From 65923acf69f5e429732a27c424d00bae3dcbe737 Mon Sep 17 00:00:00 2001
From: marius <11855163+norandom@users.noreply.github.com>
Date: Mon, 24 Jun 2024 10:36:48 +0200
Subject: [PATCH] documentation update for TPOT foundations
---
.../TPOT_Foundations.ipynb | 3263 +----------------
1 file changed, 195 insertions(+), 3068 deletions(-)
diff --git a/2-5-automated-machine-learning-with-gp/TPOT_Foundations.ipynb b/2-5-automated-machine-learning-with-gp/TPOT_Foundations.ipynb
index d7e5d25..eeea833 100644
--- a/2-5-automated-machine-learning-with-gp/TPOT_Foundations.ipynb
+++ b/2-5-automated-machine-learning-with-gp/TPOT_Foundations.ipynb
@@ -1,13 +1,27 @@
{
"cells": [
{
+ "metadata": {},
+ "cell_type": "markdown",
+ "source": [
+ "# Foundational code for TPOT\n",
+ "\n",
+ "Exploring the foundations of the Genetic Programming (GP) library TPOT, which automates the process of selecting the best machine learning model and hyperparameters for a given dataset. This notebook demonstrates the following foundational concepts:\n",
+ "\n",
+ "* Loading data from Elasticsearch\n",
+ "* Preparing nested data for the data pipeline\n",
+ "* Filtering out irrelevant information from traces\n",
+ "* Vectorizing text data using BERT\n",
+ "* Training a TPOT model\n",
+ "* Evaluating the model and exporting the pipeline\n",
+ "* Visualizing the frequency of models tested by TPOT\n",
+ "* Loading the trained model and making predictions (todo)"
+ ],
+ "id": "9090fc8231b5aa47"
+ },
+ {
+ "metadata": {},
"cell_type": "code",
- "execution_count": null,
- "id": "initial_id",
- "metadata": {
- "collapsed": true
- },
- "outputs": [],
"source": [
"import requests\n",
"import pandas as pd\n",
@@ -121,16 +135,24 @@
" \n",
" print(f\"Retrieved {total_documents_retrieved} documents.\")\n",
"\n",
- "print(\"Files have been written.\")\n"
- ]
+ "print(\"Files have been written.\")"
+ ],
+ "id": "initial_id",
+ "outputs": [],
+ "execution_count": null
},
{
- "metadata": {
- "ExecuteTime": {
- "end_time": "2024-06-23T14:27:10.324996Z",
- "start_time": "2024-06-23T14:27:10.066377Z"
- }
- },
+ "metadata": {},
+ "cell_type": "markdown",
+ "source": [
+ "## Load data from a CSV file\n",
+ "\n",
+ "Load the data from the CSV file into a DataFrame using Polars, a fast DataFrame library in Rust. This step is necessary to prepare the data for further processing and filtering.\n"
+ ],
+ "id": "7dc4287c4b67a923"
+ },
+ {
+ "metadata": {},
"cell_type": "code",
"source": [
"import polars as pl\n",
@@ -145,75 +167,23 @@
"print(df)\n"
],
"id": "847862813f6a8c74",
- "outputs": [
- {
- "name": "stdout",
- "output_type": "stream",
- "text": [
- "shape: (1_027, 7)\n",
- "┌──────────────┬─────────────┬─────────────┬─────────────┬─────────────┬─────────────┬─────────────┐\n",
- "│ @timestamp ┆ host.hostna ┆ host.ip ┆ log.level ┆ winlog.even ┆ winlog.task ┆ message │\n",
- "│ --- ┆ me ┆ --- ┆ --- ┆ t_id ┆ --- ┆ --- │\n",
- "│ str ┆ --- ┆ str ┆ str ┆ --- ┆ str ┆ str │\n",
- "│ ┆ str ┆ ┆ ┆ i64 ┆ ┆ │\n",
- "╞══════════════╪═════════════╪═════════════╪═════════════╪═════════════╪═════════════╪═════════════╡\n",
- "│ 2024-06-23T0 ┆ win10 ┆ fe80::965b: ┆ information ┆ 10 ┆ Process ┆ Process │\n",
- "│ 7:42:03.814Z ┆ ┆ 5bf2:7f22:d ┆ ┆ ┆ accessed ┆ accessed: │\n",
- "│ ┆ ┆ 30 ┆ ┆ ┆ (rule: ┆ RuleName: - │\n",
- "│ ┆ ┆ ┆ ┆ ┆ Proces… ┆ … │\n",
- "│ 2024-06-23T0 ┆ win10 ┆ fe80::965b: ┆ information ┆ 10 ┆ Process ┆ Process │\n",
- "│ 7:42:03.814Z ┆ ┆ 5bf2:7f22:d ┆ ┆ ┆ accessed ┆ accessed: │\n",
- "│ ┆ ┆ 30 ┆ ┆ ┆ (rule: ┆ RuleName: - │\n",
- "│ ┆ ┆ ┆ ┆ ┆ Proces… ┆ … │\n",
- "│ 2024-06-23T0 ┆ win10 ┆ fe80::965b: ┆ information ┆ 1 ┆ Process ┆ Process │\n",
- "│ 7:42:03.820Z ┆ ┆ 5bf2:7f22:d ┆ ┆ ┆ Create ┆ Create: │\n",
- "│ ┆ ┆ 30 ┆ ┆ ┆ (rule: ┆ RuleName: - │\n",
- "│ ┆ ┆ ┆ ┆ ┆ ProcessC… ┆ Ut… │\n",
- "│ 2024-06-23T0 ┆ win10 ┆ fe80::965b: ┆ information ┆ 13 ┆ Registry ┆ Registry │\n",
- "│ 7:42:03.846Z ┆ ┆ 5bf2:7f22:d ┆ ┆ ┆ value set ┆ value set: │\n",
- "│ ┆ ┆ 30 ┆ ┆ ┆ (rule: ┆ RuleName: … │\n",
- "│ ┆ ┆ ┆ ┆ ┆ Regi… ┆ │\n",
- "│ 2024-06-23T0 ┆ win10 ┆ fe80::965b: ┆ information ┆ 1 ┆ Process ┆ Process │\n",
- "│ 7:42:03.864Z ┆ ┆ 5bf2:7f22:d ┆ ┆ ┆ Create ┆ Create: │\n",
- "│ ┆ ┆ 30 ┆ ┆ ┆ (rule: ┆ RuleName: - │\n",
- "│ ┆ ┆ ┆ ┆ ┆ ProcessC… ┆ Ut… │\n",
- "│ … ┆ … ┆ … ┆ … ┆ … ┆ … ┆ … │\n",
- "│ 2024-06-23T0 ┆ win10 ┆ fe80::965b: ┆ information ┆ 1 ┆ Process ┆ Process │\n",
- "│ 8:35:53.050Z ┆ ┆ 5bf2:7f22:d ┆ ┆ ┆ Create ┆ Create: │\n",
- "│ ┆ ┆ 30 ┆ ┆ ┆ (rule: ┆ RuleName: - │\n",
- "│ ┆ ┆ ┆ ┆ ┆ ProcessC… ┆ Ut… │\n",
- "│ 2024-06-23T0 ┆ win10 ┆ fe80::965b: ┆ information ┆ 10 ┆ Process ┆ Process │\n",
- "│ 8:35:53.125Z ┆ ┆ 5bf2:7f22:d ┆ ┆ ┆ accessed ┆ accessed: │\n",
- "│ ┆ ┆ 30 ┆ ┆ ┆ (rule: ┆ RuleName: - │\n",
- "│ ┆ ┆ ┆ ┆ ┆ Proces… ┆ … │\n",
- "│ 2024-06-23T0 ┆ win10 ┆ fe80::965b: ┆ information ┆ 1 ┆ Process ┆ Process │\n",
- "│ 8:35:56.448Z ┆ ┆ 5bf2:7f22:d ┆ ┆ ┆ Create ┆ Create: │\n",
- "│ ┆ ┆ 30 ┆ ┆ ┆ (rule: ┆ RuleName: - │\n",
- "│ ┆ ┆ ┆ ┆ ┆ ProcessC… ┆ Ut… │\n",
- "│ 2024-06-23T0 ┆ win10 ┆ fe80::965b: ┆ information ┆ 22 ┆ Dns query ┆ Dns query: │\n",
- "│ 8:37:46.518Z ┆ ┆ 5bf2:7f22:d ┆ ┆ ┆ (rule: ┆ RuleName: - │\n",
- "│ ┆ ┆ 30 ┆ ┆ ┆ DnsQuery) ┆ UtcTime… │\n",
- "│ 2024-06-23T0 ┆ win10 ┆ fe80::965b: ┆ information ┆ 1 ┆ Process ┆ Process │\n",
- "│ 8:37:54.182Z ┆ ┆ 5bf2:7f22:d ┆ ┆ ┆ Create ┆ Create: │\n",
- "│ ┆ ┆ 30 ┆ ┆ ┆ (rule: ┆ RuleName: - │\n",
- "│ ┆ ┆ ┆ ┆ ┆ ProcessC… ┆ Ut… │\n",
- "└──────────────┴─────────────┴─────────────┴─────────────┴─────────────┴─────────────┴─────────────┘\n"
- ]
- }
- ],
- "execution_count": 2
+ "outputs": [],
+ "execution_count": null
},
{
- "metadata": {
- "ExecuteTime": {
- "end_time": "2024-06-23T14:27:15.761561Z",
- "start_time": "2024-06-23T14:27:15.718703Z"
- }
- },
+ "metadata": {},
+ "cell_type": "markdown",
+ "source": [
+ "## Data filtering and transformation\n",
+ "\n",
+ "Filter out irrelevant information from the traces to focus on the key details. This step involves removing specific lines based on keywords present at the start of the line. The goal is to clean up the data and make it more manageable for further processing."
+ ],
+ "id": "6fb9c9c06da8a061"
+ },
+ {
+ "metadata": {},
"cell_type": "code",
"source": [
- "import polars as pl\n",
- "\n",
"def remove_keyword_lines(batch, keywords):\n",
" def modify_line(line):\n",
" # Check each keyword; filter the line if the keyword is at the start followed by a colon\n",
@@ -237,13 +207,11 @@
" return_dtype=pl.Utf8)\n",
"\n",
"\n",
- "\n",
- "\n",
- "# Define a list of keywords to filter out\n",
+ "# keywords to filter or process\n",
"keywords_to_filter = [\"UtcTime\", \"SourceProcessGUID\",\"ProcessGuid\", \"TargetProcessGUID\", \"TargetObject\", \"FileVersion\", \"Hashes\", \"LogonGuid\", \"LogonId\", \"CreationUtcTime\", \"User\", \"ParentProcessGuid\", \"SourceHostname\"]\n",
"\n",
"\n",
- "# Load your DataFrame (assuming 'df' is already loaded)\n",
+ "# Load the DataFrame (assuming 'df' is already loaded)\n",
"# Apply the transformation to the 'message' column using map_batches\n",
"df_f = df.with_columns(\n",
" pl.col(\"message\").map_batches(lambda batch: remove_keyword_lines(batch, keywords_to_filter), return_dtype=pl.Utf8).alias(\"filtered_message\")\n",
@@ -260,1991 +228,21 @@
" print(\"-\" * 50) # Separator for readability\n"
],
"id": "fc93fe038bcb00c5",
- "outputs": [
- {
- "name": "stdout",
- "output_type": "stream",
- "text": [
- "Message 1:\n",
- "Process accessed:\n",
- "RuleName: -\n",
- "SourceProcessId: 1072\n",
- "SourceThreadId: 1132\n",
- "SourceImage: C:\\Windows\\system32\\svchost.exe\n",
- "TargetProcessId: 872\n",
- "TargetImage: C:\\Windows\\system32\\lsass.exe\n",
- "GrantedAccess: 0x1000\n",
- "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
- "--------------------------------------------------\n",
- "Message 2:\n",
- "Process accessed:\n",
- "RuleName: -\n",
- "SourceProcessId: 1072\n",
- "SourceThreadId: 1132\n",
- "SourceImage: C:\\Windows\\system32\\svchost.exe\n",
- "TargetProcessId: 872\n",
- "TargetImage: C:\\Windows\\system32\\lsass.exe\n",
- "GrantedAccess: 0x1000\n",
- "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
- "--------------------------------------------------\n",
- "Message 3:\n",
- "Process Create:\n",
- "RuleName: -\n",
- "ProcessId: 5196\n",
- "Image: C:\\Windows\\servicing\\TrustedInstaller.exe\n",
- "Description: Windows Modules Installer\n",
- "Product: Microsoft® Windows® Operating System\n",
- "Company: Microsoft Corporation\n",
- "OriginalFileName: TrustedInstaller.exe\n",
- "CommandLine: C:\\Windows\\servicing\\TrustedInstaller.exe\n",
- "CurrentDirectory: C:\\Windows\\system32\\\n",
- "User: SYSTEM\n",
- "TerminalSessionId: 0\n",
- "IntegrityLevel: System\n",
- "ParentProcessId: 824\n",
- "ParentImage: C:\\Windows\\System32\\services.exe\n",
- "ParentCommandLine: C:\\Windows\\system32\\services.exe\n",
- "--------------------------------------------------\n",
- "Message 4:\n",
- "Registry value set:\n",
- "RuleName: Tamper-Winlogon\n",
- "EventType: SetValue\n",
- "ProcessId: 5196\n",
- "Image: C:\\Windows\\servicing\\TrustedInstaller.exe\n",
- "Details: CreateSession\n",
- "--------------------------------------------------\n",
- "Message 5:\n",
- "Process Create:\n",
- "RuleName: -\n",
- "ProcessId: 6140\n",
- "Image: C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.2664_none_7dfa24947c9c0a36\\TiWorker.exe\n",
- "Description: Windows Modules Installer Worker\n",
- "Product: Microsoft® Windows® Operating System\n",
- "Company: Microsoft Corporation\n",
- "OriginalFileName: TiWorker.exe\n",
- "CommandLine: C:\\Windows\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.2664_none_7dfa24947c9c0a36\\TiWorker.exe -Embedding\n",
- "CurrentDirectory: C:\\Windows\\system32\\\n",
- "User: SYSTEM\n",
- "TerminalSessionId: 0\n",
- "IntegrityLevel: System\n",
- "ParentProcessId: 1000\n",
- "ParentImage: C:\\Windows\\System32\\svchost.exe\n",
- "ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p\n",
- "--------------------------------------------------\n",
- "Message 6:\n",
- "Process Create:\n",
- "RuleName: -\n",
- "ProcessId: 2036\n",
- "Image: C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe\n",
- "Description: Microsoft Edge Update\n",
- "Product: Microsoft Edge Update\n",
- "Company: Microsoft Corporation\n",
- "OriginalFileName: msedgeupdate.dll\n",
- "CommandLine: \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe\" /c\n",
- "CurrentDirectory: C:\\Windows\\system32\\\n",
- "User: SYSTEM\n",
- "TerminalSessionId: 0\n",
- "IntegrityLevel: System\n",
- "ParentProcessId: 2024\n",
- "ParentImage: C:\\Windows\\System32\\svchost.exe\n",
- "ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n",
- "--------------------------------------------------\n",
- "Message 7:\n",
- "Dns query:\n",
- "RuleName: -\n",
- "ProcessId: 3508\n",
- "QueryName: ncc.avast.com\n",
- "QueryStatus: 0\n",
- "QueryResults: type: 5 ncc.avast.com.edgesuite.net;type: 5 a1488.dscd.akamai.net;::ffff:23.72.36.187;::ffff:23.72.36.112;\n",
- "Image: C:\\Program Files\\Avast Software\\Avast\\aswToolsSvc.exe\n",
- "--------------------------------------------------\n",
- "Message 8:\n",
- "Dns query:\n",
- "RuleName: -\n",
- "ProcessId: 4592\n",
- "QueryName: ecs.office.com\n",
- "QueryStatus: 0\n",
- "QueryResults: type: 5 ecs.office.trafficmanager.net;type: 5 s-0005-office.config.skype.com;type: 5 ecs-office.s-0005.s-msedge.net;type: 5 s-0005.s-msedge.net;::ffff:52.113.194.132;\n",
- "Image: C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe\n",
- "--------------------------------------------------\n",
- "Message 9:\n",
- "Process Create:\n",
- "RuleName: -\n",
- "ProcessId: 4492\n",
- "Image: C:\\Windows\\System32\\taskhostw.exe\n",
- "Description: Host Process for Windows Tasks\n",
- "Product: Microsoft® Windows® Operating System\n",
- "Company: Microsoft Corporation\n",
- "OriginalFileName: taskhostw.exe\n",
- "CommandLine: taskhostw.exe\n",
- "CurrentDirectory: C:\\Windows\\system32\\\n",
- "User: SYSTEM\n",
- "TerminalSessionId: 0\n",
- "IntegrityLevel: System\n",
- "ParentProcessId: 2024\n",
- "ParentImage: C:\\Windows\\System32\\svchost.exe\n",
- "ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n",
- "--------------------------------------------------\n",
- "Message 10:\n",
- "Process Create:\n",
- "RuleName: -\n",
- "ProcessId: 2788\n",
- "Image: C:\\Windows\\System32\\WinBioPlugIns\\FaceFodUninstaller.exe\n",
- "Description: -\n",
- "Product: -\n",
- "Company: -\n",
- "OriginalFileName: -\n",
- "CommandLine: \"C:\\Windows\\System32\\WinBioPlugIns\\FaceFodUninstaller.exe\"\n",
- "CurrentDirectory: C:\\Windows\\system32\\\n",
- "User: SYSTEM\n",
- "TerminalSessionId: 0\n",
- "IntegrityLevel: System\n",
- "ParentProcessId: 2024\n",
- "ParentImage: C:\\Windows\\System32\\svchost.exe\n",
- "ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n",
- "--------------------------------------------------\n",
- "Message 11:\n",
- "Process Create:\n",
- "RuleName: -\n",
- "ProcessId: 6472\n",
- "Image: C:\\Windows\\System32\\lpremove.exe\n",
- "Description: MUI Language pack cleanup\n",
- "Product: Microsoft® Windows® Operating System\n",
- "Company: Microsoft Corporation\n",
- "OriginalFileName: lpremove.exe\n",
- "CommandLine: \"C:\\Windows\\system32\\lpremove.exe\"\n",
- "CurrentDirectory: C:\\Windows\\system32\\\n",
- "User: SYSTEM\n",
- "TerminalSessionId: 0\n",
- "IntegrityLevel: System\n",
- "ParentProcessId: 2024\n",
- "ParentImage: C:\\Windows\\System32\\svchost.exe\n",
- "ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n",
- "--------------------------------------------------\n",
- "Message 12:\n",
- "Process Create:\n",
- "RuleName: -\n",
- "ProcessId: 6104\n",
- "Image: C:\\Windows\\System32\\UsoClient.exe\n",
- "Description: UsoClient\n",
- "Product: Microsoft® Windows® Operating System\n",
- "Company: Microsoft Corporation\n",
- "OriginalFileName: UsoClient\n",
- "CommandLine: \"C:\\Windows\\system32\\usoclient.exe\" ReportPolicies\n",
- "CurrentDirectory: C:\\Windows\\system32\\\n",
- "User: SYSTEM\n",
- "TerminalSessionId: 0\n",
- "IntegrityLevel: System\n",
- "ParentProcessId: 2024\n",
- "ParentImage: C:\\Windows\\System32\\svchost.exe\n",
- "ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n",
- "--------------------------------------------------\n",
- "Message 13:\n",
- "Process accessed:\n",
- "RuleName: -\n",
- "SourceProcessId: 1072\n",
- "SourceThreadId: 1132\n",
- "SourceImage: C:\\Windows\\system32\\svchost.exe\n",
- "TargetProcessId: 872\n",
- "TargetImage: C:\\Windows\\system32\\lsass.exe\n",
- "GrantedAccess: 0x1000\n",
- "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
- "--------------------------------------------------\n",
- "Message 14:\n",
- "Process accessed:\n",
- "RuleName: -\n",
- "SourceProcessId: 1072\n",
- "SourceThreadId: 1132\n",
- "SourceImage: C:\\Windows\\system32\\svchost.exe\n",
- "TargetProcessId: 872\n",
- "TargetImage: C:\\Windows\\system32\\lsass.exe\n",
- "GrantedAccess: 0x1000\n",
- "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
- "--------------------------------------------------\n",
- "Message 15:\n",
- "Process accessed:\n",
- "RuleName: -\n",
- "SourceProcessId: 1072\n",
- "SourceThreadId: 1096\n",
- "SourceImage: C:\\Windows\\system32\\svchost.exe\n",
- "TargetProcessId: 872\n",
- "TargetImage: C:\\Windows\\system32\\lsass.exe\n",
- "GrantedAccess: 0x1000\n",
- "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
- "--------------------------------------------------\n",
- "Message 16:\n",
- "Process accessed:\n",
- "RuleName: -\n",
- "SourceProcessId: 1072\n",
- "SourceThreadId: 1096\n",
- "SourceImage: C:\\Windows\\system32\\svchost.exe\n",
- "TargetProcessId: 872\n",
- "TargetImage: C:\\Windows\\system32\\lsass.exe\n",
- "GrantedAccess: 0x1000\n",
- "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
- "--------------------------------------------------\n",
- "Message 17:\n",
- "Process Create:\n",
- "RuleName: -\n",
- "ProcessId: 4324\n",
- "Image: C:\\Windows\\System32\\sc.exe\n",
- "Description: Service Control Manager Configuration Tool\n",
- "Product: Microsoft® Windows® Operating System\n",
- "Company: Microsoft Corporation\n",
- "OriginalFileName: sc.exe\n",
- "CommandLine: \"C:\\Windows\\system32\\sc.exe\" start w32time task_started\n",
- "CurrentDirectory: C:\\Windows\\system32\\\n",
- "User: LOCAL SERVICE\n",
- "TerminalSessionId: 0\n",
- "IntegrityLevel: System\n",
- "ParentProcessId: 2024\n",
- "ParentImage: C:\\Windows\\System32\\svchost.exe\n",
- "ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n",
- "--------------------------------------------------\n",
- "Message 18:\n",
- "Process accessed:\n",
- "RuleName: -\n",
- "SourceProcessId: 1072\n",
- "SourceThreadId: 1132\n",
- "SourceImage: C:\\Windows\\system32\\svchost.exe\n",
- "TargetProcessId: 872\n",
- "TargetImage: C:\\Windows\\system32\\lsass.exe\n",
- "GrantedAccess: 0x1000\n",
- "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
- "--------------------------------------------------\n",
- "Message 19:\n",
- "Process accessed:\n",
- "RuleName: -\n",
- "SourceProcessId: 1072\n",
- "SourceThreadId: 1132\n",
- "SourceImage: C:\\Windows\\system32\\svchost.exe\n",
- "TargetProcessId: 872\n",
- "TargetImage: C:\\Windows\\system32\\lsass.exe\n",
- "GrantedAccess: 0x1000\n",
- "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
- "--------------------------------------------------\n",
- "Message 20:\n",
- "Process accessed:\n",
- "RuleName: -\n",
- "SourceProcessId: 1072\n",
- "SourceThreadId: 1096\n",
- "SourceImage: C:\\Windows\\system32\\svchost.exe\n",
- "TargetProcessId: 872\n",
- "TargetImage: C:\\Windows\\system32\\lsass.exe\n",
- "GrantedAccess: 0x1000\n",
- "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
- "--------------------------------------------------\n",
- "Message 21:\n",
- "Process accessed:\n",
- "RuleName: -\n",
- "SourceProcessId: 1072\n",
- "SourceThreadId: 1096\n",
- "SourceImage: C:\\Windows\\system32\\svchost.exe\n",
- "TargetProcessId: 872\n",
- "TargetImage: C:\\Windows\\system32\\lsass.exe\n",
- "GrantedAccess: 0x1000\n",
- "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
- "--------------------------------------------------\n",
- "Message 22:\n",
- "Process Create:\n",
- "RuleName: -\n",
- "ProcessId: 5828\n",
- "Image: C:\\Windows\\System32\\taskhostw.exe\n",
- "Description: Host Process for Windows Tasks\n",
- "Product: Microsoft® Windows® Operating System\n",
- "Company: Microsoft Corporation\n",
- "OriginalFileName: taskhostw.exe\n",
- "CommandLine: taskhostw.exe\n",
- "CurrentDirectory: C:\\Windows\\system32\\\n",
- "User: LOCAL SERVICE\n",
- "TerminalSessionId: 0\n",
- "IntegrityLevel: System\n",
- "ParentProcessId: 2024\n",
- "ParentImage: C:\\Windows\\System32\\svchost.exe\n",
- "ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n",
- "--------------------------------------------------\n",
- "Message 23:\n",
- "Process Create:\n",
- "RuleName: -\n",
- "ProcessId: 4996\n",
- "Image: C:\\Windows\\System32\\rundll32.exe\n",
- "Description: Windows host process (Rundll32)\n",
- "Product: Microsoft® Windows® Operating System\n",
- "Company: Microsoft Corporation\n",
- "OriginalFileName: RUNDLL32.EXE\n",
- "CommandLine: \"C:\\Windows\\system32\\rundll32.exe\" C:\\Windows\\system32\\Windows.StateRepositoryClient.dll,StateRepositoryDoMaintenanceTasks\n",
- "CurrentDirectory: C:\\Windows\\system32\\\n",
- "User: SYSTEM\n",
- "TerminalSessionId: 0\n",
- "IntegrityLevel: System\n",
- "ParentProcessId: 2024\n",
- "ParentImage: C:\\Windows\\System32\\svchost.exe\n",
- "ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n",
- "--------------------------------------------------\n",
- "Message 24:\n",
- "Process Create:\n",
- "RuleName: -\n",
- "ProcessId: 5376\n",
- "Image: C:\\Windows\\System32\\Defrag.exe\n",
- "Description: Disk Defragmenter Module\n",
- "Product: Windows Drive Optimizer\n",
- "Company: Microsoft Corp.\n",
- "OriginalFileName: Defrag.EXE\n",
- "CommandLine: \"C:\\Windows\\system32\\defrag.exe\" -c -h -o -$\n",
- "CurrentDirectory: C:\\Windows\\system32\\\n",
- "User: SYSTEM\n",
- "TerminalSessionId: 0\n",
- "IntegrityLevel: System\n",
- "ParentProcessId: 2024\n",
- "ParentImage: C:\\Windows\\System32\\svchost.exe\n",
- "ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n",
- "--------------------------------------------------\n",
- "Message 25:\n",
- "Process Create:\n",
- "RuleName: -\n",
- "ProcessId: 4240\n",
- "Image: C:\\Windows\\System32\\dmclient.exe\n",
- "Description: Microsoft Feedback SIUF Deployment Manager Client\n",
- "Product: Microsoft® Windows® Operating System\n",
- "Company: Microsoft Corporation\n",
- "OriginalFileName: dmclient.exe\n",
- "CommandLine: \"C:\\Windows\\system32\\dmclient.exe\"\n",
- "CurrentDirectory: C:\\Windows\\system32\\\n",
- "User: SYSTEM\n",
- "TerminalSessionId: 0\n",
- "IntegrityLevel: System\n",
- "ParentProcessId: 2024\n",
- "ParentImage: C:\\Windows\\System32\\svchost.exe\n",
- "ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n",
- "--------------------------------------------------\n",
- "Message 26:\n",
- "Process accessed:\n",
- "RuleName: -\n",
- "SourceProcessId: 1072\n",
- "SourceThreadId: 1096\n",
- "SourceImage: C:\\Windows\\system32\\svchost.exe\n",
- "TargetProcessId: 872\n",
- "TargetImage: C:\\Windows\\system32\\lsass.exe\n",
- "GrantedAccess: 0x1000\n",
- "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
- "--------------------------------------------------\n",
- "Message 27:\n",
- "Process accessed:\n",
- "RuleName: -\n",
- "SourceProcessId: 1072\n",
- "SourceThreadId: 1096\n",
- "SourceImage: C:\\Windows\\system32\\svchost.exe\n",
- "TargetProcessId: 872\n",
- "TargetImage: C:\\Windows\\system32\\lsass.exe\n",
- "GrantedAccess: 0x1000\n",
- "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
- "--------------------------------------------------\n",
- "Message 28:\n",
- "Process Create:\n",
- "RuleName: -\n",
- "ProcessId: 4980\n",
- "Image: C:\\Windows\\System32\\tzsync.exe\n",
- "Description: TimeZone Sync Task\n",
- "Product: Microsoft® Windows® Operating System\n",
- "Company: Microsoft Corporation\n",
- "OriginalFileName: tzsync.exe\n",
- "CommandLine: \"C:\\Windows\\system32\\tzsync.exe\"\n",
- "CurrentDirectory: C:\\Windows\\system32\\\n",
- "User: SYSTEM\n",
- "TerminalSessionId: 0\n",
- "IntegrityLevel: System\n",
- "ParentProcessId: 2024\n",
- "ParentImage: C:\\Windows\\System32\\svchost.exe\n",
- "ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n",
- "--------------------------------------------------\n",
- "Message 29:\n",
- "Process Create:\n",
- "RuleName: -\n",
- "ProcessId: 1528\n",
- "Image: C:\\Windows\\System32\\DiskSnapshot.exe\n",
- "Description: DiskSnapshot.exe\n",
- "Product: Microsoft® Windows® Operating System\n",
- "Company: Microsoft Corporation\n",
- "OriginalFileName: DiskSnapshot.exe\n",
- "CommandLine: \"C:\\Windows\\system32\\disksnapshot.exe\" -z\n",
- "CurrentDirectory: C:\\Windows\\system32\\\n",
- "User: SYSTEM\n",
- "TerminalSessionId: 0\n",
- "IntegrityLevel: System\n",
- "ParentProcessId: 2024\n",
- "ParentImage: C:\\Windows\\System32\\svchost.exe\n",
- "ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n",
- "--------------------------------------------------\n",
- "Message 30:\n",
- "Process Create:\n",
- "RuleName: -\n",
- "ProcessId: 2384\n",
- "Image: C:\\Windows\\System32\\rundll32.exe\n",
- "Description: Windows host process (Rundll32)\n",
- "Product: Microsoft® Windows® Operating System\n",
- "Company: Microsoft Corporation\n",
- "OriginalFileName: RUNDLL32.EXE\n",
- "CommandLine: \"C:\\Windows\\system32\\rundll32.exe\" Windows.Storage.ApplicationData.dll,CleanupTemporaryState\n",
- "CurrentDirectory: C:\\Windows\\system32\\\n",
- "User: SYSTEM\n",
- "TerminalSessionId: 0\n",
- "IntegrityLevel: System\n",
- "ParentProcessId: 2024\n",
- "ParentImage: C:\\Windows\\System32\\svchost.exe\n",
- "ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n",
- "--------------------------------------------------\n",
- "Message 31:\n",
- "Process Create:\n",
- "RuleName: -\n",
- "ProcessId: 5156\n",
- "Image: C:\\Windows\\System32\\dstokenclean.exe\n",
- "Description: Data Sharing Service Maintenance Driver\n",
- "Product: Microsoft® Windows® Operating System\n",
- "Company: Microsoft Corporation\n",
- "OriginalFileName: dstokenclean.exe\n",
- "CommandLine: \"C:\\Windows\\system32\\dstokenclean.exe\"\n",
- "CurrentDirectory: C:\\Windows\\system32\\\n",
- "User: SYSTEM\n",
- "TerminalSessionId: 0\n",
- "IntegrityLevel: System\n",
- "ParentProcessId: 2024\n",
- "ParentImage: C:\\Windows\\System32\\svchost.exe\n",
- "ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n",
- "--------------------------------------------------\n",
- "Message 32:\n",
- "Process accessed:\n",
- "RuleName: -\n",
- "SourceProcessId: 1072\n",
- "SourceThreadId: 1132\n",
- "SourceImage: C:\\Windows\\system32\\svchost.exe\n",
- "TargetProcessId: 872\n",
- "TargetImage: C:\\Windows\\system32\\lsass.exe\n",
- "GrantedAccess: 0x1000\n",
- "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
- "--------------------------------------------------\n",
- "Message 33:\n",
- "Process accessed:\n",
- "RuleName: -\n",
- "SourceProcessId: 1072\n",
- "SourceThreadId: 1132\n",
- "SourceImage: C:\\Windows\\system32\\svchost.exe\n",
- "TargetProcessId: 872\n",
- "TargetImage: C:\\Windows\\system32\\lsass.exe\n",
- "GrantedAccess: 0x1000\n",
- "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
- "--------------------------------------------------\n",
- "Message 34:\n",
- "Process Create:\n",
- "RuleName: -\n",
- "ProcessId: 5632\n",
- "Image: C:\\Windows\\System32\\svchost.exe\n",
- "Description: Host Process for Windows Services\n",
- "Product: Microsoft® Windows® Operating System\n",
- "Company: Microsoft Corporation\n",
- "OriginalFileName: svchost.exe\n",
- "CommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s wisvc\n",
- "CurrentDirectory: C:\\Windows\\system32\\\n",
- "User: SYSTEM\n",
- "TerminalSessionId: 0\n",
- "IntegrityLevel: System\n",
- "ParentProcessId: 824\n",
- "ParentImage: C:\\Windows\\System32\\services.exe\n",
- "ParentCommandLine: C:\\Windows\\system32\\services.exe\n",
- "--------------------------------------------------\n",
- "Message 35:\n",
- "Process Create:\n",
- "RuleName: -\n",
- "ProcessId: 2388\n",
- "Image: C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ngentask.exe\n",
- "Description: Microsoft .NET Framework optimization service\n",
- "Product: Microsoft® .NET Framework\n",
- "Company: Microsoft Corporation\n",
- "OriginalFileName: NGenTask.exe\n",
- "CommandLine: \"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\NGenTask.exe\" /RuntimeWide /StopEvent:480\n",
- "CurrentDirectory: C:\\Windows\\system32\\\n",
- "User: SYSTEM\n",
- "TerminalSessionId: 0\n",
- "IntegrityLevel: System\n",
- "ParentProcessId: 4492\n",
- "ParentImage: C:\\Windows\\System32\\taskhostw.exe\n",
- "ParentCommandLine: taskhostw.exe\n",
- "--------------------------------------------------\n",
- "Message 36:\n",
- "Process Create:\n",
- "RuleName: -\n",
- "ProcessId: 6460\n",
- "Image: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ngentask.exe\n",
- "Description: Microsoft .NET Framework optimization service\n",
- "Product: Microsoft® .NET Framework\n",
- "Company: Microsoft Corporation\n",
- "OriginalFileName: NGenTask.exe\n",
- "CommandLine: \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\NGenTask.exe\" /RuntimeWide /StopEvent:1132\n",
- "CurrentDirectory: C:\\Windows\\system32\\\n",
- "User: SYSTEM\n",
- "TerminalSessionId: 0\n",
- "IntegrityLevel: System\n",
- "ParentProcessId: 4492\n",
- "ParentImage: C:\\Windows\\System32\\taskhostw.exe\n",
- "ParentCommandLine: taskhostw.exe\n",
- "--------------------------------------------------\n",
- "Message 37:\n",
- "Process accessed:\n",
- "RuleName: -\n",
- "SourceProcessId: 1072\n",
- "SourceThreadId: 1096\n",
- "SourceImage: C:\\Windows\\system32\\svchost.exe\n",
- "TargetProcessId: 872\n",
- "TargetImage: C:\\Windows\\system32\\lsass.exe\n",
- "GrantedAccess: 0x1000\n",
- "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
- "--------------------------------------------------\n",
- "Message 38:\n",
- "Process accessed:\n",
- "RuleName: -\n",
- "SourceProcessId: 1072\n",
- "SourceThreadId: 1096\n",
- "SourceImage: C:\\Windows\\system32\\svchost.exe\n",
- "TargetProcessId: 872\n",
- "TargetImage: C:\\Windows\\system32\\lsass.exe\n",
- "GrantedAccess: 0x1000\n",
- "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
- "--------------------------------------------------\n",
- "Message 39:\n",
- "Process Create:\n",
- "RuleName: -\n",
- "ProcessId: 4292\n",
- "Image: C:\\Windows\\System32\\svchost.exe\n",
- "Description: Host Process for Windows Services\n",
- "Product: Microsoft® Windows® Operating System\n",
- "Company: Microsoft Corporation\n",
- "OriginalFileName: svchost.exe\n",
- "CommandLine: C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc\n",
- "CurrentDirectory: C:\\Windows\\system32\\\n",
- "User: SYSTEM\n",
- "TerminalSessionId: 0\n",
- "IntegrityLevel: System\n",
- "ParentProcessId: 824\n",
- "ParentImage: C:\\Windows\\System32\\services.exe\n",
- "ParentCommandLine: C:\\Windows\\system32\\services.exe\n",
- "--------------------------------------------------\n",
- "Message 40:\n",
- "Process accessed:\n",
- "RuleName: -\n",
- "SourceProcessId: 1072\n",
- "SourceThreadId: 1096\n",
- "SourceImage: C:\\Windows\\system32\\svchost.exe\n",
- "TargetProcessId: 872\n",
- "TargetImage: C:\\Windows\\system32\\lsass.exe\n",
- "GrantedAccess: 0x1000\n",
- "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
- "--------------------------------------------------\n",
- "Message 41:\n",
- "Process accessed:\n",
- "RuleName: -\n",
- "SourceProcessId: 1072\n",
- "SourceThreadId: 1096\n",
- "SourceImage: C:\\Windows\\system32\\svchost.exe\n",
- "TargetProcessId: 872\n",
- "TargetImage: C:\\Windows\\system32\\lsass.exe\n",
- "GrantedAccess: 0x1000\n",
- "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
- "--------------------------------------------------\n",
- "Message 42:\n",
- "Process accessed:\n",
- "RuleName: -\n",
- "SourceProcessId: 1072\n",
- "SourceThreadId: 1096\n",
- "SourceImage: C:\\Windows\\system32\\svchost.exe\n",
- "TargetProcessId: 872\n",
- "TargetImage: C:\\Windows\\system32\\lsass.exe\n",
- "GrantedAccess: 0x1000\n",
- "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
- "--------------------------------------------------\n",
- "Message 43:\n",
- "Process accessed:\n",
- "RuleName: -\n",
- "SourceProcessId: 1072\n",
- "SourceThreadId: 1096\n",
- "SourceImage: C:\\Windows\\system32\\svchost.exe\n",
- "TargetProcessId: 872\n",
- "TargetImage: C:\\Windows\\system32\\lsass.exe\n",
- "GrantedAccess: 0x1000\n",
- "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
- "--------------------------------------------------\n",
- "Message 44:\n",
- "Process accessed:\n",
- "RuleName: -\n",
- "SourceProcessId: 1072\n",
- "SourceThreadId: 1096\n",
- "SourceImage: C:\\Windows\\system32\\svchost.exe\n",
- "TargetProcessId: 872\n",
- "TargetImage: C:\\Windows\\system32\\lsass.exe\n",
- "GrantedAccess: 0x1000\n",
- "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
- "--------------------------------------------------\n",
- "Message 45:\n",
- "Process accessed:\n",
- "RuleName: -\n",
- "SourceProcessId: 1072\n",
- "SourceThreadId: 1096\n",
- "SourceImage: C:\\Windows\\system32\\svchost.exe\n",
- "TargetProcessId: 872\n",
- "TargetImage: C:\\Windows\\system32\\lsass.exe\n",
- "GrantedAccess: 0x1000\n",
- "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
- "--------------------------------------------------\n",
- "Message 46:\n",
- "Process accessed:\n",
- "RuleName: -\n",
- "SourceProcessId: 1072\n",
- "SourceThreadId: 1096\n",
- "SourceImage: C:\\Windows\\system32\\svchost.exe\n",
- "TargetProcessId: 872\n",
- "TargetImage: C:\\Windows\\system32\\lsass.exe\n",
- "GrantedAccess: 0x1000\n",
- "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
- "--------------------------------------------------\n",
- "Message 47:\n",
- "Process accessed:\n",
- "RuleName: -\n",
- "SourceProcessId: 1072\n",
- "SourceThreadId: 1096\n",
- "SourceImage: C:\\Windows\\system32\\svchost.exe\n",
- "TargetProcessId: 872\n",
- "TargetImage: C:\\Windows\\system32\\lsass.exe\n",
- "GrantedAccess: 0x1000\n",
- "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
- "--------------------------------------------------\n",
- "Message 48:\n",
- "Process Create:\n",
- "RuleName: -\n",
- "ProcessId: 4196\n",
- "Image: C:\\Windows\\System32\\Speech_OneCore\\common\\SpeechModelDownload.exe\n",
- "Description: Speech Model Download Executable\n",
- "Product: Microsoft® Windows® Operating System\n",
- "Company: Microsoft Corporation\n",
- "OriginalFileName: SpeechModelDownload.exe\n",
- "CommandLine: \"C:\\Windows\\system32\\speech_onecore\\common\\SpeechModelDownload.exe\"\n",
- "CurrentDirectory: C:\\Windows\\system32\\\n",
- "User: NETWORK SERVICE\n",
- "TerminalSessionId: 0\n",
- "IntegrityLevel: System\n",
- "ParentProcessId: 2024\n",
- "ParentImage: C:\\Windows\\System32\\svchost.exe\n",
- "ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n",
- "--------------------------------------------------\n",
- "Message 49:\n",
- "Process Create:\n",
- "RuleName: -\n",
- "ProcessId: 5472\n",
- "Image: C:\\Windows\\System32\\taskhostw.exe\n",
- "Description: Host Process for Windows Tasks\n",
- "Product: Microsoft® Windows® Operating System\n",
- "Company: Microsoft Corporation\n",
- "OriginalFileName: taskhostw.exe\n",
- "CommandLine: taskhostw.exe -IntegrityCheck\n",
- "CurrentDirectory: C:\\Windows\\system32\\\n",
- "User: SYSTEM\n",
- "TerminalSessionId: 0\n",
- "IntegrityLevel: System\n",
- "ParentProcessId: 2024\n",
- "ParentImage: C:\\Windows\\System32\\svchost.exe\n",
- "ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n",
- "--------------------------------------------------\n",
- "Message 50:\n",
- "Process Create:\n",
- "RuleName: -\n",
- "ProcessId: 3320\n",
- "Image: C:\\Windows\\System32\\rundll32.exe\n",
- "Description: Windows host process (Rundll32)\n",
- "Product: Microsoft® Windows® Operating System\n",
- "Company: Microsoft Corporation\n",
- "OriginalFileName: RUNDLL32.EXE\n",
- "CommandLine: \"C:\\Windows\\system32\\rundll32.exe\" sysmain.dll,PfSvWsSwapAssessmentTask\n",
- "CurrentDirectory: C:\\Windows\\system32\\\n",
- "User: SYSTEM\n",
- "TerminalSessionId: 0\n",
- "IntegrityLevel: System\n",
- "ParentProcessId: 2024\n",
- "ParentImage: C:\\Windows\\System32\\svchost.exe\n",
- "ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n",
- "--------------------------------------------------\n",
- "Message 51:\n",
- "Process accessed:\n",
- "RuleName: -\n",
- "SourceProcessId: 1072\n",
- "SourceThreadId: 1132\n",
- "SourceImage: C:\\Windows\\system32\\svchost.exe\n",
- "TargetProcessId: 872\n",
- "TargetImage: C:\\Windows\\system32\\lsass.exe\n",
- "GrantedAccess: 0x1000\n",
- "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
- "--------------------------------------------------\n",
- "Message 52:\n",
- "Process accessed:\n",
- "RuleName: -\n",
- "SourceProcessId: 1072\n",
- "SourceThreadId: 1132\n",
- "SourceImage: C:\\Windows\\system32\\svchost.exe\n",
- "TargetProcessId: 872\n",
- "TargetImage: C:\\Windows\\system32\\lsass.exe\n",
- "GrantedAccess: 0x1000\n",
- "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
- "--------------------------------------------------\n",
- "Message 53:\n",
- "Process accessed:\n",
- "RuleName: -\n",
- "SourceProcessId: 1072\n",
- "SourceThreadId: 1132\n",
- "SourceImage: C:\\Windows\\system32\\svchost.exe\n",
- "TargetProcessId: 872\n",
- "TargetImage: C:\\Windows\\system32\\lsass.exe\n",
- "GrantedAccess: 0x1000\n",
- "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
- "--------------------------------------------------\n",
- "Message 54:\n",
- "Process accessed:\n",
- "RuleName: -\n",
- "SourceProcessId: 1072\n",
- "SourceThreadId: 1132\n",
- "SourceImage: C:\\Windows\\system32\\svchost.exe\n",
- "TargetProcessId: 872\n",
- "TargetImage: C:\\Windows\\system32\\lsass.exe\n",
- "GrantedAccess: 0x1000\n",
- "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
- "--------------------------------------------------\n",
- "Message 55:\n",
- "Process accessed:\n",
- "RuleName: -\n",
- "SourceProcessId: 1072\n",
- "SourceThreadId: 1132\n",
- "SourceImage: C:\\Windows\\system32\\svchost.exe\n",
- "TargetProcessId: 872\n",
- "TargetImage: C:\\Windows\\system32\\lsass.exe\n",
- "GrantedAccess: 0x1000\n",
- "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
- "--------------------------------------------------\n",
- "Message 56:\n",
- "Process accessed:\n",
- "RuleName: -\n",
- "SourceProcessId: 1072\n",
- "SourceThreadId: 1132\n",
- "SourceImage: C:\\Windows\\system32\\svchost.exe\n",
- "TargetProcessId: 872\n",
- "TargetImage: C:\\Windows\\system32\\lsass.exe\n",
- "GrantedAccess: 0x1000\n",
- "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
- "--------------------------------------------------\n",
- "Message 57:\n",
- "Process Create:\n",
- "RuleName: -\n",
- "ProcessId: 1184\n",
- "Image: C:\\Windows\\System32\\WinSAT.exe\n",
- "Description: Windows System Assessment Tool\n",
- "Product: Microsoft® Windows® Operating System\n",
- "Company: Microsoft Corporation\n",
- "OriginalFileName: WinSAT.exe\n",
- "CommandLine: \"C:\\Windows\\system32\\winsat.exe\" disk -wsswap\n",
- "CurrentDirectory: C:\\Windows\\system32\\\n",
- "User: SYSTEM\n",
- "TerminalSessionId: 0\n",
- "IntegrityLevel: System\n",
- "ParentProcessId: 3320\n",
- "ParentImage: C:\\Windows\\System32\\rundll32.exe\n",
- "ParentCommandLine: \"C:\\Windows\\system32\\rundll32.exe\" sysmain.dll,PfSvWsSwapAssessmentTask\n",
- "--------------------------------------------------\n",
- "Message 58:\n",
- "Process Create:\n",
- "RuleName: -\n",
- "ProcessId: 3720\n",
- "Image: C:\\Windows\\System32\\Defrag.exe\n",
- "Description: Disk Defragmenter Module\n",
- "Product: Windows Drive Optimizer\n",
- "Company: Microsoft Corp.\n",
- "OriginalFileName: Defrag.EXE\n",
- "CommandLine: \"C:\\Windows\\system32\\defrag.exe\" -p 8a4 -s 0000000000000160 -b -OnlyPreferred C:\n",
- "CurrentDirectory: C:\\Windows\\system32\\\n",
- "User: SYSTEM\n",
- "TerminalSessionId: 0\n",
- "IntegrityLevel: System\n",
- "ParentProcessId: 2212\n",
- "ParentImage: C:\\Windows\\System32\\svchost.exe\n",
- "ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p -s SysMain\n",
- "--------------------------------------------------\n",
- "Message 59:\n",
- "Process accessed:\n",
- "RuleName: -\n",
- "SourceProcessId: 1072\n",
- "SourceThreadId: 1132\n",
- "SourceImage: C:\\Windows\\system32\\svchost.exe\n",
- "TargetProcessId: 872\n",
- "TargetImage: C:\\Windows\\system32\\lsass.exe\n",
- "GrantedAccess: 0x1000\n",
- "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
- "--------------------------------------------------\n",
- "Message 60:\n",
- "Process accessed:\n",
- "RuleName: -\n",
- "SourceProcessId: 1072\n",
- "SourceThreadId: 1132\n",
- "SourceImage: C:\\Windows\\system32\\svchost.exe\n",
- "TargetProcessId: 872\n",
- "TargetImage: C:\\Windows\\system32\\lsass.exe\n",
- "GrantedAccess: 0x1000\n",
- "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n",
- "--------------------------------------------------\n",
- "Message 61:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Path\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: c:\\users\\student_ladm\\appdata\\local\\microsoft\\teams\\previous\\squirrel.exe\n",
- "--------------------------------------------------\n",
- "Message 62:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Pub\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: microsoft corporation\n",
- "--------------------------------------------------\n",
- "Message 63:\n",
- "Registry value set:\n",
- "RuleName: InvDB-CompileTimeClaim\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 08/28/2020 18:31:14\n",
- "--------------------------------------------------\n",
- "Message 64:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Ver\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 1.10.54.0\n",
- "--------------------------------------------------\n",
- "Message 65:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Path\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: c:\\users\\student_ladm\\appdata\\local\\microsoft\\teams\\stage\\squirrel.exe\n",
- "--------------------------------------------------\n",
- "Message 66:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Pub\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: microsoft corporation\n",
- "--------------------------------------------------\n",
- "Message 67:\n",
- "Registry value set:\n",
- "RuleName: InvDB-CompileTimeClaim\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 08/15/2022 18:11:47\n",
- "--------------------------------------------------\n",
- "Message 68:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Ver\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 3.3.0.0\n",
- "--------------------------------------------------\n",
- "Message 69:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Path\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: c:\\users\\student_ladm\\appdata\\local\\microsoft\\teams\\current\\squirrel.exe\n",
- "--------------------------------------------------\n",
- "Message 70:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Pub\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: microsoft corporation\n",
- "--------------------------------------------------\n",
- "Message 71:\n",
- "Registry value set:\n",
- "RuleName: InvDB-CompileTimeClaim\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 02/03/2022 01:00:13\n",
- "--------------------------------------------------\n",
- "Message 72:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Ver\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 3.0.1.0\n",
- "--------------------------------------------------\n",
- "Message 73:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Path\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: c:\\users\\ansible\\appdata\\local\\microsoft\\teams\\current\\teams.exe\n",
- "--------------------------------------------------\n",
- "Message 74:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Pub\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: microsoft corporation\n",
- "--------------------------------------------------\n",
- "Message 75:\n",
- "Registry value set:\n",
- "RuleName: InvDB-CompileTimeClaim\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 04/21/2020 14:21:06\n",
- "--------------------------------------------------\n",
- "Message 76:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Ver\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 1.3.0.28779\n",
- "--------------------------------------------------\n",
- "Message 77:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Path\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: c:\\users\\ansible\\appdata\\local\\microsoft\\teams\\update.exe\n",
- "--------------------------------------------------\n",
- "Message 78:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Pub\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: microsoft corporation\n",
- "--------------------------------------------------\n",
- "Message 79:\n",
- "Registry value set:\n",
- "RuleName: InvDB-CompileTimeClaim\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 08/28/2020 18:31:14\n",
- "--------------------------------------------------\n",
- "Message 80:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Ver\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 1.10.54.0\n",
- "--------------------------------------------------\n",
- "Message 81:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Pub\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: Microsoft Corporation\n",
- "--------------------------------------------------\n",
- "Message 82:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Path\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: c:\\program files (x86)\\microsoft\\edgewebview\\application\\126.0.2592.68\\cookie_exporter.exe\n",
- "--------------------------------------------------\n",
- "Message 83:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Pub\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: microsoft corporation\n",
- "--------------------------------------------------\n",
- "Message 84:\n",
- "Registry value set:\n",
- "RuleName: InvDB-CompileTimeClaim\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 06/19/2024 23:34:22\n",
- "--------------------------------------------------\n",
- "Message 85:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Ver\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 126.0.2592.68\n",
- "--------------------------------------------------\n",
- "Message 86:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Path\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: c:\\program files (x86)\\microsoft\\edgewebview\\application\\126.0.2592.68\\elevation_service.exe\n",
- "--------------------------------------------------\n",
- "Message 87:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Pub\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: microsoft corporation\n",
- "--------------------------------------------------\n",
- "Message 88:\n",
- "Registry value set:\n",
- "RuleName: InvDB-CompileTimeClaim\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 06/19/2024 23:34:22\n",
- "--------------------------------------------------\n",
- "Message 89:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Ver\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 126.0.2592.68\n",
- "--------------------------------------------------\n",
- "Message 90:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Path\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: c:\\program files (x86)\\microsoft\\edgewebview\\application\\126.0.2592.68\\identity_helper.exe\n",
- "--------------------------------------------------\n",
- "Message 91:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Pub\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: microsoft corporation\n",
- "--------------------------------------------------\n",
- "Message 92:\n",
- "Registry value set:\n",
- "RuleName: InvDB-CompileTimeClaim\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 06/19/2024 23:34:22\n",
- "--------------------------------------------------\n",
- "Message 93:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Ver\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 126.0.2592.68\n",
- "--------------------------------------------------\n",
- "Message 94:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Path\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: c:\\program files (x86)\\microsoft\\edgewebview\\application\\126.0.2592.68\\bho\\ie_to_edge_stub.exe\n",
- "--------------------------------------------------\n",
- "Message 95:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Pub\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: microsoft corporation\n",
- "--------------------------------------------------\n",
- "Message 96:\n",
- "Registry value set:\n",
- "RuleName: InvDB-CompileTimeClaim\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 06/19/2024 23:34:22\n",
- "--------------------------------------------------\n",
- "Message 97:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Ver\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 126.0.2592.68\n",
- "--------------------------------------------------\n",
- "Message 98:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Path\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: c:\\program files (x86)\\microsoft\\edgewebview\\application\\126.0.2592.68\\msedge.exe\n",
- "--------------------------------------------------\n",
- "Message 99:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Pub\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: microsoft corporation\n",
- "--------------------------------------------------\n",
- "Message 100:\n",
- "Registry value set:\n",
- "RuleName: InvDB-CompileTimeClaim\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 06/19/2024 23:34:22\n",
- "--------------------------------------------------\n",
- "Message 101:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Ver\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 126.0.2592.68\n",
- "--------------------------------------------------\n",
- "Message 102:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Path\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: c:\\program files (x86)\\microsoft\\edgewebview\\application\\126.0.2592.68\\msedgewebview2.exe\n",
- "--------------------------------------------------\n",
- "Message 103:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Pub\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: microsoft corporation\n",
- "--------------------------------------------------\n",
- "Message 104:\n",
- "Registry value set:\n",
- "RuleName: InvDB-CompileTimeClaim\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 06/19/2024 23:34:22\n",
- "--------------------------------------------------\n",
- "Message 105:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Ver\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 126.0.2592.68\n",
- "--------------------------------------------------\n",
- "Message 106:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Path\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: c:\\program files (x86)\\microsoft\\edgewebview\\application\\126.0.2592.68\\msedge_proxy.exe\n",
- "--------------------------------------------------\n",
- "Message 107:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Pub\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: microsoft corporation\n",
- "--------------------------------------------------\n",
- "Message 108:\n",
- "Registry value set:\n",
- "RuleName: InvDB-CompileTimeClaim\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 06/19/2024 23:34:22\n",
- "--------------------------------------------------\n",
- "Message 109:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Ver\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 126.0.2592.68\n",
- "--------------------------------------------------\n",
- "Message 110:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Path\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: c:\\program files (x86)\\microsoft\\edgewebview\\application\\126.0.2592.68\\msedge_pwa_launcher.exe\n",
- "--------------------------------------------------\n",
- "Message 111:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Pub\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: microsoft corporation\n",
- "--------------------------------------------------\n",
- "Message 112:\n",
- "Registry value set:\n",
- "RuleName: InvDB-CompileTimeClaim\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 06/19/2024 23:34:22\n",
- "--------------------------------------------------\n",
- "Message 113:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Ver\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 126.0.2592.68\n",
- "--------------------------------------------------\n",
- "Message 114:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Path\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: c:\\program files (x86)\\microsoft\\edgewebview\\application\\126.0.2592.68\\notification_helper.exe\n",
- "--------------------------------------------------\n",
- "Message 115:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Pub\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: microsoft corporation\n",
- "--------------------------------------------------\n",
- "Message 116:\n",
- "Registry value set:\n",
- "RuleName: InvDB-CompileTimeClaim\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 06/19/2024 23:34:22\n",
- "--------------------------------------------------\n",
- "Message 117:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Ver\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 126.0.2592.68\n",
- "--------------------------------------------------\n",
- "Message 118:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Path\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: c:\\program files (x86)\\microsoft\\edgewebview\\application\\126.0.2592.68\\pwahelper.exe\n",
- "--------------------------------------------------\n",
- "Message 119:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Pub\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: microsoft corporation\n",
- "--------------------------------------------------\n",
- "Message 120:\n",
- "Registry value set:\n",
- "RuleName: InvDB-CompileTimeClaim\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 06/19/2024 23:34:22\n",
- "--------------------------------------------------\n",
- "Message 121:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Ver\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 126.0.2592.68\n",
- "--------------------------------------------------\n",
- "Message 122:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Path\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: c:\\program files (x86)\\microsoft\\edgewebview\\application\\126.0.2592.68\\installer\\setup.exe\n",
- "--------------------------------------------------\n",
- "Message 123:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Pub\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: microsoft corporation\n",
- "--------------------------------------------------\n",
- "Message 124:\n",
- "Registry value set:\n",
- "RuleName: InvDB-CompileTimeClaim\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 06/19/2024 23:34:22\n",
- "--------------------------------------------------\n",
- "Message 125:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Ver\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 126.0.2592.68\n",
- "--------------------------------------------------\n",
- "Message 126:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Pub\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: Microsoft Corporation\n",
- "--------------------------------------------------\n",
- "Message 127:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Path\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: c:\\users\\ansible\\appdata\\local\\microsoft\\teams\\current\\squirrel.exe\n",
- "--------------------------------------------------\n",
- "Message 128:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Pub\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: microsoft corporation\n",
- "--------------------------------------------------\n",
- "Message 129:\n",
- "Registry value set:\n",
- "RuleName: InvDB-CompileTimeClaim\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 08/28/2020 18:31:14\n",
- "--------------------------------------------------\n",
- "Message 130:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Ver\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 1.10.54.0\n",
- "--------------------------------------------------\n",
- "Message 131:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Path\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: c:\\program files (x86)\\microsoft\\edge\\application\\126.0.2592.68\\cookie_exporter.exe\n",
- "--------------------------------------------------\n",
- "Message 132:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Pub\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: microsoft corporation\n",
- "--------------------------------------------------\n",
- "Message 133:\n",
- "Registry value set:\n",
- "RuleName: InvDB-CompileTimeClaim\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 06/19/2024 23:34:22\n",
- "--------------------------------------------------\n",
- "Message 134:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Ver\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 126.0.2592.68\n",
- "--------------------------------------------------\n",
- "Message 135:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Path\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: c:\\program files (x86)\\microsoft\\edge\\application\\126.0.2592.68\\elevation_service.exe\n",
- "--------------------------------------------------\n",
- "Message 136:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Pub\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: microsoft corporation\n",
- "--------------------------------------------------\n",
- "Message 137:\n",
- "Registry value set:\n",
- "RuleName: InvDB-CompileTimeClaim\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 06/19/2024 23:34:22\n",
- "--------------------------------------------------\n",
- "Message 138:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Ver\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 126.0.2592.68\n",
- "--------------------------------------------------\n",
- "Message 139:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Path\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: c:\\program files (x86)\\microsoft\\edge\\application\\126.0.2592.68\\identity_helper.exe\n",
- "--------------------------------------------------\n",
- "Message 140:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Pub\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: microsoft corporation\n",
- "--------------------------------------------------\n",
- "Message 141:\n",
- "Registry value set:\n",
- "RuleName: InvDB-CompileTimeClaim\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 06/19/2024 23:34:22\n",
- "--------------------------------------------------\n",
- "Message 142:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Ver\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 126.0.2592.68\n",
- "--------------------------------------------------\n",
- "Message 143:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Path\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: c:\\program files (x86)\\microsoft\\edge\\application\\126.0.2592.68\\bho\\ie_to_edge_stub.exe\n",
- "--------------------------------------------------\n",
- "Message 144:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Pub\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: microsoft corporation\n",
- "--------------------------------------------------\n",
- "Message 145:\n",
- "Registry value set:\n",
- "RuleName: InvDB-CompileTimeClaim\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 06/19/2024 23:34:22\n",
- "--------------------------------------------------\n",
- "Message 146:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Ver\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 126.0.2592.68\n",
- "--------------------------------------------------\n",
- "Message 147:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Path\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: c:\\program files (x86)\\microsoft\\edge\\application\\126.0.2592.68\\msedge.exe\n",
- "--------------------------------------------------\n",
- "Message 148:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Pub\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: microsoft corporation\n",
- "--------------------------------------------------\n",
- "Message 149:\n",
- "Registry value set:\n",
- "RuleName: InvDB-CompileTimeClaim\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 06/19/2024 23:34:22\n",
- "--------------------------------------------------\n",
- "Message 150:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Ver\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 126.0.2592.68\n",
- "--------------------------------------------------\n",
- "Message 151:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Path\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: c:\\program files (x86)\\microsoft\\edge\\application\\126.0.2592.68\\msedgewebview2.exe\n",
- "--------------------------------------------------\n",
- "Message 152:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Pub\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: microsoft corporation\n",
- "--------------------------------------------------\n",
- "Message 153:\n",
- "Registry value set:\n",
- "RuleName: InvDB-CompileTimeClaim\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 06/19/2024 23:34:22\n",
- "--------------------------------------------------\n",
- "Message 154:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Ver\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 126.0.2592.68\n",
- "--------------------------------------------------\n",
- "Message 155:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Path\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: c:\\program files (x86)\\microsoft\\edge\\application\\126.0.2592.68\\msedge_proxy.exe\n",
- "--------------------------------------------------\n",
- "Message 156:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Pub\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: microsoft corporation\n",
- "--------------------------------------------------\n",
- "Message 157:\n",
- "Registry value set:\n",
- "RuleName: InvDB-CompileTimeClaim\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 06/19/2024 23:34:22\n",
- "--------------------------------------------------\n",
- "Message 158:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Ver\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 126.0.2592.68\n",
- "--------------------------------------------------\n",
- "Message 159:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Path\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: c:\\program files (x86)\\microsoft\\edge\\application\\126.0.2592.68\\msedge_pwa_launcher.exe\n",
- "--------------------------------------------------\n",
- "Message 160:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Pub\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: microsoft corporation\n",
- "--------------------------------------------------\n",
- "Message 161:\n",
- "Registry value set:\n",
- "RuleName: InvDB-CompileTimeClaim\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 06/19/2024 23:34:22\n",
- "--------------------------------------------------\n",
- "Message 162:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Ver\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 126.0.2592.68\n",
- "--------------------------------------------------\n",
- "Message 163:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Path\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: c:\\program files (x86)\\microsoft\\edge\\application\\126.0.2592.68\\notification_click_helper.exe\n",
- "--------------------------------------------------\n",
- "Message 164:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Pub\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: microsoft corporation\n",
- "--------------------------------------------------\n",
- "Message 165:\n",
- "Registry value set:\n",
- "RuleName: InvDB-CompileTimeClaim\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 06/19/2024 23:34:22\n",
- "--------------------------------------------------\n",
- "Message 166:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Ver\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 126.0.2592.68\n",
- "--------------------------------------------------\n",
- "Message 167:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Path\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: c:\\program files (x86)\\microsoft\\edge\\application\\126.0.2592.68\\notification_helper.exe\n",
- "--------------------------------------------------\n",
- "Message 168:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Pub\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: microsoft corporation\n",
- "--------------------------------------------------\n",
- "Message 169:\n",
- "Registry value set:\n",
- "RuleName: InvDB-CompileTimeClaim\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 06/19/2024 23:34:22\n",
- "--------------------------------------------------\n",
- "Message 170:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Ver\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 126.0.2592.68\n",
- "--------------------------------------------------\n",
- "Message 171:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Path\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: c:\\program files (x86)\\microsoft\\edge\\application\\126.0.2592.68\\pwahelper.exe\n",
- "--------------------------------------------------\n",
- "Message 172:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Pub\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: microsoft corporation\n",
- "--------------------------------------------------\n",
- "Message 173:\n",
- "Registry value set:\n",
- "RuleName: InvDB-CompileTimeClaim\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 06/19/2024 23:34:22\n",
- "--------------------------------------------------\n",
- "Message 174:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Ver\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 126.0.2592.68\n",
- "--------------------------------------------------\n",
- "Message 175:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Path\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: c:\\program files (x86)\\microsoft\\edge\\application\\126.0.2592.68\\installer\\setup.exe\n",
- "--------------------------------------------------\n",
- "Message 176:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Pub\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: microsoft corporation\n",
- "--------------------------------------------------\n",
- "Message 177:\n",
- "Registry value set:\n",
- "RuleName: InvDB-CompileTimeClaim\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 06/19/2024 23:34:22\n",
- "--------------------------------------------------\n",
- "Message 178:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Ver\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 126.0.2592.68\n",
- "--------------------------------------------------\n",
- "Message 179:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Pub\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: Microsoft Corporation\n",
- "--------------------------------------------------\n",
- "Message 180:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Path\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: c:\\users\\ansible\\appdata\\local\\microsoft\\onedrive\\21.220.1024.0005\\onedrivesetup.exe\n",
- "--------------------------------------------------\n",
- "Message 181:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Pub\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: microsoft corporation\n",
- "--------------------------------------------------\n",
- "Message 182:\n",
- "Registry value set:\n",
- "RuleName: InvDB-CompileTimeClaim\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 04/29/2042 07:55:35\n",
- "--------------------------------------------------\n",
- "Message 183:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Ver\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 21.220.1024.5\n",
- "--------------------------------------------------\n",
- "Message 184:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Path\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: c:\\users\\ansible\\appdata\\local\\microsoft\\onedrive\\21.220.1024.0005\\onedriveupdaterservice.exe\n",
- "--------------------------------------------------\n",
- "Message 185:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Pub\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: microsoft corporation\n",
- "--------------------------------------------------\n",
- "Message 186:\n",
- "Registry value set:\n",
- "RuleName: InvDB-CompileTimeClaim\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 01/30/2009 20:46:00\n",
- "--------------------------------------------------\n",
- "Message 187:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Ver\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 21.220.1024.5\n",
- "--------------------------------------------------\n",
- "Message 188:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Pub\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: Microsoft Corporation\n",
- "--------------------------------------------------\n",
- "Message 189:\n",
- "Process Create:\n",
- "RuleName: -\n",
- "ProcessId: 5488\n",
- "Image: C:\\Windows\\System32\\taskhostw.exe\n",
- "Description: Host Process for Windows Tasks\n",
- "Product: Microsoft® Windows® Operating System\n",
- "Company: Microsoft Corporation\n",
- "OriginalFileName: taskhostw.exe\n",
- "CommandLine: taskhostw.exe\n",
- "CurrentDirectory: C:\\Windows\\system32\\\n",
- "User: SYSTEM\n",
- "TerminalSessionId: 0\n",
- "IntegrityLevel: System\n",
- "ParentProcessId: 2024\n",
- "ParentImage: C:\\Windows\\System32\\svchost.exe\n",
- "ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n",
- "--------------------------------------------------\n",
- "Message 190:\n",
- "Process Create:\n",
- "RuleName: -\n",
- "ProcessId: 4728\n",
- "Image: C:\\Windows\\System32\\SrTasks.exe\n",
- "Description: Microsoft® Windows System Protection background tasks.\n",
- "Product: Microsoft® Windows® Operating System\n",
- "Company: Microsoft Corporation\n",
- "OriginalFileName: srtasks.exe\n",
- "CommandLine: \"C:\\Windows\\system32\\srtasks.exe\" ExecuteScheduledSPPCreation\n",
- "CurrentDirectory: C:\\Windows\\system32\\\n",
- "User: SYSTEM\n",
- "TerminalSessionId: 0\n",
- "IntegrityLevel: System\n",
- "ParentProcessId: 2024\n",
- "ParentImage: C:\\Windows\\System32\\svchost.exe\n",
- "ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n",
- "--------------------------------------------------\n",
- "Message 191:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Path\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: c:\\users\\ansible\\appdata\\local\\microsoft\\onedrive\\21.220.1024.0005\\filecoauth.exe\n",
- "--------------------------------------------------\n",
- "Message 192:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Pub\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: microsoft corporation\n",
- "--------------------------------------------------\n",
- "Message 193:\n",
- "Registry value set:\n",
- "RuleName: InvDB-CompileTimeClaim\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 09/04/1976 00:39:52\n",
- "--------------------------------------------------\n",
- "Message 194:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Ver\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 21.220.1024.5\n",
- "--------------------------------------------------\n",
- "Message 195:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Path\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: c:\\users\\ansible\\appdata\\local\\microsoft\\onedrive\\21.220.1024.0005\\filesyncconfig.exe\n",
- "--------------------------------------------------\n",
- "Message 196:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Pub\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: microsoft corporation\n",
- "--------------------------------------------------\n",
- "Message 197:\n",
- "Registry value set:\n",
- "RuleName: InvDB-CompileTimeClaim\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 02/11/2005 13:45:08\n",
- "--------------------------------------------------\n",
- "Message 198:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Ver\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: 21.220.1024.5\n",
- "--------------------------------------------------\n",
- "Message 199:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Path\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: c:\\users\\ansible\\appdata\\local\\microsoft\\onedrive\\21.220.1024.0005\\filesynchelper.exe\n",
- "--------------------------------------------------\n",
- "Message 200:\n",
- "Registry value set:\n",
- "RuleName: InvDB-Pub\n",
- "EventType: SetValue\n",
- "ProcessId: 2156\n",
- "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n",
- "Details: microsoft corporation\n",
- "--------------------------------------------------\n"
- ]
- }
- ],
- "execution_count": 3
+ "outputs": [],
+ "execution_count": null
},
{
- "metadata": {
- "ExecuteTime": {
- "end_time": "2024-06-23T14:27:52.793229Z",
- "start_time": "2024-06-23T14:27:52.788792Z"
- }
- },
+ "metadata": {},
+ "cell_type": "markdown",
+ "source": [
+ "## Select specific columns and write to a CSV file\n",
+ "\n",
+ "This is a data reduction approach where only the necessary columns are selected for further processing. The selected columns are then written to a new CSV file for use in subsequent steps."
+ ],
+ "id": "fa298e1c9d0999bd"
+ },
+ {
+ "metadata": {},
"cell_type": "code",
"source": [
"# Assuming df_f is your modified DataFrame with all necessary columns including 'filtered_message'\n",
@@ -2256,81 +254,30 @@
],
"id": "ff54936e81a933fd",
"outputs": [],
- "execution_count": 5
+ "execution_count": null
},
{
- "metadata": {
- "ExecuteTime": {
- "end_time": "2024-06-23T14:27:53.905616Z",
- "start_time": "2024-06-23T14:27:53.898061Z"
- }
- },
+ "metadata": {},
"cell_type": "code",
"source": "selected_columns_df.head(5)",
"id": "da3c38ca8c474ba",
- "outputs": [
- {
- "data": {
- "text/plain": [
- "shape: (5, 4)\n",
- "┌─────────────┬─────────────────┬─────────────────────────────────┬─────────────────────┐\n",
- "│ log.level ┆ winlog.event_id ┆ winlog.task ┆ filtered_message │\n",
- "│ --- ┆ --- ┆ --- ┆ --- │\n",
- "│ str ┆ i64 ┆ str ┆ str │\n",
- "╞═════════════╪═════════════════╪═════════════════════════════════╪═════════════════════╡\n",
- "│ information ┆ 10 ┆ Process accessed (rule: Proces… ┆ Process accessed: │\n",
- "│ ┆ ┆ ┆ RuleName: - │\n",
- "│ ┆ ┆ ┆ … │\n",
- "│ information ┆ 10 ┆ Process accessed (rule: Proces… ┆ Process accessed: │\n",
- "│ ┆ ┆ ┆ RuleName: - │\n",
- "│ ┆ ┆ ┆ … │\n",
- "│ information ┆ 1 ┆ Process Create (rule: ProcessC… ┆ Process Create: │\n",
- "│ ┆ ┆ ┆ RuleName: - │\n",
- "│ ┆ ┆ ┆ Pr… │\n",
- "│ information ┆ 13 ┆ Registry value set (rule: Regi… ┆ Registry value set: │\n",
- "│ ┆ ┆ ┆ RuleName: … │\n",
- "│ information ┆ 1 ┆ Process Create (rule: ProcessC… ┆ Process Create: │\n",
- "│ ┆ ┆ ┆ RuleName: - │\n",
- "│ ┆ ┆ ┆ Pr… │\n",
- "└─────────────┴─────────────────┴─────────────────────────────────┴─────────────────────┘"
- ],
- "text/html": [
- "
\n",
- "
shape: (5, 4)log.level | winlog.event_id | winlog.task | filtered_message |
---|
str | i64 | str | str |
"information" | 10 | "Process accessed (rule: Proces… | "Process accessed:\n",
- "RuleName: -\n",
- "… |
"information" | 10 | "Process accessed (rule: Proces… | "Process accessed:\n",
- "RuleName: -\n",
- "… |
"information" | 1 | "Process Create (rule: ProcessC… | "Process Create:\n",
- "RuleName: -\n",
- "Pr… |
"information" | 13 | "Registry value set (rule: Regi… | "Registry value set:\n",
- "RuleName: … |
"information" | 1 | "Process Create (rule: ProcessC… | "Process Create:\n",
- "RuleName: -\n",
- "Pr… |
"
- ]
- },
- "execution_count": 6,
- "metadata": {},
- "output_type": "execute_result"
- }
- ],
- "execution_count": 6
+ "outputs": [],
+ "execution_count": null
},
{
- "metadata": {
- "ExecuteTime": {
- "end_time": "2024-06-23T14:28:18.658902Z",
- "start_time": "2024-06-23T14:28:18.654894Z"
- }
- },
+ "metadata": {},
+ "cell_type": "markdown",
+ "source": [
+ "## Indexing and inserting a new column\n",
+ "\n",
+ "The following code indexes the events in the dataframe and inserts the index as the first column. This step is essential for tracking the order of events and ensuring that the data remains organized throughout the process."
+ ],
+ "id": "b5eb69ab1b69523f"
+ },
+ {
+ "metadata": {},
"cell_type": "code",
"source": [
- "# Assuming 'selected_columns_df' is your existing DataFrame\n",
"# Create an index series directly\n",
"index_series = pl.Series(\"index\", range(selected_columns_df.height))\n",
"\n",
@@ -2342,271 +289,60 @@
],
"id": "35cd4cc645761608",
"outputs": [],
- "execution_count": 7
+ "execution_count": null
},
{
- "metadata": {
- "ExecuteTime": {
- "end_time": "2024-06-23T13:45:49.429720Z",
- "start_time": "2024-06-23T13:43:42.591856Z"
- }
- },
+ "metadata": {},
+ "cell_type": "markdown",
+ "source": [
+ "## TPOT model training and evaluation\n",
+ "\n",
+ "The following code demonstrates how to train a TPOT model using the data prepared in the previous steps. The model is trained on the vectorized text data and evaluated to determine its performance. The best model is then exported for future use."
+ ],
+ "id": "2173f7e8f3ae63a9"
+ },
+ {
+ "metadata": {},
+ "cell_type": "markdown",
+ "source": "### Install necessary libraries",
+ "id": "2fbe4ebc4d9038a2"
+ },
+ {
+ "metadata": {},
"cell_type": "code",
"source": "%conda install numpy scipy scikit-learn pandas joblib pytorch",
"id": "b3f6a7f89fb1f92e",
- "outputs": [
- {
- "name": "stdout",
- "output_type": "stream",
- "text": [
- "Retrieving notices: ...working... done\r\n",
- "Channels:\r\n",
- " - defaults\r\n",
- " - conda-forge\r\n",
- "Platform: osx-64\r\n",
- "Collecting package metadata (repodata.json): done\r\n",
- "Solving environment: done\r\n",
- "\r\n",
- "## Package Plan ##\r\n",
- "\r\n",
- " environment location: /Users/mc/anaconda3\r\n",
- "\r\n",
- " added / updated specs:\r\n",
- " - joblib\r\n",
- " - numpy\r\n",
- " - pandas\r\n",
- " - pytorch\r\n",
- " - scikit-learn\r\n",
- " - scipy\r\n",
- "\r\n",
- "\r\n",
- "The following packages will be downloaded:\r\n",
- "\r\n",
- " package | build\r\n",
- " ---------------------------|-----------------\r\n",
- " joblib-1.4.2 | py311hecd8cb5_0 532 KB\r\n",
- " openpyxl-3.1.2 | py311h6c40b1e_0 644 KB\r\n",
- " pandas-2.2.2 | py311he327ffe_0 14.9 MB\r\n",
- " pytorch-2.3.0 |cpu_py311hfffa08c_0 61.7 MB\r\n",
- " ------------------------------------------------------------\r\n",
- " Total: 77.7 MB\r\n",
- "\r\n",
- "The following NEW packages will be INSTALLED:\r\n",
- "\r\n",
- " gmp pkgs/main/osx-64::gmp-6.2.1-he9d5cce_3 \r\n",
- " gmpy2 pkgs/main/osx-64::gmpy2-2.1.2-py311h1c2e9e1_0 \r\n",
- " mpc pkgs/main/osx-64::mpc-1.1.0-h6ef4df4_1 \r\n",
- " mpfr pkgs/main/osx-64::mpfr-4.0.2-h9066e36_1 \r\n",
- " mpmath pkgs/main/osx-64::mpmath-1.3.0-py311hecd8cb5_0 \r\n",
- " numexpr pkgs/main/osx-64::numexpr-2.8.7-py311h91b6869_0 \r\n",
- " pandas pkgs/main/osx-64::pandas-2.2.2-py311he327ffe_0 \r\n",
- " pytorch pkgs/main/osx-64::pytorch-2.3.0-cpu_py311hfffa08c_0 \r\n",
- " sympy pkgs/main/osx-64::sympy-1.12-py311hecd8cb5_0 \r\n",
- "\r\n",
- "The following packages will be UPDATED:\r\n",
- "\r\n",
- " joblib 1.2.0-py311hecd8cb5_0 --> 1.4.2-py311hecd8cb5_0 \r\n",
- " openpyxl 3.0.10-py311h6c40b1e_0 --> 3.1.2-py311h6c40b1e_0 \r\n",
- "\r\n",
- "\r\n",
- "\r\n",
- "Downloading and Extracting Packages:\r\n",
- "pytorch-2.3.0 | 61.7 MB | | 0% \r\n",
- "pandas-2.2.2 | 14.9 MB | | 0% \u001B[A\r\n",
- "\r\n",
- "openpyxl-3.1.2 | 644 KB | | 0% \u001B[A\u001B[A\r\n",
- "\r\n",
- "\r\n",
- "joblib-1.4.2 | 532 KB | | 0% \u001B[A\u001B[A\u001B[A\r\n",
- "\r\n",
- "openpyxl-3.1.2 | 644 KB | 9 | 2% \u001B[A\u001B[A\r\n",
- "pandas-2.2.2 | 14.9 MB | | 0% \u001B[A\r\n",
- "\r\n",
- "\r\n",
- "pytorch-2.3.0 | 61.7 MB | | 0% \u001B[A\u001B[A\u001B[A\r\n",
- "\r\n",
- "openpyxl-3.1.2 | 644 KB | ########2 | 22% \u001B[A\u001B[A\r\n",
- "pandas-2.2.2 | 14.9 MB | 3 | 1% \u001B[A\r\n",
- "\r\n",
- "\r\n",
- "pytorch-2.3.0 | 61.7 MB | | 0% \u001B[A\u001B[A\u001B[A\r\n",
- "\r\n",
- "openpyxl-3.1.2 | 644 KB | #####################1 | 57% \u001B[A\u001B[A\r\n",
- "pandas-2.2.2 | 14.9 MB | 7 | 2% \u001B[A\r\n",
- "\r\n",
- "\r\n",
- "pytorch-2.3.0 | 61.7 MB | 1 | 0% \u001B[A\u001B[A\u001B[A\r\n",
- "pandas-2.2.2 | 14.9 MB | #1 | 3% \u001B[A\r\n",
- "\r\n",
- "openpyxl-3.1.2 | 644 KB | ################################1 | 87% \u001B[A\u001B[A\r\n",
- "\r\n",
- "\r\n",
- "pytorch-2.3.0 | 61.7 MB | 2 | 1% \u001B[A\u001B[A\u001B[A\r\n",
- "pytorch-2.3.0 | 61.7 MB | 4 | 1% \u001B[A\r\n",
- "pandas-2.2.2 | 14.9 MB | ###4 | 9% \u001B[A\r\n",
- "pytorch-2.3.0 | 61.7 MB | 6 | 2% \u001B[A\r\n",
- "\r\n",
- "\r\n",
- "joblib-1.4.2 | 532 KB | ##################################### | 100% \u001B[A\u001B[A\u001B[A\r\n",
- "\r\n",
- "\r\n",
- "joblib-1.4.2 | 532 KB | ##################################### | 100% \u001B[A\u001B[A\u001B[A\r\n",
- "\r\n",
- "pytorch-2.3.0 | 61.7 MB | 7 | 2% \u001B[A\u001B[A\r\n",
- "pytorch-2.3.0 | 61.7 MB | 8 | 2% \u001B[A\r\n",
- "pytorch-2.3.0 | 61.7 MB | #1 | 3% \u001B[A\r\n",
- "pytorch-2.3.0 | 61.7 MB | #3 | 4% \u001B[A\r\n",
- "pytorch-2.3.0 | 61.7 MB | #4 | 4% \u001B[A\r\n",
- "pytorch-2.3.0 | 61.7 MB | #9 | 5% \u001B[A\r\n",
- "pytorch-2.3.0 | 61.7 MB | ##1 | 6% \u001B[A\r\n",
- "pytorch-2.3.0 | 61.7 MB | ##4 | 7% \u001B[A\r\n",
- "pytorch-2.3.0 | 61.7 MB | ##8 | 8% \u001B[A\r\n",
- "pytorch-2.3.0 | 61.7 MB | ### | 8% \u001B[A\r\n",
- "pytorch-2.3.0 | 61.7 MB | ###4 | 9% \u001B[A\r\n",
- "pandas-2.2.2 | 14.9 MB | ######################## | 65% \u001B[A\r\n",
- "pytorch-2.3.0 | 61.7 MB | #### | 11% \u001B[A\r\n",
- "pandas-2.2.2 | 14.9 MB | ############################# | 78% \u001B[A\r\n",
- "pytorch-2.3.0 | 61.7 MB | ####5 | 12% \u001B[A\r\n",
- "pytorch-2.3.0 | 61.7 MB | #####1 | 14% \u001B[A\r\n",
- "pytorch-2.3.0 | 61.7 MB | #####3 | 15% \u001B[A\r\n",
- "pytorch-2.3.0 | 61.7 MB | ############1 | 33% \u001B[A\r\n",
- "pandas-2.2.2 | 14.9 MB | ##################################### | 100% \u001B[A\r\n",
- " \u001B[A\r\n",
- " \u001B[A\r\n",
- "\r\n",
- " \u001B[A\u001B[A\r\n",
- "\r\n",
- "\r\n",
- " \u001B[A\u001B[A\u001B[A\r\n",
- "Preparing transaction: done\r\n",
- "Verifying transaction: done\r\n",
- "Executing transaction: done\r\n",
- "\n",
- "Note: you may need to restart the kernel to use updated packages.\n"
- ]
- }
- ],
- "execution_count": 62
+ "outputs": [],
+ "execution_count": null
},
{
- "metadata": {
- "ExecuteTime": {
- "end_time": "2024-06-23T13:56:10.774237Z",
- "start_time": "2024-06-23T13:55:53.417184Z"
- }
- },
+ "metadata": {},
"cell_type": "code",
"source": "%pip install deap update_checker tqdm stopit xgboost",
"id": "47de32d351fad54f",
- "outputs": [
- {
- "name": "stdout",
- "output_type": "stream",
- "text": [
- "Collecting deap\r\n",
- " Downloading deap-1.4.1.tar.gz (1.1 MB)\r\n",
- "\u001B[2K \u001B[90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\u001B[0m \u001B[32m1.1/1.1 MB\u001B[0m \u001B[31m3.3 MB/s\u001B[0m eta \u001B[36m0:00:00\u001B[0m00:01\u001B[0m00:01\u001B[0m0m\r\n",
- "\u001B[?25h Preparing metadata (setup.py) ... \u001B[?25ldone\r\n",
- "\u001B[?25hCollecting update_checker\r\n",
- " Downloading update_checker-0.18.0-py3-none-any.whl.metadata (2.3 kB)\r\n",
- "Requirement already satisfied: tqdm in /Users/mc/anaconda3/lib/python3.11/site-packages (4.65.0)\r\n",
- "Collecting stopit\r\n",
- " Downloading stopit-1.1.2.tar.gz (18 kB)\r\n",
- " Preparing metadata (setup.py) ... \u001B[?25ldone\r\n",
- "\u001B[?25hRequirement already satisfied: xgboost in /Users/mc/anaconda3/lib/python3.11/site-packages (2.0.3)\r\n",
- "Requirement already satisfied: numpy in /Users/mc/anaconda3/lib/python3.11/site-packages (from deap) (1.26.4)\r\n",
- "Requirement already satisfied: requests>=2.3.0 in /Users/mc/anaconda3/lib/python3.11/site-packages (from update_checker) (2.31.0)\r\n",
- "Requirement already satisfied: scipy in /Users/mc/anaconda3/lib/python3.11/site-packages (from xgboost) (1.10.0)\r\n",
- "Requirement already satisfied: charset-normalizer<4,>=2 in /Users/mc/anaconda3/lib/python3.11/site-packages (from requests>=2.3.0->update_checker) (2.0.4)\r\n",
- "Requirement already satisfied: idna<4,>=2.5 in /Users/mc/anaconda3/lib/python3.11/site-packages (from requests>=2.3.0->update_checker) (3.4)\r\n",
- "Requirement already satisfied: urllib3<3,>=1.21.1 in /Users/mc/anaconda3/lib/python3.11/site-packages (from requests>=2.3.0->update_checker) (2.0.7)\r\n",
- "Requirement already satisfied: certifi>=2017.4.17 in /Users/mc/anaconda3/lib/python3.11/site-packages (from requests>=2.3.0->update_checker) (2024.6.2)\r\n",
- "Downloading update_checker-0.18.0-py3-none-any.whl (7.0 kB)\r\n",
- "Building wheels for collected packages: deap, stopit\r\n",
- " Building wheel for deap (setup.py) ... \u001B[?25ldone\r\n",
- "\u001B[?25h Created wheel for deap: filename=deap-1.4.1-cp311-cp311-macosx_10_9_x86_64.whl size=104125 sha256=f96288a3d78b5805d248bd7b3b208fde1cc034141a602688c3fda474dd70351f\r\n",
- " Stored in directory: /Users/mc/Library/Caches/pip/wheels/f8/64/b8/65eacfbff3024ae2e2beb22e691d5c8abb89fbd863b8049b5f\r\n",
- " Building wheel for stopit (setup.py) ... \u001B[?25ldone\r\n",
- "\u001B[?25h Created wheel for stopit: filename=stopit-1.1.2-py3-none-any.whl size=11939 sha256=97f0cca9a0cd37dfe9b6f44dd8ab496a305c15a23e1b1f61fb45480eb31d7968\r\n",
- " Stored in directory: /Users/mc/Library/Caches/pip/wheels/da/77/2d/adbc56bc4db95ad80c6d4e71cd69e2d9d122174904342e3f7f\r\n",
- "Successfully built deap stopit\r\n",
- "Installing collected packages: stopit, deap, update_checker\r\n",
- "Successfully installed deap-1.4.1 stopit-1.1.2 update_checker-0.18.0\r\n",
- "Note: you may need to restart the kernel to use updated packages.\n"
- ]
- }
- ],
- "execution_count": 63
+ "outputs": [],
+ "execution_count": null
},
{
- "metadata": {
- "ExecuteTime": {
- "end_time": "2024-06-23T14:01:04.898242Z",
- "start_time": "2024-06-23T14:00:53.155446Z"
- }
- },
+ "metadata": {},
"cell_type": "code",
"source": "%pip install tpot",
"id": "737d462c559936e2",
- "outputs": [
- {
- "name": "stdout",
- "output_type": "stream",
- "text": [
- "Collecting tpot\r\n",
- " Downloading TPOT-0.12.2-py3-none-any.whl.metadata (2.0 kB)\r\n",
- "Requirement already satisfied: numpy>=1.16.3 in /Users/mc/anaconda3/lib/python3.11/site-packages (from tpot) (1.26.4)\r\n",
- "Requirement already satisfied: scipy>=1.3.1 in /Users/mc/anaconda3/lib/python3.11/site-packages (from tpot) (1.10.0)\r\n",
- "Collecting scikit-learn>=1.4.1 (from tpot)\r\n",
- " Downloading scikit_learn-1.5.0-cp311-cp311-macosx_10_9_x86_64.whl.metadata (11 kB)\r\n",
- "Requirement already satisfied: deap>=1.2 in /Users/mc/anaconda3/lib/python3.11/site-packages (from tpot) (1.4.1)\r\n",
- "Requirement already satisfied: update-checker>=0.16 in /Users/mc/anaconda3/lib/python3.11/site-packages (from tpot) (0.18.0)\r\n",
- "Requirement already satisfied: tqdm>=4.36.1 in /Users/mc/anaconda3/lib/python3.11/site-packages (from tpot) (4.65.0)\r\n",
- "Requirement already satisfied: stopit>=1.1.1 in /Users/mc/anaconda3/lib/python3.11/site-packages (from tpot) (1.1.2)\r\n",
- "Requirement already satisfied: pandas>=0.24.2 in /Users/mc/anaconda3/lib/python3.11/site-packages (from tpot) (2.2.2)\r\n",
- "Requirement already satisfied: joblib>=0.13.2 in /Users/mc/anaconda3/lib/python3.11/site-packages (from tpot) (1.4.2)\r\n",
- "Requirement already satisfied: xgboost>=1.1.0 in /Users/mc/anaconda3/lib/python3.11/site-packages (from tpot) (2.0.3)\r\n",
- "Requirement already satisfied: python-dateutil>=2.8.2 in /Users/mc/anaconda3/lib/python3.11/site-packages (from pandas>=0.24.2->tpot) (2.8.2)\r\n",
- "Requirement already satisfied: pytz>=2020.1 in /Users/mc/anaconda3/lib/python3.11/site-packages (from pandas>=0.24.2->tpot) (2023.3.post1)\r\n",
- "Requirement already satisfied: tzdata>=2022.7 in /Users/mc/anaconda3/lib/python3.11/site-packages (from pandas>=0.24.2->tpot) (2023.3)\r\n",
- "Collecting threadpoolctl>=3.1.0 (from scikit-learn>=1.4.1->tpot)\r\n",
- " Downloading threadpoolctl-3.5.0-py3-none-any.whl.metadata (13 kB)\r\n",
- "Requirement already satisfied: requests>=2.3.0 in /Users/mc/anaconda3/lib/python3.11/site-packages (from update-checker>=0.16->tpot) (2.31.0)\r\n",
- "Requirement already satisfied: six>=1.5 in /Users/mc/anaconda3/lib/python3.11/site-packages (from python-dateutil>=2.8.2->pandas>=0.24.2->tpot) (1.16.0)\r\n",
- "Requirement already satisfied: charset-normalizer<4,>=2 in /Users/mc/anaconda3/lib/python3.11/site-packages (from requests>=2.3.0->update-checker>=0.16->tpot) (2.0.4)\r\n",
- "Requirement already satisfied: idna<4,>=2.5 in /Users/mc/anaconda3/lib/python3.11/site-packages (from requests>=2.3.0->update-checker>=0.16->tpot) (3.4)\r\n",
- "Requirement already satisfied: urllib3<3,>=1.21.1 in /Users/mc/anaconda3/lib/python3.11/site-packages (from requests>=2.3.0->update-checker>=0.16->tpot) (2.0.7)\r\n",
- "Requirement already satisfied: certifi>=2017.4.17 in /Users/mc/anaconda3/lib/python3.11/site-packages (from requests>=2.3.0->update-checker>=0.16->tpot) (2024.6.2)\r\n",
- "Downloading TPOT-0.12.2-py3-none-any.whl (87 kB)\r\n",
- "\u001B[2K \u001B[90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\u001B[0m \u001B[32m87.4/87.4 kB\u001B[0m \u001B[31m800.0 kB/s\u001B[0m eta \u001B[36m0:00:00\u001B[0m\u001B[36m0:00:01\u001B[0m0m\r\n",
- "\u001B[?25hDownloading scikit_learn-1.5.0-cp311-cp311-macosx_10_9_x86_64.whl (12.1 MB)\r\n",
- "\u001B[2K \u001B[90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\u001B[0m \u001B[32m12.1/12.1 MB\u001B[0m \u001B[31m6.9 MB/s\u001B[0m eta \u001B[36m0:00:00\u001B[0m00:01\u001B[0m00:01\u001B[0m\r\n",
- "\u001B[?25hDownloading threadpoolctl-3.5.0-py3-none-any.whl (18 kB)\r\n",
- "Installing collected packages: threadpoolctl, scikit-learn, tpot\r\n",
- " Attempting uninstall: threadpoolctl\r\n",
- " Found existing installation: threadpoolctl 2.2.0\r\n",
- " Uninstalling threadpoolctl-2.2.0:\r\n",
- " Successfully uninstalled threadpoolctl-2.2.0\r\n",
- " Attempting uninstall: scikit-learn\r\n",
- " Found existing installation: scikit-learn 1.1.3\r\n",
- " Uninstalling scikit-learn-1.1.3:\r\n",
- " Successfully uninstalled scikit-learn-1.1.3\r\n",
- "\u001B[31mERROR: pip's dependency resolver does not currently take into account all the packages that are installed. This behaviour is the source of the following dependency conflicts.\r\n",
- "orange3 3.36.2 requires scikit-learn!=1.2.*,<1.4,>=1.1.0, but you have scikit-learn 1.5.0 which is incompatible.\u001B[0m\u001B[31m\r\n",
- "\u001B[0mSuccessfully installed scikit-learn-1.5.0 threadpoolctl-3.5.0 tpot-0.12.2\r\n",
- "Note: you may need to restart the kernel to use updated packages.\n"
- ]
- }
- ],
- "execution_count": 65
+ "outputs": [],
+ "execution_count": null
},
{
- "metadata": {
- "ExecuteTime": {
- "end_time": "2024-06-23T14:28:38.433594Z",
- "start_time": "2024-06-23T14:28:27.080547Z"
- }
- },
+ "metadata": {},
+ "cell_type": "markdown",
+ "source": [
+ "### Initialize TPOT for Genetic Programming on the CPU\n",
+ "\n",
+ "The following code initializes a TPOT classifier for genetic programming on the CPU. The classifier is trained on the vectorized text data and evaluated to determine its performance. The best model is then exported for future use."
+ ],
+ "id": "ddf2807e5c8a393b"
+ },
+ {
+ "metadata": {},
"cell_type": "code",
"source": [
"import os\n",
@@ -2621,25 +357,21 @@
"from sklearn.preprocessing import LabelEncoder"
],
"id": "ae96e41f08c7908b",
- "outputs": [
- {
- "name": "stderr",
- "output_type": "stream",
- "text": [
- "/Users/mc/anaconda3/lib/python3.11/site-packages/transformers/utils/generic.py:260: UserWarning: torch.utils._pytree._register_pytree_node is deprecated. Please use torch.utils._pytree.register_pytree_node instead.\n",
- " torch.utils._pytree._register_pytree_node(\n"
- ]
- }
- ],
- "execution_count": 8
+ "outputs": [],
+ "execution_count": null
},
{
- "metadata": {
- "ExecuteTime": {
- "end_time": "2024-06-23T14:28:38.439369Z",
- "start_time": "2024-06-23T14:28:38.435669Z"
- }
- },
+ "metadata": {},
+ "cell_type": "markdown",
+ "source": [
+ "### Building the feature vector\n",
+ "\n",
+ "Here a feature vector is build to extract the relevant features from Sysmon traces. The feature vector is then used to train the TPOT classifier."
+ ],
+ "id": "33c422b756ff0d9b"
+ },
+ {
+ "metadata": {},
"cell_type": "code",
"source": [
"# Extract relevant information using regular expressions\n",
@@ -2654,15 +386,10 @@
],
"id": "5cecd995c579cd0f",
"outputs": [],
- "execution_count": 9
+ "execution_count": null
},
{
- "metadata": {
- "ExecuteTime": {
- "end_time": "2024-06-23T14:28:38.453982Z",
- "start_time": "2024-06-23T14:28:38.440333Z"
- }
- },
+ "metadata": {},
"cell_type": "code",
"source": [
"# Apply extraction to the Polars DataFrame using map_elements\n",
@@ -2672,15 +399,10 @@
],
"id": "c2f84d1d644f9111",
"outputs": [],
- "execution_count": 10
+ "execution_count": null
},
{
- "metadata": {
- "ExecuteTime": {
- "end_time": "2024-06-23T14:28:38.462528Z",
- "start_time": "2024-06-23T14:28:38.456183Z"
- }
- },
+ "metadata": {},
"cell_type": "code",
"source": [
"# Extract fields from the extracted_info column using map_elements with return_dtype\n",
@@ -2692,92 +414,30 @@
],
"id": "b4c8e805cdb9b634",
"outputs": [],
- "execution_count": 11
+ "execution_count": null
},
{
- "metadata": {
- "ExecuteTime": {
- "end_time": "2024-06-23T14:28:38.467734Z",
- "start_time": "2024-06-23T14:28:38.463610Z"
- }
- },
+ "metadata": {},
"cell_type": "code",
"source": "print(selected_columns_df)",
"id": "c700056897cc8dd8",
- "outputs": [
- {
- "name": "stdout",
- "output_type": "stream",
- "text": [
- "shape: (1_027, 8)\n",
- "┌───────┬────────────┬────────────┬────────────┬────────────┬────────────┬────────────┬────────────┐\n",
- "│ index ┆ log.level ┆ winlog.eve ┆ winlog.tas ┆ filtered_m ┆ image ┆ target_fil ┆ text │\n",
- "│ --- ┆ --- ┆ nt_id ┆ k ┆ essage ┆ --- ┆ ename ┆ --- │\n",
- "│ i64 ┆ str ┆ --- ┆ --- ┆ --- ┆ str ┆ --- ┆ str │\n",
- "│ ┆ ┆ i64 ┆ str ┆ str ┆ ┆ str ┆ │\n",
- "╞═══════╪════════════╪════════════╪════════════╪════════════╪════════════╪════════════╪════════════╡\n",
- "│ 0 ┆ informatio ┆ 10 ┆ Process ┆ Process ┆ C:\\Windows ┆ ┆ Process │\n",
- "│ ┆ n ┆ ┆ accessed ┆ accessed: ┆ \\system32\\ ┆ ┆ accessed: │\n",
- "│ ┆ ┆ ┆ (rule: ┆ RuleName: ┆ svchost.ex ┆ ┆ RuleName: │\n",
- "│ ┆ ┆ ┆ Proces… ┆ - ┆ … ┆ ┆ - │\n",
- "│ ┆ ┆ ┆ ┆ … ┆ ┆ ┆ … │\n",
- "│ 1 ┆ informatio ┆ 10 ┆ Process ┆ Process ┆ C:\\Windows ┆ ┆ Process │\n",
- "│ ┆ n ┆ ┆ accessed ┆ accessed: ┆ \\system32\\ ┆ ┆ accessed: │\n",
- "│ ┆ ┆ ┆ (rule: ┆ RuleName: ┆ svchost.ex ┆ ┆ RuleName: │\n",
- "│ ┆ ┆ ┆ Proces… ┆ - ┆ … ┆ ┆ - │\n",
- "│ ┆ ┆ ┆ ┆ … ┆ ┆ ┆ … │\n",
- "│ 2 ┆ informatio ┆ 1 ┆ Process ┆ Process ┆ C:\\Windows ┆ ┆ Process │\n",
- "│ ┆ n ┆ ┆ Create ┆ Create: ┆ \\servicing ┆ ┆ Create: │\n",
- "│ ┆ ┆ ┆ (rule: ┆ RuleName: ┆ \\TrustedIn ┆ ┆ RuleName: │\n",
- "│ ┆ ┆ ┆ ProcessC… ┆ - ┆ … ┆ ┆ - │\n",
- "│ ┆ ┆ ┆ ┆ Pr… ┆ ┆ ┆ Pr… │\n",
- "│ 3 ┆ informatio ┆ 13 ┆ Registry ┆ Registry ┆ C:\\Windows ┆ ┆ Registry │\n",
- "│ ┆ n ┆ ┆ value set ┆ value set: ┆ \\servicing ┆ ┆ value set: │\n",
- "│ ┆ ┆ ┆ (rule: ┆ RuleName: ┆ \\TrustedIn ┆ ┆ RuleName: │\n",
- "│ ┆ ┆ ┆ Regi… ┆ … ┆ … ┆ ┆ … │\n",
- "│ 4 ┆ informatio ┆ 1 ┆ Process ┆ Process ┆ C:\\Windows ┆ ┆ Process │\n",
- "│ ┆ n ┆ ┆ Create ┆ Create: ┆ \\WinSxS\\am ┆ ┆ Create: │\n",
- "│ ┆ ┆ ┆ (rule: ┆ RuleName: ┆ d64_micros ┆ ┆ RuleName: │\n",
- "│ ┆ ┆ ┆ ProcessC… ┆ - ┆ … ┆ ┆ - │\n",
- "│ ┆ ┆ ┆ ┆ Pr… ┆ ┆ ┆ Pr… │\n",
- "│ … ┆ … ┆ … ┆ … ┆ … ┆ … ┆ … ┆ … │\n",
- "│ 1022 ┆ informatio ┆ 1 ┆ Process ┆ Process ┆ C:\\Program ┆ ┆ Process │\n",
- "│ ┆ n ┆ ┆ Create ┆ Create: ┆ Files (x86 ┆ ┆ Create: │\n",
- "│ ┆ ┆ ┆ (rule: ┆ RuleName: ┆ )\\Microso… ┆ ┆ RuleName: │\n",
- "│ ┆ ┆ ┆ ProcessC… ┆ - ┆ ┆ ┆ - │\n",
- "│ ┆ ┆ ┆ ┆ Pr… ┆ ┆ ┆ Pr… │\n",
- "│ 1023 ┆ informatio ┆ 10 ┆ Process ┆ Process ┆ C:\\Program ┆ ┆ Process │\n",
- "│ ┆ n ┆ ┆ accessed ┆ accessed: ┆ Files (x86 ┆ ┆ accessed: │\n",
- "│ ┆ ┆ ┆ (rule: ┆ RuleName: ┆ )\\Microso… ┆ ┆ RuleName: │\n",
- "│ ┆ ┆ ┆ Proces… ┆ - ┆ ┆ ┆ - │\n",
- "│ ┆ ┆ ┆ ┆ … ┆ ┆ ┆ … │\n",
- "│ 1024 ┆ informatio ┆ 1 ┆ Process ┆ Process ┆ C:\\Windows ┆ ┆ Process │\n",
- "│ ┆ n ┆ ┆ Create ┆ Create: ┆ \\System32\\ ┆ ┆ Create: │\n",
- "│ ┆ ┆ ┆ (rule: ┆ RuleName: ┆ taskhostw. ┆ ┆ RuleName: │\n",
- "│ ┆ ┆ ┆ ProcessC… ┆ - ┆ … ┆ ┆ - │\n",
- "│ ┆ ┆ ┆ ┆ Pr… ┆ ┆ ┆ Pr… │\n",
- "│ 1025 ┆ informatio ┆ 22 ┆ Dns query ┆ Dns query: ┆ ┆ ┆ Dns query: │\n",
- "│ ┆ n ┆ ┆ (rule: ┆ RuleName: ┆ ┆ ┆ RuleName: │\n",
- "│ ┆ ┆ ┆ DnsQuery) ┆ - ┆ ┆ ┆ - │\n",
- "│ ┆ ┆ ┆ ┆ Process… ┆ ┆ ┆ Process… │\n",
- "│ 1026 ┆ informatio ┆ 1 ┆ Process ┆ Process ┆ C:\\Program ┆ ┆ Process │\n",
- "│ ┆ n ┆ ┆ Create ┆ Create: ┆ Files\\RUXI ┆ ┆ Create: │\n",
- "│ ┆ ┆ ┆ (rule: ┆ RuleName: ┆ M\\PLUGSch… ┆ ┆ RuleName: │\n",
- "│ ┆ ┆ ┆ ProcessC… ┆ - ┆ ┆ ┆ - │\n",
- "│ ┆ ┆ ┆ ┆ Pr… ┆ ┆ ┆ Pr… │\n",
- "└───────┴────────────┴────────────┴────────────┴────────────┴────────────┴────────────┴────────────┘\n"
- ]
- }
- ],
- "execution_count": 12
+ "outputs": [],
+ "execution_count": null
},
{
- "metadata": {
- "ExecuteTime": {
- "end_time": "2024-06-23T14:28:58.121865Z",
- "start_time": "2024-06-23T14:28:58.118749Z"
- }
- },
+ "metadata": {},
+ "cell_type": "markdown",
+ "source": [
+ "#### Define the label based on conditions\n",
+ "\n",
+ "The following code defines the label based on specific conditions. The conditions are applied to the image and target_filename columns to determine whether the event is malicious or benign. The label is then assigned accordingly. This step is crucial for training the TPOT classifier.\n",
+ "\n",
+ "This is a single-label classification problem, where the label is binary (good or bad)."
+ ],
+ "id": "3df9414538271fdc"
+ },
+ {
+ "metadata": {},
"cell_type": "code",
"source": [
"def define_label(row):\n",
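Review bot: The new markdown cell `3df9414538271fdc` should state that the label is a heuristic derived from the `image` and `target_filename` path columns rather than a verified verdict, because the classifier is then trained on a BERT vector of the `text` column, and if that text carries the same path fields (a Sysmon message normally does, though the visible output truncates it) the label is a deterministic function of the input and a perfect score says nothing about recognising unseen malicious behaviour. The stripped output of the `bad_rows` cell (history, in a later hunk) shows only 2 of 1,027 events labelled `bad`, both keyed on a path under `C:\Users\student\AppData\Local`, so the prose should also record that the dataset is heavily imbalanced. Suggested sentence to append: `Note: the label is a path-based heuristic, not ground truth, and only a handful of events meet it, so the data is heavily imbalanced and a model can learn the rule rather than the behaviour.` `define_label` itself begins on the last line of this hunk and continues outside it.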
@@ -2790,15 +450,10 @@
],
"id": "8d21ff3214accd7a",
"outputs": [],
- "execution_count": 13
+ "execution_count": null
},
{
- "metadata": {
- "ExecuteTime": {
- "end_time": "2024-06-23T14:29:01.928229Z",
- "start_time": "2024-06-23T14:29:01.923231Z"
- }
- },
+ "metadata": {},
"cell_type": "code",
"source": [
"# Apply the define_label function\n",
@@ -2808,132 +463,39 @@
],
"id": "3017223325f75d03",
"outputs": [],
- "execution_count": 14
+ "execution_count": null
},
{
- "metadata": {
- "ExecuteTime": {
- "end_time": "2024-06-23T14:29:02.937309Z",
- "start_time": "2024-06-23T14:29:02.933702Z"
- }
- },
+ "metadata": {},
"cell_type": "code",
"source": "print(selected_columns_df)",
"id": "feac611ac2db9fb",
- "outputs": [
- {
- "name": "stdout",
- "output_type": "stream",
- "text": [
- "shape: (1_027, 9)\n",
- "┌───────┬─────────────┬────────────┬────────────┬───┬────────────┬────────────┬────────────┬───────┐\n",
- "│ index ┆ log.level ┆ winlog.eve ┆ winlog.tas ┆ … ┆ image ┆ target_fil ┆ text ┆ label │\n",
- "│ --- ┆ --- ┆ nt_id ┆ k ┆ ┆ --- ┆ ename ┆ --- ┆ --- │\n",
- "│ i64 ┆ str ┆ --- ┆ --- ┆ ┆ str ┆ --- ┆ str ┆ str │\n",
- "│ ┆ ┆ i64 ┆ str ┆ ┆ ┆ str ┆ ┆ │\n",
- "╞═══════╪═════════════╪════════════╪════════════╪═══╪════════════╪════════════╪════════════╪═══════╡\n",
- "│ 0 ┆ information ┆ 10 ┆ Process ┆ … ┆ C:\\Windows ┆ ┆ Process ┆ good │\n",
- "│ ┆ ┆ ┆ accessed ┆ ┆ \\system32\\ ┆ ┆ accessed: ┆ │\n",
- "│ ┆ ┆ ┆ (rule: ┆ ┆ svchost.ex ┆ ┆ RuleName: ┆ │\n",
- "│ ┆ ┆ ┆ Proces… ┆ ┆ … ┆ ┆ - ┆ │\n",
- "│ ┆ ┆ ┆ ┆ ┆ ┆ ┆ … ┆ │\n",
- "│ 1 ┆ information ┆ 10 ┆ Process ┆ … ┆ C:\\Windows ┆ ┆ Process ┆ good │\n",
- "│ ┆ ┆ ┆ accessed ┆ ┆ \\system32\\ ┆ ┆ accessed: ┆ │\n",
- "│ ┆ ┆ ┆ (rule: ┆ ┆ svchost.ex ┆ ┆ RuleName: ┆ │\n",
- "│ ┆ ┆ ┆ Proces… ┆ ┆ … ┆ ┆ - ┆ │\n",
- "│ ┆ ┆ ┆ ┆ ┆ ┆ ┆ … ┆ │\n",
- "│ 2 ┆ information ┆ 1 ┆ Process ┆ … ┆ C:\\Windows ┆ ┆ Process ┆ good │\n",
- "│ ┆ ┆ ┆ Create ┆ ┆ \\servicing ┆ ┆ Create: ┆ │\n",
- "│ ┆ ┆ ┆ (rule: ┆ ┆ \\TrustedIn ┆ ┆ RuleName: ┆ │\n",
- "│ ┆ ┆ ┆ ProcessC… ┆ ┆ … ┆ ┆ - ┆ │\n",
- "│ ┆ ┆ ┆ ┆ ┆ ┆ ┆ Pr… ┆ │\n",
- "│ 3 ┆ information ┆ 13 ┆ Registry ┆ … ┆ C:\\Windows ┆ ┆ Registry ┆ good │\n",
- "│ ┆ ┆ ┆ value set ┆ ┆ \\servicing ┆ ┆ value set: ┆ │\n",
- "│ ┆ ┆ ┆ (rule: ┆ ┆ \\TrustedIn ┆ ┆ RuleName: ┆ │\n",
- "│ ┆ ┆ ┆ Regi… ┆ ┆ … ┆ ┆ … ┆ │\n",
- "│ 4 ┆ information ┆ 1 ┆ Process ┆ … ┆ C:\\Windows ┆ ┆ Process ┆ good │\n",
- "│ ┆ ┆ ┆ Create ┆ ┆ \\WinSxS\\am ┆ ┆ Create: ┆ │\n",
- "│ ┆ ┆ ┆ (rule: ┆ ┆ d64_micros ┆ ┆ RuleName: ┆ │\n",
- "│ ┆ ┆ ┆ ProcessC… ┆ ┆ … ┆ ┆ - ┆ │\n",
- "│ ┆ ┆ ┆ ┆ ┆ ┆ ┆ Pr… ┆ │\n",
- "│ … ┆ … ┆ … ┆ … ┆ … ┆ … ┆ … ┆ … ┆ … │\n",
- "│ 1022 ┆ information ┆ 1 ┆ Process ┆ … ┆ C:\\Program ┆ ┆ Process ┆ good │\n",
- "│ ┆ ┆ ┆ Create ┆ ┆ Files (x86 ┆ ┆ Create: ┆ │\n",
- "│ ┆ ┆ ┆ (rule: ┆ ┆ )\\Microso… ┆ ┆ RuleName: ┆ │\n",
- "│ ┆ ┆ ┆ ProcessC… ┆ ┆ ┆ ┆ - ┆ │\n",
- "│ ┆ ┆ ┆ ┆ ┆ ┆ ┆ Pr… ┆ │\n",
- "│ 1023 ┆ information ┆ 10 ┆ Process ┆ … ┆ C:\\Program ┆ ┆ Process ┆ good │\n",
- "│ ┆ ┆ ┆ accessed ┆ ┆ Files (x86 ┆ ┆ accessed: ┆ │\n",
- "│ ┆ ┆ ┆ (rule: ┆ ┆ )\\Microso… ┆ ┆ RuleName: ┆ │\n",
- "│ ┆ ┆ ┆ Proces… ┆ ┆ ┆ ┆ - ┆ │\n",
- "│ ┆ ┆ ┆ ┆ ┆ ┆ ┆ … ┆ │\n",
- "│ 1024 ┆ information ┆ 1 ┆ Process ┆ … ┆ C:\\Windows ┆ ┆ Process ┆ good │\n",
- "│ ┆ ┆ ┆ Create ┆ ┆ \\System32\\ ┆ ┆ Create: ┆ │\n",
- "│ ┆ ┆ ┆ (rule: ┆ ┆ taskhostw. ┆ ┆ RuleName: ┆ │\n",
- "│ ┆ ┆ ┆ ProcessC… ┆ ┆ … ┆ ┆ - ┆ │\n",
- "│ ┆ ┆ ┆ ┆ ┆ ┆ ┆ Pr… ┆ │\n",
- "│ 1025 ┆ information ┆ 22 ┆ Dns query ┆ … ┆ ┆ ┆ Dns query: ┆ good │\n",
- "│ ┆ ┆ ┆ (rule: ┆ ┆ ┆ ┆ RuleName: ┆ │\n",
- "│ ┆ ┆ ┆ DnsQuery) ┆ ┆ ┆ ┆ - ┆ │\n",
- "│ ┆ ┆ ┆ ┆ ┆ ┆ ┆ Process… ┆ │\n",
- "│ 1026 ┆ information ┆ 1 ┆ Process ┆ … ┆ C:\\Program ┆ ┆ Process ┆ good │\n",
- "│ ┆ ┆ ┆ Create ┆ ┆ Files\\RUXI ┆ ┆ Create: ┆ │\n",
- "│ ┆ ┆ ┆ (rule: ┆ ┆ M\\PLUGSch… ┆ ┆ RuleName: ┆ │\n",
- "│ ┆ ┆ ┆ ProcessC… ┆ ┆ ┆ ┆ - ┆ │\n",
- "│ ┆ ┆ ┆ ┆ ┆ ┆ ┆ Pr… ┆ │\n",
- "└───────┴─────────────┴────────────┴────────────┴───┴────────────┴────────────┴────────────┴───────┘\n"
- ]
- }
- ],
- "execution_count": 15
+ "outputs": [],
+ "execution_count": null
},
{
- "metadata": {
- "ExecuteTime": {
- "end_time": "2024-06-23T14:30:07.444109Z",
- "start_time": "2024-06-23T14:30:07.436034Z"
- }
- },
+ "metadata": {},
"cell_type": "code",
"source": [
"bad_rows = selected_columns_df.filter(pl.col(\"label\") == \"bad\")\n",
"print(bad_rows)"
],
"id": "5d634a8db0b99c4",
- "outputs": [
- {
- "name": "stdout",
- "output_type": "stream",
- "text": [
- "shape: (2, 9)\n",
- "┌───────┬─────────────┬────────────┬────────────┬───┬────────────┬────────────┬────────────┬───────┐\n",
- "│ index ┆ log.level ┆ winlog.eve ┆ winlog.tas ┆ … ┆ image ┆ target_fil ┆ text ┆ label │\n",
- "│ --- ┆ --- ┆ nt_id ┆ k ┆ ┆ --- ┆ ename ┆ --- ┆ --- │\n",
- "│ i64 ┆ str ┆ --- ┆ --- ┆ ┆ str ┆ --- ┆ str ┆ str │\n",
- "│ ┆ ┆ i64 ┆ str ┆ ┆ ┆ str ┆ ┆ │\n",
- "╞═══════╪═════════════╪════════════╪════════════╪═══╪════════════╪════════════╪════════════╪═══════╡\n",
- "│ 832 ┆ information ┆ 11 ┆ File ┆ … ┆ C:\\Program ┆ C:\\Users\\s ┆ File ┆ bad │\n",
- "│ ┆ ┆ ┆ created ┆ ┆ Files\\Micr ┆ tudent\\App ┆ created: ┆ │\n",
- "│ ┆ ┆ ┆ (rule: Fil ┆ ┆ osoft Off… ┆ Data\\Local ┆ RuleName: ┆ │\n",
- "│ ┆ ┆ ┆ eCreate… ┆ ┆ ┆ … ┆ EXE ┆ │\n",
- "│ ┆ ┆ ┆ ┆ ┆ ┆ ┆ Pr… ┆ │\n",
- "│ 874 ┆ information ┆ 3 ┆ Network ┆ … ┆ C:\\Users\\s ┆ ┆ Network ┆ bad │\n",
- "│ ┆ ┆ ┆ connection ┆ ┆ tudent\\App ┆ ┆ connection ┆ │\n",
- "│ ┆ ┆ ┆ detected ┆ ┆ Data\\Local ┆ ┆ detected: ┆ │\n",
- "│ ┆ ┆ ┆ (r… ┆ ┆ … ┆ ┆ R… ┆ │\n",
- "└───────┴─────────────┴────────────┴────────────┴───┴────────────┴────────────┴────────────┴───────┘\n"
- ]
- }
- ],
- "execution_count": 16
+ "outputs": [],
+ "execution_count": null
},
{
- "metadata": {
- "ExecuteTime": {
- "end_time": "2024-06-23T14:37:58.896397Z",
- "start_time": "2024-06-23T14:30:20.524206Z"
- }
- },
+ "metadata": {},
+ "cell_type": "markdown",
+ "source": [
+ "### Vectorizing the text data using BERT\n",
+ "\n",
+ "The following code demonstrates how to vectorize the text data using BERT. The vectorized text data is then used as input for the TPOT classifier. The BERT model is loaded and applied to the text column in the DataFrame to generate the feature vector."
+ ],
+ "id": "a4697a39b64b182f"
+ },
+ {
+ "metadata": {},
"cell_type": "code",
"source": [
"tokenizer = BertTokenizer.from_pretrained('bert-base-uncased')\n",
@@ -2952,88 +514,11 @@
"print(selected_columns_df)"
],
"id": "9262f948e3361ee9",
- "outputs": [
- {
- "name": "stderr",
- "output_type": "stream",
- "text": [
- "/Users/mc/anaconda3/lib/python3.11/site-packages/huggingface_hub/file_download.py:1132: FutureWarning: `resume_download` is deprecated and will be removed in version 1.0.0. Downloads always resume when possible. If you want to force a new download, use `force_download=True`.\n",
- " warnings.warn(\n"
- ]
- },
- {
- "name": "stdout",
- "output_type": "stream",
- "text": [
- "shape: (1_027, 10)\n",
- "┌───────┬─────────────┬────────────┬────────────┬───┬────────────┬────────────┬───────┬────────────┐\n",
- "│ index ┆ log.level ┆ winlog.eve ┆ winlog.tas ┆ … ┆ target_fil ┆ text ┆ label ┆ text_vecto │\n",
- "│ --- ┆ --- ┆ nt_id ┆ k ┆ ┆ ename ┆ --- ┆ --- ┆ r │\n",
- "│ i64 ┆ str ┆ --- ┆ --- ┆ ┆ --- ┆ str ┆ str ┆ --- │\n",
- "│ ┆ ┆ i64 ┆ str ┆ ┆ str ┆ ┆ ┆ object │\n",
- "╞═══════╪═════════════╪════════════╪════════════╪═══╪════════════╪════════════╪═══════╪════════════╡\n",
- "│ 0 ┆ information ┆ 10 ┆ Process ┆ … ┆ ┆ Process ┆ good ┆ [-3.212887 │\n",
- "│ ┆ ┆ ┆ accessed ┆ ┆ ┆ accessed: ┆ ┆ 05e-01 -8. │\n",
- "│ ┆ ┆ ┆ (rule: ┆ ┆ ┆ RuleName: ┆ ┆ 51057563e- │\n",
- "│ ┆ ┆ ┆ Proces… ┆ ┆ ┆ - ┆ ┆ … │\n",
- "│ ┆ ┆ ┆ ┆ ┆ ┆ … ┆ ┆ │\n",
- "│ 1 ┆ information ┆ 10 ┆ Process ┆ … ┆ ┆ Process ┆ good ┆ [-3.122658 │\n",
- "│ ┆ ┆ ┆ accessed ┆ ┆ ┆ accessed: ┆ ┆ 13e-01 -9. │\n",
- "│ ┆ ┆ ┆ (rule: ┆ ┆ ┆ RuleName: ┆ ┆ 11662821e- │\n",
- "│ ┆ ┆ ┆ Proces… ┆ ┆ ┆ - ┆ ┆ … │\n",
- "│ ┆ ┆ ┆ ┆ ┆ ┆ … ┆ ┆ │\n",
- "│ 2 ┆ information ┆ 1 ┆ Process ┆ … ┆ ┆ Process ┆ good ┆ [-3.229663 │\n",
- "│ ┆ ┆ ┆ Create ┆ ┆ ┆ Create: ┆ ┆ 37e-01 -5. │\n",
- "│ ┆ ┆ ┆ (rule: ┆ ┆ ┆ RuleName: ┆ ┆ 04846917e- │\n",
- "│ ┆ ┆ ┆ ProcessC… ┆ ┆ ┆ - ┆ ┆ … │\n",
- "│ ┆ ┆ ┆ ┆ ┆ ┆ Pr… ┆ ┆ │\n",
- "│ 3 ┆ information ┆ 13 ┆ Registry ┆ … ┆ ┆ Registry ┆ good ┆ [-2.114389 │\n",
- "│ ┆ ┆ ┆ value set ┆ ┆ ┆ value set: ┆ ┆ 69e-01 -1. │\n",
- "│ ┆ ┆ ┆ (rule: ┆ ┆ ┆ RuleName: ┆ ┆ 26859054e- │\n",
- "│ ┆ ┆ ┆ Regi… ┆ ┆ ┆ … ┆ ┆ … │\n",
- "│ 4 ┆ information ┆ 1 ┆ Process ┆ … ┆ ┆ Process ┆ good ┆ [-3.781927 │\n",
- "│ ┆ ┆ ┆ Create ┆ ┆ ┆ Create: ┆ ┆ 82e-01 │\n",
- "│ ┆ ┆ ┆ (rule: ┆ ┆ ┆ RuleName: ┆ ┆ 1.29612401 │\n",
- "│ ┆ ┆ ┆ ProcessC… ┆ ┆ ┆ - ┆ ┆ e-… │\n",
- "│ ┆ ┆ ┆ ┆ ┆ ┆ Pr… ┆ ┆ │\n",
- "│ … ┆ … ┆ … ┆ … ┆ … ┆ … ┆ … ┆ … ┆ … │\n",
- "│ 1022 ┆ information ┆ 1 ┆ Process ┆ … ┆ ┆ Process ┆ good ┆ [-3.417365 │\n",
- "│ ┆ ┆ ┆ Create ┆ ┆ ┆ Create: ┆ ┆ 55e-01 -7. │\n",
- "│ ┆ ┆ ┆ (rule: ┆ ┆ ┆ RuleName: ┆ ┆ 53258318e- │\n",
- "│ ┆ ┆ ┆ ProcessC… ┆ ┆ ┆ - ┆ ┆ … │\n",
- "│ ┆ ┆ ┆ ┆ ┆ ┆ Pr… ┆ ┆ │\n",
- "│ 1023 ┆ information ┆ 10 ┆ Process ┆ … ┆ ┆ Process ┆ good ┆ [-2.859322 │\n",
- "│ ┆ ┆ ┆ accessed ┆ ┆ ┆ accessed: ┆ ┆ 73e-01 │\n",
- "│ ┆ ┆ ┆ (rule: ┆ ┆ ┆ RuleName: ┆ ┆ 3.61725502 │\n",
- "│ ┆ ┆ ┆ Proces… ┆ ┆ ┆ - ┆ ┆ e-… │\n",
- "│ ┆ ┆ ┆ ┆ ┆ ┆ … ┆ ┆ │\n",
- "│ 1024 ┆ information ┆ 1 ┆ Process ┆ … ┆ ┆ Process ┆ good ┆ [-3.556979 │\n",
- "│ ┆ ┆ ┆ Create ┆ ┆ ┆ Create: ┆ ┆ 30e-01 -3. │\n",
- "│ ┆ ┆ ┆ (rule: ┆ ┆ ┆ RuleName: ┆ ┆ 89229059e- │\n",
- "│ ┆ ┆ ┆ ProcessC… ┆ ┆ ┆ - ┆ ┆ … │\n",
- "│ ┆ ┆ ┆ ┆ ┆ ┆ Pr… ┆ ┆ │\n",
- "│ 1025 ┆ information ┆ 22 ┆ Dns query ┆ … ┆ ┆ Dns query: ┆ good ┆ [-2.601829 │\n",
- "│ ┆ ┆ ┆ (rule: ┆ ┆ ┆ RuleName: ┆ ┆ 47e-01 -1. │\n",
- "│ ┆ ┆ ┆ DnsQuery) ┆ ┆ ┆ - ┆ ┆ 70182362e- │\n",
- "│ ┆ ┆ ┆ ┆ ┆ ┆ Process… ┆ ┆ … │\n",
- "│ 1026 ┆ information ┆ 1 ┆ Process ┆ … ┆ ┆ Process ┆ good ┆ [-3.442858 │\n",
- "│ ┆ ┆ ┆ Create ┆ ┆ ┆ Create: ┆ ┆ 46e-01 -9. │\n",
- "│ ┆ ┆ ┆ (rule: ┆ ┆ ┆ RuleName: ┆ ┆ 36851799e- │\n",
- "│ ┆ ┆ ┆ ProcessC… ┆ ┆ ┆ - ┆ ┆ … │\n",
- "│ ┆ ┆ ┆ ┆ ┆ ┆ Pr… ┆ ┆ │\n",
- "└───────┴─────────────┴────────────┴────────────┴───┴────────────┴────────────┴───────┴────────────┘\n"
- ]
- }
- ],
- "execution_count": 17
+ "outputs": [],
+ "execution_count": null
},
{
- "metadata": {
- "ExecuteTime": {
- "end_time": "2024-06-23T14:42:20.663602Z",
- "start_time": "2024-06-23T14:42:20.350354Z"
- }
- },
+ "metadata": {},
"cell_type": "code",
"source": [
"df = selected_columns_df.to_pandas()\n",
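Review bot: The new markdown cell `a4697a39b64b182f` says the BERT model "is loaded" but not that `BertTokenizer.from_pretrained('bert-base-uncased')` fetches tokenizer and weights from the Hugging Face Hub on first run, so a fresh kernel needs network access and a writable cache. The call pins no `revision`, so a later re-run may resolve to a different snapshot of that repository and produce different vectors; for reproducible features pass the commit you validated, e.g. `BertTokenizer.from_pretrained('bert-base-uncased', revision='<PINNED_COMMIT>')` (placeholder), and mention the download in the prose. Most of this cell's body lies outside the hunk.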
@@ -3043,15 +528,10 @@
],
"id": "91e007e2b208dc7f",
"outputs": [],
- "execution_count": 23
+ "execution_count": null
},
{
- "metadata": {
- "ExecuteTime": {
- "end_time": "2024-06-23T14:42:43.948447Z",
- "start_time": "2024-06-23T14:42:43.214997Z"
- }
- },
+ "metadata": {},
"cell_type": "code",
"source": [
"import pandas as pd\n",
@@ -3062,102 +542,11 @@
"print(loaded_df)"
],
"id": "48a10b20636b4a2d",
- "outputs": [
- {
- "name": "stdout",
- "output_type": "stream",
- "text": [
- " index log.level winlog.event_id \\\n",
- "0 0 information 10 \n",
- "1 1 information 10 \n",
- "2 2 information 1 \n",
- "3 3 information 13 \n",
- "4 4 information 1 \n",
- "... ... ... ... \n",
- "1022 1022 information 1 \n",
- "1023 1023 information 10 \n",
- "1024 1024 information 1 \n",
- "1025 1025 information 22 \n",
- "1026 1026 information 1 \n",
- "\n",
- " winlog.task \\\n",
- "0 Process accessed (rule: ProcessAccess) \n",
- "1 Process accessed (rule: ProcessAccess) \n",
- "2 Process Create (rule: ProcessCreate) \n",
- "3 Registry value set (rule: RegistryEvent) \n",
- "4 Process Create (rule: ProcessCreate) \n",
- "... ... \n",
- "1022 Process Create (rule: ProcessCreate) \n",
- "1023 Process accessed (rule: ProcessAccess) \n",
- "1024 Process Create (rule: ProcessCreate) \n",
- "1025 Dns query (rule: DnsQuery) \n",
- "1026 Process Create (rule: ProcessCreate) \n",
- "\n",
- " filtered_message \\\n",
- "0 Process accessed:\\nRuleName: -\\nSourceProcessI... \n",
- "1 Process accessed:\\nRuleName: -\\nSourceProcessI... \n",
- "2 Process Create:\\nRuleName: -\\nProcessId: 5196\\... \n",
- "3 Registry value set:\\nRuleName: Tamper-Winlogon... \n",
- "4 Process Create:\\nRuleName: -\\nProcessId: 6140\\... \n",
- "... ... \n",
- "1022 Process Create:\\nRuleName: -\\nProcessId: 5312\\... \n",
- "1023 Process accessed:\\nRuleName: -\\nSourceProcessI... \n",
- "1024 Process Create:\\nRuleName: -\\nProcessId: 5000\\... \n",
- "1025 Dns query:\\nRuleName: -\\nProcessId: 9568\\nQuer... \n",
- "1026 Process Create:\\nRuleName: -\\nProcessId: 8728\\... \n",
- "\n",
- " image target_filename \\\n",
- "0 C:\\Windows\\system32\\svchost.exe \n",
- "1 C:\\Windows\\system32\\svchost.exe \n",
- "2 C:\\Windows\\servicing\\TrustedInstaller.exe \n",
- "3 C:\\Windows\\servicing\\TrustedInstaller.exe \n",
- "4 C:\\Windows\\WinSxS\\amd64_microsoft-windows-serv... \n",
- "... ... ... \n",
- "1022 C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\Mi... \n",
- "1023 C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\Mi... \n",
- "1024 C:\\Windows\\System32\\taskhostw.exe \n",
- "1025 \n",
- "1026 C:\\Program Files\\RUXIM\\PLUGScheduler.exe \n",
- "\n",
- " text label \\\n",
- "0 Process accessed:\\nRuleName: -\\nSourceProcessI... good \n",
- "1 Process accessed:\\nRuleName: -\\nSourceProcessI... good \n",
- "2 Process Create:\\nRuleName: -\\nProcessId: 5196\\... good \n",
- "3 Registry value set:\\nRuleName: Tamper-Winlogon... good \n",
- "4 Process Create:\\nRuleName: -\\nProcessId: 6140\\... good \n",
- "... ... ... \n",
- "1022 Process Create:\\nRuleName: -\\nProcessId: 5312\\... good \n",
- "1023 Process accessed:\\nRuleName: -\\nSourceProcessI... good \n",
- "1024 Process Create:\\nRuleName: -\\nProcessId: 5000\\... good \n",
- "1025 Dns query:\\nRuleName: -\\nProcessId: 9568\\nQuer... good \n",
- "1026 Process Create:\\nRuleName: -\\nProcessId: 8728\\... good \n",
- "\n",
- " text_vector \n",
- "0 [-0.32128870487213135, -0.008510575629770756, ... \n",
- "1 [-0.3122658133506775, -0.00911662820726633, 0.... \n",
- "2 [-0.3229663372039795, -0.0005048469174653292, ... \n",
- "3 [-0.21143896877765656, -0.12685905396938324, 0... \n",
- "4 [-0.3781927824020386, 0.12961240112781525, 0.4... \n",
- "... ... \n",
- "1022 [-0.3417365550994873, -0.07532583177089691, 0.... \n",
- "1023 [-0.2859322726726532, 0.0036172550171613693, 0... \n",
- "1024 [-0.3556979298591614, -0.038922905921936035, 0... \n",
- "1025 [-0.2601829469203949, -0.17018236219882965, 0.... \n",
- "1026 [-0.34428584575653076, -0.09368517994880676, 0... \n",
- "\n",
- "[1027 rows x 10 columns]\n"
- ]
- }
- ],
- "execution_count": 25
+ "outputs": [],
+ "execution_count": null
},
{
- "metadata": {
- "ExecuteTime": {
- "end_time": "2024-06-23T15:40:20.568804Z",
- "start_time": "2024-06-23T15:35:44.243587Z"
- }
- },
+ "metadata": {},
"cell_type": "code",
"source": [
"import os\n",
@@ -3203,161 +592,27 @@
"print(\"Predictions:\", predictions)\n"
],
"id": "75d84e297b03eaf4",
- "outputs": [
- {
- "name": "stdout",
- "output_type": "stream",
- "text": [
- "32 operators have been imported by TPOT.\n"
- ]
- },
- {
- "data": {
- "text/plain": [
- "Optimization Progress: 0%| | 0/120 [00:00, ?pipeline/s]"
- ],
- "application/vnd.jupyter.widget-view+json": {
- "version_major": 2,
- "version_minor": 0,
- "model_id": "cdd334c618a04e55a3f580c1d7e5239b"
- }
- },
- "metadata": {},
- "output_type": "display_data"
- },
- {
- "name": "stdout",
- "output_type": "stream",
- "text": [
- "_pre_test decorator: _random_mutation_operator: num_test=0 Solver lbfgs supports only dual=False, got dual=True.\n",
- "_pre_test decorator: _random_mutation_operator: num_test=1 Unsupported set of arguments: The combination of penalty='l1' and loss='hinge' is not supported, Parameters: penalty='l1', loss='hinge', dual=True.\n",
- "\n",
- "Generation 1 - Current Pareto front scores:\n",
- "\n",
- "-1\t0.9975683665927569\tLogisticRegression(input_matrix, LogisticRegression__C=20.0, LogisticRegression__dual=False, LogisticRegression__penalty=l2)\n",
- "_pre_test decorator: _random_mutation_operator: num_test=0 Solver lbfgs supports only dual=False, got dual=True.\n",
- "_pre_test decorator: _random_mutation_operator: num_test=1 Unsupported set of arguments: The combination of penalty='l1' and loss='hinge' is not supported, Parameters: penalty='l1', loss='hinge', dual=False.\n",
- "_pre_test decorator: _random_mutation_operator: num_test=0 Solver lbfgs supports only dual=False, got dual=True.\n",
- "_pre_test decorator: _random_mutation_operator: num_test=1 Solver lbfgs supports only 'l2' or None penalties, got l1 penalty..\n",
- "_pre_test decorator: _random_mutation_operator: num_test=0 Solver lbfgs supports only dual=False, got dual=True.\n",
- "_pre_test decorator: _random_mutation_operator: num_test=1 Solver lbfgs supports only 'l2' or None penalties, got l1 penalty..\n",
- "\n",
- "Generation 2 - Current Pareto front scores:\n",
- "\n",
- "-1\t0.9975683665927569\tLogisticRegression(input_matrix, LogisticRegression__C=20.0, LogisticRegression__dual=False, LogisticRegression__penalty=l2)\n",
- "_pre_test decorator: _random_mutation_operator: num_test=0 Solver lbfgs supports only dual=False, got dual=True.\n",
- "_pre_test decorator: _random_mutation_operator: num_test=0 Solver lbfgs supports only 'l2' or None penalties, got l1 penalty..\n",
- "_pre_test decorator: _random_mutation_operator: num_test=0 Unsupported set of arguments: The combination of penalty='l1' and loss='squared_hinge' are not supported when dual=True, Parameters: penalty='l1', loss='squared_hinge', dual=True.\n",
- "_pre_test decorator: _random_mutation_operator: num_test=1 Solver lbfgs supports only 'l2' or None penalties, got l1 penalty..\n",
- "\n",
- "Generation 3 - Current Pareto front scores:\n",
- "\n",
- "-1\t0.9975683665927569\tLogisticRegression(input_matrix, LogisticRegression__C=20.0, LogisticRegression__dual=False, LogisticRegression__penalty=l2)\n",
- "_pre_test decorator: _random_mutation_operator: num_test=0 Solver lbfgs supports only 'l2' or None penalties, got l1 penalty..\n",
- "_pre_test decorator: _random_mutation_operator: num_test=0 Negative values in data passed to MultinomialNB (input X).\n",
- "_pre_test decorator: _random_mutation_operator: num_test=0 Solver lbfgs supports only 'l2' or None penalties, got l1 penalty..\n",
- "\n",
- "Generation 4 - Current Pareto front scores:\n",
- "\n",
- "-1\t0.9975683665927569\tLogisticRegression(input_matrix, LogisticRegression__C=20.0, LogisticRegression__dual=False, LogisticRegression__penalty=l2)\n",
- "_pre_test decorator: _random_mutation_operator: num_test=0 Solver lbfgs supports only dual=False, got dual=True.\n",
- "_pre_test decorator: _random_mutation_operator: num_test=0 Solver lbfgs supports only dual=False, got dual=True.\n",
- "_pre_test decorator: _random_mutation_operator: num_test=1 Solver lbfgs supports only 'l2' or None penalties, got l1 penalty..\n",
- "_pre_test decorator: _random_mutation_operator: num_test=2 Unsupported set of arguments: The combination of penalty='l1' and loss='hinge' is not supported, Parameters: penalty='l1', loss='hinge', dual=False.\n",
- "_pre_test decorator: _random_mutation_operator: num_test=3 Solver lbfgs supports only dual=False, got dual=True.\n",
- "\n",
- "Generation 5 - Current Pareto front scores:\n",
- "\n",
- "-1\t0.9975683665927569\tLogisticRegression(input_matrix, LogisticRegression__C=20.0, LogisticRegression__dual=False, LogisticRegression__penalty=l2)\n",
- "TPOT Score: 1.0\n",
- "import numpy as np\n",
- "import pandas as pd\n",
- "from sklearn.linear_model import LogisticRegression\n",
- "from sklearn.model_selection import train_test_split\n",
- "\n",
- "# NOTE: Make sure that the outcome column is labeled 'target' in the data file\n",
- "tpot_data = pd.read_csv('PATH/TO/DATA/FILE', sep='COLUMN_SEPARATOR', dtype=np.float64)\n",
- "features = tpot_data.drop('target', axis=1)\n",
- "training_features, testing_features, training_target, testing_target = \\\n",
- " train_test_split(features, tpot_data['target'], random_state=None)\n",
- "\n",
- "# Average CV score on the training set was: 0.9975683665927569\n",
- "exported_pipeline = LogisticRegression(C=20.0, dual=False, penalty=\"l2\")\n",
- "\n",
- "exported_pipeline.fit(training_features, training_target)\n",
- "results = exported_pipeline.predict(testing_features)\n",
- "\n",
- "Predictions: [1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1\n",
- " 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1\n",
- " 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1\n",
- " 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1\n",
- " 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1\n",
- " 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1]\n"
- ]
- }
- ],
- "execution_count": 28
+ "outputs": [],
+ "execution_count": null
},
{
- "metadata": {
- "ExecuteTime": {
- "end_time": "2024-06-23T15:40:32.639885Z",
- "start_time": "2024-06-23T15:40:32.632855Z"
- }
- },
+ "metadata": {},
"cell_type": "code",
"source": "print(\"The accuracy of the best model is: \", tpot.score(X_test, y_test))\n",
"id": "6cf76b5736411710",
- "outputs": [
- {
- "name": "stdout",
- "output_type": "stream",
- "text": [
- "The accuracy of the best model is: 1.0\n"
- ]
- }
- ],
- "execution_count": 29
+ "outputs": [],
+ "execution_count": null
},
{
- "metadata": {
- "ExecuteTime": {
- "end_time": "2024-06-23T15:45:08.745744Z",
- "start_time": "2024-06-23T15:45:04.326699Z"
- }
- },
+ "metadata": {},
"cell_type": "code",
"source": "%pip install matplotlib",
"id": "d99c8aa5529a72d1",
- "outputs": [
- {
- "name": "stdout",
- "output_type": "stream",
- "text": [
- "Requirement already satisfied: matplotlib in /Users/mc/anaconda3/lib/python3.11/site-packages (3.8.0)\r\n",
- "Requirement already satisfied: contourpy>=1.0.1 in /Users/mc/anaconda3/lib/python3.11/site-packages (from matplotlib) (1.2.0)\r\n",
- "Requirement already satisfied: cycler>=0.10 in /Users/mc/anaconda3/lib/python3.11/site-packages (from matplotlib) (0.11.0)\r\n",
- "Requirement already satisfied: fonttools>=4.22.0 in /Users/mc/anaconda3/lib/python3.11/site-packages (from matplotlib) (4.25.0)\r\n",
- "Requirement already satisfied: kiwisolver>=1.0.1 in /Users/mc/anaconda3/lib/python3.11/site-packages (from matplotlib) (1.4.4)\r\n",
- "Requirement already satisfied: numpy<2,>=1.21 in /Users/mc/anaconda3/lib/python3.11/site-packages (from matplotlib) (1.26.4)\r\n",
- "Requirement already satisfied: packaging>=20.0 in /Users/mc/anaconda3/lib/python3.11/site-packages (from matplotlib) (23.1)\r\n",
- "Requirement already satisfied: pillow>=6.2.0 in /Users/mc/anaconda3/lib/python3.11/site-packages (from matplotlib) (10.2.0)\r\n",
- "Requirement already satisfied: pyparsing>=2.3.1 in /Users/mc/anaconda3/lib/python3.11/site-packages (from matplotlib) (3.0.9)\r\n",
- "Requirement already satisfied: python-dateutil>=2.7 in /Users/mc/anaconda3/lib/python3.11/site-packages (from matplotlib) (2.8.2)\r\n",
- "Requirement already satisfied: six>=1.5 in /Users/mc/anaconda3/lib/python3.11/site-packages (from python-dateutil>=2.7->matplotlib) (1.16.0)\r\n",
- "Note: you may need to restart the kernel to use updated packages.\n"
- ]
- }
- ],
- "execution_count": 30
+ "outputs": [],
+ "execution_count": null
},
{
- "metadata": {
- "ExecuteTime": {
- "end_time": "2024-06-23T16:14:34.361740Z",
- "start_time": "2024-06-23T15:45:13.819963Z"
- }
- },
+ "metadata": {},
"cell_type": "code",
"source": [
"import os\n",
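Review bot: `print("The accuracy of the best model is: ", tpot.score(X_test, y_test))` reports plain accuracy, and the stripped output of the training cell (history) shows every prediction equal to 1 with a score of 1.0; with only two `bad` rows in the whole frame (per the stripped `bad_rows` output earlier in the file) that is consistent with always predicting the majority class, so the number does not support the claim in the new prose that the model is "evaluated to determine its performance". Report per-class metrics instead, e.g. `from sklearn.metrics import classification_report` and `print(classification_report(y_test, tpot.predict(X_test)))`, and split with `stratify=y` so the minority class can reach the test set at all; the `train_test_split` call is not in this hunk, so I cannot tell whether it already does. The `%pip install matplotlib` cell sits mid-notebook and is unpinned; it belongs in a top cell with a version. The training cell whose `print("Predictions:", predictions)` opens this hunk starts outside it.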
@@ -3407,109 +662,11 @@
"evaluated_pipelines = tpot.evaluated_individuals_\n"
],
"id": "705690ce71dfda4c",
- "outputs": [
- {
- "name": "stdout",
- "output_type": "stream",
- "text": [
- "32 operators have been imported by TPOT.\n"
- ]
- },
- {
- "data": {
- "text/plain": [
- "Optimization Progress: 0%| | 0/120 [00:00, ?pipeline/s]"
- ],
- "application/vnd.jupyter.widget-view+json": {
- "version_major": 2,
- "version_minor": 0,
- "model_id": "f7e3f3bcb7f64b0eb87cc1a70a31169b"
- }
- },
- "metadata": {},
- "output_type": "display_data"
- },
- {
- "name": "stdout",
- "output_type": "stream",
- "text": [
- "_pre_test decorator: _random_mutation_operator: num_test=0 The 'loss' parameter of SGDClassifier must be a str among {'perceptron', 'squared_hinge', 'modified_huber', 'log_loss', 'huber', 'epsilon_insensitive', 'hinge', 'squared_error', 'squared_epsilon_insensitive'}. Got 'log' instead..\n",
- "\n",
- "Generation 1 - Current Pareto front scores:\n",
- "\n",
- "-1\t0.9975683665927569\tGradientBoostingClassifier(input_matrix, GradientBoostingClassifier__learning_rate=0.001, GradientBoostingClassifier__max_depth=9, GradientBoostingClassifier__max_features=0.5, GradientBoostingClassifier__min_samples_leaf=14, GradientBoostingClassifier__min_samples_split=17, GradientBoostingClassifier__n_estimators=100, GradientBoostingClassifier__subsample=0.55)\n",
- "_pre_test decorator: _random_mutation_operator: num_test=0 Solver lbfgs supports only dual=False, got dual=True.\n",
- "_pre_test decorator: _random_mutation_operator: num_test=0 Solver lbfgs supports only 'l2' or None penalties, got l1 penalty..\n",
- "_pre_test decorator: _random_mutation_operator: num_test=0 Solver lbfgs supports only 'l2' or None penalties, got l1 penalty..\n",
- "\n",
- "Generation 2 - Current Pareto front scores:\n",
- "\n",
- "-1\t0.9975683665927569\tGradientBoostingClassifier(input_matrix, GradientBoostingClassifier__learning_rate=0.001, GradientBoostingClassifier__max_depth=9, GradientBoostingClassifier__max_features=0.5, GradientBoostingClassifier__min_samples_leaf=14, GradientBoostingClassifier__min_samples_split=17, GradientBoostingClassifier__n_estimators=100, GradientBoostingClassifier__subsample=0.55)\n",
- "_pre_test decorator: _random_mutation_operator: num_test=0 Negative values in data passed to MultinomialNB (input X).\n",
- "\n",
- "Generation 3 - Current Pareto front scores:\n",
- "\n",
- "-1\t0.9975683665927569\tGradientBoostingClassifier(input_matrix, GradientBoostingClassifier__learning_rate=0.001, GradientBoostingClassifier__max_depth=9, GradientBoostingClassifier__max_features=0.5, GradientBoostingClassifier__min_samples_leaf=14, GradientBoostingClassifier__min_samples_split=17, GradientBoostingClassifier__n_estimators=100, GradientBoostingClassifier__subsample=0.55)\n",
- "_pre_test decorator: _random_mutation_operator: num_test=0 Solver lbfgs supports only 'l2' or None penalties, got l1 penalty..\n",
- "_pre_test decorator: _random_mutation_operator: num_test=0 Negative values in data passed to MultinomialNB (input X).\n",
- "_pre_test decorator: _random_mutation_operator: num_test=0 Negative values in data passed to MultinomialNB (input X).\n",
- "Pipeline encountered that has previously been evaluated during the optimization process. Using the score from the previous evaluation.\n",
- "\n",
- "Generation 4 - Current Pareto front scores:\n",
- "\n",
- "-1\t0.9975683665927569\tGradientBoostingClassifier(input_matrix, GradientBoostingClassifier__learning_rate=0.001, GradientBoostingClassifier__max_depth=9, GradientBoostingClassifier__max_features=0.5, GradientBoostingClassifier__min_samples_leaf=14, GradientBoostingClassifier__min_samples_split=17, GradientBoostingClassifier__n_estimators=100, GradientBoostingClassifier__subsample=0.55)\n",
- "_pre_test decorator: _random_mutation_operator: num_test=0 Solver lbfgs supports only 'l2' or None penalties, got l1 penalty..\n",
- "\n",
- "Generation 5 - Current Pareto front scores:\n",
- "\n",
- "-1\t0.9975683665927569\tGradientBoostingClassifier(input_matrix, GradientBoostingClassifier__learning_rate=0.001, GradientBoostingClassifier__max_depth=9, GradientBoostingClassifier__max_features=0.5, GradientBoostingClassifier__min_samples_leaf=14, GradientBoostingClassifier__min_samples_split=17, GradientBoostingClassifier__n_estimators=100, GradientBoostingClassifier__subsample=0.55)\n",
- "TPOT Score: 1.0\n",
- "import numpy as np\n",
- "import pandas as pd\n",
- "from sklearn.ensemble import GradientBoostingClassifier\n",
- "from sklearn.model_selection import train_test_split\n",
- "\n",
- "# NOTE: Make sure that the outcome column is labeled 'target' in the data file\n",
- "tpot_data = pd.read_csv('PATH/TO/DATA/FILE', sep='COLUMN_SEPARATOR', dtype=np.float64)\n",
- "features = tpot_data.drop('target', axis=1)\n",
- "training_features, testing_features, training_target, testing_target = \\\n",
- " train_test_split(features, tpot_data['target'], random_state=None)\n",
- "\n",
- "# Average CV score on the training set was: 0.9975683665927569\n",
- "exported_pipeline = GradientBoostingClassifier(learning_rate=0.001, max_depth=9, max_features=0.5, min_samples_leaf=14, min_samples_split=17, n_estimators=100, subsample=0.55)\n",
- "\n",
- "exported_pipeline.fit(training_features, training_target)\n",
- "results = exported_pipeline.predict(testing_features)\n",
- "\n",
- "Predictions: [1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1\n",
- " 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1\n",
- " 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1\n",
- " 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1\n",
- " 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1\n",
- " 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1]\n"
- ]
- },
- {
- "ename": "AttributeError",
- "evalue": "'dict' object has no attribute '_final_estimator'",
- "output_type": "error",
- "traceback": [
- "\u001B[0;31m---------------------------------------------------------------------------\u001B[0m",
- "\u001B[0;31mAttributeError\u001B[0m Traceback (most recent call last)",
- "Cell \u001B[0;32mIn[31], line 50\u001B[0m\n\u001B[1;32m 48\u001B[0m model_counter \u001B[38;5;241m=\u001B[39m Counter()\n\u001B[1;32m 49\u001B[0m \u001B[38;5;28;01mfor\u001B[39;00m pipeline \u001B[38;5;129;01min\u001B[39;00m evaluated_pipelines\u001B[38;5;241m.\u001B[39mvalues():\n\u001B[0;32m---> 50\u001B[0m \u001B[38;5;28;01mfor\u001B[39;00m step \u001B[38;5;129;01min\u001B[39;00m pipeline\u001B[38;5;241m.\u001B[39m_final_estimator\u001B[38;5;241m.\u001B[39msteps:\n\u001B[1;32m 51\u001B[0m model_counter[step[\u001B[38;5;241m0\u001B[39m]] \u001B[38;5;241m+\u001B[39m\u001B[38;5;241m=\u001B[39m \u001B[38;5;241m1\u001B[39m\n\u001B[1;32m 53\u001B[0m \u001B[38;5;28mprint\u001B[39m(\u001B[38;5;124m\"\u001B[39m\u001B[38;5;124mModels and their occurrences:\u001B[39m\u001B[38;5;124m\"\u001B[39m)\n",
- "\u001B[0;31mAttributeError\u001B[0m: 'dict' object has no attribute '_final_estimator'"
- ]
- }
- ],
- "execution_count": 31
+ "outputs": [],
+ "execution_count": null
},
{
- "metadata": {
- "ExecuteTime": {
- "end_time": "2024-06-23T16:17:12.274731Z",
- "start_time": "2024-06-23T16:17:11.509163Z"
- }
- },
+ "metadata": {},
"cell_type": "code",
"source": [
"# Count occurrences of each model type\n",
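Review bot: The stripped error output (history) shows the last run of cell `705690ce71dfda4c` dying at `for step in pipeline._final_estimator.steps:` while iterating `evaluated_pipelines.values()`; the traceback's `'dict' object has no attribute '_final_estimator'` confirms `tpot.evaluated_individuals_` maps pipeline strings to plain dicts, so if that loop still exists in the part of the cell outside this hunk it will fail again on a fresh Restart-and-Run-All. If the counting has moved to the next cell (`# Count occurrences of each model type`), the dead tail here should be deleted. This cell also appears to run a second full TPOT search from `import os` onward, which the stripped ExecuteTime metadata puts at roughly half an hour; the first fitted `tpot` already exposes `evaluated_individuals_`, so the repeat looks redundant unless its settings differ, which I cannot see from the hunk. Both cell bodies lie mostly outside the hunk.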
@@ -3538,46 +695,16 @@
"plt.show()"
],
"id": "565066bf3b5f0820",
- "outputs": [
- {
- "name": "stdout",
- "output_type": "stream",
- "text": [
- "Models and their occurrences:\n",
- "GradientBoostingClassifier: 43\n",
- "KNeighborsClassifier: 10\n",
- "DecisionTreeClassifier: 10\n",
- "BernoulliNB: 11\n",
- "LogisticRegression: 4\n",
- "MLPClassifier: 8\n",
- "ExtraTreesClassifier: 8\n",
- "XGBClassifier: 7\n",
- "RandomForestClassifier: 11\n",
- "LinearSVC: 1\n",
- "GaussianNB: 1\n",
- "SGDClassifier: 3\n"
- ]
- },
- {
- "data": {
- "text/plain": [
- "