## **Introduction: Who are We**

-----------------------
### Workshop Lead: Louai Abboud
- Former ISSessions President
- Current ISSessions Vice President
- 3rd Year Student @ Sheridan
- Threat Hunting Internship @ Bell Canada
- C3X Organizer
- Security Interests: Threat Hunting, Detection Engineering, Data Analysis, Pandas/Jupyter Notebooks
- Interests: Reading (Forgotten Realms Universe, Dune, Old Classics), Dancing, Netflix, Being around People 

### Workshop Assistants: 
- Kurt Kousbek, President
- Nashad Hakim, Treasurer
- Cem Celen, Community Manager
- Yusef Islaih, Webmaster 
-------------------------

## **Agenda**
----------------
1. Why Pandas?
2. Tool Tour: Docker + Jupyter Lab
3. Prerequisite: Python Crash Course
4. Part 1: Pandas Theory
5. Part 2: Basic Pandas Operations
6. Part 3: Data Modification, Filtering, and Aggregation
7. Part 4: Data Correlation
8. Bonus: Analyzing Known Malware URLs using URLHAUS Dataset
-----------------

## **Introduction: Why Pandas?**
---------------------------------

- Pandas is a Python Data Analytics Library (like PySpark)
- It simplies the data analysis process by providing a simple interface by which a Data Analyst can:
    - Clean (Often Messy!) Data
    - Filter on (Lots & Lots of) Data
    - Aggregate on Data -> Statistics! Statistics! Statistics!
    - Correlate Data -> Intelligence = Data Correlation + Contextualization
    - Visualize Data -> A picture is worth a million words!
    - Produce Reports -> Management luv dem reports!!! <3
- Why Pandas for Security? 
    - Cybersecurity is an exercise in data collection, filtering, enrichment, correlation, contextualization, and communication.   
    - Security is all about making the right decisions at the right time. Ex: An alert 
        - Right Decisions -> Require Actionable Intelligence
        - Right Time -> Require Aggressive Automation
---------------------------------

## **Where is Pandas Used in Security?**
---------------------------------------
- **Threat Detection**: Pandas can help us correlate malicious indicators (look at the work of Cyberwardog and Cyberpanda). Malicious indicators are often spread out across Email Logs, Host Logs, IDPS Logs, Packet Captures, Proxy Logs, AV Logs. By itself, a single malicious indicator does not give us a lot of information. Pandas can help us correlate by:
    - Host
    - User
    - Process
    - IP
- **Incident Response**: Pandas can help us cut the time from initial breach to incident remediation. I know that I've been breached. What information do I need to collect in the next hour? What are the first 8-10 questions I would ask? Can I automate the collection and reporting of that information?
- **Threat Intelligence**: Pandas helps us contextualize log data with information from internal and external APIs and services. A ton of data is publicly available over hundreds if not thousands of public APIs (VirusTotal, IPVoid, DomainTools, PhishTank, OpenPhish, Crowdstrike etc.). Large organizations often have internal APIs to assist IT staff with automation. For example:
    - enrich username information with business unit, job title, etc.
    - enrich hostnames with application information
    - enrich IP/domain information with geolocation, registration date, blacklist information 
- **Machine Learning**: 
- **Adhoc Automation, Data Analysis, and Reporting**: Pandas can help you answer adhoc questions that may come up. Which of my servers are not sending logs? How many people clicked the link? Which advanced persistent threats often target clothing and fashion industry based on threat intelligence feeds?
-----------------------------------------

## **Other Reasons for Learning Pandas**
-----------------------------------------
- Who doesn't love pandas? ;)
- Automation and Programming skills are IN - crazy shortage in our industry!
- Fun <- able to answer ANY question based on existing data <-- IT'S A SUPERPOWER
-----------------------------------------

## **Tools: Docker**
-------------------------

- Containerization Technology: provide process, filesystem, network isolation
- Much lighter than VMs: 1) contain only processes, services, and files you bake into them; 2) no hardware virtualization.
- Great for prototyping, development, and testing. I didn't set up a JupyterLab server, I spun up a pre-built JupyterLab container.
- Almost Zero Cleanup: When you yeet the container is destroyed, you yeet everything in it.
    
**After Workshop Cleanup**: 
1. Open the Windows Command Prompt
2. docker container ls 
3. docker container stop \<container_id\>
4. docker container rm \<container_id\>
------------------

## **Tools: JupyterLab Demo**
----------------------------

1. How to Run a Cell?
2. How to Restart the Kernel and Clear all Outputs?
-----------------------------

## **Prerequisite: Python Crash Course**

### Variable Declaration

In [1]:
x = 1 
y = 3.14
word = "I am a string"
print(word)

I am a string


### Declaring a List

In [2]:
a_list = [1, 2, 2, 3, 4, 5, 6 ,7, 7]
# empty_list = []
a_list

[1, 2, 2, 3, 4, 5, 6, 7, 7]

### Accessing List Elements

In [3]:
a_list = [1, 2, 2, 3, 4, 5, 6 ,7, 7]
a_list[0]

1

### Slicing a List 

In [4]:
a_list = [1, 2, 2, 3, 4, 5, 6 ,7, 7]
a_list[5:8]

[5, 6, 7]

### Adding an Element to a List

In [5]:
a_list = [1, 2, 2, 3, 4, 5, 6 ,7, 7]
a_list.append(30000000000000)
a_list

[1, 2, 2, 3, 4, 5, 6, 7, 7, 30000000000000]

### Removing an Element from a List

In [6]:
a_list = [1, 2, 2, 3, 4, 5, 6 ,7, 7]
a_list.remove(7) # Remove by name, Removes first element only
# a_list.pop(7) # Remove by index and get the value returned
# a_list.clear() # Removes everything in the list, result is an empty list
a_list

[1, 2, 2, 3, 4, 5, 6, 7]

### Getting the Length of a List

In [7]:
a_list = [1, 2, 2, 3, 4, 5, 6 ,7, 7]
len(a_list)

9

### List Comprehensions

In [8]:
numbers = [1, 1, 3, 1]
numbers_plus_2 = [n + 2 for n in numbers] # Can also add an if ... else ... just before the "for"
numbers_plus_2

