In [19]:
# Primero, en la primera celda del notebook puedes instalar las bibliotecas necesarias (si aún no están instaladas):

!pip install pyspark kafka-python pandas matplotlib

from pyspark.sql import SparkSession
from pyspark.sql.functions import col, count, window, desc, lag, avg, stddev, min, max, sum, approx_count_distinct
from pyspark.sql.window import Window

import os
import csv
import random
import datetime



In [20]:


# Lista de posibles tipos de eventos con una distribución realista
event_types = [
    ('INFO', 0.6),  # 60% de logs informativos
    ('WARNING', 0.15),  # 15% de advertencias
    ('ERROR', 0.1),  # 10% de errores
    ('DEBUG', 0.1),  # 10% de depuración
    ('LOGIN_FAILURE', 0.05)  # 5% de intentos de acceso fallidos
]

# Lista de posibles usuarios y direcciones IPs
users = ['admin', 'user1', 'user2', 'guest', 'root', 'test']
ips = [
    '192.168.1.10', '192.168.1.15', '10.0.0.1', '172.16.0.2',
    '203.0.113.45', '8.8.8.8', '185.199.108.153'
]

# Función para elegir un tipo de evento basado en la distribución de probabilidad
def choose_event_type():
    return random.choices([e[0] for e in event_types], weights=[e[1] for e in event_types])[0]

# Función para generar un log aleatorio
def generate_log():
    timestamp = datetime.datetime.now().strftime('%Y-%m-%d %H:%M:%S')
    event_type = choose_event_type()
    user = random.choice(users)
    ip = random.choice(ips)
    
    if event_type == 'LOGIN_FAILURE':
        message = f"Intento de acceso fallido para usuario {user} desde {ip}"
    elif event_type == 'ERROR':
        message = f"Error critico en el sistema detectado por el usuario {user}"
    elif event_type == 'WARNING':
        message = f"Posible anomalia detectada desde la IP {ip}"
    elif event_type == 'DEBUG':
        message = f"Modo depuraciin activo por usuario {user}"
    else:  # INFO
        message = f"Evento normal registrado para usuario {user} desde {ip}"
    
    return [timestamp, event_type, user, ip, message]

# Función para generar múltiples logs y guardarlos en un archivo CSV
def generate_logs(file_path="logs/log.csv", num_logs=200):
    folder = os.path.dirname(file_path)
    if not os.path.exists(folder):
        os.makedirs(folder)
    
    with open(file_path, mode='w', newline='') as file:
        writer = csv.writer(file)
        writer.writerow(['timestamp', 'event_type', 'user', 'ip', 'message'])
        
        for _ in range(num_logs):
            writer.writerow(generate_log())

# Ejecutar la generación de logs
generate_logs("logs/log.csv")


In [21]:
# La siguiente celda es para configurar la sesión de Spark y verificar que todo esté listo:

from pyspark.sql import SparkSession

# Crea una sesión de Spark
spark = SparkSession.builder \
    .appName("SIEM with Spark in Jupyter") \
    .getOrCreate()

# Verifica que Spark está funcionando correctamente
print(spark.version)


3.5.4


In [22]:

def read_logs_from_csv(file_path="logs/log.csv"):
    df = spark.read.option("header", "true").csv(file_path)
    df.show(5)
    return df

df = read_logs_from_csv("logs/log.csv")


+-------------------+----------+-----+---------------+--------------------+
|          timestamp|event_type| user|             ip|             message|
+-------------------+----------+-----+---------------+--------------------+
|2025-04-02 18:50:45|     ERROR|admin|        8.8.8.8|Error critico en ...|
|2025-04-02 18:50:45|      INFO|guest|   192.168.1.10|Evento normal reg...|
+-------------------+----------+-----+---------------+--------------------+
only showing top 5 rows



In [23]:

# Conteo de eventos por tipo
def count_events(df):
    return df.groupBy("event_type").count().orderBy(desc("count"))

count_events(df).show()


+-------------+-----+
|   event_type|count|
+-------------+-----+
|         INFO|  112|
|        ERROR|   22|
|        DEBUG|   22|
|LOGIN_FAILURE|   14|
+-------------+-----+



In [24]:

# Conteo de eventos por usuario
def count_users(df):
    return df.groupBy("user").count().orderBy(desc("count"))

count_users(df).show()


