<a href="https://colab.research.google.com/github/Sakshi4724/Development-of-Interactive-Cyber-Threat-Visualization-Dashboard/blob/main/SQL_Task.ipynb" target="_parent"><img src="https://colab.research.google.com/assets/colab-badge.svg" alt="Open In Colab"/></a>

In [None]:

---

### **SQL Task: Cyber Threat Analysis**
~ Sakshi Gote

**SQL Definition:** Structured Query Language is the standard language for managing and manipulating relational databases.
**SQL Use:** Used to store, retrieve, manage, and organize security data efficiently within relational databases.
**Real-world Usage:** Powers Security Information and Event Management (SIEM) systems to track logs and detect breaches.

* **DDL (Data Definition Language):** Commands for defining database structure (e.g., `CREATE`, `DROP`).
* **DML (Data Manipulation Language):** Commands for managing data (e.g., `SELECT`, `INSERT`, `UPDATE`).
* **DCL (Data Control Language):** Commands for permissions (e.g., `GRANT`).
* **TCL (Transaction Control Language):** Commands for managing transactions (e.g., `COMMIT`).

#### **1. SQL Data Types & Table Creation**

**SQL Data Types Definition:** Classifies the type of value stored in a column.

* **INT:** Whole numbers (e.g., `LogID`, `Severity`).
* **VARCHAR/TEXT:** String text (e.g., `IP_Address`, `Attack_Type`).
* **DATETIME:** Date and time values.
* **BOOLEAN:** True/False values (e.g., `Is_Blocked`).

**CREATE TABLE:** Creates a new table in the database.
**INSERT INTO:** Adds new records into the table.

**Example: SecurityLogs Table**

```python
import sqlite3
import pandas as pd
from IPython.display import display

# Create SQLite connection
conn = sqlite3.connect(':memory:')
cursor = conn.cursor()

# Create SecurityLogs table
cursor.execute("""
CREATE TABLE SecurityLogs (
    LogID INTEGER PRIMARY KEY,
    Timestamp TEXT,
    Source_IP TEXT,
    Attack_Type TEXT,
    Severity INTEGER,
    Country TEXT,
    Status TEXT
)
""")

# Insert sample records
cursor.executemany("""
INSERT INTO SecurityLogs VALUES (?, ?, ?, ?, ?, ?, ?)
""", [
    (1, '2025-02-10 08:30', '192.168.1.5', 'DDoS', 85, 'China', 'Blocked'),
    (2, '2025-02-10 09:15', '10.0.0.4', 'SQL Injection', 95, 'Russia', 'Detected'),
    (3, '2025-02-10 10:00', '172.16.0.2', 'Phishing', 45, 'USA', 'Ignored'),
    (4, '2025-02-10 11:45', '192.168.1.10', 'DDoS', 80, 'China', 'Blocked'),
    (5, '2025-02-10 12:00', '10.0.0.8', 'Malware', 70, 'Brazil', 'Quarantined')
])

# Fetch and display table
df = pd.read_sql_query("SELECT * FROM SecurityLogs", conn)
display(df)

```

---

#### **2. SELECT with WHERE Conditions**

* **SELECT:** Used to retrieve specific columns.
* **WHERE:** Used to filter records based on conditions.
* **AND/OR:** Used to combine multiple conditions.

```python
# SELECT specific columns from SecurityLogs
query1 = "SELECT Source_IP, Attack_Type, Severity FROM SecurityLogs"
df1 = pd.read_sql_query(query1, conn)
display(df1)

# SELECT Critical Attacks (Severity > 80)
query2 = "SELECT * FROM SecurityLogs WHERE Severity > 80"
df2 = pd.read_sql_query(query2, conn)
display(df2)

# SELECT DDoS attacks from China
query3 = "SELECT * FROM SecurityLogs WHERE Attack_Type = 'DDoS' AND Country = 'China'"
df3 = pd.read_sql_query(query3, conn)
display(df3)

