# SQL Task â€“ Cyber Threat Data Analysis

This notebook demonstrates the use of SQL queries on a cybersecurity threat dataset.
The dataset was generated using AI prompting and analyzed using SQL via SQLite in Google Colab.
All SQL operations are performed based on structured prompts.


## Prompt Used for SQL Environment Setup

"Set up an SQL environment in Google Colab using SQLite to perform SQL queries on a cybersecurity dataset."


In [None]:
import sqlite3
import pandas as pd


## Prompt Used for Loading Dataset into SQL

"Load the cybersecurity CSV dataset into a SQL database table for querying."


In [None]:
# Load CSV
df = pd.read_csv("/content/synthetic_cyber_threats_300.csv")

# Create SQLite database
conn = sqlite3.connect("cyber_threats.db")

# Load DataFrame into SQL table
df.to_sql("cyber_threats", conn, if_exists="replace", index=False)

print("Dataset loaded into SQLite database.")


Dataset loaded into SQLite database.


## Prompt Used for Table Verification

"Verify that the cybersecurity table has been successfully created in the SQL database."


In [None]:
query = "SELECT * FROM cyber_threats LIMIT 5;"
pd.read_sql(query, conn)


Unnamed: 0,incident_id,timestamp,attack_type,attack_vector,severity,source_country,target_country,source_ip,destination_ip,device_affected,operating_system,target_system,port,protocol,status,detected_by,response_time_minutes,data_compromised,impact_level,mitigation_action
0,INC0001,2025-06-03 13:56:29,SQL Injection,API,Medium,Germany,China,220.63.39.84,70.88.151.251,Cloud VM,Windows,Network Device,3389,UDP,Failed,Firewall,105.05,Yes,High,Patch Applied
1,INC0002,2025-11-08 02:45:20,Ransomware,API,High,Brazil,Russia,150.128.225.159,159.20.97.197,Mobile,Android,Database Server,80,TCP,Failed,SIEM,109.86,No,Low,Traffic Filtered
2,INC0003,2025-05-23 07:14:32,SQL Injection,Email,Critical,UK,China,17.181.85.191,79.156.50.166,Database,macOS,Database Server,22,TCP,Blocked,Firewall,81.33,Yes,Medium,Traffic Filtered
3,INC0004,2025-03-13 00:51:58,DDoS,Email,High,USA,China,132.107.13.224,123.167.26.173,Laptop,Windows,Web Server,22,HTTP,Failed,Firewall,119.19,No,Medium,Traffic Filtered
4,INC0005,2025-03-29 18:37:13,Malware,USB,Medium,UK,Germany,86.55.105.71,125.78.86.180,Database,Linux,Database Server,22,HTTPS,Successful,SIEM,69.68,No,Low,Account Disabled


## Prompt Used for Basic Data Retrieval

"Retrieve all cyber attack records from the database."


In [None]:
query = "SELECT * FROM cyber_threats;"
pd.read_sql(query, conn).head()


Unnamed: 0,incident_id,timestamp,attack_type,attack_vector,severity,source_country,target_country,source_ip,destination_ip,device_affected,operating_system,target_system,port,protocol,status,detected_by,response_time_minutes,data_compromised,impact_level,mitigation_action
0,INC0001,2025-06-03 13:56:29,SQL Injection,API,Medium,Germany,China,220.63.39.84,70.88.151.251,Cloud VM,Windows,Network Device,3389,UDP,Failed,Firewall,105.05,Yes,High,Patch Applied
1,INC0002,2025-11-08 02:45:20,Ransomware,API,High,Brazil,Russia,150.128.225.159,159.20.97.197,Mobile,Android,Database Server,80,TCP,Failed,SIEM,109.86,No,Low,Traffic Filtered
2,INC0003,2025-05-23 07:14:32,SQL Injection,Email,Critical,UK,China,17.181.85.191,79.156.50.166,Database,macOS,Database Server,22,TCP,Blocked,Firewall,81.33,Yes,Medium,Traffic Filtered
3,INC0004,2025-03-13 00:51:58,DDoS,Email,High,USA,China,132.107.13.224,123.167.26.173,Laptop,Windows,Web Server,22,HTTP,Failed,Firewall,119.19,No,Medium,Traffic Filtered
4,INC0005,2025-03-29 18:37:13,Malware,USB,Medium,UK,Germany,86.55.105.71,125.78.86.180,Database,Linux,Database Server,22,HTTPS,Successful,SIEM,69.68,No,Low,Account Disabled


## Prompt Used for Counting Records

"Count the total number of cyber attack incidents recorded in the dataset."


