# Workflow

### Import -> Connect -> Get data

### Introduction:
1. 用get_exdata_by_id(flow_id)來取得特定flow_id中explanation的資料


2. 用get_exdata_pass_14_days()來獲取過去14天的資料


3. 用get_exdata_by_timerange(num_of_days)來取得過去特定天數(1-14天) explanation的資料 (p.s.需先跑完get_exdata_pass_14_days())


4. (舊功能)用 get_explanation_data_all()獲取elasticsearch中所有explanation的資料 (分為internet和intranet)

    
5. (舊功能，未改寫完) search_in_dataframe_by_id() 以dataframe格式取出特定id的table。
    For example : search_in_dataframe_by_id("B21120004")

# Import libraries

In [1]:
from elasticsearch import Elasticsearch
from elasticsearch import helpers
from elasticsearch_dsl import Search
from elasticsearch_dsl.query import MultiMatch
from elasticsearch_dsl import Q
from datetime import datetime
from datetime import timedelta
import pandas as pd
import json

# Connect to elasticsearch

In [2]:
def connect_ES():
    return Elasticsearch(hosts='192.168.70.102', port=9200,timeout=60)

# Get data

### New functions - Get explantion data by id

In [3]:
# This fuction deal with the combination of different names, values, descriptions, and return a list
def get_exdata(data):
    ex_list = []
    name = data["name"]
    value = data["value"]
    description = data["description"]
    for i,j,k in zip(name,value,description):
        ex_list.append(({'name':i,'value':j,'description':k}))
    return ex_list

In [4]:
# This function is used to get the explanation data of a specific id
def get_exdata_by_id(f_id):
    # Compose the index we need
    if f_id[0]=='B':
        index = f'ai-alert-internet-20{f_id[1:3]}-{f_id[3:5]}'
    elif f_id[0]=='J':
        index = f'ai-alert-intranet-20{f_id[1:3]}-{f_id[3:5]}'
    else:
        print("There are some errors, please try again!")
    # Start grabing data
    es = connect_ES() # connect to elasticsearch
    search = Search(using=es, index=index) \
            .query(Q("match",flow_id=f_id))
    response = search.execute() #Execute the query
    explanation = response.hits.hits[0]["_source"]["explanation"]
    results = get_exdata(explanation)
    return results

In [5]:
# This fuction is used to get the explanation data of a specific id, and return a dataframe
def get_exdata_by_id_df(f_id):
    ex_list = get_exdata_by_id(f_id)
    df = pd.DataFrame(ex_list)
    return df

### New functions - Get tracing back explanation data with specific time range

In [6]:
def convert_explanation(nvd):
    each_ex_list =[]
    name = nvd['name']
    value = nvd['value']
    description = nvd['description']
    for i,j,k in zip(name,value,description):
        each_ex_list.append({'name':i,'value':j,'description':k})
    return each_ex_list

In [7]:
def mk_timstamp(s):
    timestamp = datetime.strptime(s, "%Y-%m-%d")
    return timestamp

In [8]:
def get_exdata_by_timerange(num_of_days): 
    # num_of days should between 1~30 (if today is Feb 28, then the range must between 1-28, if Feb 29 ,then 1-29)
    
    # To specify the time range for choosing index
    now = datetime.today()
    now_strft = datetime.strftime(now,"%Y-%m-%d")
    now_strpt = datetime.strptime(now_strft,"%Y-%m-%d")
    before_strft = datetime.strftime(now-timedelta(num_of_days),"%Y-%m-%d")
    now_year = now_strft[2:4]
    before_year = before_strft[2:4]
    now_month = now_strft[5:7]
    before_month = before_strft[5:7]
    inter_index = "ai-alert-internet-20"
    intra_index = "ai-alert-intranet-20"
    if now_year==before_year and now_month==before_month: 
        # If the pass time and today are in the same year and same month
        index_list = [inter_index+f'{now_year}-{now_month}',intra_index+f'{now_year}-{now_month}']
    elif now_year==before_year and now_month!=before_month: 
        # If the pass time and today are in the same year but in different month
        index_list = [inter_index+f'{now_year}-{now_month}',inter_index+f'{now_year}-{before_month}', \
                      intra_index+f'{now_year}-{before_month}',intra_index+f'{now_year}-{before_month}']
    elif now_year!=before_year and now_month!=before_month:
        # If the pass time and today are in both differnent year and different month
        index_list = [inter_index+f'{now_year}-{now_month}',inter_index+f'{before_year}-{before_month}', \
                      intra_index+f'{now_year}-{now_month}',intra_index+f'{before_year}-{before_month}']                
    else:
        print("There are some errors, please try again!")
        
