In [None]:
import pandas as pd
import json

import warnings
warnings.filterwarnings('ignore')

# Read the Excel file
file_path = '/content/02April (1).xlsx'  # Replace with your file path
df = pd.read_excel(file_path)

# Define the threat combinations
threat_events = [
    {'eventName': 'UpdateFunctionConfiguration', 'eventSource': 'lambda.amazonaws.com'},
    {'eventName': 'StopLogging'},
    {'eventName': 'UpdateTrail'},
    {'eventName': 'DeleteTrail'},
    {'eventName': 'DeleteDeliveryChannel'},
    {'eventName': 'StopConfigurationRecorder'},
    {'eventName': 'GetSigninToken'},
    {'eventName': 'DeleteIdentity', 'eventSource': 'ses.amazonaws.com'},
    {'eventName': 'PutBucketVersioning', 'requestParameters': 'Suspended'},
    {'eventName': 'DisableEbsEncryptionByDefault', 'eventSource': 'ec2.amazonaws.com'},
    {'eventName': 'ModifyInstanceAttribute', 'eventSource': 'ec2.amazonaws.com', 'requestParameters.attribute': 'userData'},
    {'eventName': 'CreateInstanceExportTask', 'errorMessage': '*', 'responseElements': 'Failure', 'eventSource': 'ec2.amazonaws.com'},
    {'eventName': 'DescribeTaskDefinition', 'eventSource': 'ecs.amazonaws.com', 'requestParameters.containerDefinitions.command': '$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'},
    {'eventName': 'DeleteFileSystem', 'eventSource': 'elasticfilesystem.amazonaws.com'},
    {'eventName': 'DeleteMountTarget', 'eventSource': 'elasticfilesystem.amazonaws.com'},
    {'eventName': 'CreateCluster', 'eventSource': 'eks.amazonaws.com'},
    {'eventName': 'DeleteCluster', 'eventSource': 'eks.amazonaws.com'},
    {'eventName': 'DeleteCacheSecurityGroup', 'eventSource': 'elasticache.amazonaws.com'},
    {'eventName': 'AuthorizeCacheSecurityGroupIngress', 'eventSource': 'elasticache.amazonaws.com'},
    {'eventName': 'RevokeCacheSecurityGroupIngress', 'eventSource': 'elasticache.amazonaws.com'},
    {'eventName': 'AuthorizeCacheSecurityGroupEgress', 'eventSource': 'elasticache.amazonaws.com'},
    {'eventName': 'RevokeCacheSecurityGroupEgress', 'eventSource': 'elasticache.amazonaws.com'},
    {'eventName': 'ListBuckets', 'userIdentity.type': 'AssumedRole'},
    {'eventName': 'CreateIPSet', 'eventSource': 'guardduty.amazonaws.com'},
    {'eventName': 'CreateAccessKey', 'eventSource': 'iam.amazonaws.com'},
    {'eventName': 'GetLoginProfile'},
    {'eventName': 'CreateLoginProfile'},