In [None]:
query = "SELECT COUNT(*) AS total_attacks FROM cyber_threats;"
pd.read_sql(query, conn)


Unnamed: 0,total_attacks
0,300


## Prompt Used for Attack Type Distribution

"Analyze the number of cyber attacks grouped by attack type."


In [None]:
query = """
SELECT attack_type, COUNT(*) AS attack_count
FROM cyber_threats
GROUP BY attack_type
ORDER BY attack_count DESC;
"""
pd.read_sql(query, conn)


Unnamed: 0,attack_type,attack_count
0,SQL Injection,55
1,Phishing,53
2,Brute Force,53
3,DDoS,48
4,Ransomware,47
5,Malware,44


## Prompt Used for Severity-Based Analysis

"Analyze the number of cyber attacks based on severity levels."


In [None]:
query = """
SELECT severity, COUNT(*) AS count
FROM cyber_threats
GROUP BY severity;
"""
pd.read_sql(query, conn)


Unnamed: 0,severity,count
0,Critical,69
1,High,69
2,Low,71
3,Medium,91


## Prompt Used for High Severity Attack Analysis

"Retrieve all cyber attacks classified as High severity."


In [None]:
query = """
SELECT *
FROM cyber_threats
WHERE severity = 'High';
"""
pd.read_sql(query, conn).head()


Unnamed: 0,incident_id,timestamp,attack_type,attack_vector,severity,source_country,target_country,source_ip,destination_ip,device_affected,operating_system,target_system,port,protocol,status,detected_by,response_time_minutes,data_compromised,impact_level,mitigation_action
0,INC0002,2025-11-08 02:45:20,Ransomware,API,High,Brazil,Russia,150.128.225.159,159.20.97.197,Mobile,Android,Database Server,80,TCP,Failed,SIEM,109.86,No,Low,Traffic Filtered
1,INC0004,2025-03-13 00:51:58,DDoS,Email,High,USA,China,132.107.13.224,123.167.26.173,Laptop,Windows,Web Server,22,HTTP,Failed,Firewall,119.19,No,Medium,Traffic Filtered
2,INC0023,2025-02-14 13:21:20,Malware,Network,High,Brazil,South Korea,15.116.32.39,84.83.41.42,Mobile,Android,Database Server,80,HTTPS,Blocked,Firewall,31.6,Yes,Low,Patch Applied
3,INC0029,2025-07-19 12:24:31,Ransomware,API,High,UK,South Korea,217.245.104.6,154.182.51.67,Cloud VM,Windows,User Account,80,TCP,Successful,Firewall,58.67,Yes,High,IP Blocked
4,INC0031,2025-12-03 14:55:14,Phishing,Network,High,China,France,200.15.131.109,176.177.188.183,Database,Windows,Network Device,3389,HTTPS,Blocked,IDS,92.07,No,Low,Patch Applied


## Prompt Used for Country-Based Attack Analysis

"Analyze cyber attacks based on source country."


In [None]:
query = """
SELECT source_country, COUNT(*) AS total_attacks
FROM cyber_threats
GROUP BY source_country
ORDER BY total_attacks DESC;
"""
pd.read_sql(query, conn)


Unnamed: 0,source_country,total_attacks
0,China,40
1,UK,33
2,Brazil,33
3,France,32
4,Russia,29
5,USA,28
6,India,28
7,Germany,28
8,Japan,25
9,South Korea,24


## Prompt Used for Device Impact Analysis

"Identify the most frequently affected devices in cyber attacks."


