@tweedge
Created June 30, 2021 21:32
Parsing Scheduled Task Data Tutorial
# refer: https://www.reddit.com/r/cybersecurity/comments/ob5yhe/help_parsing_through_aggregated_scheduled_task/
from csv import reader

task_counter = {}

# open the CSV file
with open('example.csv', 'r') as read_obj:
    # use the reader() function so we can actually read the CSV format
    csv_reader = reader(read_obj)
    # and then we're going to read each row individually
    for row in csv_reader:
        # now we have 'row' - a list object - which represents 1 row in the CSV
        # a blank line in the file shows up as an empty list, so skip those
        # rather than crashing on row[0]
        if not row:
            continue
        # for the sake of argument, let's assume the first column
        # contains the executable & path
        # we can access that by using row[0], and we'll call it 'task'
        task = row[0]
        # now for the fun part - if we have never seen this task before,
        # we need to store a new task in the dictionary of tasks
        if task not in task_counter.keys():
            # make a new task that we've seen 0 times
            task_counter[task] = 0
        # now, we've just seen a task, and we KNOW it's in the dictionary
        # (because we just added one if it didn't already)
        # so we can add one to the times we've seen the task
        task_counter[task] = task_counter[task] + 1

# the above section will go on and on until it runs out of rows to read
# and then we will have a dictionary of how many times each task
# occurred across your whole fleet

# so, let's print out tasks that we ONLY SAW ONCE
# maybe because that 1 system is compromised ...
# ... or running specialized software ...
# who knows, this is just a tutorial

# so, we'll check each item in the dictionary
for task, count in task_counter.items():
    # and if we've only seen the task once ...
    if count == 1:
        # print out what the task was
        print(task)

# this will give you a (hopefully) short list of tasks that you can investigate
# there's lots more you could do, but this should give you some more confidence
# in approaching this problem with Python!
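The tutorial above counts raw rows, so the same binary spelled `C:\Windows\System32\defrag.exe` on one host and `c:\windows\system32\DEFRAG.EXE` on another is counted as two different tasks, and a host that exports the same task twice inflates its count. The following is an added example (not part of tweedge's gist) that applies the same "least frequent occurrence" idea but counts distinct hosts per normalized executable path and reports which hosts run each rare task, so the output is a triage list rather than a bare count. The column names `hostname`, `task_name` and `executable` and the sample CSV are constructed for this example; the real aggregated export will need its own column names substituted.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of an aggregated scheduled-task export (header row included).
# Note the mixed-case duplicate of defrag.exe and the duplicated WS02 backup row.
SAMPLE_CSV = r"""hostname,task_name,executable
WS01,\Microsoft\Windows\Defrag\ScheduledDefrag,C:\Windows\System32\defrag.exe
WS02,\Microsoft\Windows\Defrag\ScheduledDefrag,c:\windows\system32\DEFRAG.EXE
WS03,\Microsoft\Windows\Defrag\ScheduledDefrag,C:\Windows\System32\defrag.exe
WS01,\Backup\Nightly,C:\Tools\backup.exe
WS02,\Backup\Nightly,C:\Tools\backup.exe
WS02,\Backup\Nightly,C:\Tools\backup.exe
WS03,\Updater,C:\Users\Public\svchost.exe

"""


def normalize_executable(path: str) -> str:
    """Case-fold and strip quotes/whitespace so C:\\X and c:\\x count as one binary."""
    return path.strip().strip('"').casefold()


def count_hosts_per_task(csv_text: str) -> dict:
    """Map normalized executable path -> set of hostnames that run it.

    Using a set means a host that exports the same task twice counts once,
    which is what matters when asking "how widespread is this binary?".
    """
    hosts_by_exe = defaultdict(set)
    # DictReader uses the header row for names and skips blank lines
    for row in csv.DictReader(io.StringIO(csv_text)):
        exe = row.get("executable")
        host = row.get("hostname")
        if not exe or not host:
            # malformed or partial row: skip it instead of crashing
            continue
        hosts_by_exe[normalize_executable(exe)].add(host.strip())
    return dict(hosts_by_exe)


def rare_tasks(csv_text: str, max_hosts: int = 1) -> list:
    """Return (executable, sorted hosts) for executables seen on at most
    max_hosts distinct hosts, rarest first. These are leads to investigate,
    not verdicts: a one-off task may be specialised software or a compromise."""
    hosts_by_exe = count_hosts_per_task(csv_text)
    rare = [
        (exe, sorted(hosts))
        for exe, hosts in hosts_by_exe.items()
        if len(hosts) <= max_hosts
    ]
    return sorted(rare, key=lambda item: (len(item[1]), item[0]))


if __name__ == "__main__":
    for exe, hosts in rare_tasks(SAMPLE_CSV):
        print(f"{exe}  (hosts: {', '.join(hosts)})")
```

Raising `max_hosts` widens the net (for example, tasks present on at most 2 or 3 hosts in a large fleet), which is often a better first cut than strict singletons when an export contains a few test or admin machines.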