```

---

#### **3. Aggregate Functions**

* **COUNT():** Returns the total number of logs.
* **SUM():** Returns the total sum of a numeric column.
* **AVG():** Returns the average value.
* **MAX():** Returns the highest value (e.g., max severity).
* **MIN():** Returns the lowest value.

```python
# COUNT total attacks
query1 = "SELECT COUNT(*) AS Total_Attacks FROM SecurityLogs"
df1 = pd.read_sql_query(query1, conn)
display(df1)

# AVG Severity of attacks
query2 = "SELECT AVG(Severity) AS Avg_Severity FROM SecurityLogs"
df2 = pd.read_sql_query(query2, conn)
display(df2)

# MAX Severity recorded
query3 = "SELECT MAX(Severity) AS Max_Risk_Score FROM SecurityLogs"
df3 = pd.read_sql_query(query3, conn)
display(df3)

```

---

#### **4. GROUP BY and HAVING**

* **GROUP BY:** Groups records with the same values (e.g., grouping by Country).
* **HAVING:** Filters grouped records based on conditions (unlike WHERE, which filters rows).

```python
# GROUP attacks by Country
query1 = """
SELECT Country, COUNT(*) as Attack_Count
FROM SecurityLogs
GROUP BY Country
"""
df1 = pd.read_sql_query(query1, conn)
display(df1)

# GROUP BY with HAVING (Countries with Avg Severity > 80)
query2 = """
SELECT Country, AVG(Severity) as Avg_Risk
FROM SecurityLogs
GROUP BY Country
HAVING AVG(Severity) > 80
"""
df2 = pd.read_sql_query(query2, conn)
display(df2)

```

---

#### **5. ORDER BY and LIMIT**

* **ORDER BY:** Sorts the result set.
* **ASC:** Ascending order (default).
* **DESC:** Descending order.
* **LIMIT:** Restricts the number of records displayed.

```python
# ORDER attacks by Severity (High to Low)
query1 = "SELECT * FROM SecurityLogs ORDER BY Severity DESC"
df1 = pd.read_sql_query(query1, conn)
display(df1)

# Display Top 3 most critical threats
query2 = "SELECT * FROM SecurityLogs ORDER BY Severity DESC LIMIT 3"
df2 = pd.read_sql_query(query2, conn)
display(df2)

```

---

#### **6. JOINS**

* **JOIN:** Combines rows from two tables.
* **INNER JOIN:** Returns matching records from both tables.
* **LEFT JOIN:** Returns all records from left table and matches from right.

```python
# Create ThreatActors table for Joining
cursor.execute("CREATE TABLE ThreatActors (Attack_Type TEXT, Actor_Group TEXT)")
cursor.executemany("INSERT INTO ThreatActors VALUES (?, ?)", [
    ('DDoS', 'Botnet X'), ('SQL Injection', 'Lizard Squad'), ('Phishing', 'Silent Librarian')
])

# INNER JOIN SecurityLogs with ThreatActors
query1 = """
SELECT SecurityLogs.Source_IP, SecurityLogs.Attack_Type, ThreatActors.Actor_Group
FROM SecurityLogs
INNER JOIN ThreatActors
ON SecurityLogs.Attack_Type = ThreatActors.Attack_Type
"""
df1 = pd.read_sql_query(query1, conn)
display(df1)

```

---

#### **7. Subquery & Views**

* **Subquery:** A query inside another query.
* **View:** A virtual table created from a query.

```python
# Subquery: Find attacks with Severity higher than Average
query1 = """
SELECT * FROM SecurityLogs
WHERE Severity > (SELECT AVG(Severity) FROM SecurityLogs)
"""
df1 = pd.read_sql_query(query1, conn)
display(df1)

# VIEW: Create a view for Critical Threats
cursor.execute("""
CREATE VIEW CriticalThreats AS
SELECT Source_IP, Attack_Type, Severity
FROM SecurityLogs
WHERE Severity > 80
""")

# Retrieve data from View
df2 = pd.read_sql_query("SELECT * FROM CriticalThreats", conn)
display(df2)