    {'eventName': 'PutUserPolicy', 'userAgent': 'S3 Browser', 'requestParameters': 'Allow'},
    {'eventName': 'CreateUser', 'userAgent': 'S3 Browser'},
    {'eventName': 'CreateAccessKey', 'userAgent': 'S3 Browser'},
    {'eventName': 'CreateDevEndpoint', 'eventSource': 'glue.amazonaws.com'},
    {'eventName': 'DeleteDevEndpoint', 'eventSource': 'glue.amazonaws.com'},
    {'eventName': 'UpdateDevEndpoint', 'eventSource': 'glue.amazonaws.com'},
    {'eventName': 'ModifyDBInstance', 'eventSource': 'rds.amazonaws.com', 'responseElements.pendingModifiedValues.masterUserPassword': '*'},
    {'eventName': 'RestoreDBInstanceFromDBSnapshot', 'eventSource': 'rds.amazonaws.com', 'responseElements.publiclyAccessible': True},
    {'eventName': 'DisableDomainTransferLock', 'eventSource': 'route53.amazonaws.com'},
    {'eventName': 'TransferDomainToAnotherAwsAccount', 'eventSource': 'route53.amazonaws.com'},
    {'eventName': 'PutBucketLogging', 'eventSource': 's3.amazonaws.com'},
    {'eventName': 'PutBucketWebsite', 'eventSource': 's3.amazonaws.com'},
    {'eventName': 'PutEncryptionConfiguration', 'eventSource': 's3.amazonaws.com'},
    {'eventName': 'PutLifecycleConfiguration', 'eventSource': 's3.amazonaws.com'},
    {'eventName': 'PutReplicationConfiguration', 'eventSource': 's3.amazonaws.com'},
    {'eventName': 'ReplicateObject', 'eventSource': 's3.amazonaws.com'},
    {'eventName': 'RestoreObject', 'eventSource': 's3.amazonaws.com'},
    {'eventName': 'BatchUpdateFindings'},
    {'eventName': 'DeleteInsight'},
    {'eventName': 'UpdateFindings'},
    {'eventName': 'UpdateInsight'},
    {'eventName': 'ModifySnapshotAttribute', 'eventSource': 'ec2.amazonaws.com'},
    {'eventName': 'AssociateDirectory', 'eventSource': 'sso-directory.amazonaws.com'},
    {'eventName': 'DisableExternalIdPConfigurationForDirectory', 'eventSource': 'sso-directory.amazonaws.com'},
    {'eventName': 'DisassociateDirectory', 'eventSource': 'sso-directory.amazonaws.com'},
    {'eventName': 'EnableExternalIdPConfigurationForDirectory', 'eventSource': 'sso-directory.amazonaws.com'},
    {'userIdentity.type': 'AssumedRole', 'userIdentity.sessionContext.sessionIssuer.type': 'Role'},
    {'eventName': 'GetSessionToken', 'eventSource': 'sts.amazonaws.com', 'userIdentity.type': 'IAMUser'},
    {'eventName': 'UpdateSAMLProvider', 'eventSource': 'iam.amazonaws.com'},
    {'eventName': 'UpdateLoginProfile', 'eventSource': 'iam.amazonaws.com'}
]


