"Successfully installed deap-1.4.1 stopit-1.1.2 update_checker-0.18.0\r\n",
"Note: you may need to restart the kernel to use updated packages.\n"
]
}
],
"execution_count": 63
},
{
"metadata": {
"ExecuteTime": {
"end_time": "2024-06-23T14:01:04.898242Z",
"start_time": "2024-06-23T14:00:53.155446Z"
}
},
"cell_type": "code",
"source": "%pip install tpot",
"id": "737d462c559936e2",
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Collecting tpot\r\n",
" Downloading TPOT-0.12.2-py3-none-any.whl.metadata (2.0 kB)\r\n",
"Requirement already satisfied: numpy>=1.16.3 in /Users/mc/anaconda3/lib/python3.11/site-packages (from tpot) (1.26.4)\r\n",
"Requirement already satisfied: scipy>=1.3.1 in /Users/mc/anaconda3/lib/python3.11/site-packages (from tpot) (1.10.0)\r\n",
"Collecting scikit-learn>=1.4.1 (from tpot)\r\n",
" Downloading scikit_learn-1.5.0-cp311-cp311-macosx_10_9_x86_64.whl.metadata (11 kB)\r\n",
"Requirement already satisfied: deap>=1.2 in /Users/mc/anaconda3/lib/python3.11/site-packages (from tpot) (1.4.1)\r\n",
"Requirement already satisfied: update-checker>=0.16 in /Users/mc/anaconda3/lib/python3.11/site-packages (from tpot) (0.18.0)\r\n",
"Requirement already satisfied: tqdm>=4.36.1 in /Users/mc/anaconda3/lib/python3.11/site-packages (from tpot) (4.65.0)\r\n",
"Requirement already satisfied: stopit>=1.1.1 in /Users/mc/anaconda3/lib/python3.11/site-packages (from tpot) (1.1.2)\r\n",
"Requirement already satisfied: pandas>=0.24.2 in /Users/mc/anaconda3/lib/python3.11/site-packages (from tpot) (2.2.2)\r\n",
"Requirement already satisfied: joblib>=0.13.2 in /Users/mc/anaconda3/lib/python3.11/site-packages (from tpot) (1.4.2)\r\n",
"Requirement already satisfied: xgboost>=1.1.0 in /Users/mc/anaconda3/lib/python3.11/site-packages (from tpot) (2.0.3)\r\n",
"Requirement already satisfied: python-dateutil>=2.8.2 in /Users/mc/anaconda3/lib/python3.11/site-packages (from pandas>=0.24.2->tpot) (2.8.2)\r\n",
"Requirement already satisfied: pytz>=2020.1 in /Users/mc/anaconda3/lib/python3.11/site-packages (from pandas>=0.24.2->tpot) (2023.3.post1)\r\n",
"Requirement already satisfied: tzdata>=2022.7 in /Users/mc/anaconda3/lib/python3.11/site-packages (from pandas>=0.24.2->tpot) (2023.3)\r\n",
"Collecting threadpoolctl>=3.1.0 (from scikit-learn>=1.4.1->tpot)\r\n",
" Downloading threadpoolctl-3.5.0-py3-none-any.whl.metadata (13 kB)\r\n",
"Requirement already satisfied: requests>=2.3.0 in /Users/mc/anaconda3/lib/python3.11/site-packages (from update-checker>=0.16->tpot) (2.31.0)\r\n",
"Requirement already satisfied: six>=1.5 in /Users/mc/anaconda3/lib/python3.11/site-packages (from python-dateutil>=2.8.2->pandas>=0.24.2->tpot) (1.16.0)\r\n",
"Requirement already satisfied: charset-normalizer<4,>=2 in /Users/mc/anaconda3/lib/python3.11/site-packages (from requests>=2.3.0->update-checker>=0.16->tpot) (2.0.4)\r\n",
"Requirement already satisfied: idna<4,>=2.5 in /Users/mc/anaconda3/lib/python3.11/site-packages (from requests>=2.3.0->update-checker>=0.16->tpot) (3.4)\r\n",
"Requirement already satisfied: urllib3<3,>=1.21.1 in /Users/mc/anaconda3/lib/python3.11/site-packages (from requests>=2.3.0->update-checker>=0.16->tpot) (2.0.7)\r\n",
"Requirement already satisfied: certifi>=2017.4.17 in /Users/mc/anaconda3/lib/python3.11/site-packages (from requests>=2.3.0->update-checker>=0.16->tpot) (2024.6.2)\r\n",
"Downloading TPOT-0.12.2-py3-none-any.whl (87 kB)\r\n",
"\u001B[2K \u001B[90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\u001B[0m \u001B[32m87.4/87.4 kB\u001B[0m \u001B[31m800.0 kB/s\u001B[0m eta \u001B[36m0:00:00\u001B[0m\u001B[36m0:00:01\u001B[0m0m\r\n",
"\u001B[?25hDownloading scikit_learn-1.5.0-cp311-cp311-macosx_10_9_x86_64.whl (12.1 MB)\r\n",
"\u001B[2K \u001B[90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\u001B[0m \u001B[32m12.1/12.1 MB\u001B[0m \u001B[31m6.9 MB/s\u001B[0m eta \u001B[36m0:00:00\u001B[0m00:01\u001B[0m00:01\u001B[0m\r\n",
"\u001B[?25hDownloading threadpoolctl-3.5.0-py3-none-any.whl (18 kB)\r\n",
"Installing collected packages: threadpoolctl, scikit-learn, tpot\r\n",
" Attempting uninstall: threadpoolctl\r\n",
" Found existing installation: threadpoolctl 2.2.0\r\n",
" Uninstalling threadpoolctl-2.2.0:\r\n",
" Successfully uninstalled threadpoolctl-2.2.0\r\n",
" Attempting uninstall: scikit-learn\r\n",
" Found existing installation: scikit-learn 1.1.3\r\n",
" Uninstalling scikit-learn-1.1.3:\r\n",
" Successfully uninstalled scikit-learn-1.1.3\r\n",
"\u001B[31mERROR: pip's dependency resolver does not currently take into account all the packages that are installed. This behaviour is the source of the following dependency conflicts.\r\n",
"orange3 3.36.2 requires scikit-learn!=1.2.*,<1.4,>=1.1.0, but you have scikit-learn 1.5.0 which is incompatible.\u001B[0m\u001B[31m\r\n",
"\u001B[0mSuccessfully installed scikit-learn-1.5.0 threadpoolctl-3.5.0 tpot-0.12.2\r\n",
"Note: you may need to restart the kernel to use updated packages.\n"
]
}
],
"execution_count": 65
},
{
"metadata": {
"ExecuteTime": {
"end_time": "2024-06-23T14:28:38.433594Z",
"start_time": "2024-06-23T14:28:27.080547Z"
}
},
"cell_type": "code",
"source": [
"import os\n",
"os.environ[\"KMP_DUPLICATE_LIB_OK\"] = \"TRUE\"\n",
"\n",
"import polars as pl\n",
"import re\n",
"from transformers import BertTokenizer, BertModel\n",
"import torch\n",
"from tpot import TPOTClassifier\n",
"from sklearn.model_selection import train_test_split\n",
"from sklearn.preprocessing import LabelEncoder"
],
"id": "ae96e41f08c7908b",
"outputs": [
{
"name": "stderr",
"output_type": "stream",
"text": [
"/Users/mc/anaconda3/lib/python3.11/site-packages/transformers/utils/generic.py:260: UserWarning: torch.utils._pytree._register_pytree_node is deprecated. Please use torch.utils._pytree.register_pytree_node instead.\n",
" torch.utils._pytree._register_pytree_node(\n"
]
}
],
"execution_count": 8
},
{
"metadata": {
"ExecuteTime": {
"end_time": "2024-06-23T14:28:38.439369Z",
"start_time": "2024-06-23T14:28:38.435669Z"
}
},
"cell_type": "code",
"source": [
"# Extract relevant information using regular expressions\n",
"def extract_info(text):\n",
" image = re.search(r\"Image: (.*?\\.exe)\", text, re.IGNORECASE)\n",