[3, 3, 5, 3]

### Declaring a Dictionary

In [9]:
a_dictionary = {
    "Key": "Value",
    1: "An Integer Key - Yep You can Mix and Match",
    "a_list": ["Yep", "A", "List", "Inside", "A", "Dictionary"]
}
# empty_dictionary = {}
a_dictionary

{'Key': 'Value',
 1: 'An Integer Key - Yep You can Mix and Match',
 'a_list': ['Yep', 'A', 'List', 'Inside', 'A', 'Dictionary']}

### Accessing Dictionary Elements

In [10]:
a_dictionary = {
    "Key": "Value",
    1: "An Integer Key - Yep You can Mix and Match",
    "a_list": ["Yep", "A", "List", "Inside", "A", "Dictionary"]
}
a_dictionary["Key"]

'Value'

### Adding a Dictionary Element

In [11]:
a_dictionary = {
    "Key": "Value",
    1: "An Integer Key - Yep You can Mix and Match",
    "a_list": ["Yep", "A", "List", "Inside", "A", "Dictionary"]
}
a_dictionary['New_Key'] = "New_Value"
a_dictionary

{'Key': 'Value',
 1: 'An Integer Key - Yep You can Mix and Match',
 'a_list': ['Yep', 'A', 'List', 'Inside', 'A', 'Dictionary'],
 'New_Key': 'New_Value'}

### Removing a Dictionary Element

In [12]:
a_dictionary = {
    "Key": "Value",
    1: "An Integer Key - Yep You can Mix and Match",
    "a_list": ["Yep", "A", "List", "Inside", "A", "Dictionary"]
}
del a_dictionary["Key"]
a_dictionary

{1: 'An Integer Key - Yep You can Mix and Match',
 'a_list': ['Yep', 'A', 'List', 'Inside', 'A', 'Dictionary']}

### Accessing all Dictionary Keys

In [13]:
a_dictionary = {
    "Key": "Value",
    1: "An Integer Key - Yep You can Mix and Match",
    "a_list": ["Yep", "A", "List", "Inside", "A", "Dictionary"]
}
a_dictionary.keys()

dict_keys(['Key', 1, 'a_list'])

### Accessing all Dictionary Values

In [14]:
a_dictionary = {
    "Key": "Value",
    1: "An Integer Key - Yep You can Mix and Match",
    "a_list": ["Yep", "A", "List", "Inside", "A", "Dictionary"]
}
a_dictionary.values()

dict_values(['Value', 'An Integer Key - Yep You can Mix and Match', ['Yep', 'A', 'List', 'Inside', 'A', 'Dictionary']])

### If Statements

In [15]:
the_answer_to_the_meaning_of_life = 42
if the_answer_to_the_meaning_of_life == 42:
    print("IT IS 42")
elif the_answer_to_the_meaning_of_life == 12:
    print("IT IS 12")
else:
    print("THERE IS NO MEANING TO LIFE.")

IT IS 42


### For Loops

In [16]:
GOT_characters = ["little finger", "arya stark", "Jon Snow", "Ygritte", "tyrion lannister"]
my_favorite_character = "tyrion lannister"
for GOT_character in GOT_characters:
    if GOT_character == my_favorite_character:
        print("{0} is my favorite character!!!!".format(GOT_character))
    else:
        print("{0} is NOT my favorite character. {1} is!".format(GOT_character, my_favorite_character))

little finger is NOT my favorite character. tyrion lannister is!
arya stark is NOT my favorite character. tyrion lannister is!
Jon Snow is NOT my favorite character. tyrion lannister is!
Ygritte is NOT my favorite character. tyrion lannister is!
tyrion lannister is my favorite character!!!!


### Common String Operations: Splitting a String into a List of Elements

In [17]:
lets_split_this_baby = "I am about to be split noooooooooooooooo"
split_into_a_list = lets_split_this_baby.split()
split_into_a_list

['I', 'am', 'about', 'to', 'be', 'split', 'noooooooooooooooo']

### Common String Operations: Joining a List Into a String

In [18]:
split_into_a_list = ["I", "shall", "be", "whole", "again!"] 
whole_again = " ".join(split_into_a_list) 
whole_again

'I shall be whole again!'

### Common String Operations: Replacing a Word in a String

In [19]:
vulgar_language = "WHAT THE FUCK DUDE!"
better = vulgar_language.replace("FUCK", "FUDGE").replace("WHAT", "MAKE").lower()
better

'make the fudge dude!'

### Common String Operations: Finding a Substring

In [20]:
sentence = "The pen is mightier than the sword."
word = "sword"
if word in sentence:
    print(True)

True


### Other Common String Operations

In [21]:
"love conquers all".endswith("all") # True
"fear is the mind killer".startswith("fear") # False
"WOOOOW".lower() # "woooow"
"hodor".upper() # HODOR

'HODOR'

### Functions

In [22]:
def merge_two_strings(stringA, stringB):
    return stringA + " " + stringB

joined_string = merge_two_strings("Oh how the moon", "yearns for the sun")
joined_string

'Oh how the moon yearns for the sun'

### Checking the Type of an Object

In [23]:
x = 4
word = "haha"
animals = ["zebra", "dog", "cat"]
print(type(x))
print(type(word))
print(type(animals))

<class 'int'>
<class 'str'>
<class 'list'>


-------------------------------------------------------------------------------
### **Exercise: Write a Function That Counts the Number of Times a Word Ending in "orrow" Appears in The Provided Poem**

In [24]:
the_raven_opening = """
Once upon a midnight dreary, while I pondered, weak and weary,
Over many a quaint and curious volume of forgotten lore-
    While I nodded, nearly napping, suddenly there came a tapping,
As of some one gently rapping, rapping at my chamber door.
"'Tis some visitor," I muttered, "tapping at my chamber door-
            Only this and nothing more."

