#### Set up connection with duckdb and attach the original data to new database file that'll store the final training data

In [None]:
import duckdb 
og_data_source = "dataset/cert42.duckdb" 
con = duckdb.connect("dataset/supervised_dataset.duckdb")
res = con.execute(f"ATTACH '{og_data_source}' AS raw_db (READ_ONLY);").df()
print(res)

Empty DataFrame
Columns: [Success]
Index: []


#### Will aggregate our data into 3 new tables 
* pyschometric table (Copy of the original psychometric table, no changes)
* ldap_unified table (Will store all the consolidated information of all 18 months from the LDAP tables, not chronologically ordered)
* logs_unified table (Will store all the consolidated logs, not chronologically ordered) 

#### Constructing pyschometric table 

In [29]:
res = con.execute("""
CREATE TABLE psychometric AS
SELECT
    "employee_name", 
    "user_id",
    "O",
    "C",
    "E",
    "A",
    "N"
FROM raw_db.psychometric;""").df()

print(res)

preview = con.execute("""
SELECT * FROM psychometric LIMIT 5
""").df() 

print(preview)

   Count
0   1000
             employee_name  user_id   O   C   E   A   N
0         Calvin Edan Love  CEL0561  40  39  36  19  40
1  Christine Reagan Deleon  CRD0624  26  22  17  39  32
2    Jade Felicia Caldwell  JFC0557  22  16  23  40  33
3   Aquila Stewart Dejesus  ASD0577  40  48  36  14  37
4        Micah Abdul Rojas  MAR0955  36  44  23  44  25


#### Constructing ldap_unified table  

In [31]:
res = con.execute("""
CREATE TABLE ldap_unified AS

-- Data from LDAP_2009-12
SELECT
    "employee_name", "user_id", "email", "role", "business_unit", "functional_unit", "department", "team", "supervisor",
    make_date(2009, 12, 01) AS start_date,
    (make_date(2009, 12, 01) + INTERVAL '1 month' - INTERVAL '1 day')::DATE AS end_date
FROM raw_db."LDAP_2009-12"

UNION ALL

-- Data from LDAP_2010-01
SELECT
    "employee_name", "user_id", "email", "role", "business_unit", "functional_unit", "department", "team", "supervisor",
    make_date(2010, 01, 01) AS start_date,
    (make_date(2010, 01, 01) + INTERVAL '1 month' - INTERVAL '1 day')::DATE AS end_date
FROM raw_db."LDAP_2010-01"

UNION ALL

-- Data from LDAP_2010-02
SELECT
    "employee_name", "user_id", "email", "role", "business_unit", "functional_unit", "department", "team", "supervisor",
    make_date(2010, 02, 01) AS start_date,
    (make_date(2010, 02, 01) + INTERVAL '1 month' - INTERVAL '1 day')::DATE AS end_date
FROM raw_db."LDAP_2010-02"

UNION ALL

-- Data from LDAP_2010-03
SELECT
    "employee_name", "user_id", "email", "role", "business_unit", "functional_unit", "department", "team", "supervisor",
    make_date(2010, 03, 01) AS start_date,
    (make_date(2010, 03, 01) + INTERVAL '1 month' - INTERVAL '1 day')::DATE AS end_date
FROM raw_db."LDAP_2010-03"

UNION ALL

-- Data from LDAP_2010-04
SELECT
    "employee_name", "user_id", "email", "role", "business_unit", "functional_unit", "department", "team", "supervisor",
    make_date(2010, 04, 01) AS start_date,
    (make_date(2010, 04, 01) + INTERVAL '1 month' - INTERVAL '1 day')::DATE AS end_date
FROM raw_db."LDAP_2010-04"

UNION ALL

-- Data from LDAP_2010-05
SELECT
    "employee_name", "user_id", "email", "role", "business_unit", "functional_unit", "department", "team", "supervisor",
    make_date(2010, 05, 01) AS start_date,
    (make_date(2010, 05, 01) + INTERVAL '1 month' - INTERVAL '1 day')::DATE AS end_date
FROM raw_db."LDAP_2010-05"

UNION ALL

-- Data from LDAP_2010-06
SELECT
    "employee_name", "user_id", "email", "role", "business_unit", "functional_unit", "department", "team", "supervisor",
    make_date(2010, 06, 01) AS start_date,
    (make_date(2010, 06, 01) + INTERVAL '1 month' - INTERVAL '1 day')::DATE AS end_date
FROM raw_db."LDAP_2010-06"