```

---

#### **8. Transaction (TCL)**

* **TRANSACTION:** A set of operations executed as a unit.
* **ROLLBACK:** Undoes changes if an error occurs.

```python
# Update a record (Marking an attack as Resolved)
cursor.execute("UPDATE SecurityLogs SET Status = 'Resolved' WHERE LogID = 1")

# Rollback the transaction (Undo the update)
conn.rollback()

# Verify the Rollback (Status should still be 'Blocked')
df = pd.read_sql_query("SELECT * FROM SecurityLogs WHERE LogID = 1", conn)
display(df)

# Close connection
conn.close()

```


---

### **SQL Task: Cyber Threat Analysis**
~ Sakshi Gote

**SQL Definition:** Structured Query Language is the standard language for managing and manipulating relational databases.
**SQL Use:** Used to store, retrieve, manage, and organize security data efficiently within relational databases.
**Real-world Usage:** Powers Security Information and Event Management (SIEM) systems to track logs and detect breaches.

* **DDL (Data Definition Language):** Commands for defining database structure (e.g., `CREATE`, `DROP`).
* **DML (Data Manipulation Language):** Commands for managing data (e.g., `SELECT`, `INSERT`, `UPDATE`).
* **DCL (Data Control Language):** Commands for permissions (e.g., `GRANT`).
* **TCL (Transaction Control Language):** Commands for managing transactions (e.g., `COMMIT`).

#### **1. SQL Data Types & Table Creation**

**SQL Data Types Definition:** Classifies the type of value stored in a column.

* **INT:** Whole numbers (e.g., `LogID`, `Severity`).
* **VARCHAR/TEXT:** String text (e.g., `IP_Address`, `Attack_Type`).
* **DATETIME:** Date and time values.
* **BOOLEAN:** True/False values (e.g., `Is_Blocked`).

**CREATE TABLE:** Creates a new table in the database.
**INSERT INTO:** Adds new records into the table.

**Example: SecurityLogs Table**

In [None]:
import sqlite3
import pandas as pd
from IPython.display import display

# Create SQLite connection
conn = sqlite3.connect(':memory:')
cursor = conn.cursor()

# Create SecurityLogs table
cursor.execute("""
CREATE TABLE SecurityLogs (
    LogID INTEGER PRIMARY KEY,
    Timestamp TEXT,
    Source_IP TEXT,
    Attack_Type TEXT,
    Severity INTEGER,
    Country TEXT,
    Status TEXT
)
""")

# Insert sample records
cursor.executemany("""
INSERT INTO SecurityLogs VALUES (?, ?, ?, ?, ?, ?, ?)
""", [
    (1, '2025-02-10 08:30', '192.168.1.5', 'DDoS', 85, 'China', 'Blocked'),
    (2, '2025-02-10 09:15', '10.0.0.4', 'SQL Injection', 95, 'Russia', 'Detected'),
    (3, '2025-02-10 10:00', '172.16.0.2', 'Phishing', 45, 'USA', 'Ignored'),
    (4, '2025-02-10 11:45', '192.168.1.10', 'DDoS', 80, 'China', 'Blocked'),
    (5, '2025-02-10 12:00', '10.0.0.8', 'Malware', 70, 'Brazil', 'Quarantined')
])

# Fetch and display table
df = pd.read_sql_query("SELECT * FROM SecurityLogs", conn)
display(df)

Unnamed: 0,LogID,Timestamp,Source_IP,Attack_Type,Severity,Country,Status
0,1,2025-02-10 08:30,192.168.1.5,DDoS,85,China,Blocked
1,2,2025-02-10 09:15,10.0.0.4,SQL Injection,95,Russia,Detected
2,3,2025-02-10 10:00,172.16.0.2,Phishing,45,USA,Ignored
3,4,2025-02-10 11:45,192.168.1.10,DDoS,80,China,Blocked
4,5,2025-02-10 12:00,10.0.0.8,Malware,70,Brazil,Quarantined


---

#### **2. SELECT with WHERE Conditions**

* **SELECT:** Used to retrieve specific columns.
* **WHERE:** Used to filter records based on conditions.
* **AND/OR:** Used to combine multiple conditions.