    Ah, distinctly I remember it was in the bleak December;
And each separate dying ember wrought its ghost upon the floor.
    Eagerly I wished the morrow; vainly I had sought to borrow
    From my books surcease of sorrow, sorrow for the lost Lenore-
For the rare and radiant maiden whom the angels name Lenore-
            Nameless here for evermore.
"""

def how_many_orrows(poem):
    
    punctuation = ',\".;-'
    for char in poem:
        if char in punctuation:
            poem = poem.replace(char, "")
    
    word_list = poem.split()
    
    num_of_words_ending_in_morrow = 0
    for word in word_list:
        if word.endswith("orrow"):
            num_of_words_ending_in_morrow = num_of_words_ending_in_morrow + 1
    
    return num_of_words_ending_in_morrow
    

how_many_orrows(the_raven_opening)

4

------------------------------------------------------

## **Part #1: Basic Pandas Theory and Terminology**

- Dataframe = Table
- Series = Column or a Row
- Index = Row Labels
- NumPy arrays
    - what Series are under the hood
    - they are implementation of high perfromance arrays and matrices for scientific computing
    - stored more efficiently than lists
    - allow for vectorized computing as opposed to looping constructs

---------------------------------------------

## **Part #2: Basic Pandas Operations**

### Setup and Imports

In [25]:
import pandas as pd
import numpy as np

### Initializing a Dataframe: Dictionary of Lists

In [26]:
ids = ['A', 'B', 'C', 'D', 'E', 'F', 'A']
names = ['Nash', 'Kurt', 'Louai', 'Jamie', 'Yusef', 'Cem', 'Nash']
positions = ['Treasurer', 'President', 'Vice President', 'Events Manager', 'Webmaster', 'Community Manager', 'Treasurer']
ages = ['29', '26', '25', '20', '12', None, '29']
how_cool = ['11', '7', '11', '7', '3', None, '11']

data = {
    "ids": ids,
    "names": names,
    "positions": positions,
    "ages": ages,
    "how_cool": how_cool
}

df = pd.DataFrame(data)
df

Unnamed: 0,ids,names,positions,ages,how_cool
0,A,Nash,Treasurer,29.0,11.0
1,B,Kurt,President,26.0,7.0
2,C,Louai,Vice President,25.0,11.0
3,D,Jamie,Events Manager,20.0,7.0
4,E,Yusef,Webmaster,12.0,3.0
5,F,Cem,Community Manager,,
6,A,Nash,Treasurer,29.0,11.0


### Initializing a Dataframe: List of Dictionaries

In [27]:
data = [
    {"ids": "A", "names": "Nash", "positions": "Treasurer", "ages": "29", "how_cool": "11"},
    {"ids": "A", "names": "Nash", "positions": "Treasurer", "ages": "29", "how_cool": "11"}, 
    {"ids": "B", "names": "Kurt", "positions": "President", "ages": "26", "how_cool": "7"}, 
    {"ids": "C", "names": "Louai", "positions": "Vice President", "ages": "25", "how_cool": "11"}, 
    {"ids": "D", "names": "Jamie", "positions": "Events Manager", "ages": "20", "how_cool": "7"}, 
    {"ids": "E", "names": "Yusef", "positions": "Webmaster", "ages": "12", "how_cool": "3"}, 
    {"ids": "F", "names": "Cem", "positions": "Community Manager", "ages": None, "how_cool": None}
]

df = pd.DataFrame(data)
df

Unnamed: 0,ids,names,positions,ages,how_cool
0,A,Nash,Treasurer,29.0,11.0
1,A,Nash,Treasurer,29.0,11.0
2,B,Kurt,President,26.0,7.0
3,C,Louai,Vice President,25.0,11.0
4,D,Jamie,Events Manager,20.0,7.0
5,E,Yusef,Webmaster,12.0,3.0
6,F,Cem,Community Manager,,


### Selecting a Row

In [28]:
first_three_rows_df = df.iloc[0:3]
first_three_rows_df

Unnamed: 0,ids,names,positions,ages,how_cool
0,A,Nash,Treasurer,29,11
1,A,Nash,Treasurer,29,11
2,B,Kurt,President,26,7


### Selecting a Column (As a DataFrame)

In [29]:
column_list = ["names", "positions"]
names_and_positions_df = df[column_list]
names_and_positions_df

Unnamed: 0,names,positions
0,Nash,Treasurer
1,Nash,Treasurer
2,Kurt,President
3,Louai,Vice President
4,Jamie,Events Manager
5,Yusef,Webmaster
6,Cem,Community Manager


### Selecting a Column (As a Series)

In [30]:
how_cool_series = df['how_cool']
print(type(how_cool_series))
how_cool_series

<class 'pandas.core.series.Series'>


0      11
1      11
2       7
3      11
4       7
5       3
6    None
Name: how_cool, dtype: object

### Selecting a Row and a Column

In [31]:
df.loc[1:3, ["positions", "names"]]

Unnamed: 0,positions,names
1,Treasurer,Nash
2,President,Kurt
3,Vice President,Louai


### Setting the Index

In [32]:
df_with_ids_index = df.set_index('ids')
df_with_ids_index

Unnamed: 0_level_0,names,positions,ages,how_cool
ids,Unnamed: 1_level_1,Unnamed: 2_level_1,Unnamed: 3_level_1,Unnamed: 4_level_1
A,Nash,Treasurer,29.0,11.0
A,Nash,Treasurer,29.0,11.0
B,Kurt,President,26.0,7.0
C,Louai,Vice President,25.0,11.0
D,Jamie,Events Manager,20.0,7.0
E,Yusef,Webmaster,12.0,3.0
F,Cem,Community Manager,,


### Selecting the Index

In [33]:
df_with_ids_index.index

Index(['A', 'A', 'B', 'C', 'D', 'E', 'F'], dtype='object', name='ids')

### Resetting the Index

In [34]:
df_with_ids_index.reset_index(drop=False) # If drop = True, we would lose the ids column

Unnamed: 0,ids,names,positions,ages,how_cool
0,A,Nash,Treasurer,29.0,11.0
1,A,Nash,Treasurer,29.0,11.0
2,B,Kurt,President,26.0,7.0
3,C,Louai,Vice President,25.0,11.0
4,D,Jamie,Events Manager,20.0,7.0
5,E,Yusef,Webmaster,12.0,3.0
6,F,Cem,Community Manager,,


### Adding a Column

In [35]:
df_with_new_column = df
df_with_new_column['Favourite Book'] = ['Ella Enchanted', 'Ella Enchanted', 'Ella Enchanted', 'Dune', 'Dune', 'Homeland', 'Homeland']
df_with_new_column

