# Trouver l'elfe malveillant

Ce notebook t'accompagne pour enqu√™ter dans la base SQLite **`elf_challenge.db`**.
Ton objectif : **identifier l'elfe malveillant**, d√©montrer la preuve avec **au moins 2 requ√™tes** et proposer **1 mesure corrective**.

**Tables** : `person`, `gift`, `transactions`, `access_log`.

---
**Conseil** : travaille par hypoth√®ses, note tes trouvailles, et corr√®le les logs d'acc√®s avec les transactions autour d'horaires atypiques.


## 1) Pr√©paration de l'environnement

- On va utiliser `sqlite3` et `pandas`.
- La cellule ci-dessous **v√©rifie** que la base `elf_challenge.db` existe.


In [None]:
import os, sqlite3, random
from datetime import datetime, timedelta
import pandas as pd

DB_PATH = "elf_challenge.db"

def ensure_db(db_path: str):
    if os.path.exists(db_path):
        print("‚úî Base SQLite trouv√©e :", db_path)
        return
    
    print("‚ö† Base absente...", db_path)
   
ensure_db(DB_PATH)

## 2) Connexion & aper√ßu du sch√©ma

In [None]:
import sqlite3, pandas as pd
conn = sqlite3.connect(DB_PATH)

# Compter les lignes par table
q = (
    "SELECT 'person' as table_name, COUNT(*) as count FROM person "
    "UNION ALL SELECT 'gift', COUNT(*) FROM gift "
    "UNION ALL SELECT 'transactions', COUNT(*) FROM transactions "
    "UNION ALL SELECT 'access_log', COUNT(*) FROM access_log;"
)
pd.read_sql_query(q, conn)

In [None]:
# Aper√ßu des colonnes de chaque table (pragma)
tables = ['person','gift','transactions','access_log']
for t in tables:
    df = pd.read_sql_query(f"PRAGMA table_info({t});", conn)
    print(f"\n-- {t} --")
    display(df)

## 3) √âchauffement ‚Äî requ√™tes simples

1. **Lister** les personnes avec leur r√¥le.  
2. **Compter** combien de cadeaux par statut (`status`).  
3. **Top** 10 transactions les plus r√©centes (avec nom de l'acteur).  


In [None]:
# 1) Personnes / r√¥les
pd.read_sql_query("""
SELECT person_id, full_name, role
FROM person
ORDER BY role, full_name;
""", conn)

In [None]:
# 2) Cadeaux par statut
pd.read_sql_query("""
SELECT status, COUNT(*) as nb
FROM gift
GROUP BY status
ORDER BY nb DESC;
""", conn)

In [None]:
# 3) Top 10 transactions r√©centes
pd.read_sql_query("""
SELECT t.tx_id, t.gift_id, p.full_name AS actor, t.action, t.details, t.tx_ts
FROM transactions t
JOIN person p ON p.person_id = t.actor_id
ORDER BY t.tx_ts DESC
LIMIT 10;
""", conn)

## 4) Investigation ‚Äî pistes guid√©es

### 4.1 Actions nocturnes (00:00‚Äì05:00)
- Qui agit la nuit ?
- Y a‚Äët‚Äëil des **elfes** dans la liste ?


In [None]:
pd.read_sql_query("""
SELECT p.person_id, p.full_name, a.ts, a.action
FROM access_log a
JOIN person p ON p.person_id = a.person_id
WHERE time(a.ts) BETWEEN '00:00:00' AND '05:00:00'
ORDER BY a.ts;
""", conn)

### 4.2 Transactions suspectes (emoji üßù, 'missing')
- Chercher des **indices textuels**.


In [None]:
pd.read_sql_query("""
SELECT t.tx_id, t.gift_id, t.actor_id, p.full_name, t.action, t.details, t.tx_ts
FROM transactions t
JOIN person p ON p.person_id = t.actor_id
WHERE t.details LIKE '%üßù%' OR t.details LIKE '%missing%'
ORDER BY t.tx_ts DESC;
""", conn)

### 4.3 IPs & devices partag√©s
- Plusieurs comptes depuis la **m√™me IP / device** ?


In [None]:
pd.read_sql_query("""
SELECT ip_addr, device, COUNT(DISTINCT person_id) as nb_accounts,
       GROUP_CONCAT(DISTINCT person_id) as person_ids
FROM access_log
GROUP BY ip_addr, device
HAVING nb_accounts > 1
ORDER BY nb_accounts DESC;
""", conn)

### 4.4 Corr√©lation `transactions` ‚Üî `access_log` (¬± 2 minutes)
- Valider qu'une action a eu lieu **pendant une session** donn√©e.