" target_filename = re.search(r\"TargetFilename: (.*?\\.exe)\", text, re.IGNORECASE)\n",
" return {\n",
" \"image\": image.group(1) if image else \"\",\n",
" \"target_filename\": target_filename.group(1) if target_filename else \"\",\n",
" \"text\": text\n",
" }"
],
"id": "5cecd995c579cd0f",
"outputs": [],
"execution_count": 9
},
{
"metadata": {
"ExecuteTime": {
"end_time": "2024-06-23T14:28:38.453982Z",
"start_time": "2024-06-23T14:28:38.440333Z"
}
},
"cell_type": "code",
"source": [
"# Apply extraction to the Polars DataFrame using map_elements\n",
"selected_columns_df = selected_columns_df.with_columns(\n",
" pl.col(\"filtered_message\").map_elements(lambda x: extract_info(x), return_dtype=pl.Object).alias(\"extracted_info\")\n",
")"
],
"id": "c2f84d1d644f9111",
"outputs": [],
"execution_count": 10
},
{
"metadata": {
"ExecuteTime": {
"end_time": "2024-06-23T14:28:38.462528Z",
"start_time": "2024-06-23T14:28:38.456183Z"
}
},
"cell_type": "code",
"source": [
"# Extract fields from the extracted_info column using map_elements with return_dtype\n",
"selected_columns_df = selected_columns_df.with_columns(\n",
" pl.col(\"extracted_info\").map_elements(lambda x: x['image'], return_dtype=pl.Utf8).alias(\"image\"),\n",
" pl.col(\"extracted_info\").map_elements(lambda x: x['target_filename'], return_dtype=pl.Utf8).alias(\"target_filename\"),\n",
" pl.col(\"extracted_info\").map_elements(lambda x: x['text'], return_dtype=pl.Utf8).alias(\"text\")\n",
").drop(\"extracted_info\")"
],
"id": "b4c8e805cdb9b634",
"outputs": [],
"execution_count": 11
},
{
"metadata": {
"ExecuteTime": {
"end_time": "2024-06-23T14:28:38.467734Z",
"start_time": "2024-06-23T14:28:38.463610Z"
}
},
"cell_type": "code",
"source": "print(selected_columns_df)",
"id": "c700056897cc8dd8",
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"shape: (1_027, 8)\n",
"┌───────┬────────────┬────────────┬────────────┬────────────┬────────────┬────────────┬────────────┐\n",
"│ index ┆ log.level ┆ winlog.eve ┆ winlog.tas ┆ filtered_m ┆ image ┆ target_fil ┆ text │\n",
"│ --- ┆ --- ┆ nt_id ┆ k ┆ essage ┆ --- ┆ ename ┆ --- │\n",
"│ i64 ┆ str ┆ --- ┆ --- ┆ --- ┆ str ┆ --- ┆ str │\n",
"│ ┆ ┆ i64 ┆ str ┆ str ┆ ┆ str ┆ │\n",
"╞═══════╪════════════╪════════════╪════════════╪════════════╪════════════╪════════════╪════════════╡\n",
"│ 0 ┆ informatio ┆ 10 ┆ Process ┆ Process ┆ C:\\Windows ┆ ┆ Process │\n",
"│ ┆ n ┆ ┆ accessed ┆ accessed: ┆ \\system32\\ ┆ ┆ accessed: │\n",
"│ ┆ ┆ ┆ (rule: ┆ RuleName: ┆ svchost.ex ┆ ┆ RuleName: │\n",
"│ ┆ ┆ ┆ Proces… ┆ - ┆ … ┆ ┆ - │\n",
"│ ┆ ┆ ┆ ┆ … ┆ ┆ ┆ … │\n",
"│ 1 ┆ informatio ┆ 10 ┆ Process ┆ Process ┆ C:\\Windows ┆ ┆ Process │\n",
"│ ┆ n ┆ ┆ accessed ┆ accessed: ┆ \\system32\\ ┆ ┆ accessed: │\n",
"│ ┆ ┆ ┆ (rule: ┆ RuleName: ┆ svchost.ex ┆ ┆ RuleName: │\n",
"│ ┆ ┆ ┆ Proces… ┆ - ┆ … ┆ ┆ - │\n",
"│ ┆ ┆ ┆ ┆ … ┆ ┆ ┆ … │\n",
"│ 2 ┆ informatio ┆ 1 ┆ Process ┆ Process ┆ C:\\Windows ┆ ┆ Process │\n",
"│ ┆ n ┆ ┆ Create ┆ Create: ┆ \\servicing ┆ ┆ Create: │\n",
"│ ┆ ┆ ┆ (rule: ┆ RuleName: ┆ \\TrustedIn ┆ ┆ RuleName: │\n",
"│ ┆ ┆ ┆ ProcessC… ┆ - ┆ … ┆ ┆ - │\n",
"│ ┆ ┆ ┆ ┆ Pr… ┆ ┆ ┆ Pr… │\n",
"│ 3 ┆ informatio ┆ 13 ┆ Registry ┆ Registry ┆ C:\\Windows ┆ ┆ Registry │\n",
"│ ┆ n ┆ ┆ value set ┆ value set: ┆ \\servicing ┆ ┆ value set: │\n",
"│ ┆ ┆ ┆ (rule: ┆ RuleName: ┆ \\TrustedIn ┆ ┆ RuleName: │\n",
"│ ┆ ┆ ┆ Regi… ┆ … ┆ … ┆ ┆ … │\n",
"│ 4 ┆ informatio ┆ 1 ┆ Process ┆ Process ┆ C:\\Windows ┆ ┆ Process │\n",
"│ ┆ n ┆ ┆ Create ┆ Create: ┆ \\WinSxS\\am ┆ ┆ Create: │\n",
"│ ┆ ┆ ┆ (rule: ┆ RuleName: ┆ d64_micros ┆ ┆ RuleName: │\n",
"│ ┆ ┆ ┆ ProcessC… ┆ - ┆ … ┆ ┆ - │\n",
"│ ┆ ┆ ┆ ┆ Pr… ┆ ┆ ┆ Pr… │\n",
"│ … ┆ … ┆ … ┆ … ┆ … ┆ … ┆ … ┆ … │\n",
"│ 1022 ┆ informatio ┆ 1 ┆ Process ┆ Process ┆ C:\\Program ┆ ┆ Process │\n",
"│ ┆ n ┆ ┆ Create ┆ Create: ┆ Files (x86 ┆ ┆ Create: │\n",
"│ ┆ ┆ ┆ (rule: ┆ RuleName: ┆ )\\Microso… ┆ ┆ RuleName: │\n",
"│ ┆ ┆ ┆ ProcessC… ┆ - ┆ ┆ ┆ - │\n",
"│ ┆ ┆ ┆ ┆ Pr… ┆ ┆ ┆ Pr… │\n",
"│ 1023 ┆ informatio ┆ 10 ┆ Process ┆ Process ┆ C:\\Program ┆ ┆ Process │\n",
"│ ┆ n ┆ ┆ accessed ┆ accessed: ┆ Files (x86 ┆ ┆ accessed: │\n",
"│ ┆ ┆ ┆ (rule: ┆ RuleName: ┆ )\\Microso… ┆ ┆ RuleName: │\n",
"│ ┆ ┆ ┆ Proces… ┆ - ┆ ┆ ┆ - │\n",
"│ ┆ ┆ ┆ ┆ … ┆ ┆ ┆ … │\n",
"│ 1024 ┆ informatio ┆ 1 ┆ Process ┆ Process ┆ C:\\Windows ┆ ┆ Process │\n",
"│ ┆ n ┆ ┆ Create ┆ Create: ┆ \\System32\\ ┆ ┆ Create: │\n",
"│ ┆ ┆ ┆ (rule: ┆ RuleName: ┆ taskhostw. ┆ ┆ RuleName: │\n",
"│ ┆ ┆ ┆ ProcessC… ┆ - ┆ … ┆ ┆ - │\n",
"│ ┆ ┆ ┆ ┆ Pr… ┆ ┆ ┆ Pr… │\n",
"│ 1025 ┆ informatio ┆ 22 ┆ Dns query ┆ Dns query: ┆ ┆ ┆ Dns query: │\n",
"│ ┆ n ┆ ┆ (rule: ┆ RuleName: ┆ ┆ ┆ RuleName: │\n",
"│ ┆ ┆ ┆ DnsQuery) ┆ - ┆ ┆ ┆ - │\n",
"│ ┆ ┆ ┆ ┆ Process… ┆ ┆ ┆ Process… │\n",
"│ 1026 ┆ informatio ┆ 1 ┆ Process ┆ Process ┆ C:\\Program ┆ ┆ Process │\n",
"│ ┆ n ┆ ┆ Create ┆ Create: ┆ Files\\RUXI ┆ ┆ Create: │\n",
"│ ┆ ┆ ┆ (rule: ┆ RuleName: ┆ M\\PLUGSch… ┆ ┆ RuleName: │\n",
"│ ┆ ┆ ┆ ProcessC… ┆ - ┆ ┆ ┆ - │\n",
"│ ┆ ┆ ┆ ┆ Pr… ┆ ┆ ┆ Pr… │\n",
"└───────┴────────────┴────────────┴────────────┴────────────┴────────────┴────────────┴────────────┘\n"
]
}
],
"execution_count": 12
},
{
"metadata": {
"ExecuteTime": {
"end_time": "2024-06-23T14:28:58.121865Z",
"start_time": "2024-06-23T14:28:58.118749Z"
}
},
"cell_type": "code",
"source": [
"def define_label(row):\n",
" conditions = {\n",
" (\"EXCEL.EXE\" in row['image'] and \".exe\" in row['target_filename']): \"bad\",\n",
" (row['index'] == 874): \"bad\",\n",
" # Add more conditions here if needed\n",
" }\n",
" return conditions.get(True, \"good\")"
],
"id": "8d21ff3214accd7a",
"outputs": [],
"execution_count": 13
},
{
"metadata": {
"ExecuteTime": {
"end_time": "2024-06-23T14:29:01.928229Z",
"start_time": "2024-06-23T14:29:01.923231Z"
}
},
"cell_type": "code",
"source": [
"# Apply the define_label function\n",
"selected_columns_df = selected_columns_df.with_columns(\n",
" pl.struct([\"index\", \"image\", \"target_filename\"]).map_elements(define_label, return_dtype=pl.Utf8).alias(\"label\")\n",
")"
],
"id": "3017223325f75d03",
"outputs": [],
"execution_count": 14
},
{
"metadata": {
"ExecuteTime": {
"end_time": "2024-06-23T14:29:02.937309Z",
"start_time": "2024-06-23T14:29:02.933702Z"
}
},
"cell_type": "code",
"source": "print(selected_columns_df)",
"id": "feac611ac2db9fb",
