## Welcome to Vibes Investigation II: Planning with Louie!

**This is Part II of a two-part series on Vibes Investigation:**
- **[Part I](05-vibes-investigation-I.ipynb)**: General investigation techniques and exploratory analysis
- **Part II (this notebook)**: Planning, roadmapping, and strategic analysis

This tutorial demonstrates planning and strategic analysis capabilities with Louie agentic automation. You'll learn how to use Louie for structured problem-solving, creating roadmaps, and breaking down complex tasks into actionable plans.

**Prerequisites:** We recommend completing [Part I](05-vibes-investigation-I.ipynb) first to understand the basics of Louie investigations.

Further reading:

* Louie ReadTheDocs: https://louie-py.readthedocs.io/en/latest/

* Louie GitHub: https://github.com/graphistry/louie-py

* PyGraphistry ReadTheDocs: https://pygraphistry.readthedocs.io/en/latest/

## Setup

### 1. Install

Install the `louieai` package using pip or uv. Louie requires Python 3.10+ and Pandas/Arrow.

It also installs PyGraphistry 0.41+ for auth and graphs.

In [1]:
! pip install -q louieai
#! pip install git+https://github.com/graphistry/louie-py.git@feature/cursor-new-method

In [2]:
import graphistry

import louieai

print("graphistry", graphistry.__version__, "louieai", louieai.__version__)

graphistry 0.41.0 louieai 0.5.7.dev8+g984d505


In [3]:
import os

LOUIE_SERVER_URL = os.environ.get("LOUIE_SERVER", "https://den.louie.ai")
GRAPHISTRY_DOMAIN = os.environ.get("GRAPHISTRY_SERVER", "hub.graphistry.com")

# Check for Graphistry personal key credentials
personal_key_id = os.environ.get("GRAPHISTRY_PERSONAL_KEY_ID")
personal_key_secret = os.environ.get("GRAPHISTRY_PERSONAL_KEY_SECRET")
org_name = os.environ.get("GRAPHISTRY_ORG_NAME")

if not personal_key_id or not personal_key_secret or not org_name:
    print("🔐 Graphistry Authentication Required")
    print("=" * 50)
    print("You need a Graphistry personal API key to run this notebook.")
    print("\nTo get credentials:")
    print("1. Sign up/login at https://hub.graphistry.com")
    print("2. Go to https://hub.graphistry.com/users/personal/key/")
    print("3. Create a new personal API key")
    print("=" * 50)
    print("\nPlease enter your credentials:")
    personal_key_id = input("Personal Key ID: ")
    import getpass

    personal_key_secret = getpass.getpass("Personal Key Secret: ")
    org_name = input("Organization Name: ")
    print("\n💡 Tip: For automated execution, set environment variables:")
    print("   export GRAPHISTRY_PERSONAL_KEY_ID='your_key_id'")
    print("   export GRAPHISTRY_PERSONAL_KEY_SECRET='your_key_secret'")
    print("   export GRAPHISTRY_ORG_NAME='your_org_name'")

# MAKE API KEY: https://hub.graphistry.com/users/personal/key/
g = graphistry.register(
    api=3,
    server=GRAPHISTRY_DOMAIN,
    personal_key_id=personal_key_id,
    personal_key_secret=personal_key_secret,
    org_name=org_name,
)

# Future dthreads will reuse these settings by default
share_mode = "Private"
lui = louieai(g, server_url=LOUIE_SERVER_URL, share_mode=share_mode)

print("Connected!")

Connected!


## Notebook 1 - Hi Louie!

Louie is an agent that uses many other LLMs and agents. You can start chatting with it just as you would with ChatGPT.

### Talk as if in a ChatGPT thread

In [4]:
lui = lui.new(name="Notebook 1 - Hi Louie!")

lui("""

sing me a song

""")

### Louie has memory!

In [5]:
lui(
    """ repeat that fun song... but add in a few extras as if you are a pirate, leaving the rest unchanged..."""
)

## Notebook 2 - Hi Louie 2!

### Start a fresh thread to clear memory

In [6]:
lui = lui.new(name="Notebook 2 - Hi Louie 2!")

lui("What was the song about and with what voice did I use?")