UNION ALL

-- Data from LDAP_2010-07
SELECT
    "employee_name", "user_id", "email", "role", "business_unit", "functional_unit", "department", "team", "supervisor",
    make_date(2010, 07, 01) AS start_date,
    (make_date(2010, 07, 01) + INTERVAL '1 month' - INTERVAL '1 day')::DATE AS end_date
FROM raw_db."LDAP_2010-07"

UNION ALL

-- Data from LDAP_2010-08
SELECT
    "employee_name", "user_id", "email", "role", "business_unit", "functional_unit", "department", "team", "supervisor",
    make_date(2010, 08, 01) AS start_date,
    (make_date(2010, 08, 01) + INTERVAL '1 month' - INTERVAL '1 day')::DATE AS end_date
FROM raw_db."LDAP_2010-08"

UNION ALL

-- Data from LDAP_2010-09
SELECT
    "employee_name", "user_id", "email", "role", "business_unit", "functional_unit", "department", "team", "supervisor",
    make_date(2010, 09, 01) AS start_date,
    (make_date(2010, 09, 01) + INTERVAL '1 month' - INTERVAL '1 day')::DATE AS end_date
FROM raw_db."LDAP_2010-09"

UNION ALL

-- Data from LDAP_2010-10
SELECT
    "employee_name", "user_id", "email", "role", "business_unit", "functional_unit", "department", "team", "supervisor",
    make_date(2010, 10, 01) AS start_date,
    (make_date(2010, 10, 01) + INTERVAL '1 month' - INTERVAL '1 day')::DATE AS end_date
FROM raw_db."LDAP_2010-10"

UNION ALL

-- Data from LDAP_2010-11
SELECT
    "employee_name", "user_id", "email", "role", "business_unit", "functional_unit", "department", "team", "supervisor",
    make_date(2010, 11, 01) AS start_date,
    (make_date(2010, 11, 01) + INTERVAL '1 month' - INTERVAL '1 day')::DATE AS end_date
FROM raw_db."LDAP_2010-11"

UNION ALL

-- Data from LDAP_2010-12
SELECT
    "employee_name", "user_id", "email", "role", "business_unit", "functional_unit", "department", "team", "supervisor",
    make_date(2010, 12, 01) AS start_date,
    (make_date(2010, 12, 01) + INTERVAL '1 month' - INTERVAL '1 day')::DATE AS end_date
FROM raw_db."LDAP_2010-12"

UNION ALL

-- Data from LDAP_2011-01
SELECT
    "employee_name", "user_id", "email", "role", "business_unit", "functional_unit", "department", "team", "supervisor",
    make_date(2011, 01, 01) AS start_date,
    (make_date(2011, 01, 01) + INTERVAL '1 month' - INTERVAL '1 day')::DATE AS end_date
FROM raw_db."LDAP_2011-01"

UNION ALL

-- Data from LDAP_2011-02
SELECT
    "employee_name", "user_id", "email", "role", "business_unit", "functional_unit", "department", "team", "supervisor",
    make_date(2011, 02, 01) AS start_date,
    (make_date(2011, 02, 01) + INTERVAL '1 month' - INTERVAL '1 day')::DATE AS end_date
FROM raw_db."LDAP_2011-02"

UNION ALL

-- Data from LDAP_2011-03
SELECT
    "employee_name", "user_id", "email", "role", "business_unit", "functional_unit", "department", "team", "supervisor",
    make_date(2011, 03, 01) AS start_date,
    (make_date(2011, 03, 01) + INTERVAL '1 month' - INTERVAL '1 day')::DATE AS end_date
FROM raw_db."LDAP_2011-03"

UNION ALL

-- Data from LDAP_2011-04
SELECT
    "employee_name", "user_id", "email", "role", "business_unit", "functional_unit", "department", "team", "supervisor",
    make_date(2011, 04, 01) AS start_date,
    (make_date(2011, 04, 01) + INTERVAL '1 month' - INTERVAL '1 day')::DATE AS end_date
FROM raw_db."LDAP_2011-04"

UNION ALL

-- Data from LDAP_2011-05
SELECT
    "employee_name", "user_id", "email", "role", "business_unit", "functional_unit", "department", "team", "supervisor",
    make_date(2011, 05, 01) AS start_date,
    (make_date(2011, 05, 01) + INTERVAL '1 month' - INTERVAL '1 day')::DATE AS end_date
FROM raw_db."LDAP_2011-05";""").df()

print(res)

preview = con.execute("""
SELECT * FROM ldap_unified LIMIT 5
""").df() 

print(preview)