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"shape: (1_027, 9)\n",
"┌───────┬─────────────┬────────────┬────────────┬───┬────────────┬────────────┬────────────┬───────┐\n",
"│ index ┆ log.level ┆ winlog.eve ┆ winlog.tas ┆ … ┆ image ┆ target_fil ┆ text ┆ label │\n",
"│ --- ┆ --- ┆ nt_id ┆ k ┆ ┆ --- ┆ ename ┆ --- ┆ --- │\n",
"│ i64 ┆ str ┆ --- ┆ --- ┆ ┆ str ┆ --- ┆ str ┆ str │\n",
"│ ┆ ┆ i64 ┆ str ┆ ┆ ┆ str ┆ ┆ │\n",
"╞═══════╪═════════════╪════════════╪════════════╪═══╪════════════╪════════════╪════════════╪═══════╡\n",
"│ 0 ┆ information ┆ 10 ┆ Process ┆ … ┆ C:\\Windows ┆ ┆ Process ┆ good │\n",
"│ ┆ ┆ ┆ accessed ┆ ┆ \\system32\\ ┆ ┆ accessed: ┆ │\n",
"│ ┆ ┆ ┆ (rule: ┆ ┆ svchost.ex ┆ ┆ RuleName: ┆ │\n",
"│ ┆ ┆ ┆ Proces… ┆ ┆ … ┆ ┆ - ┆ │\n",
"│ ┆ ┆ ┆ ┆ ┆ ┆ ┆ … ┆ │\n",
"│ 1 ┆ information ┆ 10 ┆ Process ┆ … ┆ C:\\Windows ┆ ┆ Process ┆ good │\n",
"│ ┆ ┆ ┆ accessed ┆ ┆ \\system32\\ ┆ ┆ accessed: ┆ │\n",
"│ ┆ ┆ ┆ (rule: ┆ ┆ svchost.ex ┆ ┆ RuleName: ┆ │\n",
"│ ┆ ┆ ┆ Proces… ┆ ┆ … ┆ ┆ - ┆ │\n",
"│ ┆ ┆ ┆ ┆ ┆ ┆ ┆ … ┆ │\n",
"│ 2 ┆ information ┆ 1 ┆ Process ┆ … ┆ C:\\Windows ┆ ┆ Process ┆ good │\n",
"│ ┆ ┆ ┆ Create ┆ ┆ \\servicing ┆ ┆ Create: ┆ │\n",
"│ ┆ ┆ ┆ (rule: ┆ ┆ \\TrustedIn ┆ ┆ RuleName: ┆ │\n",
"│ ┆ ┆ ┆ ProcessC… ┆ ┆ … ┆ ┆ - ┆ │\n",
"│ ┆ ┆ ┆ ┆ ┆ ┆ ┆ Pr… ┆ │\n",
"│ 3 ┆ information ┆ 13 ┆ Registry ┆ … ┆ C:\\Windows ┆ ┆ Registry ┆ good │\n",
"│ ┆ ┆ ┆ value set ┆ ┆ \\servicing ┆ ┆ value set: ┆ │\n",
"│ ┆ ┆ ┆ (rule: ┆ ┆ \\TrustedIn ┆ ┆ RuleName: ┆ │\n",
"│ ┆ ┆ ┆ Regi… ┆ ┆ … ┆ ┆ … ┆ │\n",
"│ 4 ┆ information ┆ 1 ┆ Process ┆ … ┆ C:\\Windows ┆ ┆ Process ┆ good │\n",
"│ ┆ ┆ ┆ Create ┆ ┆ \\WinSxS\\am ┆ ┆ Create: ┆ │\n",
"│ ┆ ┆ ┆ (rule: ┆ ┆ d64_micros ┆ ┆ RuleName: ┆ │\n",
"│ ┆ ┆ ┆ ProcessC… ┆ ┆ … ┆ ┆ - ┆ │\n",
"│ ┆ ┆ ┆ ┆ ┆ ┆ ┆ Pr… ┆ │\n",
"│ … ┆ … ┆ … ┆ … ┆ … ┆ … ┆ … ┆ … ┆ … │\n",
"│ 1022 ┆ information ┆ 1 ┆ Process ┆ … ┆ C:\\Program ┆ ┆ Process ┆ good │\n",
"│ ┆ ┆ ┆ Create ┆ ┆ Files (x86 ┆ ┆ Create: ┆ │\n",
"│ ┆ ┆ ┆ (rule: ┆ ┆ )\\Microso… ┆ ┆ RuleName: ┆ │\n",
"│ ┆ ┆ ┆ ProcessC… ┆ ┆ ┆ ┆ - ┆ │\n",
"│ ┆ ┆ ┆ ┆ ┆ ┆ ┆ Pr… ┆ │\n",
"│ 1023 ┆ information ┆ 10 ┆ Process ┆ … ┆ C:\\Program ┆ ┆ Process ┆ good │\n",
"│ ┆ ┆ ┆ accessed ┆ ┆ Files (x86 ┆ ┆ accessed: ┆ │\n",
"│ ┆ ┆ ┆ (rule: ┆ ┆ )\\Microso… ┆ ┆ RuleName: ┆ │\n",
"│ ┆ ┆ ┆ Proces… ┆ ┆ ┆ ┆ - ┆ │\n",
"│ ┆ ┆ ┆ ┆ ┆ ┆ ┆ … ┆ │\n",
"│ 1024 ┆ information ┆ 1 ┆ Process ┆ … ┆ C:\\Windows ┆ ┆ Process ┆ good │\n",
"│ ┆ ┆ ┆ Create ┆ ┆ \\System32\\ ┆ ┆ Create: ┆ │\n",
"│ ┆ ┆ ┆ (rule: ┆ ┆ taskhostw. ┆ ┆ RuleName: ┆ │\n",
"│ ┆ ┆ ┆ ProcessC… ┆ ┆ … ┆ ┆ - ┆ │\n",
"│ ┆ ┆ ┆ ┆ ┆ ┆ ┆ Pr… ┆ │\n",
"│ 1025 ┆ information ┆ 22 ┆ Dns query ┆ … ┆ ┆ ┆ Dns query: ┆ good │\n",
"│ ┆ ┆ ┆ (rule: ┆ ┆ ┆ ┆ RuleName: ┆ │\n",
"│ ┆ ┆ ┆ DnsQuery) ┆ ┆ ┆ ┆ - ┆ │\n",
"│ ┆ ┆ ┆ ┆ ┆ ┆ ┆ Process… ┆ │\n",
"│ 1026 ┆ information ┆ 1 ┆ Process ┆ … ┆ C:\\Program ┆ ┆ Process ┆ good │\n",
"│ ┆ ┆ ┆ Create ┆ ┆ Files\\RUXI ┆ ┆ Create: ┆ │\n",
"│ ┆ ┆ ┆ (rule: ┆ ┆ M\\PLUGSch… ┆ ┆ RuleName: ┆ │\n",
"│ ┆ ┆ ┆ ProcessC… ┆ ┆ ┆ ┆ - ┆ │\n",
"│ ┆ ┆ ┆ ┆ ┆ ┆ ┆ Pr… ┆ │\n",
"└───────┴─────────────┴────────────┴────────────┴───┴────────────┴────────────┴────────────┴───────┘\n"
]
}
],
"execution_count": 15
},
{
"metadata": {
"ExecuteTime": {
"end_time": "2024-06-23T14:30:07.444109Z",
"start_time": "2024-06-23T14:30:07.436034Z"
}
},
"cell_type": "code",
"source": [
"bad_rows = selected_columns_df.filter(pl.col(\"label\") == \"bad\")\n",
"print(bad_rows)"
],
"id": "5d634a8db0b99c4",
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"shape: (2, 9)\n",
"┌───────┬─────────────┬────────────┬────────────┬───┬────────────┬────────────┬────────────┬───────┐\n",
"│ index ┆ log.level ┆ winlog.eve ┆ winlog.tas ┆ … ┆ image ┆ target_fil ┆ text ┆ label │\n",
"│ --- ┆ --- ┆ nt_id ┆ k ┆ ┆ --- ┆ ename ┆ --- ┆ --- │\n",
"│ i64 ┆ str ┆ --- ┆ --- ┆ ┆ str ┆ --- ┆ str ┆ str │\n",
"│ ┆ ┆ i64 ┆ str ┆ ┆ ┆ str ┆ ┆ │\n",
"╞═══════╪═════════════╪════════════╪════════════╪═══╪════════════╪════════════╪════════════╪═══════╡\n",
"│ 832 ┆ information ┆ 11 ┆ File ┆ … ┆ C:\\Program ┆ C:\\Users\\s ┆ File ┆ bad │\n",
"│ ┆ ┆ ┆ created ┆ ┆ Files\\Micr ┆ tudent\\App ┆ created: ┆ │\n",
"│ ┆ ┆ ┆ (rule: Fil ┆ ┆ osoft Off… ┆ Data\\Local ┆ RuleName: ┆ │\n",
"│ ┆ ┆ ┆ eCreate… ┆ ┆ ┆ … ┆ EXE ┆ │\n",
"│ ┆ ┆ ┆ ┆ ┆ ┆ ┆ Pr… ┆ │\n",
"│ 874 ┆ information ┆ 3 ┆ Network ┆ … ┆ C:\\Users\\s ┆ ┆ Network ┆ bad │\n",
"│ ┆ ┆ ┆ connection ┆ ┆ tudent\\App ┆ ┆ connection ┆ │\n",
"│ ┆ ┆ ┆ detected ┆ ┆ Data\\Local ┆ ┆ detected: ┆ │\n",
"│ ┆ ┆ ┆ (r… ┆ ┆ … ┆ ┆ R… ┆ │\n",
"└───────┴─────────────┴────────────┴────────────┴───┴────────────┴────────────┴────────────┴───────┘\n"
]
}
],
"execution_count": 16
},
{
"metadata": {
"ExecuteTime": {
"end_time": "2024-06-23T14:37:58.896397Z",
"start_time": "2024-06-23T14:30:20.524206Z"
}
},
"cell_type": "code",
"source": [
"tokenizer = BertTokenizer.from_pretrained('bert-base-uncased')\n",
"model = BertModel.from_pretrained('bert-base-uncased')\n",
"\n",
"def vectorize_text(text):\n",
" inputs = tokenizer(text, return_tensors='pt', truncation=True, padding=True)\n",
" outputs = model(**inputs)\n",
" return outputs.last_hidden_state.mean(dim=1).detach().numpy()\n",
"\n",
"# Apply vectorization to the Polars DataFrame using map_elements\n",
"selected_columns_df = selected_columns_df.with_columns(\n",
" pl.col(\"text\").map_elements(lambda x: vectorize_text(x).flatten(), return_dtype=pl.Object).alias(\"text_vector\")\n",
")\n",
"\n",
"print(selected_columns_df)"
],
"id": "9262f948e3361ee9",
"outputs": [
{
"name": "stderr",
"output_type": "stream",
"text": [
"/Users/mc/anaconda3/lib/python3.11/site-packages/huggingface_hub/file_download.py:1132: FutureWarning: `resume_download` is deprecated and will be removed in version 1.0.0. Downloads always resume when possible. If you want to force a new download, use `force_download=True`.\n",
" warnings.warn(\n"
]
},
{
"name": "stdout",
"output_type": "stream",
"text": [
"shape: (1_027, 10)\n",
"┌───────┬─────────────┬────────────┬────────────┬───┬────────────┬────────────┬───────┬────────────┐\n",
"│ index ┆ log.level ┆ winlog.eve ┆ winlog.tas ┆ … ┆ target_fil ┆ text ┆ label ┆ text_vecto │\n",
"│ --- ┆ --- ┆ nt_id ┆ k ┆ ┆ ename ┆ --- ┆ --- ┆ r │\n",
"│ i64 ┆ str ┆ --- ┆ --- ┆ ┆ --- ┆ str ┆ str ┆ --- │\n",
"│ ┆ ┆ i64 ┆ str ┆ ┆ str ┆ ┆ ┆ object │\n",