Unnamed: 0,ids,names,positions,ages,how_cool,Favourite Book
0,A,Nash,Treasurer,29.0,11.0,Ella Enchanted
1,A,Nash,Treasurer,29.0,11.0,Ella Enchanted
2,B,Kurt,President,26.0,7.0,Ella Enchanted
3,C,Louai,Vice President,25.0,11.0,Dune
4,D,Jamie,Events Manager,20.0,7.0,Dune
5,E,Yusef,Webmaster,12.0,3.0,Homeland
6,F,Cem,Community Manager,,,Homeland


### Removing a Column

In [36]:
df_with_new_column.drop(['Favourite Book'], axis=1)

Unnamed: 0,ids,names,positions,ages,how_cool
0,A,Nash,Treasurer,29.0,11.0
1,A,Nash,Treasurer,29.0,11.0
2,B,Kurt,President,26.0,7.0
3,C,Louai,Vice President,25.0,11.0
4,D,Jamie,Events Manager,20.0,7.0
5,E,Yusef,Webmaster,12.0,3.0
6,F,Cem,Community Manager,,


### Adding a Row

In [37]:
df = df.append({"ids": "G", "names": "Nick", "positions": "Club Advisor", "ages": None, "how_cool": None}, 
          ignore_index=True) # Not specifying a "Favourite Book" causes a "NaN", Pandas' way of showing a missing value.
df

Unnamed: 0,ids,names,positions,ages,how_cool,Favourite Book
0,A,Nash,Treasurer,29.0,11.0,Ella Enchanted
1,A,Nash,Treasurer,29.0,11.0,Ella Enchanted
2,B,Kurt,President,26.0,7.0,Ella Enchanted
3,C,Louai,Vice President,25.0,11.0,Dune
4,D,Jamie,Events Manager,20.0,7.0,Dune
5,E,Yusef,Webmaster,12.0,3.0,Homeland
6,F,Cem,Community Manager,,,Homeland
7,G,Nick,Club Advisor,,,


### Removing a Row

In [38]:
df = df.drop(df.index[7], axis=0)
df

Unnamed: 0,ids,names,positions,ages,how_cool,Favourite Book
0,A,Nash,Treasurer,29.0,11.0,Ella Enchanted
1,A,Nash,Treasurer,29.0,11.0,Ella Enchanted
2,B,Kurt,President,26.0,7.0,Ella Enchanted
3,C,Louai,Vice President,25.0,11.0,Dune
4,D,Jamie,Events Manager,20.0,7.0,Dune
5,E,Yusef,Webmaster,12.0,3.0,Homeland
6,F,Cem,Community Manager,,,Homeland


### Getting Dataframe Column Data Types

In [39]:
df.dtypes

ids               object
names             object
positions         object
ages              object
how_cool          object
Favourite Book    object
dtype: object

### Filling in Missing Values

In [40]:
negative_one_for_missing_values_df = df.fillna(-1)
negative_one_for_missing_values_df 

Unnamed: 0,ids,names,positions,ages,how_cool,Favourite Book
0,A,Nash,Treasurer,29,11,Ella Enchanted
1,A,Nash,Treasurer,29,11,Ella Enchanted
2,B,Kurt,President,26,7,Ella Enchanted
3,C,Louai,Vice President,25,11,Dune
4,D,Jamie,Events Manager,20,7,Dune
5,E,Yusef,Webmaster,12,3,Homeland
6,F,Cem,Community Manager,-1,-1,Homeland


In [41]:
no_nas_df = df.dropna()
no_nas_df

Unnamed: 0,ids,names,positions,ages,how_cool,Favourite Book
0,A,Nash,Treasurer,29,11,Ella Enchanted
1,A,Nash,Treasurer,29,11,Ella Enchanted
2,B,Kurt,President,26,7,Ella Enchanted
3,C,Louai,Vice President,25,11,Dune
4,D,Jamie,Events Manager,20,7,Dune
5,E,Yusef,Webmaster,12,3,Homeland


### Dropping Duplicate Rows

In [42]:
df = negative_one_for_missing_values_df
no_duplicates_df = df.drop_duplicates()
no_duplicates_df

Unnamed: 0,ids,names,positions,ages,how_cool,Favourite Book
0,A,Nash,Treasurer,29,11,Ella Enchanted
2,B,Kurt,President,26,7,Ella Enchanted
3,C,Louai,Vice President,25,11,Dune
4,D,Jamie,Events Manager,20,7,Dune
5,E,Yusef,Webmaster,12,3,Homeland
6,F,Cem,Community Manager,-1,-1,Homeland


### Setting a Column's Data Type

In [43]:
df['ages'] = df['ages'].astype(int)
df['how_cool'] = df['how_cool'].astype(int)
df.dtypes

ids               object
names             object
positions         object
ages               int64
how_cool           int64
Favourite Book    object
dtype: object

---------------------------------
### **Exercise: Perform the Following Operations on the Data Provided**
- Make a Dataframe
- Change Column Data Types to Appropriate Value
- Deal with Duplicates (What do?)
- Set the index to RatingID
- Deal with Missing Data: Drop or Fill (And with what?)
- Set Approprite Data Types for all Columns
- *Extra #1*: Give me the average course rating and the average professor rating (using Pandas, of course :P)
- *Extra #2*: Give me the highest course rating and the highest professor rating (using Pandas, of course :P)

In [44]:
course_prof_ratings = [
    {"RatingID": "A", "CourseID": "SEC1123", "Professor": "Minerva McGonagall", "Course Rating": "7", "Professor Rating": "10"},
    {"RatingID": "B", "CourseID": "SEC2343", "Professor": "John Keating", "Course Rating": "8", "Professor Rating": "3"},
    {"RatingID": "C", "CourseID": "SEC2343", "Professor": "John Keating", "Course Rating": "8", "Professor Rating": "3"},
    {"RatingID": "D", "CourseID": "SEC7866", "Professor": "Vivian Banks", "Course Rating": "5", "Professor Rating": "6"},
    {"RatingID": "E", "CourseID": "PROG980", "Professor": "Peter Venkman", "Course Rating": np.nan, "Professor Rating": np.nan},
    {"RatingID": "F", "CourseID": "PROG898", "Professor": "Abraham Van Helsing", "Course Rating": np.nan, "Professor Rating": np.nan},
]