    # Start grabing data
    es = connect_ES() # connect to elasticsearch
    search = Search(using=es, index=index_list) \
            .filter("range", ingest_timestamp = {"gt":f"now-14d/d", "lt":"now"}) \
            .extra(from_=0, size=10000) # Default only grab 10 data
    response = search.execute() #Execute the query
    response_list = response.hits.hits
    # Transform those data to dataframe so that we can get the data we need quickly
    data_list = []
    for i in response_list:
        data_list.append(i["_source"].to_dict())
    ex_df = pd.DataFrame(data_list)
    df_clean = ex_df[['category','ingest_timestamp','explanation']]

In [9]:
# This fuction is used to get the data in pass 14 days
def get_exdata_pass_14_days():
    
    # To specify the time range for choosing index
    now = datetime.today()
    now_strft = datetime.strftime(now,"%Y-%m-%d")
    before_strft = datetime.strftime(now-timedelta(14),"%Y-%m-%d")
    now_year = now_strft[2:4]
    before_year = before_strft[2:4]
    now_month = now_strft[5:7]
    before_month = before_strft[5:7]
    inter_index = "ai-alert-internet-20"
    intra_index = "ai-alert-intranet-20"
    if now_year==before_year and now_month==before_month: 
        # If the pass time and today are in the same year and same month
        index_list = [inter_index+f'{now_year}-{now_month}',intra_index+f'{now_year}-{now_month}']
    elif now_year==before_year and now_month!=before_month: 
        # If the pass time and today are in the same year but in different month
        index_list = [inter_index+f'{now_year}-{now_month}',inter_index+f'{now_year}-{before_month}', \
                      intra_index+f'{now_year}-{before_month}',intra_index+f'{now_year}-{before_month}']
    elif now_year!=before_year and now_month!=before_month:
        # If the pass time and today are in both differnent year and different month
        index_list = [inter_index+f'{now_year}-{now_month}',inter_index+f'{before_year}-{before_month}', \
                      intra_index+f'{now_year}-{now_month}',intra_index+f'{before_year}-{before_month}']                
    else:
        print("There are some errors, please try again!")
        
    # Start grabing data
    es = connect_ES() # connect to elasticsearch
    search = Search(using=es, index=index_list) \
            .filter("range", ingest_timestamp = {"gt":f"now-14d/d", "lt":"now"}) \
            .extra(from_=0, size=10000) # Default only grab 10 data
    response = search.execute() #Execute the query
    response_list = response.hits.hits
    # Transform those data to dataframe so that we can get the data we need quickly
    data_list = []
    for i in response_list:
        data_list.append(i["_source"].to_dict())
    ex_df = pd.DataFrame(data_list)
    df_clean = ex_df[['category','ingest_timestamp','explanation']]
    return df_clean

In [10]:
def get_exdata_by_timerange(num_of_days):
    # num_of days should between 1~30 (if today is Feb 28, then the range must between 1-28, if Feb 29 ,then 1-29)
    now = datetime.today()
    now_strft = datetime.strftime(now,"%Y-%m-%d")
    now_strpt = datetime.strptime(now_strft,"%Y-%m-%d")
    df_clean = get_exdata_pass_14_days()
    # Grab the explanation data and then form a dictionary, using internet and intranet as two keys
    internet_list = []
    intranet_list = []
    df_clean['ingest_timestamp'] = df_clean['ingest_timestamp'].apply(lambda x : x[:10])
    df_clean['ingest_timestamp'] = df_clean['ingest_timestamp'].apply(mk_timstamp)
    df_clean = df_clean.loc[(df_clean['ingest_timestamp'])>=now_strpt-timedelta(num_of_days)] # time range
    df_clean['explanation'] = df_clean['explanation'].apply(convert_explanation)
    df_clean['category'] = df_clean['category'].apply(lambda x : x.lower())
    for inter in df_clean.loc[df_clean['category']=='internet'].explanation:
        internet_list+=inter
    for intra in df_clean.loc[df_clean['category']=='intranet'].explanation:
        intranet_list+=intra
    return {'internet': internet_list, 'intranet': intranet_list}

### Original get-all-data functions, which can grab all the data of internet and intranet

In [20]:
def get_explanation(in_list):
    explanation_list = []
    for index, value in enumerate(in_list): # iterate through an internet_list or intranat_list
        data_list = in_list[index]['hits']['hits'] # grab the data list we want, which is under the two hists
        for e_index, e_value in enumerate(data_list):
#             flow_id = data_list[e_index]['_source']['flow_id']
            flow_id = e_value['_source']['flow_id']
#             ex_data = data_list[e_index]['_source']['explanation']
            name = data_list[e_index]['_source']['explanation']['name']
            value = data_list[e_index]['_source']['explanation']['value']
            description = data_list[e_index]['_source']['explanation']['description']
            for i,j,k in zip(name,value,description):
                explanation_list.append((flow_id,{'name':i,'value':j,'description':k}))
#             explanation = (flow_id, explanation_list)
    return explanation_list