"╞═══════╪═════════════╪════════════╪════════════╪═══╪════════════╪════════════╪═══════╪════════════╡\n",
"│ 0 ┆ information ┆ 10 ┆ Process ┆ … ┆ ┆ Process ┆ good ┆ [-3.212887 │\n",
"│ ┆ ┆ ┆ accessed ┆ ┆ ┆ accessed: ┆ ┆ 05e-01 -8. │\n",
"│ ┆ ┆ ┆ (rule: ┆ ┆ ┆ RuleName: ┆ ┆ 51057563e- │\n",
"│ ┆ ┆ ┆ Proces… ┆ ┆ ┆ - ┆ ┆ … │\n",
"│ ┆ ┆ ┆ ┆ ┆ ┆ … ┆ ┆ │\n",
"│ 1 ┆ information ┆ 10 ┆ Process ┆ … ┆ ┆ Process ┆ good ┆ [-3.122658 │\n",
"│ ┆ ┆ ┆ accessed ┆ ┆ ┆ accessed: ┆ ┆ 13e-01 -9. │\n",
"│ ┆ ┆ ┆ (rule: ┆ ┆ ┆ RuleName: ┆ ┆ 11662821e- │\n",
"│ ┆ ┆ ┆ Proces… ┆ ┆ ┆ - ┆ ┆ … │\n",
"│ ┆ ┆ ┆ ┆ ┆ ┆ … ┆ ┆ │\n",
"│ 2 ┆ information ┆ 1 ┆ Process ┆ … ┆ ┆ Process ┆ good ┆ [-3.229663 │\n",
"│ ┆ ┆ ┆ Create ┆ ┆ ┆ Create: ┆ ┆ 37e-01 -5. │\n",
"│ ┆ ┆ ┆ (rule: ┆ ┆ ┆ RuleName: ┆ ┆ 04846917e- │\n",
"│ ┆ ┆ ┆ ProcessC… ┆ ┆ ┆ - ┆ ┆ … │\n",
"│ ┆ ┆ ┆ ┆ ┆ ┆ Pr… ┆ ┆ │\n",
"│ 3 ┆ information ┆ 13 ┆ Registry ┆ … ┆ ┆ Registry ┆ good ┆ [-2.114389 │\n",
"│ ┆ ┆ ┆ value set ┆ ┆ ┆ value set: ┆ ┆ 69e-01 -1. │\n",
"│ ┆ ┆ ┆ (rule: ┆ ┆ ┆ RuleName: ┆ ┆ 26859054e- │\n",
"│ ┆ ┆ ┆ Regi… ┆ ┆ ┆ … ┆ ┆ … │\n",
"│ 4 ┆ information ┆ 1 ┆ Process ┆ … ┆ ┆ Process ┆ good ┆ [-3.781927 │\n",
"│ ┆ ┆ ┆ Create ┆ ┆ ┆ Create: ┆ ┆ 82e-01 │\n",
"│ ┆ ┆ ┆ (rule: ┆ ┆ ┆ RuleName: ┆ ┆ 1.29612401 │\n",
"│ ┆ ┆ ┆ ProcessC… ┆ ┆ ┆ - ┆ ┆ e-… │\n",
"│ ┆ ┆ ┆ ┆ ┆ ┆ Pr… ┆ ┆ │\n",
"│ … ┆ … ┆ … ┆ … ┆ … ┆ … ┆ … ┆ … ┆ … │\n",
"│ 1022 ┆ information ┆ 1 ┆ Process ┆ … ┆ ┆ Process ┆ good ┆ [-3.417365 │\n",
"│ ┆ ┆ ┆ Create ┆ ┆ ┆ Create: ┆ ┆ 55e-01 -7. │\n",
"│ ┆ ┆ ┆ (rule: ┆ ┆ ┆ RuleName: ┆ ┆ 53258318e- │\n",
"│ ┆ ┆ ┆ ProcessC… ┆ ┆ ┆ - ┆ ┆ … │\n",
"│ ┆ ┆ ┆ ┆ ┆ ┆ Pr… ┆ ┆ │\n",
"│ 1023 ┆ information ┆ 10 ┆ Process ┆ … ┆ ┆ Process ┆ good ┆ [-2.859322 │\n",
"│ ┆ ┆ ┆ accessed ┆ ┆ ┆ accessed: ┆ ┆ 73e-01 │\n",
"│ ┆ ┆ ┆ (rule: ┆ ┆ ┆ RuleName: ┆ ┆ 3.61725502 │\n",
"│ ┆ ┆ ┆ Proces… ┆ ┆ ┆ - ┆ ┆ e-… │\n",
"│ ┆ ┆ ┆ ┆ ┆ ┆ … ┆ ┆ │\n",
"│ 1024 ┆ information ┆ 1 ┆ Process ┆ … ┆ ┆ Process ┆ good ┆ [-3.556979 │\n",
"│ ┆ ┆ ┆ Create ┆ ┆ ┆ Create: ┆ ┆ 30e-01 -3. │\n",
"│ ┆ ┆ ┆ (rule: ┆ ┆ ┆ RuleName: ┆ ┆ 89229059e- │\n",
"│ ┆ ┆ ┆ ProcessC… ┆ ┆ ┆ - ┆ ┆ … │\n",
"│ ┆ ┆ ┆ ┆ ┆ ┆ Pr… ┆ ┆ │\n",
"│ 1025 ┆ information ┆ 22 ┆ Dns query ┆ … ┆ ┆ Dns query: ┆ good ┆ [-2.601829 │\n",
"│ ┆ ┆ ┆ (rule: ┆ ┆ ┆ RuleName: ┆ ┆ 47e-01 -1. │\n",
"│ ┆ ┆ ┆ DnsQuery) ┆ ┆ ┆ - ┆ ┆ 70182362e- │\n",
"│ ┆ ┆ ┆ ┆ ┆ ┆ Process… ┆ ┆ … │\n",
"│ 1026 ┆ information ┆ 1 ┆ Process ┆ … ┆ ┆ Process ┆ good ┆ [-3.442858 │\n",
"│ ┆ ┆ ┆ Create ┆ ┆ ┆ Create: ┆ ┆ 46e-01 -9. │\n",
"│ ┆ ┆ ┆ (rule: ┆ ┆ ┆ RuleName: ┆ ┆ 36851799e- │\n",
"│ ┆ ┆ ┆ ProcessC… ┆ ┆ ┆ - ┆ ┆ … │\n",
"│ ┆ ┆ ┆ ┆ ┆ ┆ Pr… ┆ ┆ │\n",
"└───────┴─────────────┴────────────┴────────────┴───┴────────────┴────────────┴───────┴────────────┘\n"
]
}
],
"execution_count": 17
},
{
"metadata": {
"ExecuteTime": {
"end_time": "2024-06-23T14:42:20.663602Z",
"start_time": "2024-06-23T14:42:20.350354Z"
}
},
"cell_type": "code",
"source": [
"df = selected_columns_df.to_pandas()\n",
"\n",
"# Save the Pandas DataFrame to a Parquet file\n",
"df.to_parquet(\"vectorized_texts.parquet\")"
],
"id": "91e007e2b208dc7f",
"outputs": [],
"execution_count": 23
},
{
"metadata": {
"ExecuteTime": {
"end_time": "2024-06-23T14:42:43.948447Z",
"start_time": "2024-06-23T14:42:43.214997Z"
}
},
"cell_type": "code",
"source": [
"import pandas as pd\n",
"# Load the DataFrame from the Parquet file\n",
"loaded_df = pd.read_parquet(\"vectorized_texts.parquet\")\n",
"\n",
"# Verify the loaded DataFrame\n",
"print(loaded_df)"
],
"id": "48a10b20636b4a2d",
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
" index log.level winlog.event_id \\\n",
"0 0 information 10 \n",
"1 1 information 10 \n",
"2 2 information 1 \n",
"3 3 information 13 \n",
"4 4 information 1 \n",
"... ... ... ... \n",
"1022 1022 information 1 \n",
"1023 1023 information 10 \n",
"1024 1024 information 1 \n",
"1025 1025 information 22 \n",
"1026 1026 information 1 \n",
"\n",
" winlog.task \\\n",
"0 Process accessed (rule: ProcessAccess) \n",
"1 Process accessed (rule: ProcessAccess) \n",
"2 Process Create (rule: ProcessCreate) \n",
"3 Registry value set (rule: RegistryEvent) \n",
"4 Process Create (rule: ProcessCreate) \n",
"... ... \n",
"1022 Process Create (rule: ProcessCreate) \n",
"1023 Process accessed (rule: ProcessAccess) \n",
"1024 Process Create (rule: ProcessCreate) \n",
"1025 Dns query (rule: DnsQuery) \n",
"1026 Process Create (rule: ProcessCreate) \n",
"\n",
" filtered_message \\\n",
"0 Process accessed:\\nRuleName: -\\nSourceProcessI... \n",
"1 Process accessed:\\nRuleName: -\\nSourceProcessI... \n",
"2 Process Create:\\nRuleName: -\\nProcessId: 5196\\... \n",
"3 Registry value set:\\nRuleName: Tamper-Winlogon... \n",
"4 Process Create:\\nRuleName: -\\nProcessId: 6140\\... \n",
"... ... \n",
"1022 Process Create:\\nRuleName: -\\nProcessId: 5312\\... \n",
"1023 Process accessed:\\nRuleName: -\\nSourceProcessI... \n",
"1024 Process Create:\\nRuleName: -\\nProcessId: 5000\\... \n",
"1025 Dns query:\\nRuleName: -\\nProcessId: 9568\\nQuer... \n",
"1026 Process Create:\\nRuleName: -\\nProcessId: 8728\\... \n",
"\n",
" image target_filename \\\n",
"0 C:\\Windows\\system32\\svchost.exe \n",
"1 C:\\Windows\\system32\\svchost.exe \n",
"2 C:\\Windows\\servicing\\TrustedInstaller.exe \n",
"3 C:\\Windows\\servicing\\TrustedInstaller.exe \n",
"4 C:\\Windows\\WinSxS\\amd64_microsoft-windows-serv... \n",
"... ... ... \n",
"1022 C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\Mi... \n",
"1023 C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\Mi... \n",
"1024 C:\\Windows\\System32\\taskhostw.exe \n",
"1025 \n",
"1026 C:\\Program Files\\RUXIM\\PLUGScheduler.exe \n",
"\n",
" text label \\\n",
"0 Process accessed:\\nRuleName: -\\nSourceProcessI... good \n",
"1 Process accessed:\\nRuleName: -\\nSourceProcessI... good \n",
"2 Process Create:\\nRuleName: -\\nProcessId: 5196\\... good \n",
"3 Registry value set:\\nRuleName: Tamper-Winlogon... good \n",
"4 Process Create:\\nRuleName: -\\nProcessId: 6140\\... good \n",
"... ... ... \n",
"1022 Process Create:\\nRuleName: -\\nProcessId: 5312\\... good \n",
"1023 Process accessed:\\nRuleName: -\\nSourceProcessI... good \n",
"1024 Process Create:\\nRuleName: -\\nProcessId: 5000\\... good \n",
"1025 Dns query:\\nRuleName: -\\nProcessId: 9568\\nQuer... good \n",