+-----+-----+
| user|count|
+-----+-----+
|guest|   42|
| root|   39|
|user1|   39|
|user2|   31|
|admin|   31|
| test|   18|
+-----+-----+



In [25]:

# Detectar usuarios con alta cantidad de errores o fallos de login
def detect_anomalous_users(df):
    return df.filter((col("event_type") == "ERROR") | (col("event_type") == "LOGIN_FAILURE")) \
             .groupBy("user").count().orderBy(desc("count"))

detect_anomalous_users(df).show()


+-----+-----+
| user|count|
+-----+-----+
|admin|    8|
|guest|    8|
|user1|    7|
|user2|    6|
| root|    5|
| test|    2|
+-----+-----+



In [26]:

# Análisis de eventos en el tiempo
def analyze_time_distribution(df):
    df = df.withColumn("timestamp", col("timestamp").cast("timestamp"))
    return df.groupBy(window(col("timestamp"), "1 hour"), "event_type").count()

analyze_time_distribution(df).show()


+--------------------+-------------+-----+
|              window|   event_type|count|
+--------------------+-------------+-----+
|{2025-04-02 18:00...|        ERROR|   22|
|{2025-04-02 18:00...|        DEBUG|   22|
|{2025-04-02 18:00...|LOGIN_FAILURE|   14|
|{2025-04-02 18:00...|         INFO|  112|
+--------------------+-------------+-----+



In [27]:

# Detección de patrones de actividad sospechosa
def detect_suspicious_patterns(df):
    window_spec = Window.partitionBy("user").orderBy("timestamp")
    return df.withColumn("prev_event", lag("event_type").over(window_spec))

detect_suspicious_patterns(df).show()


+-------------------+-------------+-----+---------------+--------------------+-------------+
|          timestamp|   event_type| user|             ip|             message|   prev_event|
+-------------------+-------------+-----+---------------+--------------------+-------------+
|2025-04-02 18:50:45|         INFO|admin|       10.0.0.1|Evento normal reg...|        DEBUG|
|2025-04-02 18:50:45|        ERROR|admin|     172.16.0.2|Error critico en ...|         INFO|
|2025-04-02 18:50:45|         INFO|admin|        8.8.8.8|Evento normal reg...|        ERROR|
|2025-04-02 18:50:45|         INFO|admin|   192.168.1.15|Evento normal reg...|        DEBUG|
|2025-04-02 18:50:45|        ERROR|admin|   192.168.1.10|Error critico en ...|         INFO|
|2025-04-02 18:50:45|         INFO|admin|185.199.108.153|Evento normal reg...|         INFO|
|2025-04-02 18:50:45|         INFO|admin|     172.16.0.2|Evento normal reg...|         INFO|
|2025-04-02 18:50:45|         INFO|admin|   192.168.1.10|Evento normal

In [28]:

# Estadísticas por usuario
def user_statistics(df):
    user_events = df.groupBy("user").agg(count("event_type").alias("total_events"))
    return user_events.agg(
        avg("total_events").alias("avg_events"),
        stddev("total_events").alias("stddev_events"),
        min("total_events").alias("min_events"),
        max("total_events").alias("max_events")
    )

user_stats = user_statistics(df)
user_stats.show()


+------------------+-----------------+----------+----------+
|        avg_events|    stddev_events|min_events|max_events|
+------------------+-----------------+----------+----------+
|33.333333333333336|8.778762251403478|        18|        42|
+------------------+-----------------+----------+----------+



In [30]:

# Correlación entre intentos de login fallidos y errores
def correlate_failed_logins_errors(df):
    failed_logins = df.filter(col("event_type") == "LOGIN_FAILURE").alias("fl")
    df_alias = df.alias("df")
    
    return failed_logins.join(
        df_alias, 
        (col("fl.user") == col("df.user")) & (col("fl.timestamp") < col("df.timestamp")),
        "inner"
    ).filter(col("df.event_type") == "ERROR").select(
        col("fl.timestamp").alias("failed_login_time"),
        col("df.timestamp").alias("error_time"),
        col("fl.user"),
        col("df.event_type")
    )

correlate_failed_logins_errors(df).show()