event_mapping = {
    'UpdateFunctionConfiguration': ('AWS Attached Malicious Lambda Layer', 'medium'),
    'StopLogging': ('AWS CloudTrail Disable Logging', 'medium'),
    'UpdateTrail': ('AWS CloudTrail Disable Logging', 'medium'),
    'DeleteTrail': ('AWS CloudTrail Disable Logging', 'medium'),
    'DeleteDeliveryChannel': ('AWS Config Disable Recording', 'high'),
    'StopConfigurationRecorder': ('AWS Config Disable Recording', 'high'),
    'GetSigninToken': ('AWS Console Get Signin Token', 'medium'),
    'DeleteIdentity': ('AWS Delete Identity', 'medium'),
    'PutBucketVersioning': ('AWS Disable Bucket Versioning', 'medium'),
    'DisableEbsEncryptionByDefault': ('AWS EC2 Disable Encryption', 'medium'),
    'ModifyInstanceAttribute': ('AWS EC2 Startup Script Change', 'high'),
    'CreateInstanceExportTask': ('AWS EC2 VM Export Failure', 'low'),
    'DescribeTaskDefinition': ('AWS ECS Task Definition Cred Endpoint Query', 'medium'),
    'RegisterTaskDefinition': ('AWS ECS Task Definition Cred Endpoint Query', 'medium'),
    'RunTask': ('AWS ECS Task Definition Cred Endpoint Query', 'medium'),
    'DeleteFileSystem': ('AWS EFS Fileshare Modified or Deleted', 'medium'),
    'DeleteMountTarget': ('AWS EFS Fileshare Mount Modified or Deleted', 'medium'),
    'CreateCluster': ('AWS EKS Cluster Created or Deleted', 'low'),
    'DeleteCluster': ('AWS EKS Cluster Created or Deleted', 'low'),
    'DeleteCacheSecurityGroup': ('AWS Elasticache Security Group Modified or Deleted', 'low'),
    'AuthorizeCacheSecurityGroupIngress': ('AWS Elasticache Security Group Modified or Deleted', 'low'),
    'RevokeCacheSecurityGroupIngress': ('AWS Elasticache Security Group Modified or Deleted', 'low'),
    'AuthorizeCacheSecurityGroupEgress': ('AWS Elasticache Security Group Modified or Deleted', 'low'),
    'RevokeCacheSecurityGroupEgress': ('AWS Elasticache Security Group Modified or Deleted', 'low'),
    'ListBuckets': ('AWS Enum Buckets', 'low'),
    'CreateIPSet': ('AWS GuardDuty Disruption', 'high'),
    'CreateAccessKey': ('AWS IAM Backdoor Users Keys', 'medium'),
    'GetLoginProfile': ('AWS IAM S3Browser Login Profile Creation', 'high'),
    'CreateLoginProfile': ('AWS IAM S3Browser Login Profile Creation', 'high'),
    'PutUserPolicy': ('AWS IAM S3Browser Templated S3 Bucket Policy Creation', 'high'),
    'CreateUser': ('AWS IAM S3Browser User or AccessKey Creation', 'high'),
    'CreateDevEndpoint': ('AWS Passed Role to Glue Development Endpoint', 'low'),
    'DeleteDevEndpoint': ('AWS Passed Role to Glue Development Endpoint', 'low'),
    'UpdateDevEndpoint': ('AWS Passed Role to Glue Development Endpoint', 'low'),
    'ModifyDBInstance': ('AWS RDS Change Master Password', 'medium'),
    'RestoreDBInstanceFromDBSnapshot': ('AWS RDS Public DB Restore', 'high'),
    'DisableDomainTransferLock': ('AWS Route 53 Domain Transferred Lock Disabled', 'low'),
    'TransferDomainToAnotherAwsAccount': ('AWS Route 53 Domain Transferred to Another Account', 'low'),
    'PutBucketLogging': ('AWS S3 Data Management Tampering', 'low'),
    'PutBucketWebsite': ('AWS S3 Data Management Tampering', 'low'),
    'PutEncryptionConfiguration': ('AWS S3 Data Management Tampering', 'low'),
    'PutLifecycleConfiguration': ('AWS S3 Data Management Tampering', 'low'),
    'PutReplicationConfiguration': ('AWS S3 Data Management Tampering', 'low'),
    'ReplicateObject': ('AWS S3 Data Management Tampering', 'low'),
    'RestoreObject': ('AWS S3 Data Management Tampering', 'low'),
    'BatchUpdateFindings': ('AWS SecurityHub Finding Evasion', 'high'),
    'DeleteInsight': ('AWS SecurityHub Finding Evasion', 'high'),
    'UpdateFindings': ('AWS SecurityHub Finding Evasion', 'high'),
    'UpdateInsight': ('AWS SecurityHub Finding Evasion', 'high'),
    'ModifySnapshotAttribute': ('AWS Snapshot Backup Exfiltration', 'medium'),
    'AssociateDirectory': ('AWS SSO IDP Change', 'high'),
    'DisableExternalIdPConfigurationForDirectory': ('AWS SSO IDP Change', 'high'),
    'DisassociateDirectory': ('AWS SSO IDP Change', 'high'),
    'EnableExternalIdPConfigurationForDirectory': ('AWS SSO IDP Change', 'high'),
    'GetSessionToken': ('AWS STS GetSessionToken Misuse', 'low'),
    'UpdateSAMLProvider': ('AWS Suspicious SAML Activity', 'medium'),
    'UpdateLoginProfile': ('AWS Update Login Profile', 'high')
}