In [None]:
pd.read_sql_query("""
SELECT t.tx_id, t.gift_id, t.actor_id, p.full_name as actor, t.details, t.tx_ts,
       a.log_id, a.person_id, a.ip_addr, a.device, a.location, a.action as access_action, a.ts as access_ts
FROM transactions t
JOIN person p ON p.person_id = t.actor_id
LEFT JOIN access_log a
  ON a.person_id = t.actor_id
 AND ABS(strftime('%s', t.tx_ts) - strftime('%s', a.ts)) <= 120
WHERE t.details LIKE '%missing%'
ORDER BY t.tx_ts DESC
LIMIT 50;
""", conn)

## 5) Ton enqu√™te ‚Äî espace de travail

Utilise les cellules ci‚Äëdessous pour :  
- Formuler tes hypoth√®ses
- Tester tes requ√™tes
- Consolider la **preuve** (au moins 2 requ√™tes pertinentes)


In [None]:
# Preuve 1 ‚Äî Toutes les transactions "missing üßù" / "secret shelf üßù" et leur auteur
preuve1 = pd.read_sql_query("""
SELECT
  t.tx_id, t.gift_id,
  p.person_id, p.full_name, p.role,
  t.action, t.details, t.tx_ts
FROM transactions t
JOIN person p ON p.person_id = t.actor_id
WHERE t.details LIKE '%üßù%'   -- marqueur tr√®s sp√©cifique
   OR t.details LIKE '%secret shelf%'
ORDER BY t.tx_ts ASC;
""", conn)

preuve1

In [None]:
# Preuve 2 ‚Äî Corr√©lation transactions suspectes ‚Üî sessions d'acc√®s (¬±2 minutes)
preuve2 = pd.read_sql_query("""
SELECT
  t.tx_id, t.gift_id,
  p.person_id, p.full_name, p.role,
  t.action AS tx_action, t.details AS tx_details, t.tx_ts,
  a.log_id, a.ts AS access_ts, a.action AS access_action,
  a.ip_addr, a.device, a.location, a.success
FROM transactions t
JOIN person p ON p.person_id = t.actor_id
LEFT JOIN access_log a
  ON a.person_id = t.actor_id
 AND ABS(strftime('%s', t.tx_ts) - strftime('%s', a.ts)) <= 120
WHERE (t.details LIKE '%üßù%' OR t.details LIKE '%secret shelf%')
ORDER BY t.tx_ts ASC;
""", conn)

preuve2

## 6) Conclusion ‚Äî Rapport court

- **Elfe malveillant identifi√©** : `person_id = 15`, `full_name = Merry G. Night`
- **Preuve 1 (requ√™te + interpr√©tation)** :
    - Requ√™te : filtre des transactions contenant **üßù** et/ou **‚Äúsecret shelf‚Äù** (`preuve1`).
    - Interpr√©tation : toutes les op√©rations ‚Äúmarked missing üßù‚Äù et ‚Äúmoved to secret shelf üßù‚Äù sont attribu√©es √† **Merry G. Night (elf)**, souvent √† des horaires **01:38‚Äì03:05** (nuit).
- **Preuve 2 (requ√™te + interpr√©tation)** :
    - Requ√™te : jointure `transactions` ‚Üî `access_log` (¬± 2 minutes) (`preuve2`).
    - Interpr√©tation : ces transactions correspondent √† des sessions **edit_gift** r√©ussies, localis√©es **warehouse**, depuis **10.0.0.45 / raspberry-pi-3**, au m√™me moment : on a donc la **trace d‚Äôacc√®s + l‚Äôaction m√©tier**, corr√©l√©es temporellement.
- **Mesure corrective (1)** :
    - Mettre en place une **r√®gle de contr√¥le** : toute action `change_status -> missing` ou `transfer` vers une zone non standard (ex. ‚Äúsecret shelf‚Äù) n√©cessite une **double validation (4-eyes)** et/ou est **bloqu√©e entre 00:00 et 05:00** sauf compte admin + justification (audit log obligatoire).