# Project: Network Traffic Analysis & C2 Discovery (MySQL)

**Mission:** You are analyzing Netflow records to identify potential Command & Control (C2) activity. Threat actors often use "heartbeats"—periodic, consistent traffic—to maintain a connection to a compromised host.

**Core Learning Goals:**
1.  **MySQL Time-Series Retrieval:** Use SQL to pull traffic logs for specific hosts.
2.  **Frequency Detection:** Identify periodic patterns in timestamps.
3.  **Anomaly Detection:** Differentiate between standard user traffic and automated C2 heartbeats.

---

## Part 1: Connecting to the Netflow Database
Connect to MySQL and prepare to query the `network_flows` table.

In [None]:
```python
import os
import pandas as pd
import matplotlib.pyplot as plt
from sqlalchemy import create_engine

# YOUR CODE HERE
# Build a SQLAlchemy engine for the MySQL instance that holds `network_flows`
# (read the connection string from the environment rather than hard-coding it).
```

## Part 2: Triage - High Volume Sources
Identify the source IP addresses that are generating the most traffic (by byte count and by request count).

**Task:** Write a SQL query to group by `src_ip` and count the requests and sum the `bytes`.

In [None]:
```python
# YOUR CODE HERE
# SELECT src_ip, COUNT(*) AS requests, SUM(bytes) AS total_bytes
# FROM network_flows GROUP BY src_ip ORDER BY total_bytes DESC
```

## Part 3: Heartbeat Identification
Focus on a single `src_ip` that seems suspicious. Calculate the time difference (delta) between consecutive requests.

**Task:** Use `pd.to_datetime()` on the `timestamp` column, then use `.diff()` to calculate the seconds between each request. A consistent delta (e.g., exactly 300 seconds every time) is a strong indicator of a C2 heartbeat.

In [None]:
```python
# YOUR CODE HERE
# Sort the suspicious host's rows by timestamp, then compute the
# consecutive deltas in seconds with .diff().dt.total_seconds().
```
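As an added example (not part of the notebook, and written without pandas so it runs stand-alone), here is the Part 3 delta calculation carried through on constructed flow records: one host beaconing every 300 seconds with slight jitter and one host with bursty user traffic. The sample IPs, the 0.1 jitter threshold, and the "at least three intervals" rule are assumptions.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample flows (src_ip, timestamp, bytes), not real Netflow data.
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_FLOWS = (
    # 10.0.0.5: a request every 300 s, drifting by 0-2 s (C2-style heartbeat)
    [("10.0.0.5", T0 + timedelta(seconds=300 * i + (i % 3)), 512) for i in range(8)]
    # 10.0.0.9: bursts of browsing separated by long idle gaps (human-style)
    + [("10.0.0.9", T0 + timedelta(seconds=s), b)
       for s, b in ((0, 1200), (4, 90000), (9, 3000), (700, 1500), (703, 60000), (2400, 800))]
)

def heartbeat_stats(flows, src_ip):
    """Mirror the Part 3 recipe: sort one host's timestamps, take consecutive
    differences in seconds, and summarise how regular those deltas are."""
    times = sorted(t for ip, t, _ in flows if ip == src_ip)
    deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(deltas) < 3:          # too few intervals to judge periodicity
        return None
    avg = mean(deltas)
    # Coefficient of variation: spread of the deltas relative to their mean.
    # A near-constant beacon gives a value close to 0; bursty traffic does not.
    cv = pstdev(deltas) / avg if avg else float("inf")
    return {"src_ip": src_ip, "requests": len(times), "avg_delta": avg, "cv": cv}

def is_heartbeat(stats, max_cv=0.1):
    """Flag a host whose inter-request jitter is within max_cv (assumed threshold)."""
    return stats is not None and stats["cv"] <= max_cv

def triage(flows):
    """Per-source summary over every src_ip present in the flows."""
    return [heartbeat_stats(flows, ip) for ip in sorted({ip for ip, _, _ in flows})]

if __name__ == "__main__":
    for s in triage(SAMPLE_FLOWS):
        print(s, "-> heartbeat" if is_heartbeat(s) else "-> bursty")
```

Legitimate software also polls on fixed intervals (update checks, NTP, monitoring agents), so corroborate a low jitter value with the destination and the byte-size regularity from Part 4 before writing the IP back in Part 5.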

## Part 4: Visualizing the Pattern
Plot the `timestamp` against the `bytes` for the suspicious IP. Standard user traffic is "bursty," while automated traffic is often very regular.

**Task:** Create a scatter or line plot showing the activity over time.

In [None]:
```python
# YOUR CODE HERE
# plt.scatter (or plt.plot) of timestamp vs. bytes for the suspicious src_ip.
```

## Part 5: Threat Intel Writeback (MySQL)
Once an IP is confirmed as a C2 candidate, log it into a `threat_intel_blacklist` table in MySQL for your SOC team.

**Task:** Save the suspicious IP and its average heartbeat interval to the database.

In [None]:
```python
# YOUR CODE HERE
# INSERT the src_ip and its mean delta (seconds) into threat_intel_blacklist
# using a parameterised statement, not string formatting.
```