In [None]:
# SELECT specific columns from SecurityLogs
query1 = "SELECT Source_IP, Attack_Type, Severity FROM SecurityLogs"
df1 = pd.read_sql_query(query1, conn)
display(df1)

# SELECT Critical Attacks (Severity > 80)
query2 = "SELECT * FROM SecurityLogs WHERE Severity > 80"
df2 = pd.read_sql_query(query2, conn)
display(df2)

# SELECT DDoS attacks from China
query3 = "SELECT * FROM SecurityLogs WHERE Attack_Type = 'DDoS' AND Country = 'China'"
df3 = pd.read_sql_query(query3, conn)
display(df3)

Unnamed: 0,Source_IP,Attack_Type,Severity
0,192.168.1.5,DDoS,85
1,10.0.0.4,SQL Injection,95
2,172.16.0.2,Phishing,45
3,192.168.1.10,DDoS,80
4,10.0.0.8,Malware,70


Unnamed: 0,LogID,Timestamp,Source_IP,Attack_Type,Severity,Country,Status
0,1,2025-02-10 08:30,192.168.1.5,DDoS,85,China,Blocked
1,2,2025-02-10 09:15,10.0.0.4,SQL Injection,95,Russia,Detected


Unnamed: 0,LogID,Timestamp,Source_IP,Attack_Type,Severity,Country,Status
0,1,2025-02-10 08:30,192.168.1.5,DDoS,85,China,Blocked
1,4,2025-02-10 11:45,192.168.1.10,DDoS,80,China,Blocked


---

#### **3. Aggregate Functions**

* **COUNT():** Returns the total number of logs.
* **SUM():** Returns the total sum of a numeric column.
* **AVG():** Returns the average value.
* **MAX():** Returns the highest value (e.g., max severity).
* **MIN():** Returns the lowest value.

In [None]:
# COUNT total attacks
query1 = "SELECT COUNT(*) AS Total_Attacks FROM SecurityLogs"
df1 = pd.read_sql_query(query1, conn)
display(df1)

# AVG Severity of attacks
query2 = "SELECT AVG(Severity) AS Avg_Severity FROM SecurityLogs"
df2 = pd.read_sql_query(query2, conn)
display(df2)

# MAX Severity recorded
query3 = "SELECT MAX(Severity) AS Max_Risk_Score FROM SecurityLogs"
df3 = pd.read_sql_query(query3, conn)
display(df3)

Unnamed: 0,Total_Attacks
0,5


Unnamed: 0,Avg_Severity
0,75.0


Unnamed: 0,Max_Risk_Score
0,95


---

#### **4. GROUP BY and HAVING**

* **GROUP BY:** Groups records with the same values (e.g., grouping by Country).
* **HAVING:** Filters grouped records based on conditions (unlike WHERE, which filters rows).

In [None]:
# GROUP attacks by Country
query1 = """
SELECT Country, COUNT(*) as Attack_Count
FROM SecurityLogs
GROUP BY Country
"""
df1 = pd.read_sql_query(query1, conn)
display(df1)

# GROUP BY with HAVING (Countries with Avg Severity > 80)
query2 = """
SELECT Country, AVG(Severity) as Avg_Risk
FROM SecurityLogs
GROUP BY Country
HAVING AVG(Severity) > 80
"""
df2 = pd.read_sql_query(query2, conn)
display(df2)

Unnamed: 0,Country,Attack_Count
0,Brazil,1
1,China,2
2,Russia,1
3,USA,1


Unnamed: 0,Country,Avg_Risk
0,China,82.5
1,Russia,95.0


---

#### **5. ORDER BY and LIMIT**

* **ORDER BY:** Sorts the result set.
* **ASC:** Ascending order (default).
* **DESC:** Descending order.
* **LIMIT:** Restricts the number of records displayed.

