How to use the plaso.containers.events function in plaso
To help you get started, we’ve selected a few plaso examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
log2timeline / plaso / tests / storage / test_lib.py View on Github 
event_identifier = test_events[0].GetIdentifier()
event_tag = events.EventTag(comment='My comment')
event_tag.SetEventIdentifier(event_identifier)
event_tags.append(event_tag)
event_identifier = test_events[1].GetIdentifier()
event_tag = events.EventTag()
event_tag.SetEventIdentifier(event_identifier)
event_tag.AddLabel('Malware')
event_tags.append(event_tag)
event_identifier = test_events[2].GetIdentifier()
event_tag = events.EventTag(comment='This is interesting')
event_tag.SetEventIdentifier(event_identifier)
event_tag.AddLabels(['Malware', 'Benign'])
event_tags.append(event_tag)
event_identifier = test_events[1].GetIdentifier()
event_tag = events.EventTag()
event_tag.SetEventIdentifier(event_identifier)
event_tag.AddLabel('Interesting')
event_tags.append(event_tag)
return event_tagsAndroid Call History is stored in SQLite database files named contacts2.db.
"""
from __future__ import unicode_literals
from dfdatetime import java_time as dfdatetime_java_time
from plaso.containers import events
from plaso.containers import time_events
from plaso.lib import py2to3
from plaso.parsers import sqlite
from plaso.parsers.sqlite_plugins import interface
class AndroidCallEventData(events.EventData):
"""Android Call event data.
Attributes:
call_type (str): type of call, such as: Incoming, Outgoing, or Missed.
duration (int): number of seconds the call lasted.
name (str): name associated to the remote party.
number (str): phone number associated to the remote party.
"""
DATA_TYPE = 'android:event:call'
def __init__(self):
"""Initializes event data."""
super(AndroidCallEventData, self).__init__(data_type=self.DATA_TYPE)
self.call_type = None
self.duration = Nonefrom __future__ import unicode_literals
from dfdatetime import posix_time as dfdatetime_posix_time
from plaso.containers import events
from plaso.containers import time_events
from plaso.lib import errors
from plaso.lib import definitions
# Register the cookie plugins.
from plaso.parsers import cookie_plugins # pylint: disable=unused-import
from plaso.parsers import sqlite
from plaso.parsers.cookie_plugins import manager as cookie_plugins_manager
from plaso.parsers.sqlite_plugins import interface
class FirefoxCookieEventData(events.EventData):
"""Firefox Cookie event data.
Attributes:
cookie_name (str): name field of the cookie.
data (str): cookie data.
httponly (bool): True if the cookie cannot be accessed through client
side script.
host (str): hostname of host that set the cookie value.
path (str): URI of the page that set the cookie.
secure (bool): True if the cookie should only be transmitted over a secure
channel.
"""
DATA_TYPE = 'firefox:cookie:entry'
def __init__(self):from plaso.containers import events
from plaso.containers import time_events
from plaso.lib import errors
from plaso.lib import definitions
from plaso.parsers import dtfabric_parser
from plaso.parsers import logger
from plaso.parsers import manager
# TODO: RFC pending types: resolution, dateTime, rangeOfInteger.
# "dateTime" is not used by Mac OS, instead it uses integer types.
# TODO: Only tested against CUPS IPP MacOS.
class CupsIppEventData(events.EventData):
"""CUPS IPP event data.
Attributes:
application (str): application that prints the document.
data_dict (dict[str, object]): parsed data coming from the file.
computer_name (str): name of the computer.
copies (int): number of copies.
doc_type (str): type of document.
job_id (str): job identifier.
job_name (str): job name.
owner (str): real name of the user.
printer_id (str): identification name of the print.
uri (str): URL of the CUPS service.
user (str): system user name.
"""iMessage and SMS data in OSX and iOS are stored in SQLite databases named
chat.db and sms.db respectively.
"""
from __future__ import unicode_literals
from dfdatetime import cocoa_time as dfdatetime_cocoa_time
from plaso.containers import events
from plaso.containers import time_events
from plaso.lib import definitions
from plaso.parsers import sqlite
from plaso.parsers.sqlite_plugins import interface
class IMessageEventData(events.EventData):
"""iMessage and SMS event data.
Attributes:
attachment_location (str): location of the attachment.
imessage_id (str): mobile number or email address the message was sent
to or received from.
message_type (int): value to indicate the message was sent (1) or
received (0).
read_receipt (bool): True if the message read receipt was received.
service (str): service, which is either SMS or iMessage.
text (str): content of the message.
"""
DATA_TYPE = 'imessage:event:chat'
def __init__(self):from __future__ import unicode_literals
import pyparsing
from dfdatetime import time_elements as dfdatetime_time_elements
from plaso.containers import events
from plaso.containers import time_events
from plaso.lib import definitions
from plaso.lib import errors
from plaso.parsers import manager
from plaso.parsers import text_parser
class IISEventData(events.EventData):
"""IIS log event data.