In [21]:
def get_explanation_data_all():
    es = connect_ES()
    index_list = [index for index in es.indices.get('*')]
    ex_index_list = [i for i in index_list if 'ai-alert-int' in i]
    internet_list = []
    intranet_list = []
    for i in ex_index_list:
        response = es.search(index=i)
        if i[9:17]=='internet':
            internet_list.append(response)
        elif i[9:17]=='intranet':
            intranet_list.append(response)
        else:
            print("error")
    internet = get_explanation(internet_list)
    intranet = get_explanation(intranet_list)
    final_data = {'internet':internet,'intranet':intranet}
    return final_data

In [43]:
def search_in_dataframe_by_id(f_id):
    data = get_explanation_data_all()
    df = pd.DataFrame(data=data).transpose()
#     df = df.set_index(["id"]) 
#     df['subindex'] = df.groupby(level=0).cumcount()
#     df.set_index('subindex', append=True)
    return df

# Test

#### New functions

In [23]:
get_exdata_by_id("J21120013")

[{'name': 'Fwd IAT MEAN',
  'value': '0.001',
  'description': 'High Dissimilarity'},
 {'name': 'Src Port', 'value': '0.001', 'description': 'High Dissimilarity'},
 {'name': 'Potocol', 'value': '0.02', 'description': 'Dissimilarity'}]

In [24]:
get_exdata_by_id_df("J21120013")

Unnamed: 0,name,value,description
0,Fwd IAT MEAN,0.001,High Dissimilarity
1,Src Port,0.001,High Dissimilarity
2,Potocol,0.02,Dissimilarity


In [25]:
get_exdata_pass_14_days()

Unnamed: 0,category,ingest_timestamp,explanation
0,Internet,2022-01-19T14:46:46.209710+08:00,"{'name': ['Fwd IAT MEAN', 'Src Port', 'Potocol..."
1,Internet,2022-01-12T23:27:27.706083+08:00,"{'name': ['Fwd IAT MEAN', 'Src Port', 'Potocol..."
2,Internet,2022-01-16T12:36:36.305226+08:00,"{'name': ['Fwd IAT MEAN', 'Src Port', 'Potocol..."
3,Internet,2022-01-13T21:22:22.470444+08:00,"{'name': ['Fwd IAT MEAN', 'Src Port', 'Potocol..."
4,Internet,2022-01-12T17:18:18.155679+08:00,"{'name': ['Fwd IAT MEAN', 'Src Port', 'Potocol..."
...,...,...,...
88,Intranet,2022-01-18T21:10:00.000000+08:00,"{'name': ['Fwd IAT MEAN', 'Src Port', 'Potocol..."
89,Intranet,2022-01-19T18:10:00.000000+08:00,"{'name': ['Fwd IAT MEAN', 'Src Port', 'Potocol..."
90,Intranet,2022-01-18T06:10:00.000000+08:00,"{'name': ['Fwd IAT MEAN', 'Src Port', 'Potocol..."
91,Intranet,2022-01-19T15:10:00.000000+08:00,"{'name': ['Fwd IAT MEAN', 'Src Port', 'Potocol..."


In [26]:
get_exdata_by_timerange(7)

{'internet': [{'name': 'Fwd IAT MEAN',
   'value': '7426',
   'description': '90% of IAT<5000'},
  {'name': 'Src Port',
   'value': '8080',
   'description': 'Commonly used port: 8080, 8070, 8060'},
  {'name': 'Potocol', 'value': '17', 'description': 'UDP'},
  {'name': 'Fwd IAT MEAN', 'value': '7426', 'description': '90% of IAT<5000'},
  {'name': 'Src Port',
   'value': '8080',
   'description': 'Commonly used port: 8080, 8070, 8060'},
  {'name': 'Potocol', 'value': '17', 'description': 'UDP'},
  {'name': 'Fwd IAT MEAN', 'value': '7426', 'description': '90% of IAT<5000'},
  {'name': 'Src Port',
   'value': '8080',
   'description': 'Commonly used port: 8080, 8070, 8060'},
  {'name': 'Potocol', 'value': '17', 'description': 'UDP'},
  {'name': 'Fwd IAT MEAN', 'value': '7426', 'description': '90% of IAT<5000'},
  {'name': 'Src Port',
   'value': '8080',
   'description': 'Commonly used port: 8080, 8070, 8060'},
  {'name': 'Potocol', 'value': '17', 'description': 'UDP'},
  {'name': 'Fwd IA