In [None]:
query = """
SELECT device_affected, COUNT(*) AS attack_count
FROM cyber_threats
GROUP BY device_affected
ORDER BY attack_count DESC;
"""
pd.read_sql(query, conn)


Unnamed: 0,device_affected,attack_count
0,Mobile,66
1,Laptop,64
2,Server,62
3,Cloud VM,56
4,Database,52


## Prompt Used for Attack Outcome Analysis

"Analyze the number of successful versus blocked cyber attacks."


In [None]:
query = """
SELECT status, COUNT(*) AS count
FROM cyber_threats
GROUP BY status;
"""
pd.read_sql(query, conn)


Unnamed: 0,status,count
0,Blocked,89
1,Failed,103
2,Successful,108


## Prompt Used for Target System Analysis

"Identify the top targeted systems based on cyber attack frequency."


In [None]:
query = """
SELECT target_system, COUNT(*) AS count
FROM cyber_threats
GROUP BY target_system
ORDER BY count DESC
LIMIT 10;
"""
pd.read_sql(query, conn)


Unnamed: 0,target_system,count
0,Database Server,86
1,Web Server,75
2,Network Device,70
3,User Account,69


## Prompt Used for Average Severity Impact

"Calculate the average impact level of cyber attacks."


In [None]:
query = """
SELECT AVG(impact_level) AS avg_impact
FROM cyber_threats;
"""
pd.read_sql(query, conn)


Unnamed: 0,avg_impact
0,0.0


### Explanation

The average impact level initially returned 0.0 because the `impact_level` column contained
categorical text values rather than numeric data.
SQL aggregate functions such as AVG require numeric input.
To resolve this, the impact levels were mapped to numeric values and reloaded into the database,
allowing accurate calculation of the average impact level.


In [None]:
query = "PRAGMA table_info(cyber_threats);"
pd.read_sql(query, conn)


Unnamed: 0,cid,name,type,notnull,dflt_value,pk
0,0,incident_id,TEXT,0,,0
1,1,timestamp,TEXT,0,,0
2,2,attack_type,TEXT,0,,0
3,3,attack_vector,TEXT,0,,0
4,4,severity,TEXT,0,,0
5,5,source_country,TEXT,0,,0
6,6,target_country,TEXT,0,,0
7,7,source_ip,TEXT,0,,0
8,8,destination_ip,TEXT,0,,0
9,9,device_affected,TEXT,0,,0


In [None]:
query = "SELECT DISTINCT impact_level FROM cyber_threats;"
pd.read_sql(query, conn)


Unnamed: 0,impact_level
0,High
1,Low
2,Medium


In [None]:
impact_mapping = {
    "Low": 1,
    "Medium": 2,
    "High": 3,
    "Critical": 4
}

df['impact_level_numeric'] = df['impact_level'].map(impact_mapping)


In [None]:
df.to_sql("cyber_threats", conn, if_exists="replace", index=False)


300

In [None]:
query = """
SELECT AVG(impact_level_numeric) AS avg_impact
FROM cyber_threats;
"""
pd.read_sql(query, conn)


Unnamed: 0,avg_impact
0,2.033333


## Prompt Used for Advanced SQL Analysis

"Retrieve attack types that have a higher than average impact level."


In [None]:
query = """
SELECT attack_type, AVG(impact_level_numeric) AS avg_impact
FROM cyber_threats
GROUP BY attack_type
HAVING AVG(impact_level_numeric) > (
    SELECT AVG(impact_level_numeric) FROM cyber_threats
);
"""
pd.read_sql(query, conn)


Unnamed: 0,attack_type,avg_impact
0,Brute Force,2.169811
1,Malware,2.068182
2,Phishing,2.037736
3,SQL Injection,2.036364


## Prompt Used for Frequent Attack Analysis

"Identify the top 5 most frequent cyber attack types in the dataset."