Attributes:
"""
DATA_TYPE = 'iis:log:line'
def __init__(self):
"""Initializes event data."""
super(IISEventData, self).__init__(data_type=self.DATA_TYPE)
class WinIISParser(text_parser.PyparsingSingleLineTextParser):
"""Parses a Microsoft IIS log file."""
NAME = 'winiis'# -*- coding: utf-8 -*-
"""This file contains the Network drive Registry plugin."""
from __future__ import unicode_literals
from plaso.containers import events
from plaso.containers import time_events
from plaso.lib import definitions
from plaso.parsers import winreg
from plaso.parsers.winreg_plugins import interface
class NetworkDriveEventData(events.EventData):
"""Network drive event data attribute container.
Attributes:
drive_letter (str): drive letter assigned to network drive.
key_path (str): Windows Registry key path.
server_name (str): name of the server of the network drive.
share_name (str): name of the share of the network drive.
"""
DATA_TYPE = 'windows:registry:network_drive'
def __init__(self):
"""Initializes event data."""
super(NetworkDriveEventData, self).__init__(data_type=self.DATA_TYPE)
self.drive_letter = None
self.key_path = None# pylint: disable=wrong-import-position
from defusedxml import ElementTree
from dfdatetime import posix_time as dfdatetime_posix_time
from dfdatetime import time_elements as dfdatetime_time_elements
from dfdatetime import semantic_time as dfdatetime_semantic_time
from dfvfs.helpers import text_file
from plaso.containers import events
from plaso.containers import time_events
from plaso.lib import errors
from plaso.lib import definitions
from plaso.parsers import interface
from plaso.parsers import manager
class OperaTypedHistoryEventData(events.EventData):
"""Opera typed history entry data.
Attributes:
entry_selection (str): information about whether the URL was directly
typed in or the result of the user choosing from the auto complete.
entry_type (str): information about whether the URL was directly typed in
or the result of the user choosing from the auto complete.
url (str): typed URL or hostname.
"""
DATA_TYPE = 'opera:history:typed_entry'
def __init__(self):
"""Initializes event data."""
super(OperaTypedHistoryEventData, self).__init__(data_type=self.DATA_TYPE)
self.entry_selection = Noneimport re
from dfdatetime import time_elements as dfdatetime_time_elements
import pyparsing
from plaso.containers import events
from plaso.containers import time_events
from plaso.lib import errors
from plaso.lib import definitions
from plaso.lib import timelib
from plaso.parsers import manager
from plaso.parsers import text_parser
class SyslogLineEventData(events.EventData):
"""Syslog line event data.
Attributes:
body (str): message body.
hostname (str): hostname of the reporter.
pid (str): process identifier of the reporter.
reporter (str): reporter.
severity (str): severity.
"""
DATA_TYPE = 'syslog:line'
def __init__(self, data_type=DATA_TYPE):
"""Initializes an event data attribute container.
Args:data_type=self.DATA_TYPE)
self.access_count = None
self.cached_filename = None
self.cached_file_size = None
self.cache_identifier = None
self.container_identifier = None
self.entry_identifier = None
self.file_extension = None
self.redirect_url = None
self.request_headers = None
self.response_headers = None
self.sync_count = None
self.url = None
class MsieWebCacheLeakFilesEventData(events.EventData):
"""MSIE WebCache LeakFiles event data.
Attributes:
cached_filename (str): name of the cached file.
leak_identifier (int): leak identifier.
"""
DATA_TYPE = 'msie:webcache:leak_file'
def __init__(self):
"""Initializes event data."""
super(MsieWebCacheLeakFilesEventData, self).__init__(
data_type=self.DATA_TYPE)
self.cached_filename = None
self.leak_identifier = Noneplaso
Plaso (log2timeline) - Super timeline all the things
Package Health Score
81 / 100Popular plaso functions
- plaso.containers.events
- plaso.containers.events.EventData
- plaso.containers.sessions.Session
- plaso.containers.time_events
- plaso.containers.time_events.DateTimeValuesEvent
- plaso.engine.knowledge_base.KnowledgeBase
- plaso.formatters.interface
- plaso.formatters.interface.ConditionalEventFormatter
- plaso.formatters.manager
- plaso.formatters.manager.FormattersManager
- plaso.formatters.manager.FormattersManager.RegisterFormatter
- plaso.lib.definitions
- plaso.lib.errors
- plaso.lib.errors.BadConfigObject
- plaso.lib.errors.BadConfigOption
- plaso.lib.errors.ParseError
- plaso.lib.errors.UnableToParseFile
- plaso.lib.py2to3
- plaso.lib.timelib.Timestamp.CopyFromString
- plaso.parsers.manager.ParsersManager.RegisterParser