In [None]:
# ORDER attacks by Severity (High to Low)
query1 = "SELECT * FROM SecurityLogs ORDER BY Severity DESC"
df1 = pd.read_sql_query(query1, conn)
display(df1)

# Display Top 3 most critical threats
query2 = "SELECT * FROM SecurityLogs ORDER BY Severity DESC LIMIT 3"
df2 = pd.read_sql_query(query2, conn)
display(df2)

Unnamed: 0,LogID,Timestamp,Source_IP,Attack_Type,Severity,Country,Status
0,2,2025-02-10 09:15,10.0.0.4,SQL Injection,95,Russia,Detected
1,1,2025-02-10 08:30,192.168.1.5,DDoS,85,China,Blocked
2,4,2025-02-10 11:45,192.168.1.10,DDoS,80,China,Blocked
3,5,2025-02-10 12:00,10.0.0.8,Malware,70,Brazil,Quarantined
4,3,2025-02-10 10:00,172.16.0.2,Phishing,45,USA,Ignored


Unnamed: 0,LogID,Timestamp,Source_IP,Attack_Type,Severity,Country,Status
0,2,2025-02-10 09:15,10.0.0.4,SQL Injection,95,Russia,Detected
1,1,2025-02-10 08:30,192.168.1.5,DDoS,85,China,Blocked
2,4,2025-02-10 11:45,192.168.1.10,DDoS,80,China,Blocked


---

#### **6. JOINS**

* **JOIN:** Combines rows from two tables.
* **INNER JOIN:** Returns matching records from both tables.
* **LEFT JOIN:** Returns all records from left table and matches from right.

In [None]:
# Create ThreatActors table for Joining
cursor.execute("CREATE TABLE ThreatActors (Attack_Type TEXT, Actor_Group TEXT)")
cursor.executemany("INSERT INTO ThreatActors VALUES (?, ?)", [
    ('DDoS', 'Botnet X'), ('SQL Injection', 'Lizard Squad'), ('Phishing', 'Silent Librarian')
])

# INNER JOIN SecurityLogs with ThreatActors
query1 = """
SELECT SecurityLogs.Source_IP, SecurityLogs.Attack_Type, ThreatActors.Actor_Group
FROM SecurityLogs
INNER JOIN ThreatActors
ON SecurityLogs.Attack_Type = ThreatActors.Attack_Type
"""
df1 = pd.read_sql_query(query1, conn)
display(df1)

Unnamed: 0,Source_IP,Attack_Type,Actor_Group
0,192.168.1.5,DDoS,Botnet X
1,10.0.0.4,SQL Injection,Lizard Squad
2,172.16.0.2,Phishing,Silent Librarian
3,192.168.1.10,DDoS,Botnet X


#### **LEFT JOIN Example**

We will perform a `LEFT JOIN` on `SecurityLogs` and `ThreatActors` tables using the `Attack_Type` column. This will show all security logs, and if an `Attack_Type` has a corresponding entry in `ThreatActors`, it will display the `Actor_Group`. If there's no match, the `Actor_Group` will be `NULL`.

In [None]:
import sqlite3
import pandas as pd
from IPython.display import display

# Re-create SQLite connection (as it might have been closed by previous cells)
conn = sqlite3.connect(':memory:')
cursor = conn.cursor()

# Re-create SecurityLogs table
cursor.execute("""
CREATE TABLE SecurityLogs (
    LogID INTEGER PRIMARY KEY,
    Timestamp TEXT,
    Source_IP TEXT,
    Attack_Type TEXT,
    Severity INTEGER,
    Country TEXT,
    Status TEXT
)
""")