In [None]:
query = """
SELECT attack_type, COUNT(*) AS total_attacks
FROM cyber_threats
GROUP BY attack_type
ORDER BY total_attacks DESC
LIMIT 5;
"""
pd.read_sql(query, conn)


Unnamed: 0,attack_type,total_attacks
0,SQL Injection,55
1,Phishing,53
2,Brute Force,53
3,DDoS,48
4,Ransomware,47


## Prompt Used for High Severity Country Analysis

"Identify countries with the highest number of high severity cyber attacks."


In [None]:
query = """
SELECT source_country, COUNT(*) AS high_severity_attacks
FROM cyber_threats
WHERE severity = 'High'
GROUP BY source_country
ORDER BY high_severity_attacks DESC;
"""
pd.read_sql(query, conn)


Unnamed: 0,source_country,high_severity_attacks
0,China,11
1,Brazil,10
2,Russia,9
3,UK,7
4,India,7
5,USA,6
6,France,6
7,South Korea,5
8,Germany,5
9,Japan,3


## Prompt Used for Device and Attack Relationship Analysis

"Analyze which attack types affect different devices most frequently."


In [None]:
query = """
SELECT device_affected, attack_type, COUNT(*) AS attack_count
FROM cyber_threats
GROUP BY device_affected, attack_type
ORDER BY attack_count DESC;
"""
pd.read_sql(query, conn)


Unnamed: 0,device_affected,attack_type,attack_count
0,Laptop,Brute Force,16
1,Database,SQL Injection,14
2,Cloud VM,DDoS,13
3,Cloud VM,Phishing,13
4,Mobile,Ransomware,13
5,Laptop,Phishing,12
6,Mobile,Malware,12
7,Mobile,SQL Injection,12
8,Server,Brute Force,12
9,Server,Ransomware,12


## Prompt Used for Detection Effectiveness Analysis

"Analyze how many cyber attacks were detected by each detection mechanism."


In [None]:
query = """
SELECT detected_by, COUNT(*) AS detected_attacks
FROM cyber_threats
GROUP BY detected_by
ORDER BY detected_attacks DESC;
"""
pd.read_sql(query, conn)


Unnamed: 0,detected_by,detected_attacks
0,Firewall,86
1,SIEM,82
2,Antivirus,68
3,IDS,64


## Prompt Used for Average Impact Analysis

"Calculate the average numeric impact level for each attack type."


In [None]:
query = """
SELECT attack_type, ROUND(AVG(impact_level_numeric), 2) AS avg_impact
FROM cyber_threats
GROUP BY attack_type
ORDER BY avg_impact DESC;
"""
pd.read_sql(query, conn)


Unnamed: 0,attack_type,avg_impact
0,Brute Force,2.17
1,Malware,2.07
2,SQL Injection,2.04
3,Phishing,2.04
4,DDoS,1.96
5,Ransomware,1.91


## Prompt Used for Operating System Risk Analysis

"Identify which operating systems are most frequently targeted by cyber attacks."


In [None]:
query = """
SELECT operating_system, COUNT(*) AS total_attacks
FROM cyber_threats
GROUP BY operating_system
ORDER BY total_attacks DESC;
"""
pd.read_sql(query, conn)


Unnamed: 0,operating_system,total_attacks
0,macOS,83
1,Linux,79
2,Android,70
3,Windows,68


## Prompt Used for Attack Outcome Ratio Analysis

"Calculate the ratio of blocked to successful cyber attacks."


In [None]:
query = """
SELECT status, COUNT(*) AS count
FROM cyber_threats
GROUP BY status;
"""
pd.read_sql(query, conn)


Unnamed: 0,status,count
0,Blocked,89
1,Failed,103
2,Successful,108


## SQL Task Explanation

This SQL analysis demonstrates the use of SELECT, WHERE, GROUP BY, ORDER BY,
aggregate functions, and subqueries on a cybersecurity dataset.
The insights derived help identify attack patterns, severity distribution,
geographical risks, and affected systems.


## Prompting Declaration

This SQL task was completed using AI-based prompting.
All SQL queries and analysis steps were executed based on structured prompts
documented in this notebook.