"1026 Process Create:\\nRuleName: -\\nProcessId: 8728\\... good \n",
"\n",
" text_vector \n",
"0 [-0.32128870487213135, -0.008510575629770756, ... \n",
"1 [-0.3122658133506775, -0.00911662820726633, 0.... \n",
"2 [-0.3229663372039795, -0.0005048469174653292, ... \n",
"3 [-0.21143896877765656, -0.12685905396938324, 0... \n",
"4 [-0.3781927824020386, 0.12961240112781525, 0.4... \n",
"... ... \n",
"1022 [-0.3417365550994873, -0.07532583177089691, 0.... \n",
"1023 [-0.2859322726726532, 0.0036172550171613693, 0... \n",
"1024 [-0.3556979298591614, -0.038922905921936035, 0... \n",
"1025 [-0.2601829469203949, -0.17018236219882965, 0.... \n",
"1026 [-0.34428584575653076, -0.09368517994880676, 0... \n",
"\n",
"[1027 rows x 10 columns]\n"
]
}
],
"execution_count": 25
},
{
"metadata": {
"ExecuteTime": {
"end_time": "2024-06-23T15:40:20.568804Z",
"start_time": "2024-06-23T15:35:44.243587Z"
}
},
"cell_type": "code",
"source": [
"import os\n",
"import pandas as pd\n",
"import torch\n",
"from sklearn.model_selection import train_test_split\n",
"from sklearn.preprocessing import LabelEncoder\n",
"from tpot import TPOTClassifier\n",
"\n",
"# Load the DataFrame from the Parquet file\n",
"df = pd.read_parquet(\"vectorized_texts.parquet\")\n",
"\n",
"# Ensure to use only CPU for PyTorch\n",
"device = torch.device(\"cpu\")\n",
"\n",
"# Encode labels\n",
"le = LabelEncoder()\n",
"df['label_encoded'] = le.fit_transform(df['label'])\n",
"\n",
"# Split data\n",
"X_train, X_test, y_train, y_test = train_test_split(df['text_vector'].tolist(), df['label_encoded'], test_size=0.2, random_state=42)\n",
"\n",
"# Convert lists to numpy arrays\n",
"X_train = torch.tensor(X_train, device=device).numpy()\n",
"X_test = torch.tensor(X_test, device=device).numpy()\n",
"\n",
"# TPOT classifier with higher verbosity\n",
"tpot = TPOTClassifier(verbosity=3, generations=5, population_size=20)\n",
"tpot.fit(X_train, y_train)\n",
"\n",
"# Evaluate the model\n",
"print(\"TPOT Score:\", tpot.score(X_test, y_test))\n",
"\n",
"# Save the trained model\n",
"tpot.export('tpot_pipeline.py')\n",
"\n",
"# Print the exported pipeline\n",
"with open('tpot_pipeline.py') as f:\n",
" print(f.read())\n",
"\n",
"# Example of using the trained model\n",
"predictions = tpot.predict(X_test)\n",
"print(\"Predictions:\", predictions)\n"
],
"id": "75d84e297b03eaf4",
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"32 operators have been imported by TPOT.\n"
]
},
{
"data": {
"text/plain": [
"Optimization Progress: 0%| | 0/120 [00:00<?, ?pipeline/s]"
],
"application/vnd.jupyter.widget-view+json": {
"version_major": 2,
"version_minor": 0,
"model_id": "cdd334c618a04e55a3f580c1d7e5239b"
}
},
"metadata": {},
"output_type": "display_data"
},
{
"name": "stdout",
"output_type": "stream",
"text": [
"_pre_test decorator: _random_mutation_operator: num_test=0 Solver lbfgs supports only dual=False, got dual=True.\n",
"_pre_test decorator: _random_mutation_operator: num_test=1 Unsupported set of arguments: The combination of penalty='l1' and loss='hinge' is not supported, Parameters: penalty='l1', loss='hinge', dual=True.\n",
"\n",
"Generation 1 - Current Pareto front scores:\n",
"\n",
"-1\t0.9975683665927569\tLogisticRegression(input_matrix, LogisticRegression__C=20.0, LogisticRegression__dual=False, LogisticRegression__penalty=l2)\n",
"_pre_test decorator: _random_mutation_operator: num_test=0 Solver lbfgs supports only dual=False, got dual=True.\n",
"_pre_test decorator: _random_mutation_operator: num_test=1 Unsupported set of arguments: The combination of penalty='l1' and loss='hinge' is not supported, Parameters: penalty='l1', loss='hinge', dual=False.\n",
"_pre_test decorator: _random_mutation_operator: num_test=0 Solver lbfgs supports only dual=False, got dual=True.\n",
"_pre_test decorator: _random_mutation_operator: num_test=1 Solver lbfgs supports only 'l2' or None penalties, got l1 penalty..\n",
"_pre_test decorator: _random_mutation_operator: num_test=0 Solver lbfgs supports only dual=False, got dual=True.\n",
"_pre_test decorator: _random_mutation_operator: num_test=1 Solver lbfgs supports only 'l2' or None penalties, got l1 penalty..\n",
"\n",
"Generation 2 - Current Pareto front scores:\n",
"\n",
"-1\t0.9975683665927569\tLogisticRegression(input_matrix, LogisticRegression__C=20.0, LogisticRegression__dual=False, LogisticRegression__penalty=l2)\n",
"_pre_test decorator: _random_mutation_operator: num_test=0 Solver lbfgs supports only dual=False, got dual=True.\n",
"_pre_test decorator: _random_mutation_operator: num_test=0 Solver lbfgs supports only 'l2' or None penalties, got l1 penalty..\n",
"_pre_test decorator: _random_mutation_operator: num_test=0 Unsupported set of arguments: The combination of penalty='l1' and loss='squared_hinge' are not supported when dual=True, Parameters: penalty='l1', loss='squared_hinge', dual=True.\n",
"_pre_test decorator: _random_mutation_operator: num_test=1 Solver lbfgs supports only 'l2' or None penalties, got l1 penalty..\n",
"\n",
"Generation 3 - Current Pareto front scores:\n",
"\n",
"-1\t0.9975683665927569\tLogisticRegression(input_matrix, LogisticRegression__C=20.0, LogisticRegression__dual=False, LogisticRegression__penalty=l2)\n",
"_pre_test decorator: _random_mutation_operator: num_test=0 Solver lbfgs supports only 'l2' or None penalties, got l1 penalty..\n",
"_pre_test decorator: _random_mutation_operator: num_test=0 Negative values in data passed to MultinomialNB (input X).\n",
"_pre_test decorator: _random_mutation_operator: num_test=0 Solver lbfgs supports only 'l2' or None penalties, got l1 penalty..\n",
"\n",
"Generation 4 - Current Pareto front scores:\n",
"\n",
"-1\t0.9975683665927569\tLogisticRegression(input_matrix, LogisticRegression__C=20.0, LogisticRegression__dual=False, LogisticRegression__penalty=l2)\n",
"_pre_test decorator: _random_mutation_operator: num_test=0 Solver lbfgs supports only dual=False, got dual=True.\n",
"_pre_test decorator: _random_mutation_operator: num_test=0 Solver lbfgs supports only dual=False, got dual=True.\n",
"_pre_test decorator: _random_mutation_operator: num_test=1 Solver lbfgs supports only 'l2' or None penalties, got l1 penalty..\n",