   Count
0  16743
             employee_name  user_id                             email  \
0         Calvin Edan Love  CEL0561         Calvin.Edan.Love@dtaa.com   
1  Christine Reagan Deleon  CRD0624  Christine.Reagan.Deleon@dtaa.com   
2    Jade Felicia Caldwell  JFC0557    Jade.Felicia.Caldwell@dtaa.com   
3   Aquila Stewart Dejesus  ASD0577   Aquila.Stewart.Dejesus@dtaa.com   
4        Micah Abdul Rojas  MAR0955        Micah.Abdul.Rojas@dtaa.com   

                   role  business_unit             functional_unit  \
0    ComputerProgrammer              1  2 - ResearchAndEngineering   
1              Salesman              1       5 - SalesAndMarketing   
2      SoftwareEngineer              1  2 - ResearchAndEngineering   
3  ProductionLineWorker              1           3 - Manufacturing   
4  ProductionLineWorker              1           3 - Manufacturing   

               department               team                  supervisor  \
0  2 - SoftwareManagement       3 - Software  

#### Constructing logs_unified table 

In [2]:
res = con.execute("""
CREATE TABLE logs_unified AS
-- 1. Get Logon events
SELECT
    "user" AS user_id,
    "pc", -- Added PC for better context
    "date" AS timestamp,
    'Logon' AS event_type,
    "activity" AS details
FROM raw_db.logon

UNION ALL

-- 2. Get Device events
SELECT
    "user" AS user_id,
    "pc", -- Added
    "date" AS timestamp,
    'Device' AS event_type,
    "activity" AS details
FROM raw_db.device

UNION ALL

-- 3. Get HTTP events
SELECT
    "user" AS user_id,
    "pc", -- Added
    "date" AS timestamp,
    'HTTP' AS event_type,
    "url" AS details
FROM raw_db.http

UNION ALL

-- 4. Get File events
SELECT
    "user" AS user_id,
    "pc", -- Added
    "date" AS timestamp,
    'File' AS event_type,
    "filename" AS details
FROM raw_db.file

UNION ALL

-- 5. Get Email events
SELECT
    "user" AS user_id,
    "pc", -- Added
    "date" AS timestamp,
    'Email' AS event_type,
    'To:' || "to" || '; Attachments:' || "attachments" AS details
FROM raw_db.email;""").df()

print(res)

preview = con.execute("""
SELECT * FROM logs_unified LIMIT 5
""").df() 

print(preview)

FloatProgress(value=0.0, layout=Layout(width='auto'), style=ProgressStyle(bar_color='black'))

      Count
0  32770222
   user_id       pc           timestamp event_type details
0  NGF0157  PC-6056 2010-01-02 06:49:00      Logon   Logon
1  LRR0148  PC-4275 2010-01-02 06:50:00      Logon   Logon
2  LRR0148  PC-4124 2010-01-02 06:53:04      Logon   Logon
3  IRM0931  PC-7188 2010-01-02 07:00:00      Logon   Logon
4  MOH0273  PC-6699 2010-01-02 07:00:00      Logon   Logon


#### Reviewing constructed tables

In [7]:
res = con.execute("show tables;").df()
for t in res["name"] : 
    s = con.execute(f"desc {t}").df()  
    print(f"table name : {t}\n{s}\n\n\n")  

table name : ldap_unified
        column_name column_type null   key default extra
0     employee_name     VARCHAR  YES  None    None  None
1           user_id     VARCHAR  YES  None    None  None
2             email     VARCHAR  YES  None    None  None
3              role     VARCHAR  YES  None    None  None
4     business_unit      BIGINT  YES  None    None  None
5   functional_unit     VARCHAR  YES  None    None  None
6        department     VARCHAR  YES  None    None  None
7              team     VARCHAR  YES  None    None  None
8        supervisor     VARCHAR  YES  None    None  None
9        start_date        DATE  YES  None    None  None
10         end_date        DATE  YES  None    None  None



table name : logs_unified
  column_name column_type null   key default extra
0     user_id     VARCHAR  YES  None    None  None
1          pc     VARCHAR  YES  None    None  None
2   timestamp   TIMESTAMP  YES  None    None  None
3  event_type     VARCHAR  YES  None    None  None
4     