In [30]:
test = get_exdata_by_timerange(3)
len(test['intranet'])/3

28.0

In [31]:
test1 = get_exdata_by_timerange(7)
len(test1['intranet'])/3

51.0

#### Original functions

In [27]:
get_explanation_data_all()

  This is separate from the ipykernel package so we can avoid doing imports until


{'internet': [('B21120001',
   {'name': 'Fwd IAT MEAN',
    'value': '7426',
    'description': '90% of IAT<5000'}),
  ('B21120001',
   {'name': 'Src Port',
    'value': '8080',
    'description': 'Commonly used port: 8080, 8070, 8060'}),
  ('B21120001', {'name': 'Potocol', 'value': '17', 'description': 'UDP'}),
  ('B21120004',
   {'name': 'Fwd IAT MEAN',
    'value': '7426',
    'description': '90% of IAT<5000'}),
  ('B21120004',
   {'name': 'Src Port',
    'value': '8080',
    'description': 'Commonly used port: 8080, 8070, 8060'}),
  ('B21120004', {'name': 'Potocol', 'value': '17', 'description': 'UDP'}),
  ('B21120005',
   {'name': 'Fwd IAT MEAN',
    'value': '7426',
    'description': '90% of IAT<5000'}),
  ('B21120005',
   {'name': 'Src Port',
    'value': '8080',
    'description': 'Commonly used port: 8080, 8070, 8060'}),
  ('B21120005', {'name': 'Potocol', 'value': '17', 'description': 'UDP'}),
  ('B21120006',
   {'name': 'Fwd IAT MEAN',
    'value': '7426',
    'description'

In [44]:
data = get_explanation_data_all()
search_in_dataframe_by_id("B21120004")

  This is separate from the ipykernel package so we can avoid doing imports until


Unnamed: 0,0,1,2,3,4,5,6,7,8,9,...,50,51,52,53,54,55,56,57,58,59
internet,"(B21120001, {'name': 'Fwd IAT MEAN', 'value': ...","(B21120001, {'name': 'Src Port', 'value': '808...","(B21120001, {'name': 'Potocol', 'value': '17',...","(B21120004, {'name': 'Fwd IAT MEAN', 'value': ...","(B21120004, {'name': 'Src Port', 'value': '808...","(B21120004, {'name': 'Potocol', 'value': '17',...","(B21120005, {'name': 'Fwd IAT MEAN', 'value': ...","(B21120005, {'name': 'Src Port', 'value': '808...","(B21120005, {'name': 'Potocol', 'value': '17',...","(B21120006, {'name': 'Fwd IAT MEAN', 'value': ...",...,"(B22010008, {'name': 'Potocol', 'value': '17',...","(B22010009, {'name': 'Fwd IAT MEAN', 'value': ...","(B22010009, {'name': 'Src Port', 'value': '808...","(B22010009, {'name': 'Potocol', 'value': '17',...","(B2201000b, {'name': 'Fwd IAT MEAN', 'value': ...","(B2201000b, {'name': 'Src Port', 'value': '808...","(B2201000b, {'name': 'Potocol', 'value': '17',...","(B2201000c, {'name': 'Fwd IAT MEAN', 'value': ...","(B2201000c, {'name': 'Src Port', 'value': '808...","(B2201000c, {'name': 'Potocol', 'value': '17',..."
intranet,"(J21120001, {'name': 'Fwd IAT MEAN', 'value': ...","(J21120001, {'name': 'Src Port', 'value': '0.0...","(J21120001, {'name': 'Potocol', 'value': '0.02...","(J21120002, {'name': 'Fwd IAT MEAN', 'value': ...","(J21120002, {'name': 'Src Port', 'value': '0.0...","(J21120002, {'name': 'Potocol', 'value': '0.02...","(J21120003, {'name': 'Fwd IAT MEAN', 'value': ...","(J21120003, {'name': 'Src Port', 'value': '0.0...","(J21120003, {'name': 'Potocol', 'value': '0.02...","(J21120004, {'name': 'Fwd IAT MEAN', 'value': ...",...,"(J22010007, {'name': 'Potocol', 'value': '0.02...","(J22010008, {'name': 'Fwd IAT MEAN', 'value': ...","(J22010008, {'name': 'Src Port', 'value': '0.0...","(J22010008, {'name': 'Potocol', 'value': '0.02...","(J22010009, {'name': 'Fwd IAT MEAN', 'value': ...","(J22010009, {'name': 'Src Port', 'value': '0.0...","(J22010009, {'name': 'Potocol', 'value': '0.02...","(J2201000a, {'name': 'Fwd IAT MEAN', 'value': ...","(J2201000a, {'name': 'Src Port', 'value': '0.0...","(J2201000a, {'name': 'Potocol', 'value': '0.02..."