"_pre_test decorator: _random_mutation_operator: num_test=2 Unsupported set of arguments: The combination of penalty='l1' and loss='hinge' is not supported, Parameters: penalty='l1', loss='hinge', dual=False.\n",
"_pre_test decorator: _random_mutation_operator: num_test=3 Solver lbfgs supports only dual=False, got dual=True.\n",
"\n",
"Generation 5 - Current Pareto front scores:\n",
"\n",
"-1\t0.9975683665927569\tLogisticRegression(input_matrix, LogisticRegression__C=20.0, LogisticRegression__dual=False, LogisticRegression__penalty=l2)\n",
"TPOT Score: 1.0\n",
"import numpy as np\n",
"import pandas as pd\n",
"from sklearn.linear_model import LogisticRegression\n",
"from sklearn.model_selection import train_test_split\n",
"\n",
"# NOTE: Make sure that the outcome column is labeled 'target' in the data file\n",
"tpot_data = pd.read_csv('PATH/TO/DATA/FILE', sep='COLUMN_SEPARATOR', dtype=np.float64)\n",
"features = tpot_data.drop('target', axis=1)\n",
"training_features, testing_features, training_target, testing_target = \\\n",
" train_test_split(features, tpot_data['target'], random_state=None)\n",
"\n",
"# Average CV score on the training set was: 0.9975683665927569\n",
"exported_pipeline = LogisticRegression(C=20.0, dual=False, penalty=\"l2\")\n",
"\n",
"exported_pipeline.fit(training_features, training_target)\n",
"results = exported_pipeline.predict(testing_features)\n",
"\n",
"Predictions: [1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1\n",
" 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1\n",
" 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1\n",
" 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1\n",
" 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1\n",
" 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1]\n"
]
}
],
"execution_count": 28
},
{
"metadata": {
"ExecuteTime": {
"end_time": "2024-06-23T15:40:32.639885Z",
"start_time": "2024-06-23T15:40:32.632855Z"
}
},
"cell_type": "code",
"source": "print(\"The accuracy of the best model is: \", tpot.score(X_test, y_test))\n",
"id": "6cf76b5736411710",
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"The accuracy of the best model is: 1.0\n"
]
}
],
"execution_count": 29
},
{
"metadata": {
"ExecuteTime": {
"end_time": "2024-06-23T15:45:08.745744Z",
"start_time": "2024-06-23T15:45:04.326699Z"
}
},
"cell_type": "code",
"source": "%pip install matplotlib",
"id": "d99c8aa5529a72d1",
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Requirement already satisfied: matplotlib in /Users/mc/anaconda3/lib/python3.11/site-packages (3.8.0)\r\n",
"Requirement already satisfied: contourpy>=1.0.1 in /Users/mc/anaconda3/lib/python3.11/site-packages (from matplotlib) (1.2.0)\r\n",
"Requirement already satisfied: cycler>=0.10 in /Users/mc/anaconda3/lib/python3.11/site-packages (from matplotlib) (0.11.0)\r\n",
"Requirement already satisfied: fonttools>=4.22.0 in /Users/mc/anaconda3/lib/python3.11/site-packages (from matplotlib) (4.25.0)\r\n",
"Requirement already satisfied: kiwisolver>=1.0.1 in /Users/mc/anaconda3/lib/python3.11/site-packages (from matplotlib) (1.4.4)\r\n",
"Requirement already satisfied: numpy<2,>=1.21 in /Users/mc/anaconda3/lib/python3.11/site-packages (from matplotlib) (1.26.4)\r\n",
"Requirement already satisfied: packaging>=20.0 in /Users/mc/anaconda3/lib/python3.11/site-packages (from matplotlib) (23.1)\r\n",
"Requirement already satisfied: pillow>=6.2.0 in /Users/mc/anaconda3/lib/python3.11/site-packages (from matplotlib) (10.2.0)\r\n",
"Requirement already satisfied: pyparsing>=2.3.1 in /Users/mc/anaconda3/lib/python3.11/site-packages (from matplotlib) (3.0.9)\r\n",
"Requirement already satisfied: python-dateutil>=2.7 in /Users/mc/anaconda3/lib/python3.11/site-packages (from matplotlib) (2.8.2)\r\n",
"Requirement already satisfied: six>=1.5 in /Users/mc/anaconda3/lib/python3.11/site-packages (from python-dateutil>=2.7->matplotlib) (1.16.0)\r\n",
"Note: you may need to restart the kernel to use updated packages.\n"
]
}
],
"execution_count": 30
},
{
"metadata": {
"ExecuteTime": {
"end_time": "2024-06-23T16:14:34.361740Z",
"start_time": "2024-06-23T15:45:13.819963Z"
}
},
"cell_type": "code",
"source": [
"import os\n",
"import pandas as pd\n",
"import torch\n",
"from sklearn.model_selection import train_test_split\n",
"from sklearn.preprocessing import LabelEncoder\n",
"from tpot import TPOTClassifier\n",
"from collections import Counter\n",
"\n",
"# Load the DataFrame from the Parquet file\n",
"df = pd.read_parquet(\"vectorized_texts.parquet\")\n",
"\n",
"# Ensure to use only CPU for PyTorch\n",
"device = torch.device(\"cpu\")\n",
"\n",
"# Encode labels\n",
"le = LabelEncoder()\n",
"df['label_encoded'] = le.fit_transform(df['label'])\n",
"\n",
"# Split data\n",
"X_train, X_test, y_train, y_test = train_test_split(df['text_vector'].tolist(), df['label_encoded'], test_size=0.2, random_state=42)\n",
"\n",
"# Convert lists to numpy arrays\n",
"X_train = torch.tensor(X_train, device=device).numpy()\n",
"X_test = torch.tensor(X_test, device=device).numpy()\n",
"\n",
"# TPOT classifier with higher verbosity\n",
"tpot = TPOTClassifier(verbosity=3, generations=5, population_size=20)\n",
"tpot.fit(X_train, y_train)\n",
"\n",
"# Evaluate the model\n",
"print(\"TPOT Score:\", tpot.score(X_test, y_test))\n",
"\n",
"# Save the trained model\n",
"tpot.export('tpot_pipeline.py')\n",
"\n",
"# Print the exported pipeline\n",
"with open('tpot_pipeline.py') as f:\n",
" print(f.read())\n",
"\n",
"# Example of using the trained model\n",
"predictions = tpot.predict(X_test)\n",
"print(\"Predictions:\", predictions)\n",
"\n",
"# Extract information about models tested\n",
"evaluated_pipelines = tpot.evaluated_individuals_\n"
],
"id": "705690ce71dfda4c",
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"32 operators have been imported by TPOT.\n"
]
},
{
"data": {
"text/plain": [
"Optimization Progress: 0%| | 0/120 [00:00<?, ?pipeline/s]"
],
"application/vnd.jupyter.widget-view+json": {
"version_major": 2,
"version_minor": 0,
"model_id": "f7e3f3bcb7f64b0eb87cc1a70a31169b"
}
},
"metadata": {},
"output_type": "display_data"
},
{
"name": "stdout",
"output_type": "stream",
"text": [