#### Constructing and reviewing the final feature table (feature_table) from the 3 tables

In [3]:
res = con.execute("""
CREATE TABLE feature_table AS
SELECT
    (CAST(l.timestamp AS VARCHAR) || '_' || l.user_id) AS event_id,
    l.user_id,
    l.pc,
    l.timestamp,
    l.event_type,
    l.details,
    -- Add psychometric data (static per user)
    p.O, p.C, p.E, p.A, p.N,
    -- Add LDAP data (changes monthly)
    lu.role,
    lu.department,
    lu.supervisor
FROM
    logs_unified AS l
LEFT JOIN
    psychometric AS p ON l.user_id = p.user_id
LEFT JOIN
    ldap_unified AS lu ON l.user_id = lu.user_id
    -- This time-based join is the most critical part
    AND l.timestamp BETWEEN lu.start_date AND lu.end_date
-- This ensures the final data is a chronological story for each user
ORDER BY
    l.user_id, l.timestamp;
""").df()

print(res)

preview = con.execute("""
SELECT * FROM feature_table LIMIT 5
""").df() 

print(preview)

FloatProgress(value=0.0, layout=Layout(width='auto'), style=ProgressStyle(bar_color='black'))

      Count
0  32770222
                      event_id  user_id       pc           timestamp  \
0  2010-01-04 08:09:00_AAE0190  AAE0190  PC-8915 2010-01-04 08:09:00   
1  2010-01-04 08:10:50_AAE0190  AAE0190  PC-8915 2010-01-04 08:10:50   
2  2010-01-04 08:12:10_AAE0190  AAE0190  PC-8915 2010-01-04 08:12:10   
3  2010-01-04 08:14:04_AAE0190  AAE0190  PC-8915 2010-01-04 08:14:04   
4  2010-01-04 08:16:00_AAE0190  AAE0190  PC-8915 2010-01-04 08:16:00   

  event_type                                            details   O   C   E  \
0      Logon                                              Logon  36  30  14   
1       HTTP  http://megaupload.com/Malcolm_X/lumumba/oybttv...  36  30  14   
2       HTTP  http://megaclick.com/Albert_Prince_Consort/cur...  36  30  14   
3       HTTP  http://sfgate.com/Sweet_Track/westhay/guebhtuc...  36  30  14   
4       HTTP  http://sfgate.com/Sweet_Track/westhay/guebhtuc...  36  30  14   

    A   N     role      department        supervisor  
0  50  29  Ma

In [4]:
s = con.execute("desc feature_table;").df() 
print(s)

   column_name column_type null   key default extra
0     event_id     VARCHAR  YES  None    None  None
1      user_id     VARCHAR  YES  None    None  None
2           pc     VARCHAR  YES  None    None  None
3    timestamp   TIMESTAMP  YES  None    None  None
4   event_type     VARCHAR  YES  None    None  None
5      details     VARCHAR  YES  None    None  None
6            O      BIGINT  YES  None    None  None
7            C      BIGINT  YES  None    None  None
8            E      BIGINT  YES  None    None  None
9            A      BIGINT  YES  None    None  None
10           N      BIGINT  YES  None    None  None
11        role     VARCHAR  YES  None    None  None
12  department     VARCHAR  YES  None    None  None
13  supervisor     VARCHAR  YES  None    None  None


#### Copying (and reviewing) insiders table from original CERT r4.2 db to supervised_dataset db

In [2]:
res = con.execute("""
        CREATE TABLE insiders AS 
        SELECT * FROM raw_db.insiders;
    """).df() 

print(res)

   Count
0     70


In [5]:
preview = con.execute("select * from insiders LIMIT 5").df()
print(f"Preview :\n{preview}\n")  

struct = con.execute("desc insiders").df() 
print(f"structure :\n{struct}\n") 

Preview :
   dataset  scenario             details     user               start  \
0      4.2         1  r4.2-1-AAM0658.csv  AAM0658 2010-10-23 01:34:19   
1      4.2         1  r4.2-1-AJR0932.csv  AJR0932 2010-09-10 19:12:01   
2      4.2         1  r4.2-1-BDV0168.csv  BDV0168 2010-07-30 19:56:44   
3      4.2         1  r4.2-1-BIH0745.csv  BIH0745 2010-07-13 20:15:23   
4      4.2         1  r4.2-1-BLS0678.csv  BLS0678 2010-09-21 01:16:22   

                  end  
0 2010-10-29 05:23:28  
1 2010-09-18 02:02:51  
2 2010-08-10 05:16:41  
3 2010-07-13 21:20:44  
4 2010-09-30 04:48:19  

structure :
  column_name column_type null   key default extra
0     dataset      DOUBLE  YES  None    None  None
1    scenario      BIGINT  YES  None    None  None
2     details     VARCHAR  YES  None    None  None
3        user     VARCHAR  YES  None    None  None
4       start   TIMESTAMP  YES  None    None  None
5         end   TIMESTAMP  YES  None    None  None



#### Closing the db connection

In [5]:
con.close() 