# Re-insert sample records
cursor.executemany("""
INSERT INTO SecurityLogs VALUES (?, ?, ?, ?, ?, ?, ?)
""", [
    (1, '2025-02-10 08:30', '192.168.1.5', 'DDoS', 85, 'China', 'Blocked'),
    (2, '2025-02-10 09:15', '10.0.0.4', 'SQL Injection', 95, 'Russia', 'Detected'),
    (3, '2025-02-10 10:00', '172.16.0.2', 'Phishing', 45, 'USA', 'Ignored'),
    (4, '2025-02-10 11:45', '192.168.1.10', 'DDoS', 80, 'China', 'Blocked'),
    (5, '2025-02-10 12:00', '10.0.0.8', 'Malware', 70, 'Brazil', 'Quarantined')
])

# Re-create ThreatActors table for Joining
cursor.execute("CREATE TABLE ThreatActors (Attack_Type TEXT, Actor_Group TEXT)")
cursor.executemany("INSERT INTO ThreatActors VALUES (?, ?)", [
    ('DDoS', 'Botnet X'), ('SQL Injection', 'Lizard Squad'), ('Phishing', 'Silent Librarian')
])

query_left_join = """
SELECT
    SL.LogID,
    SL.Timestamp,
    SL.Source_IP,
    SL.Attack_Type,
    SL.Severity,
    SL.Country,
    SL.Status,
    TA.Actor_Group
FROM
    SecurityLogs AS SL
LEFT JOIN
    ThreatActors AS TA ON SL.Attack_Type = TA.Attack_Type
"""
df_left_join = pd.read_sql_query(query_left_join, conn)
display(df_left_join)

# It's good practice to close the connection when done, but for interactive examples,
# you might want to keep it open if subsequent cells depend on it.
# conn.close() # Commented out for now to allow further interaction if needed.

Unnamed: 0,LogID,Timestamp,Source_IP,Attack_Type,Severity,Country,Status,Actor_Group
0,1,2025-02-10 08:30,192.168.1.5,DDoS,85,China,Blocked,Botnet X
1,2,2025-02-10 09:15,10.0.0.4,SQL Injection,95,Russia,Detected,Lizard Squad
2,3,2025-02-10 10:00,172.16.0.2,Phishing,45,USA,Ignored,Silent Librarian
3,4,2025-02-10 11:45,192.168.1.10,DDoS,80,China,Blocked,Botnet X
4,5,2025-02-10 12:00,10.0.0.8,Malware,70,Brazil,Quarantined,


#### **RIGHT JOIN Example**

We will perform a `RIGHT JOIN` on `SecurityLogs` (left) and `ThreatActors` (right) tables using the `Attack_Type` column. This will show all threat actors, and if an `Attack_Type` has a corresponding entry in `SecurityLogs`, it will display those log details. If a `ThreatActor` has no matching `Attack_Type` in `SecurityLogs`, the `SecurityLogs` columns will be `NULL`.

In [None]:
import sqlite3
import pandas as pd
from IPython.display import display

# Re-create SQLite connection (as it might have been closed by previous cells)
conn = sqlite3.connect(':memory:')
cursor = conn.cursor()

# Re-create SecurityLogs table
cursor.execute("""
CREATE TABLE SecurityLogs (
    LogID INTEGER PRIMARY KEY,
    Timestamp TEXT,
    Source_IP TEXT,
    Attack_Type TEXT,
    Severity INTEGER,
    Country TEXT,
    Status TEXT
)
""")

# Re-insert sample records
cursor.executemany("""
INSERT INTO SecurityLogs VALUES (?, ?, ?, ?, ?, ?, ?)
""", [
    (1, '2025-02-10 08:30', '192.168.1.5', 'DDoS', 85, 'China', 'Blocked'),
    (2, '2025-02-10 09:15', '10.0.0.4', 'SQL Injection', 95, 'Russia', 'Detected'),
    (3, '2025-02-10 10:00', '172.16.0.2', 'Phishing', 45, 'USA', 'Ignored'),
    (4, '2025-02-10 11:45', '192.168.1.10', 'DDoS', 80, 'China', 'Blocked')
    # Note: 'Malware' entry is intentionally omitted here from SecurityLogs
    # to show a ThreatActor without a matching SecurityLog entry.
])