# Gotcha: NaN applies only to floats, not integers

# Make a Dataframe
course_prof_ratings_df = pd.DataFrame(course_prof_ratings)

# Set Data Types
course_prof_ratings_df['Course Rating'] = course_prof_ratings_df['Course Rating'].astype(float)
course_prof_ratings_df['Professor Rating'] = course_prof_ratings_df['Professor Rating'].astype(float)

# Set the index to RatingID
course_prof_ratings_df = course_prof_ratings_df.set_index(['RatingID'])

# Deal with Missing Data: Drop or Fill (And with what?)
course_prof_ratings_df['Course Rating'] = course_prof_ratings_df['Course Rating'].fillna(course_prof_ratings_df['Course Rating'].mean())
course_prof_ratings_df['Professor Rating'] = course_prof_ratings_df['Professor Rating'].fillna(course_prof_ratings_df['Professor Rating'].mean())

# Deal with Duplicates
#course_prof_ratings_df.drop_duplicates() # But does that make sense?

# Extra #1: Average Course Rating and Average Professor Rating
print("Average Course Rating: {0}".format(course_prof_ratings_df['Course Rating'].mean()))
print("Average Professor Rating: {0}".format(course_prof_ratings_df['Professor Rating'].mean()))

# Extra #2: Max Course Rating and Max Professor Rating
print("Max Course Rating: {0}".format(course_prof_ratings_df['Course Rating'].max()))
print("Max Professor Rating: {0}".format(course_prof_ratings_df['Professor Rating'].max()))

course_prof_ratings_df

Average Course Rating: 7.0
Average Professor Rating: 5.5
Max Course Rating: 8.0
Max Professor Rating: 10.0


Unnamed: 0_level_0,CourseID,Professor,Course Rating,Professor Rating
RatingID,Unnamed: 1_level_1,Unnamed: 2_level_1,Unnamed: 3_level_1,Unnamed: 4_level_1
A,SEC1123,Minerva McGonagall,7.0,10.0
B,SEC2343,John Keating,8.0,3.0
C,SEC2343,John Keating,8.0,3.0
D,SEC7866,Vivian Banks,5.0,6.0
E,PROG980,Peter Venkman,7.0,5.5
F,PROG898,Abraham Van Helsing,7.0,5.5


------------------------------------------

## **Part #3: Data Modification, Filtering, and Aggregation**

### Back to ISSessions Executives Dataframe

In [45]:
df

Unnamed: 0,ids,names,positions,ages,how_cool,Favourite Book
0,A,Nash,Treasurer,29,11,Ella Enchanted
1,A,Nash,Treasurer,29,11,Ella Enchanted
2,B,Kurt,President,26,7,Ella Enchanted
3,C,Louai,Vice President,25,11,Dune
4,D,Jamie,Events Manager,20,7,Dune
5,E,Yusef,Webmaster,12,3,Homeland
6,F,Cem,Community Manager,-1,-1,Homeland


### Filtering Data: Simple Filter

In [46]:
simple_filter = df['how_cool'] > 9 # Anyone who is coolter than a 9
df[simple_filter].reset_index(drop=True)

Unnamed: 0,ids,names,positions,ages,how_cool,Favourite Book
0,A,Nash,Treasurer,29,11,Ella Enchanted
1,A,Nash,Treasurer,29,11,Ella Enchanted
2,C,Louai,Vice President,25,11,Dune


### Filtering Data: AND

In [47]:
and_filter = (df['positions'].str.contains("President$")) & (df['how_cool'] > 9) # anyone that has President in their title and is coolter than a 9 
df[and_filter].reset_index(drop=True)

Unnamed: 0,ids,names,positions,ages,how_cool,Favourite Book
0,C,Louai,Vice President,25,11,Dune


### Filtering Data: OR

In [48]:
or_filter = (df['names'].str.len() < 4) | (df['Favourite Book'].str.contains("Ella Enchanted")) # names with less than 4 letters or those who love Ella Enchanted
df[or_filter].reset_index(drop=True)

Unnamed: 0,ids,names,positions,ages,how_cool,Favourite Book
0,A,Nash,Treasurer,29,11,Ella Enchanted
1,A,Nash,Treasurer,29,11,Ella Enchanted
2,B,Kurt,President,26,7,Ella Enchanted
3,F,Cem,Community Manager,-1,-1,Homeland


### Filtering Data: NOT

In [49]:
not_filter = ~(df['ages'] == 25) # Anyone who is not aged 25
df[not_filter].reset_index(drop=True)

Unnamed: 0,ids,names,positions,ages,how_cool,Favourite Book
0,A,Nash,Treasurer,29,11,Ella Enchanted
1,A,Nash,Treasurer,29,11,Ella Enchanted
2,B,Kurt,President,26,7,Ella Enchanted
3,D,Jamie,Events Manager,20,7,Dune
4,E,Yusef,Webmaster,12,3,Homeland
5,F,Cem,Community Manager,-1,-1,Homeland


### Applying an Operation on a Column in a Dataframe: Simple Math

In [50]:
df['how_cool'] = df['how_cool'] * 2 # Changing the coolness scale to be out of 20
df['how_cool'] = df['how_cool'].replace(-2, -1) # Replace the -2 (NA) with -1
df

Unnamed: 0,ids,names,positions,ages,how_cool,Favourite Book
0,A,Nash,Treasurer,29,22,Ella Enchanted
1,A,Nash,Treasurer,29,22,Ella Enchanted
2,B,Kurt,President,26,14,Ella Enchanted
3,C,Louai,Vice President,25,22,Dune
4,D,Jamie,Events Manager,20,14,Dune
5,E,Yusef,Webmaster,12,6,Homeland
6,F,Cem,Community Manager,-1,-1,Homeland


### Applying an Operation on a Column in a Dataframe: List Comprehension

In [51]:
df['signature'] = ["{0}, {1}".format(name, position) for name, position in zip(df['names'] , df['positions'])]
df