+-----------------+----------+----+----------+
|failed_login_time|error_time|user|event_type|
+-----------------+----------+----+----------+
+-----------------+----------+----+----------+



In [31]:

# Detectar direcciones IP con múltiples intentos fallidos
def detect_dangerous_ips(df):
    return df.filter(col("event_type") == "LOGIN_FAILURE").groupBy("ip").count().orderBy(desc("count"))

detect_dangerous_ips(df).show()


+---------------+-----+
|             ip|count|
+---------------+-----+
|     172.16.0.2|    3|
|   192.168.1.15|    3|
|       10.0.0.1|    3|
|   203.0.113.45|    3|
|   192.168.1.10|    1|
|185.199.108.153|    1|
+---------------+-----+



In [33]:

# Identificar usuarios con actividad inusual
def detect_suspicious_users(user_stats):
    thresh = user_stats.select(avg("total_events")).collect()[0][0] * 2
    return user_stats.filter(col("total_events") > thresh)

detect_suspicious_users(user_stats).show()


AnalysisException: [UNRESOLVED_COLUMN.WITH_SUGGESTION] A column or function parameter with name `total_events` cannot be resolved. Did you mean one of the following? [`max_events`, `avg_events`, `min_events`, `stddev_events`].;
'Aggregate [unresolvedalias(avg('total_events), Some(org.apache.spark.sql.Column$$Lambda$2866/0x0000000101024428@708a37cc))]
+- Aggregate [avg(total_events#540L) AS avg_events#544, stddev(cast(total_events#540L as double)) AS stddev_events#545, min(total_events#540L) AS min_events#547L, max(total_events#540L) AS max_events#549L]
   +- Aggregate [user#363], [user#363, count(event_type#362) AS total_events#540L]
      +- Relation [timestamp#361,event_type#362,user#363,ip#364,message#365] csv


In [34]:

# Número estimado de usuarios únicos
def count_unique_users(df):
    return df.select(approx_count_distinct("user")).collect()[0][0]

print(f"Número estimado de usuarios únicos: {count_unique_users(df)}")


Número estimado de usuarios únicos: 6


In [35]:

# Análisis de actividad por IP
def analyze_ip_activity(df):
    return df.groupBy("ip").agg(count("event_type").alias("total_events")).orderBy(desc("total_events"))

analyze_ip_activity(df).show()


+---------------+------------+
|             ip|total_events|
+---------------+------------+
|     172.16.0.2|          35|
|   203.0.113.45|          33|
|   192.168.1.15|          32|
|185.199.108.153|          28|
|       10.0.0.1|          26|
|        8.8.8.8|          24|
|   192.168.1.10|          22|
+---------------+------------+



In [36]:

# Detección de ráfagas de intentos de acceso fallidos
def detect_potential_attacks(df):
    time_window = Window.partitionBy("user").orderBy("timestamp").rowsBetween(-5, 0)
    df = df.withColumn("recent_events", count("event_type").over(time_window))
    return df.filter((col("event_type") == "LOGIN_FAILURE") & (col("recent_events") > 3))

detect_potential_attacks(df).show()

+-------------------+-------------+-----+---------------+--------------------+-------------+
|          timestamp|   event_type| user|             ip|             message|recent_events|
+-------------------+-------------+-----+---------------+--------------------+-------------+
|2025-04-02 18:50:45|LOGIN_FAILURE|admin|     172.16.0.2|Intento de acceso...|            6|
|2025-04-02 18:50:45|LOGIN_FAILURE|admin|       10.0.0.1|Intento de acceso...|            6|
|2025-04-02 18:50:45|LOGIN_FAILURE|admin|       10.0.0.1|Intento de acceso...|            6|
|2025-04-02 18:50:45|LOGIN_FAILURE|guest|   203.0.113.45|Intento de acceso...|            6|
|2025-04-02 18:50:45|LOGIN_FAILURE|guest|     172.16.0.2|Intento de acceso...|            6|
|2025-04-02 18:50:45|LOGIN_FAILURE| root|   203.0.113.45|Intento de acceso...|            6|
|2025-04-02 18:50:45|LOGIN_FAILURE| root|   192.168.1.15|Intento de acceso...|            6|
|2025-04-02 18:50:45|LOGIN_FAILURE|user1|       10.0.0.1|Intento de ac