# Re-create ThreatActors table for Joining
cursor.execute("CREATE TABLE ThreatActors (Attack_Type TEXT, Actor_Group TEXT)")
cursor.executemany("INSERT INTO ThreatActors VALUES (?, ?)", [
    ('DDoS', 'Botnet X'),
    ('SQL Injection', 'Lizard Squad'),
    ('Phishing', 'Silent Librarian'),
    ('Malware', 'Dark Web Group') # Added a malware threat actor that might not have a log entry
])

# Rewriting the RIGHT JOIN as a LEFT JOIN by swapping tables
query_right_join = """
SELECT
    SL.LogID,
    SL.Timestamp,
    SL.Source_IP,
    SL.Attack_Type AS LogAttackType,
    SL.Severity,
    SL.Country,
    SL.Status,
    TA.Attack_Type AS ActorAttackType,
    TA.Actor_Group
FROM
    ThreatActors AS TA  -- This is now the 'left' table
LEFT JOIN
    SecurityLogs AS SL ON SL.Attack_Type = TA.Attack_Type -- This is now the 'right' table
"""
df_right_join = pd.read_sql_query(query_right_join, conn)
display(df_right_join)

# conn.close() # Commented out for now to allow further interaction if needed.

Unnamed: 0,LogID,Timestamp,Source_IP,LogAttackType,Severity,Country,Status,ActorAttackType,Actor_Group
0,1.0,2025-02-10 08:30,192.168.1.5,DDoS,85.0,China,Blocked,DDoS,Botnet X
1,4.0,2025-02-10 11:45,192.168.1.10,DDoS,80.0,China,Blocked,DDoS,Botnet X
2,2.0,2025-02-10 09:15,10.0.0.4,SQL Injection,95.0,Russia,Detected,SQL Injection,Lizard Squad
3,3.0,2025-02-10 10:00,172.16.0.2,Phishing,45.0,USA,Ignored,Phishing,Silent Librarian
4,,,,,,,,Malware,Dark Web Group


---

#### **7. Subquery & Views**

* **Subquery:** A query inside another query.
* **View:** A virtual table created from a query.

In [None]:
# Subquery: Find attacks with Severity higher than Average
query1 = """
SELECT * FROM SecurityLogs
WHERE Severity > (SELECT AVG(Severity) FROM SecurityLogs)
"""
df1 = pd.read_sql_query(query1, conn)
display(df1)

# VIEW: Create a view for Critical Threats
cursor.execute("""
CREATE VIEW CriticalThreats AS
SELECT Source_IP, Attack_Type, Severity
FROM SecurityLogs
WHERE Severity > 80
""")

# Retrieve data from View
df2 = pd.read_sql_query("SELECT * FROM CriticalThreats", conn)
display(df2)

Unnamed: 0,LogID,Timestamp,Source_IP,Attack_Type,Severity,Country,Status
0,1,2025-02-10 08:30,192.168.1.5,DDoS,85,China,Blocked
1,2,2025-02-10 09:15,10.0.0.4,SQL Injection,95,Russia,Detected
2,4,2025-02-10 11:45,192.168.1.10,DDoS,80,China,Blocked


Unnamed: 0,Source_IP,Attack_Type,Severity
0,192.168.1.5,DDoS,85
1,10.0.0.4,SQL Injection,95


---

#### **8. Transaction (TCL)**

* **TRANSACTION:** A set of operations executed as a unit.
* **ROLLBACK:** Undoes changes if an error occurs.

In [None]:
# Update a record (Marking an attack as Resolved)
cursor.execute("UPDATE SecurityLogs SET Status = 'Resolved' WHERE LogID = 1")

# Rollback the transaction (Undo the update)
conn.rollback()

# Verify the Rollback (Status should still be 'Blocked')
df = pd.read_sql_query("SELECT * FROM SecurityLogs WHERE LogID = 1", conn)
display(df)

# Close connection
conn.close()

Unnamed: 0,LogID,Timestamp,Source_IP,Attack_Type,Severity,Country,Status