Unnamed: 0,ids,names,positions,ages,how_cool,Favourite Book,signature
0,A,Nash,Treasurer,29,22,Ella Enchanted,"Nash, Treasurer"
1,A,Nash,Treasurer,29,22,Ella Enchanted,"Nash, Treasurer"
2,B,Kurt,President,26,14,Ella Enchanted,"Kurt, President"
3,C,Louai,Vice President,25,22,Dune,"Louai, Vice President"
4,D,Jamie,Events Manager,20,14,Dune,"Jamie, Events Manager"
5,E,Yusef,Webmaster,12,6,Homeland,"Yusef, Webmaster"
6,F,Cem,Community Manager,-1,-1,Homeland,"Cem, Community Manager"


### Applying an Operation on a Column in a Dataframe Based on a Value in Another Column: Series.apply()

In [52]:
def change_nash_fav_book_to_giver(name, fav_book):
    if name == "Nash":
        return "The Giver"
    else:
        return fav_book
            
df['Favourite Book'] = df.apply(lambda x: change_nash_fav_book_to_giver(x['names'], x['Favourite Book']), axis=1)
df

Unnamed: 0,ids,names,positions,ages,how_cool,Favourite Book,signature
0,A,Nash,Treasurer,29,22,The Giver,"Nash, Treasurer"
1,A,Nash,Treasurer,29,22,The Giver,"Nash, Treasurer"
2,B,Kurt,President,26,14,Ella Enchanted,"Kurt, President"
3,C,Louai,Vice President,25,22,Dune,"Louai, Vice President"
4,D,Jamie,Events Manager,20,14,Dune,"Jamie, Events Manager"
5,E,Yusef,Webmaster,12,6,Homeland,"Yusef, Webmaster"
6,F,Cem,Community Manager,-1,-1,Homeland,"Cem, Community Manager"


### Applying an Operation on a Column in a Dataframe Based on a Value in Another Column: Filtering and Selection

In [53]:
df.loc[df['names'] == "Nash", 'Favourite Book'] = "Ella Enchanted"
df

Unnamed: 0,ids,names,positions,ages,how_cool,Favourite Book,signature
0,A,Nash,Treasurer,29,22,Ella Enchanted,"Nash, Treasurer"
1,A,Nash,Treasurer,29,22,Ella Enchanted,"Nash, Treasurer"
2,B,Kurt,President,26,14,Ella Enchanted,"Kurt, President"
3,C,Louai,Vice President,25,22,Dune,"Louai, Vice President"
4,D,Jamie,Events Manager,20,14,Dune,"Jamie, Events Manager"
5,E,Yusef,Webmaster,12,6,Homeland,"Yusef, Webmaster"
6,F,Cem,Community Manager,-1,-1,Homeland,"Cem, Community Manager"


### Data Aggregation: How Many ISSession Executives Like a Certain Book? Which Ones? What is their Average Age? What is their Average coolness?

In [54]:
df = df.replace(-1, np.nan) # Replace -1 with NaN because aggregation operation will typically ignore NaNs

def calc_average_age(col):
    return col.sum() / col.count()

aggregated_data = df.groupby(['Favourite Book']).agg(
          name_count=('names', 'count'), # Builtin 
          name_list=('names', lambda x: ",".join(x.unique())), # Lambda Custom Operation
          average_age=('ages', calc_average_age), # Custom Function
          average_coolness=('how_cool', 'mean') # Builtin
        )

aggregated_data

Unnamed: 0_level_0,name_count,name_list,average_age,average_coolness
Favourite Book,Unnamed: 1_level_1,Unnamed: 2_level_1,Unnamed: 3_level_1,Unnamed: 4_level_1
Dune,2,"Louai,Jamie",22.5,18.0
Ella Enchanted,3,"Nash,Kurt",28.0,19.333333
Homeland,2,"Yusef,Cem",12.0,6.0


### Data Sorting: Sort By Name Count *Then* Avergae coolness 

In [55]:
aggregated_data.sort_values(['name_count', 'average_coolness'], ascending=False)

Unnamed: 0_level_0,name_count,name_list,average_age,average_coolness
Favourite Book,Unnamed: 1_level_1,Unnamed: 2_level_1,Unnamed: 3_level_1,Unnamed: 4_level_1
Ella Enchanted,3,"Nash,Kurt",28.0,19.333333
Dune,2,"Louai,Jamie",22.5,18.0
Homeland,2,"Yusef,Cem",12.0,6.0


### Querying a Dataframe's Memory Consumption

In [56]:
df.memory_usage(deep=True) # Memory Usage by Column in Bytes

Index             376
ids               406
names             429
positions         480
ages               56
how_cool           56
Favourite Book    465
signature         524
dtype: int64

----------------------------------------------
### Exercise: Answer the Following Questions Based on the Data Provided
- Question #1: Produce a dataframe that lists all destination_ips that sent out more than 500 bytes or were contacted by source_ip 10.10.99.11? Sort by bytes_out in descending order.
- Question #2: Produce a dataframe that the describes the total and the average number of bytes each user sent out across all sessions? Sort by bytes_out in descending order.
- Question #3: You realize that a hardware error caused all sessions with a source ip of 10.10.99.11 caused all "bytes_in" values to be cut by half (4000 -> 2000). Can you fix the problem? 
- *Extra*: Produce a dataframe that describes the total number of bytes (in and out) by user and source ip. Sort by total bytes in descending order.