"_pre_test decorator: _random_mutation_operator: num_test=0 The 'loss' parameter of SGDClassifier must be a str among {'perceptron', 'squared_hinge', 'modified_huber', 'log_loss', 'huber', 'epsilon_insensitive', 'hinge', 'squared_error', 'squared_epsilon_insensitive'}. Got 'log' instead..\n",
"\n",
"Generation 1 - Current Pareto front scores:\n",
"\n",
"-1\t0.9975683665927569\tGradientBoostingClassifier(input_matrix, GradientBoostingClassifier__learning_rate=0.001, GradientBoostingClassifier__max_depth=9, GradientBoostingClassifier__max_features=0.5, GradientBoostingClassifier__min_samples_leaf=14, GradientBoostingClassifier__min_samples_split=17, GradientBoostingClassifier__n_estimators=100, GradientBoostingClassifier__subsample=0.55)\n",
"_pre_test decorator: _random_mutation_operator: num_test=0 Solver lbfgs supports only dual=False, got dual=True.\n",
"_pre_test decorator: _random_mutation_operator: num_test=0 Solver lbfgs supports only 'l2' or None penalties, got l1 penalty..\n",
"_pre_test decorator: _random_mutation_operator: num_test=0 Solver lbfgs supports only 'l2' or None penalties, got l1 penalty..\n",
"\n",
"Generation 2 - Current Pareto front scores:\n",
"\n",
"-1\t0.9975683665927569\tGradientBoostingClassifier(input_matrix, GradientBoostingClassifier__learning_rate=0.001, GradientBoostingClassifier__max_depth=9, GradientBoostingClassifier__max_features=0.5, GradientBoostingClassifier__min_samples_leaf=14, GradientBoostingClassifier__min_samples_split=17, GradientBoostingClassifier__n_estimators=100, GradientBoostingClassifier__subsample=0.55)\n",
"_pre_test decorator: _random_mutation_operator: num_test=0 Negative values in data passed to MultinomialNB (input X).\n",
"\n",
"Generation 3 - Current Pareto front scores:\n",
"\n",
"-1\t0.9975683665927569\tGradientBoostingClassifier(input_matrix, GradientBoostingClassifier__learning_rate=0.001, GradientBoostingClassifier__max_depth=9, GradientBoostingClassifier__max_features=0.5, GradientBoostingClassifier__min_samples_leaf=14, GradientBoostingClassifier__min_samples_split=17, GradientBoostingClassifier__n_estimators=100, GradientBoostingClassifier__subsample=0.55)\n",
"_pre_test decorator: _random_mutation_operator: num_test=0 Solver lbfgs supports only 'l2' or None penalties, got l1 penalty..\n",
"_pre_test decorator: _random_mutation_operator: num_test=0 Negative values in data passed to MultinomialNB (input X).\n",
"_pre_test decorator: _random_mutation_operator: num_test=0 Negative values in data passed to MultinomialNB (input X).\n",
"Pipeline encountered that has previously been evaluated during the optimization process. Using the score from the previous evaluation.\n",
"\n",
"Generation 4 - Current Pareto front scores:\n",
"\n",
"-1\t0.9975683665927569\tGradientBoostingClassifier(input_matrix, GradientBoostingClassifier__learning_rate=0.001, GradientBoostingClassifier__max_depth=9, GradientBoostingClassifier__max_features=0.5, GradientBoostingClassifier__min_samples_leaf=14, GradientBoostingClassifier__min_samples_split=17, GradientBoostingClassifier__n_estimators=100, GradientBoostingClassifier__subsample=0.55)\n",
"_pre_test decorator: _random_mutation_operator: num_test=0 Solver lbfgs supports only 'l2' or None penalties, got l1 penalty..\n",
"\n",
"Generation 5 - Current Pareto front scores:\n",
"\n",
"-1\t0.9975683665927569\tGradientBoostingClassifier(input_matrix, GradientBoostingClassifier__learning_rate=0.001, GradientBoostingClassifier__max_depth=9, GradientBoostingClassifier__max_features=0.5, GradientBoostingClassifier__min_samples_leaf=14, GradientBoostingClassifier__min_samples_split=17, GradientBoostingClassifier__n_estimators=100, GradientBoostingClassifier__subsample=0.55)\n",
"TPOT Score: 1.0\n",
"import numpy as np\n",
"import pandas as pd\n",
"from sklearn.ensemble import GradientBoostingClassifier\n",
"from sklearn.model_selection import train_test_split\n",
"\n",
"# NOTE: Make sure that the outcome column is labeled 'target' in the data file\n",
"tpot_data = pd.read_csv('PATH/TO/DATA/FILE', sep='COLUMN_SEPARATOR', dtype=np.float64)\n",
"features = tpot_data.drop('target', axis=1)\n",
"training_features, testing_features, training_target, testing_target = \\\n",
" train_test_split(features, tpot_data['target'], random_state=None)\n",
"\n",
"# Average CV score on the training set was: 0.9975683665927569\n",
"exported_pipeline = GradientBoostingClassifier(learning_rate=0.001, max_depth=9, max_features=0.5, min_samples_leaf=14, min_samples_split=17, n_estimators=100, subsample=0.55)\n",
"\n",
"exported_pipeline.fit(training_features, training_target)\n",
"results = exported_pipeline.predict(testing_features)\n",
"\n",
"Predictions: [1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1\n",
" 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1\n",
" 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1\n",
" 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1\n",
" 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1\n",
" 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1]\n"
]
},
{
"ename": "AttributeError",
"evalue": "'dict' object has no attribute '_final_estimator'",
"output_type": "error",
"traceback": [
"\u001B[0;31m---------------------------------------------------------------------------\u001B[0m",
"\u001B[0;31mAttributeError\u001B[0m Traceback (most recent call last)",
"Cell \u001B[0;32mIn[31], line 50\u001B[0m\n\u001B[1;32m 48\u001B[0m model_counter \u001B[38;5;241m=\u001B[39m Counter()\n\u001B[1;32m 49\u001B[0m \u001B[38;5;28;01mfor\u001B[39;00m pipeline \u001B[38;5;129;01min\u001B[39;00m evaluated_pipelines\u001B[38;5;241m.\u001B[39mvalues():\n\u001B[0;32m---> 50\u001B[0m \u001B[38;5;28;01mfor\u001B[39;00m step \u001B[38;5;129;01min\u001B[39;00m pipeline\u001B[38;5;241m.\u001B[39m_final_estimator\u001B[38;5;241m.\u001B[39msteps:\n\u001B[1;32m 51\u001B[0m model_counter[step[\u001B[38;5;241m0\u001B[39m]] \u001B[38;5;241m+\u001B[39m\u001B[38;5;241m=\u001B[39m \u001B[38;5;241m1\u001B[39m\n\u001B[1;32m 53\u001B[0m \u001B[38;5;28mprint\u001B[39m(\u001B[38;5;124m\"\u001B[39m\u001B[38;5;124mModels and their occurrences:\u001B[39m\u001B[38;5;124m\"\u001B[39m)\n",
"\u001B[0;31mAttributeError\u001B[0m: 'dict' object has no attribute '_final_estimator'"
]
}
],