# Create an empty DataFrame to store threat logs
threatlogs = pd.DataFrame()

# Function to check if a row matches all conditions in an event
def match_event(row, event):
    for key, value in event.items():
        if '.' in key:
            # Handle nested keys
            parts = key.split('.')
            row_value = row
            for part in parts:
                if isinstance(row_value, str):
                    try:
                        row_value = json.loads(row_value)
                    except json.JSONDecodeError:
                        return False
                if isinstance(row_value, dict):
                    row_value = row_value.get(part)
                else:
                    # If row_value is not a dict (e.g., it's a float), we can't proceed
                    return False
                if row_value is None:
                    return False
        else:
            row_value = row.get(key)

        if isinstance(value, bool):
            if row_value != value:
                return False
        elif value == '*':
            if row_value is None or row_value == '':
                return False
        elif isinstance(value, str) and value.startswith('$'):
            # Handle special case for string starting with $
            if not isinstance(row_value, str) or value not in row_value:
                return False
        elif row_value != value:
            return False
    return True

# Check for threat events in the logs
for event in threat_events:
    detected_threats = df[df.apply(lambda row: match_event(row, event), axis=1)]
    if not detected_threats.empty:
        threatlogs = pd.concat([threatlogs, detected_threats])

# Add new columns to threatlogs
threatlogs['is_threat'] = 1
threatlogs['use_case'] = threatlogs['eventName'].map(lambda x: event_mapping.get(x, ('Unknown', 'low'))[0])
threatlogs['level'] = threatlogs['eventName'].map(lambda x: event_mapping.get(x, ('Unknown', 'low'))[1])

# Select and reorder columns
columns_to_print = [
    'eventName', 'eventTime', 'userIdentity.arn','userIdentity.type', 'sourceIPAddress', 'awsRegion',
    'is_threat', 'use_case', 'level',
]

# Sort the DataFrame by eventTime
result = threatlogs.sort_values('eventTime')

# Reset index and add it as the first column
result = result.reset_index(drop=True)
result.index += 1  # Start index from 1 instead of 0
result.index.name = 'id'

# Select only the specified columns
result = result[columns_to_print].copy()

# Reset index to make 'id' a column
result = result.reset_index()

result[:15]



Unnamed: 0,id,eventName,eventTime,userIdentity.arn,userIdentity.type,sourceIPAddress,awsRegion,is_threat,use_case,level
0,1,UpdateTrail,2024-04-02T05:24:03Z,arn:aws:iam::671199506904:user/nicferns,IAMUser,70.180.20.230,us-east-1,1,AWS CloudTrail Disable Logging,medium
1,2,StopLogging,2024-04-02T05:24:05Z,arn:aws:iam::671199506904:user/nicferns,IAMUser,70.180.20.230,us-east-1,1,AWS CloudTrail Disable Logging,medium
2,3,DeleteDeliveryChannel,2024-04-02T05:24:07Z,arn:aws:iam::671199506904:user/nicferns,IAMUser,70.180.20.230,us-east-1,1,AWS Config Disable Recording,high
3,4,DeleteFileSystem,2024-04-02T05:24:07Z,arn:aws:iam::671199506904:user/nicferns,IAMUser,70.180.20.230,us-east-1,1,AWS EFS Fileshare Modified or Deleted,medium
4,5,DeleteTrail,2024-04-02T05:24:08Z,arn:aws:iam::671199506904:user/nicferns,IAMUser,70.180.20.230,us-east-1,1,AWS CloudTrail Disable Logging,medium
5,6,StopConfigurationRecorder,2024-04-02T05:24:08Z,arn:aws:iam::671199506904:user/nicferns,IAMUser,70.180.20.230,us-east-1,1,AWS Config Disable Recording,high
6,7,StopConfigurationRecorder,2024-04-02T05:24:09Z,arn:aws:iam::671199506904:user/nicferns,IAMUser,70.180.20.230,us-east-1,1,AWS Config Disable Recording,high
7,8,GetSigninToken,2024-04-02T05:24:09Z,arn:aws:iam::671199506904:user/nicferns,IAMUser,70.180.20.230,us-east-1,1,AWS Console Get Signin Token,medium
8,9,DeleteMountTarget,2024-04-02T05:24:10Z,arn:aws:iam::671199506904:user/nicferns,IAMUser,70.180.20.230,us-east-1,1,AWS EFS Fileshare Mount Modified or Deleted,medium
9,10,CreateCluster,2024-04-02T05:24:20Z,arn:aws:iam::671199506904:user/nicferns,IAMUser,70.180.20.230,us-east-1,1,AWS EKS Cluster Created or Deleted,low