In [57]:
session_data = [
    {"session_id": "A", "user": "Thrall", "source_ip": "10.10.99.6", "destination_ip": "142.3.3.3", "bytes_in": 452, "bytes_out": 4564},
    {"session_id": "B", "user": "Jaina Proudmoore", "source_ip": "10.10.99.11", "destination_ip": "142.3.3.3", "bytes_in": 500, "bytes_out": 232}, 
    {"session_id": "C", "user": "Illidan Stormrage", "source_ip": "10.10.99.6", "destination_ip": "142.3.4.5", "bytes_in": 25, "bytes_out": 11}, 
    {"session_id": "D", "user": "Thrall", "source_ip": "10.10.99.11", "destination_ip": "142.3.4.5", "bytes_in": 4535, "bytes_out": 443}, 
    {"session_id": "E", "user": "Jaina Proudmoore", "source_ip": "10.10.99.5", "destination_ip": "142.3.4.5", "bytes_in": 12, "bytes_out": 5345}, 
    {"session_id": "F", "user": "Illidan Stormrage", "source_ip": "10.10.99.11", "destination_ip": "142.3.3.3", "bytes_in": 3423, "bytes_out": 45353}
]

# Make a Dataframe
sessions_df = pd.DataFrame(session_data)
sessions_df

Unnamed: 0,session_id,user,source_ip,destination_ip,bytes_in,bytes_out
0,A,Thrall,10.10.99.6,142.3.3.3,452,4564
1,B,Jaina Proudmoore,10.10.99.11,142.3.3.3,500,232
2,C,Illidan Stormrage,10.10.99.6,142.3.4.5,25,11
3,D,Thrall,10.10.99.11,142.3.4.5,4535,443
4,E,Jaina Proudmoore,10.10.99.5,142.3.4.5,12,5345
5,F,Illidan Stormrage,10.10.99.11,142.3.3.3,3423,45353


### Question #1: Produce a dataframe that lists all destination_ips that sent out more than 500 bytes or were contacted by source_ip 10.10.99.11? Sort by bytes_out in descending order.

In [58]:
sessions_df[(sessions_df['source_ip'] == "10.10.99.11") | (sessions_df['bytes_out'] > 500)] \
    .sort_values(['bytes_out'], ascending=False) \
    .set_index(['session_id'])

Unnamed: 0_level_0,user,source_ip,destination_ip,bytes_in,bytes_out
session_id,Unnamed: 1_level_1,Unnamed: 2_level_1,Unnamed: 3_level_1,Unnamed: 4_level_1,Unnamed: 5_level_1
F,Illidan Stormrage,10.10.99.11,142.3.3.3,3423,45353
E,Jaina Proudmoore,10.10.99.5,142.3.4.5,12,5345
A,Thrall,10.10.99.6,142.3.3.3,452,4564
D,Thrall,10.10.99.11,142.3.4.5,4535,443
B,Jaina Proudmoore,10.10.99.11,142.3.3.3,500,232


### Question #2: Produce a dataframe that the describes the total and the average number of bytes each user sent out across all sessions? Sort by bytes_out in descending order.

In [59]:
sessions_df.groupby(['user']).agg(
    total_bytes_out=('bytes_out', 'sum'),
    avg_bytes_out=('bytes_out', 'mean')
)

Unnamed: 0_level_0,total_bytes_out,avg_bytes_out
user,Unnamed: 1_level_1,Unnamed: 2_level_1
Illidan Stormrage,45364,22682.0
Jaina Proudmoore,5577,2788.5
Thrall,5007,2503.5


### Question #3: You realize that a hardware error caused all sessions with a source ip of 10.10.99.11 caused all "bytes_in" values to be cut by half (4000 -> 2000). Can you fix the problem?

In [60]:
sessions_df['bytes_in'] = [bytes_in * 2 if source_ip == "10.10.99.11" else bytes_in for source_ip, bytes_in in zip(sessions_df['source_ip'], sessions_df['bytes_in'])]
sessions_df

Unnamed: 0,session_id,user,source_ip,destination_ip,bytes_in,bytes_out
0,A,Thrall,10.10.99.6,142.3.3.3,452,4564
1,B,Jaina Proudmoore,10.10.99.11,142.3.3.3,1000,232
2,C,Illidan Stormrage,10.10.99.6,142.3.4.5,25,11
3,D,Thrall,10.10.99.11,142.3.4.5,9070,443
4,E,Jaina Proudmoore,10.10.99.5,142.3.4.5,12,5345
5,F,Illidan Stormrage,10.10.99.11,142.3.3.3,6846,45353


### Extra: Produce a dataframe that describes the total number of bytes (in and out) by user and source ip. Sort by total bytes in descending order.

In [61]:
sessions_df['bytes_total'] = sessions_df['bytes_in'] + sessions_df['bytes_out']
sessions_df.groupby(['user', 'source_ip']) \
           .agg(bytes_tot_by_user_and_ip=('bytes_total', 'sum')) \
           .sort_values(['bytes_tot_by_user_and_ip'], ascending=False)

Unnamed: 0_level_0,Unnamed: 1_level_0,bytes_tot_by_user_and_ip
user,source_ip,Unnamed: 2_level_1
Illidan Stormrage,10.10.99.11,52199
Thrall,10.10.99.11,9513
Jaina Proudmoore,10.10.99.5,5357
Thrall,10.10.99.6,5016
Jaina Proudmoore,10.10.99.11,1232
Illidan Stormrage,10.10.99.6,36


-----------------------------------------------

## **Part #4: Data Correlation (Key-Based)**

In [62]:
network_connection_data = [
    {"connection_id": "A", "source_ip": "10.10.99.6", "destination_ip": "142.3.3.3", "source_port": 56444, "destination_port": 22, "process_id": "ABC"},
    {"connection_id": "B", "source_ip": "10.10.99.11", "destination_ip": "142.3.3.3", "source_port": 12789, "destination_port": 25, "process_id": "DEF"}, 
    {"connection_id": "C", "source_ip": "10.10.99.6", "destination_ip": "142.3.4.5", "source_port": 32333, "destination_port": 443, "process_id": "ABC"}, 
    {"connection_id": "D", "source_ip": "10.10.99.11", "destination_ip": "142.3.4.5", "source_port": 5645, "destination_port": 4444, "process_id": "DEF"}, # IOC
    {"connection_id": "E", "source_ip": "10.10.99.6", "destination_ip": "142.3.4.5", "source_port": 3425, "destination_port": 80, "process_id": "ABC"}, 
    {"connection_id": "F", "source_ip": "10.10.99.11", "destination_ip": "142.3.3.3", "source_port": 3423, "destination_port": 443, "process_id": "DEF"}
]

network_connection_df = pd.DataFrame(network_connection_data)
network_connection_df