"execution_count": 31
},
{
"metadata": {
"ExecuteTime": {
"end_time": "2024-06-23T16:17:12.274731Z",
"start_time": "2024-06-23T16:17:11.509163Z"
}
},
"cell_type": "code",
"source": [
"# Count occurrences of each model type\n",
"model_counter = Counter()\n",
"for pipeline_str in evaluated_pipelines.keys():\n",
" models = re.findall(r'\\w+\\(.*?\\)', pipeline_str)\n",
" for model in models:\n",
" model_name = model.split('(')[0]\n",
" model_counter[model_name] += 1\n",
"\n",
"print(\"Models and their occurrences:\")\n",
"for model, count in model_counter.items():\n",
" print(f\"{model}: {count}\")\n",
"\n",
"# Visualize the count of different models\n",
"import matplotlib.pyplot as plt\n",
"\n",
"model_names = list(model_counter.keys())\n",
"model_counts = list(model_counter.values())\n",
"\n",
"plt.figure(figsize=(12, 6))\n",
"plt.barh(model_names, model_counts, color='skyblue')\n",
"plt.xlabel('Number of Occurrences')\n",
"plt.ylabel('Model')\n",
"plt.title('Frequency of Models Tested by TPOT')\n",
"plt.show()"
],
"id": "565066bf3b5f0820",
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Models and their occurrences:\n",
"GradientBoostingClassifier: 43\n",
"KNeighborsClassifier: 10\n",
"DecisionTreeClassifier: 10\n",
"BernoulliNB: 11\n",
"LogisticRegression: 4\n",
"MLPClassifier: 8\n",
"ExtraTreesClassifier: 8\n",
"XGBClassifier: 7\n",
"RandomForestClassifier: 11\n",
"LinearSVC: 1\n",
"GaussianNB: 1\n",
"SGDClassifier: 3\n"
]
},
{
"data": {
"text/plain": [
"<Figure size 1200x600 with 1 Axes>"
],
"image/png": "iVBORw0KGgoAAAANSUhEUgAABIwAAAIhCAYAAAAsBCGlAAAAOXRFWHRTb2Z0d2FyZQBNYXRwbG90bGliIHZlcnNpb24zLjguMCwgaHR0cHM6Ly9tYXRwbG90bGliLm9yZy81sbWrAAAACXBIWXMAAA9hAAAPYQGoP6dpAACpD0lEQVR4nOzdeXxN1/7/8fdJIoOcDCRIVAYkQUyRGlpaQw1BKaWlaEkpNVdRU81Uah7amocorqGmGkrVEBRVVFBiChGtqNaQVIxJzu8Pv5yvLaHmaL2ej8d+XGfvtdf+7H3OfTxu3nettU0Wi8UiAAAAAAAA4P+zyeoCAAAAAAAA8GwhMAIAAAAAAIABgREAAAAAAAAMCIwAAAAAAABgQGAEAAAAAAAAAwIjAAAAAAAAGBAYAQAAAAAAwIDACAAAAAAAAAYERgAAAAAAADAgMAIAAE9MZGSkTCZTplv37t2zurzn1oYNG1S6dGk5OzvLZDJp+fLlmbaLi4uzfl8DBw7MtE3Lli2tbR6nypUrq3Llyg91rr+/v8LDwx/5+nf77d6+3e25PKiJEycqMjLysfR1p/upMyoqSiaTSYsXL34iNaTXcT9bVFSU4bdnMplkY2MjDw8P1a5dWzt27MjQ9/nz59W7d28FBwcre/bscnV11UsvvaSvvvpKN2/etLYLDw+/rxoe9fcDAP8FdlldAAAA+O+bNWuWChcubNiXN2/eLKrm+WaxWNSoUSMFBQVpxYoVcnZ2VqFChe55jouLiyIjI9W/f3/Z2Pzf/994+fJlffPNN3J1dVVSUtKTLv2pmjhxouGeVq9eraFDh2b4LefLl++xXc/T0/M/HVTcGfQMGTJEmzZt0saNGw37g4ODdeHCBUlSp06d1LRpU6WmpurgwYMaNGiQqlSpoh07dqhUqVKSpMOHD6tGjRq6fPmyunXrpvLly+vq1atatWqVPvroI33zzTf67rvvlD17dvXr109t27a1XuuXX35Rhw4dNGzYMFWpUsW6P1euXE/qMQDAvwaBEQAAeOKKFSum0qVL31fbmzdvymQyyc6O/5nyJJw5c0YXLlzQm2++qapVq97XOY0bN9b06dO1YcMGVa9e3bp/4cKFSk1NVf369TV37twnVXKWCA4ONnw+fPiwpAf7LcPopZdeMnzOlSuXbGxsMuyXZA2MfH19rccrVKiggIAAVa1aVRMnTtS0adOUmpqqhg0bKikpST///LOCgoKsfdSuXVuVKlXSO++8o65du2ry5MkqWLCgChYsaG1z7do1SVJgYGCmdQDA84wpaQAAIMukT4OZM2eOunXrphdeeEEODg46fvy4JGn9+vWqWrWqXF1dlT17dlWoUEEbNmzI0M/q1asVEhIiBwcH5c+fX6NGjdLAgQMN06TSp7hkNu0nsyk7x44dU9OmTZU7d245ODioSJEi+uqrrzKtf/78+fr000+VN29eubq6qlq1ajpy5EiG66xdu1ZVq1aVm5ubsmfPriJFiigiIkKSNGfOHJlMpkyn2wwePFjZsmXTmTNn7vk8f/zxR1WtWlUuLi7Knj27ypcvr9WrV1uPDxw40DoipmfPnjKZTPL3979nn5JUqFAhlS9fXjNnzjTsnzlzpho0aCA3N7cM56SlpWnEiBEqXLiwHBwclDt3bjVv3ly//faboZ3FYtGIESPk5+cnR0dHhYaGas2aNZnWkZSUpO7duyt//vyyt7fXCy+8oC5duig5Ofme9aelpWno0KEqVKiQnJyc5O7urhIlSmj8+PH/eO//ZOHChXr55Zfl7Owss9mssLAw7d2719DmxIkTeuedd5Q3b145ODgoT548qlq1qqKjoyXdmkJ38OBBbd682Tol6vbv5X7vOykpSa1bt5aHh4fMZrNq1qypo0ePPtD9XLt2TV27dpWXl5ecnJxUqVIlw/08jt/po0gPdU6dOiVJWrZsmQ4dOqRevXoZwqJ0jRs3Vo0aNTRjxgydPXv2idUFAP9FBEYAAOCJS01NVUpKimG7Xe/evRUfH6/Jkydr5cqVyp07t+bOnasaNWrI1dVVs2fP1qJFi5QzZ06FhYUZQqMNGzaoXr16cnFx0YIFCzRy5EgtWrRIs2bNeuh6Dx06pDJlyujXX3/V6NGjtWrVKr3++uvq3LmzBg0alKF9nz59dOrUKU2fPl1Tp07VsWPHVLduXaWmplrbzJgxQ7Vr11ZaWpr1Pjt37mwNUBo3biwvL68MoVRKSoqmTJmiN998857T+DZv3qzXXntNiYmJmjFjhubPny8XFxfVrVtXCxculCR98MEHWrp0qaRbU3127NihZcuW3dczadWqlZYvX66LFy9Kko4cOaLt27erVatWmbZv166devbsqerVq2vFihUaMmSI1q5dq/Lly+uvv/6yths0aJC13fLly9WuXTu1bt06Q+B25coVVapUSbNnz1bnzp21Zs0a9ezZU5GRkXrjjTdksVjuWvuIESM0cOBANWnSRKtXr9bChQvVqlUrXbp06b7u/W6GDRumJk2aKDg4WIsWLdKcOXP0999/69VXX9WhQ4es7WrXrq09e/ZoxIgR+uGHHzRp0iSVKlXKev1ly5apQIECKlWqlHbs2GH4Xu73vi0Wi+rXr28NX5ctW6aXXnpJtWrVeqB76tOnj06cOKHp06dr+vTpOnPmjCpXrqwTJ05IevTf6aNKD5PTp4z98MMPkqT69evf9Zz69esrJSVFUVFRT6wuAPhPsgAAADwhs2bNskjKdLt586Zl06ZNFkmWihUrGs5LTk625MyZ01K3bl3D/tTUVEvJkiUtZcuWte4rV66cJW/evJarV69a9yUlJVly5sxpuf1/6pw8edIiyTJr1qwMdUqyDBgwwPo5LCzMki9fPktiYqKhXceOHS2Ojo6WCxcuWCwWi7X+2rVrG9otWrTIIsmyY8cOi8Visfz9998WV1dXyyuvvGJJS0u76/MaMGCAxd7e3vLHH39Y9y1cuNAiybJ58+a7nmexWCwvvfSSJXfu3Ja///7bui8lJcVSrFgxS758+azXTX8OI0eOvGd/d7b9+++/LWaz2fLll19aLBaL5ZNPPrHkz5/fkpaWZunQoYPhWcfExFgkWdq3b2/ob+fOnRZJlj59+lgsFovl4sWLFkdHR8ubb75paLdt2zaLJEulSpWs+yIiIiw2NjaWXbt2GdouXrzYIsny3XffWff5+flZWrRoYf1cp04dS0hIyD/e772k/5bTrx8fH2+xs7OzdOrUydDu77//tnh5eVkaNWpksVgslr/++ssiyTJu3Lh79l+0aFHD/aa73/tes2aNRZJl/PjxhnafffZZht93ZtJ/y6GhoYbfaFxcnCVbtmyWDz74wLrvUX6nt2vRooXF2dk502Ppv73hw4dbbt68abl27Zplz549ljJlylgkWVavXm2xWCyWmjVrWiRZrl27dtfrpD+b4cOH3/W+v/nmm/uuGwCeF4wwAgAAT9zXX3+tXbt2Gbbb1yhq2LChof327dt14cIFtWjRwjAqKS0tTTVr1tSuXbuUnJys5ORk7dq1Sw0aNJCjo6P1/PSRNQ/j2rVr2rBhg958801lz57dcP3atWvr2rVr+umnnwznvPHGG4bPJUqUkPR/02a2b9+upKQktW/f/p5vE2vXrp0kadq0adZ9X375pYoXL66KFSve9bzk5GTt3LlTb731lsxms3W/ra2t3nvvPf3222+ZTpF7EGazWW+//bZmzpyplJQUff3113r//fczvZ9NmzZJUoYFnMuWLasiRYpYR4jt2LFD165dU7NmzQztypcvLz8/P8O+VatWqVixYgoJCTF8J2FhYdY3a91N2bJltW/fPrVv317ff//9Y1mg+/vvv1dKSoqaN29uqMfR0VGVKlWy1pMzZ04VLFhQI0eO1JgxY7R3716lpaXd93Xu977Tn/mdz7Jp06YPdF9NmzY1fKd+fn4qX768tX/p4X+nD6Nnz57Kli2bHB0d9eKLLyo+Pl5TpkxR7dq177sPy/8fhfW43+QHAP91rCYJAACeuCJFitxzoWBvb2/D5z/++EOS9NZbb931nAsXLshkMiktLU1
},
"metadata": {},
"output_type": "display_data"
}
],
"execution_count": 32
},
{
"metadata": {},
"cell_type": "code",
"outputs": [],
"execution_count": null,
"source": "",
"id": "f6faa6d6265c094e"
}
],
"metadata": {
"kernelspec": {
"display_name": "Python 3",
"language": "python",
"name": "python3"
},
"language_info": {
"codemirror_mode": {
"name": "ipython",
"version": 2
},
"file_extension": ".py",
"mimetype": "text/x-python",
"name": "python",
"nbconvert_exporter": "python",
"pygments_lexer": "ipython2",
"version": "2.7.6"
}
},
"nbformat": 4,
"nbformat_minor": 5
}
Reference in New Issue Copy Permalink