In [None]:
result.shape

(59, 10)

In [None]:
!pip install langchain_google_genai langchain google



In [None]:
from langchain_core.messages import HumanMessage
from langchain_google_genai import ChatGoogleGenerativeAI
from google.generativeai.types import HarmCategory, HarmBlockThreshold

llm = ChatGoogleGenerativeAI(model="gemini-pro",google_api_key="AIzaSyB3p0pYwUY7sIa390RQh0XVlLAKhv-Lj9E",
                                    temperature=0.7)

for index, row in result.iterrows():
    value = row.to_string()

    # Assuming llm.invoke() expects messages of type 'user'
    messages = " why this row is a suspicious explain me with correct info and creativity " + value

    # Create a message in the expected format
    gen_message = {
        "type": "user",  # Specify the type expected by llm.invoke()
        "content": messages
    }

    # Invoke your chat model with the message
    resp = llm.invoke([gen_message])

    print(resp.content)
    print("\n***",index,"***\n")
    print("__________________________")

This row is suspicious because it shows an attempt to disable AWS CloudTrail logging. CloudTrail is a service that records API calls made to AWS services. Disabling CloudTrail logging would make it more difficult to detect and investigate security incidents.

The following information is suspicious:

* **eventName:** UpdateTrail
* **use_case:** AWS CloudTrail Disable Logging
* **userIdentity.arn:** arn:aws:iam::671199506904:user/nicferns
* **sourceIPAddress:** 70.180.20.230
* **is_threat:** 1

The user nicferns, from the IP address 70.180.20.230, attempted to disable CloudTrail logging in the us-east-1 region. This could be an attempt to hide malicious activity or to prevent the detection of a security incident.

It is important to investigate this event further to determine if it is a legitimate action or a malicious attempt to disable CloudTrail logging.
__________________________
This row is suspicious because it shows that user "nicferns" with IAM User type, from IP address 70.180.

In [None]:
from langchain_core.messages import HumanMessage
from langchain_google_genai import ChatGoogleGenerativeAI
from google.generativeai.types import HarmCategory, HarmBlockThreshold

llm = ChatGoogleGenerativeAI(model="gemini-pro",google_api_key="AIzaSyB3p0pYwUY7sIa390RQh0XVlLAKhv-Lj9E",
                                temperature=0.7)


# Assuming llm.invoke() expects messages of type 'user'
messages = " why this row is a suspicious explain me with correct info and creativity " + value

# Create a message in the expected format
gen_message = {
    "type": "user",  # Specify the type expected by llm.invoke()
    "content": messages
}

# Invoke your chat model with the message
resp = llm.invoke([gen_message])


In [None]:
resp.content

'This row is suspicious because the `use_case` field is set to `"AWS IAM S3Browser Login Profile Creation"`. This indicates that the event is related to the creation of an S3Browser login profile, which is a tool that allows users to access Amazon S3 buckets using a web browser. The fact that the `is_threat` field is set to `1` indicates that the event is considered to be a potential threat.\n\nThere are a few reasons why this event might be considered suspicious. First, the source IP address is from a country that is known to be a source of malicious activity. Second, the user identity is an IAM user, which is a type of user that is typically used for programmatic access to AWS resources. Third, the event occurred at a time when the user is not typically active.\n\nOverall, this event is suspicious because it has several characteristics that are commonly associated with malicious activity. However, it is important to note that this event is not necessarily evidence of a security breac