Unnamed: 0,connection_id,source_ip,destination_ip,source_port,destination_port,process_id
0,A,10.10.99.6,142.3.3.3,56444,22,ABC
1,B,10.10.99.11,142.3.3.3,12789,25,DEF
2,C,10.10.99.6,142.3.4.5,32333,443,ABC
3,D,10.10.99.11,142.3.4.5,5645,4444,DEF
4,E,10.10.99.6,142.3.4.5,3425,80,ABC
5,F,10.10.99.11,142.3.3.3,3423,443,DEF


In [63]:
process_data = [
    {"process_id": "ABC", "process_name": "WindowsTerminal.exe", "process_commandline": "WindowsTerminal.exe"},
    {"process_id": "DEF", "process_name": "Slackk.exe", "process_commandline": "Slackk.exe -e cmd.exe"}, # Launching a Shell 
    {"process_id": "DEF", "process_name": "Slackk.exe", "process_commandline": "Slackk.exe -exf nothing_suspicious_here.zip"},
    {"process_id": "GHI", "process_name": "powershell.exe", "process_commandline": "powershell.exe -command 'Get-Process'"}
]

process_data_df = pd.DataFrame(process_data)
process_data_df

Unnamed: 0,process_id,process_name,process_commandline
0,ABC,WindowsTerminal.exe,WindowsTerminal.exe
1,DEF,Slackk.exe,Slackk.exe -e cmd.exe
2,DEF,Slackk.exe,Slackk.exe -exf nothing_suspicious_here.zip
3,GHI,powershell.exe,powershell.exe -command 'Get-Process'


In [64]:
merged_df = process_data_df.merge(right=network_connection_df, how="inner", on="process_id")
merged_df

Unnamed: 0,process_id,process_name,process_commandline,connection_id,source_ip,destination_ip,source_port,destination_port
0,ABC,WindowsTerminal.exe,WindowsTerminal.exe,A,10.10.99.6,142.3.3.3,56444,22
1,ABC,WindowsTerminal.exe,WindowsTerminal.exe,C,10.10.99.6,142.3.4.5,32333,443
2,ABC,WindowsTerminal.exe,WindowsTerminal.exe,E,10.10.99.6,142.3.4.5,3425,80
3,DEF,Slackk.exe,Slackk.exe -e cmd.exe,B,10.10.99.11,142.3.3.3,12789,25
4,DEF,Slackk.exe,Slackk.exe -e cmd.exe,D,10.10.99.11,142.3.4.5,5645,4444
5,DEF,Slackk.exe,Slackk.exe -e cmd.exe,F,10.10.99.11,142.3.3.3,3423,443
6,DEF,Slackk.exe,Slackk.exe -exf nothing_suspicious_here.zip,B,10.10.99.11,142.3.3.3,12789,25
7,DEF,Slackk.exe,Slackk.exe -exf nothing_suspicious_here.zip,D,10.10.99.11,142.3.4.5,5645,4444
8,DEF,Slackk.exe,Slackk.exe -exf nothing_suspicious_here.zip,F,10.10.99.11,142.3.3.3,3423,443


In [65]:
merged_df['source'] = merged_df['source_ip'] + ":" + merged_df['source_port'].astype(str)
merged_df['destination'] = merged_df['destination_ip'] + ":" + merged_df['destination_port'].astype(str)
merged_df = merged_df.drop(['source_ip', 'source_port', 'destination_ip', 'destination_port'], axis=1)
merged_df

Unnamed: 0,process_id,process_name,process_commandline,connection_id,source,destination
0,ABC,WindowsTerminal.exe,WindowsTerminal.exe,A,10.10.99.6:56444,142.3.3.3:22
1,ABC,WindowsTerminal.exe,WindowsTerminal.exe,C,10.10.99.6:32333,142.3.4.5:443
2,ABC,WindowsTerminal.exe,WindowsTerminal.exe,E,10.10.99.6:3425,142.3.4.5:80
3,DEF,Slackk.exe,Slackk.exe -e cmd.exe,B,10.10.99.11:12789,142.3.3.3:25
4,DEF,Slackk.exe,Slackk.exe -e cmd.exe,D,10.10.99.11:5645,142.3.4.5:4444
5,DEF,Slackk.exe,Slackk.exe -e cmd.exe,F,10.10.99.11:3423,142.3.3.3:443
6,DEF,Slackk.exe,Slackk.exe -exf nothing_suspicious_here.zip,B,10.10.99.11:12789,142.3.3.3:25
7,DEF,Slackk.exe,Slackk.exe -exf nothing_suspicious_here.zip,D,10.10.99.11:5645,142.3.4.5:4444
8,DEF,Slackk.exe,Slackk.exe -exf nothing_suspicious_here.zip,F,10.10.99.11:3423,142.3.3.3:443


In [66]:
report_df = merged_df.groupby(['process_id', 'process_name']) \
         .agg(
    process_commandlines=('process_commandline', lambda x: ", ".join(x.unique())),
    destinations=('destination', lambda x: ", ".join(x.unique()))
    )
report_df

Unnamed: 0_level_0,Unnamed: 1_level_0,process_commandlines,destinations
process_id,process_name,Unnamed: 2_level_1,Unnamed: 3_level_1
ABC,WindowsTerminal.exe,WindowsTerminal.exe,"142.3.3.3:22, 142.3.4.5:443, 142.3.4.5:80"
DEF,Slackk.exe,"Slackk.exe -e cmd.exe, Slackk.exe -exf nothing...","142.3.3.3:25, 142.3.4.5:4444, 142.3.3.3:443"


### Reporting: Convert to JSON

In [67]:
import json
json.loads(report_df.to_json())

{'process_commandlines': {"('ABC', 'WindowsTerminal.exe')": 'WindowsTerminal.exe',
  "('DEF', 'Slackk.exe')": 'Slackk.exe -e cmd.exe, Slackk.exe -exf nothing_suspicious_here.zip'},
 'destinations': {"('ABC', 'WindowsTerminal.exe')": '142.3.3.3:22, 142.3.4.5:443, 142.3.4.5:80',
  "('DEF', 'Slackk.exe')": '142.3.3.3:25, 142.3.4.5:4444, 142.3.3.3:443'}}

### Reporting: Convert to CSV

In [68]:
report_df.to_csv("report.csv")
# report_df.to_excel("report.xlsx")

### Reporting: Convert to HTML

In [69]:
report_df.to_html("report.html")