### Louie has a semantic layer over your connected databases!

Louie automatically handles agent and tool dispatch for you.

You can also specify an agent explicitly, e.g., `lui(..., agent='DatabricksAgent')`.

In [7]:
lui("""

get 10 rows from a botsv3 table in databricks (o365_management_activity_flat_tcook?)

""")

# optional: ..., agent='DatabricksAgent'

Unnamed: 0,ClientIP,CorrelationId,CreationTime,EventSource,Id,ImplicitShare,ItemType,ListId,ListItemUniqueId,ObjectId,...,SourceFileExtension,SourceFileName,SourceRelativeUrl,UserAgent,UserId,UserKey,UserType,Version,WebId,Workload
0,107.77.213.173,9e627e9e-d0dd-6000-daf9-da44fcd45d4e,2018-08-20T13:16:56,SharePoint,8a1fd9ad-95d3-4bea-a806-08d5f28ec619,No,File,67091393-e290-421e-ac6a-2734e2b12a94,37ab8c26-f775-4a03-97b3-074c81a00f33,https://frothly-my.sharepoint.com/personal/fyo...,...,pdf,beverages-02-00034-v2.pdf,Documents,OneDriveMpc/1.0,fyodor@froth.ly,i:0h.f|membership|1003bffda2e71ff9@live.com,0,1,7acb35b6-e1ec-44ed-9099-38580e330ed0,OneDrive
1,107.77.213.173,9e627e9e-60d3-6000-32f0-2235e1b3a20b,2018-08-20T13:16:56,SharePoint,7d1dd9e0-63b3-4277-7a03-08d5f28ec5e3,No,File,67091393-e290-421e-ac6a-2734e2b12a94,bb017930-2bf5-4953-b38a-716ba3217703,https://frothly-my.sharepoint.com/personal/fyo...,...,pdf,craftbeerdotcom-beer-styles.pdf,Documents,OneDriveMpc/1.0,fyodor@froth.ly,i:0h.f|membership|1003bffda2e71ff9@live.com,0,1,7acb35b6-e1ec-44ed-9099-38580e330ed0,OneDrive
2,107.77.213.173,9e627e9e-a0db-6000-daf9-da5a21ed5a92,2018-08-20T13:16:56,SharePoint,f5ad6c89-25b3-420c-f889-08d5f28ec656,No,File,67091393-e290-421e-ac6a-2734e2b12a94,456e3291-27ad-455e-9cb7-a01722ffa0fa,https://frothly-my.sharepoint.com/personal/fyo...,...,pdf,fundamental of beer and hop chemistry.pdf,Documents,OneDriveMpc/1.0,fyodor@froth.ly,i:0h.f|membership|1003bffda2e71ff9@live.com,0,1,7acb35b6-e1ec-44ed-9099-38580e330ed0,OneDrive
3,40.97.148.181,fa2fd17c-daf8-4062-8f87-d411eb537314,2018-08-20T13:16:54,SharePoint,0ad166f0-5312-4e35-e017-08d5f28ec4fb,,Web,,,fa2fd17c-daf8-4062-8f87-d411eb537314,...,,,,Substrate Search 1.0,fyodor@froth.ly,i:0h.f|membership|1003bffda2e71ff9@live.com,0,1,,SharePoint
4,104.238.59.42,0a627e9e-f0d0-6000-daf9-dc8f468313e3,2018-08-20T13:06:50,SharePoint,9b5ad97e-f03f-4648-a536-08d5f28d5cad,,File,67091393-e290-421e-ac6a-2734e2b12a94,d2c4bb13-c97e-4707-9e9b-53dc0e2513b5,https://frothly-my.sharepoint.com/personal/pce...,...,pptx,Beer styles.pptx,Documents,Microsoft Office PowerPoint 2014,pcerf@froth.ly,i:0h.f|membership|1003bffdac730049@live.com,0,1,7acb35b6-e1ec-44ed-9099-38580e330ed0,OneDrive
