# Project: Expert SIEM Threat Hunting & Adversarial Correlation

**Mission:** A Tier-3 SOC investigation. A threat actor has established persistence and is now performing internal reconnaissance. They are using "Living off the Land" (LotL) techniques to blend in with administrative activity.

**Objective:** Use advanced SQL window functions, multi-log correlation, and session analysis to reconstruct the attack timeline.

---

## PHASE 1: Data Ingestion & Schema Review
**Context:** Our SIEM (MySQL) aggregates logs from three sources: 
1. `auth_logs`: Login/Logout events (Success/Failure).
2. `process_logs`: Command execution (Process Name, Parent Process, Arguments).
3. `net_logs`: Internal and external connections (Source, Dest, Port).

**Task:** Establish the SQLAlchemy connection and verify the record count for the last 24 hours.

In [None]:
import pandas as pd
from sqlalchemy import create_engine
import os
import matplotlib.pyplot as plt
import seaborn as sns

# Connection Setup
user = os.getenv('DB_USER')
pw = os.getenv('DB_PASS')
db = "security_lab"
engine = create_engine(f"mysql+pymysql://{user}:{pw}@localhost/{db}")

## PHASE 2: Hunting "Living off the Land" (LotL)
**The Logic:** Attackers often use `powershell.exe` or `wmic.exe`. However, simple keyword matching (e.g., `-EncodedCommand`) is easily evaded. 

**Expert Task:** Use SQL to find processes where the **Parent Process** is suspicious (e.g., `cmd.exe` spawning from `outlook.exe` or `winword.exe`). This is a high-fidelity indicator of successful phishing exploitation.

In [None]:
query = """
SELECT timestamp, process_name, parent_process, arguments, user
FROM process_logs
WHERE (parent_process IN ('outlook.exe', 'winword.exe', 'excel.exe', 'powerpnt.exe'))
AND (process_name IN ('cmd.exe', 'powershell.exe', 'wscript.exe'))
ORDER BY timestamp DESC;
"""
# YOUR CODE HERE

## PHASE 3: Multi-Stage Correlation (The Kill Chain)
**The Logic:** Lateral movement isn't just one log; it's a sequence: 
`Successful Login` -> `New Process Created` -> `Outbound Internal Connection`.

**Expert Task:** Perform a complex 3-way JOIN or use a Common Table Expression (CTE) to find instances where a user logged in, and within 60 seconds, executed a process that initiated a network connection to a NEW internal host.

In [None]:
query = """
WITH UserSessions AS (
    SELECT user, source_ip, timestamp as login_time
    FROM auth_logs
    WHERE status = 'SUCCESS'
)
SELECT s.user, s.source_ip, p.process_name, n.dest_ip, n.timestamp as connection_time
FROM UserSessions s
JOIN process_logs p ON s.user = p.user 
    AND p.timestamp BETWEEN s.login_time AND DATE_ADD(s.login_time, INTERVAL 1 MINUTE)
JOIN net_logs n ON p.user = n.user 
    AND n.timestamp BETWEEN p.timestamp AND DATE_ADD(p.timestamp, INTERVAL 1 MINUTE)
WHERE n.dest_ip != s.source_ip
"""
# YOUR CODE HERE

## PHASE 4: Hunting "Log Gaps" (Anti-Forensics)
**The Logic:** Sophisticated actors clear logs or disable services. We detect this by looking for "Gaps" in the `timestamp` sequence that exceed our expected heartbeat interval.

**Expert Task:** Use the `LAG()` window function to calculate the time difference between consecutive log entries per host. Identify gaps larger than 30 minutes where no logs were recorded.

In [None]:
query = """
SELECT host, timestamp, 
       LAG(timestamp) OVER (PARTITION BY host ORDER BY timestamp) as prev_log,
       TIMESTAMPDIFF(MINUTE, LAG(timestamp) OVER (PARTITION BY host ORDER BY timestamp), timestamp) as gap_minutes
FROM process_logs
HAVING gap_minutes > 30;
"""
# YOUR CODE HERE

## PHASE 5: Behavioral Anomaly Detection
**Expert Task:** Calculate the "Entropy" of command arguments. Automated/Obfuscated commands (like Base64 encoded strings) have higher character entropy than standard administrative commands.

**Task:** Write a Python function to calculate Shannon Entropy for the `arguments` column and plot the distribution. Flag outliers for manual review.

In [None]:
import math
def calculate_entropy(text):
    if not text: return 0
    prob = [ float(text.count(c)) / len(text) for c in dict.fromkeys(list(text)) ]
    entropy = - sum([ p * math.log(p) / math.log(2.0) for p in prob ])
    return entropy

# YOUR CODE HERE

## PHASE 6: Executive Incident Timeline
**Task:** Create a multi-axis plot showing Authentication Failures vs. Successful Command Executions. Identify the "Pivot Point" where the attacker successfully gained access and began their mission.

In [None]:
# YOUR CODE HERE