5,65.52.243.21,fb617e9e-c0c7-6000-32f0-2e462ff7bbde,2018-08-20T13:05:48,SharePoint,4b143e6d-91b0-4b07-7253-08d5f28d37c3,,List,67091393-e290-421e-ac6a-2734e2b12a94,,https://frothly-my.sharepoint.com/personal/pce...,...,,,,ODMTADocCache/1.0,app@sharepoint,i:0i.t|00000003-0000-0ff1-ce00-000000000000|ap...,0,1,7acb35b6-e1ec-44ed-9099-38580e330ed0,OneDrive
6,104.238.59.42,f9617e9e-f0de-6000-32f0-299be8e0a683,2018-08-20T13:05:40,SharePoint,a1cac3e4-3102-4e0c-d258-08d5f28d3331,No,File,67091393-e290-421e-ac6a-2734e2b12a94,d2c4bb13-c97e-4707-9e9b-53dc0e2513b5,https://frothly-my.sharepoint.com/personal/pce...,...,pptx,Beer styles.pptx,Documents,Microsoft Office PowerPoint 2014,pcerf@froth.ly,i:0h.f|membership|1003bffdac730049@live.com,0,1,7acb35b6-e1ec-44ed-9099-38580e330ed0,OneDrive
7,104.238.59.42,f8617e9e-a0d4-6000-3667-381044fbe5d3,2018-08-20T13:05:36,SharePoint,7d6f73bd-f3c3-4c95-7b24-08d5f28d30de,,File,67091393-e290-421e-ac6a-2734e2b12a94,d2c4bb13-c97e-4707-9e9b-53dc0e2513b5,https://frothly-my.sharepoint.com/personal/pce...,...,pptx,Beer styles.pptx,Documents,Microsoft Office PowerPoint 2014,pcerf@froth.ly,i:0h.f|membership|1003bffdac730049@live.com,0,1,7acb35b6-e1ec-44ed-9099-38580e330ed0,OneDrive
8,199.66.91.253,08557e9e-2041-6000-daf9-d90e9f2c1023,2018-08-20T11:55:22,SharePoint,d7ee3d62-60cb-427b-b0db-08d5f26d99f1,No,File,67091393-e290-421e-ac6a-2734e2b12a94,57c5cd78-2a0f-42ee-8dab-afce305ec89e,https://frothly-my.sharepoint.com/personal/fyo...,...,tar,archive.tar,Documents,Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6...,fyodor@froth.ly,i:0h.f|membership|1003bffda2e71ff9@live.com,0,1,7acb35b6-e1ec-44ed-9099-38580e330ed0,OneDrive
9,199.66.91.253,fc547e9e-f0c2-6000-1d75-39268176f5e6,2018-08-20T11:54:35,SharePoint,cf2ae00e-0efc-41e5-d0dc-08d5f26d7e46,Yes,File,76079ea8-0a58-414e-b493-8580089c8419,7ba794f0-38aa-45d8-8d2a-3c932e87e4f5,https://frothly-my.sharepoint.com/User Photos/...,...,jpg,fyodor_froth_ly_SThumb.jpg,User Photos/Profile Pictures,Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6...,fyodor@froth.ly,i:0h.f|membership|1003bffda2e71ff9@live.com,0,1,3b605151-ac0a-46ff-9e16-14e04be8a8a1,SharePoint


### Louie can show you its reasoning!

In [8]:
lui(
    """

get 10 rows from a botsv3 table in databricks (o365_management_activity_flat_tcook?)

""",
    traces=True,
)

Unnamed: 0,ClientIP,CorrelationId,CreationTime,EventSource,Id,ImplicitShare,ItemType,ListId,ListItemUniqueId,ObjectId,...,SourceFileExtension,SourceFileName,SourceRelativeUrl,UserAgent,UserId,UserKey,UserType,Version,WebId,Workload
0,107.77.213.173,9e627e9e-d0dd-6000-daf9-da44fcd45d4e,2018-08-20T13:16:56,SharePoint,8a1fd9ad-95d3-4bea-a806-08d5f28ec619,No,File,67091393-e290-421e-ac6a-2734e2b12a94,37ab8c26-f775-4a03-97b3-074c81a00f33,https://frothly-my.sharepoint.com/personal/fyo...,...,pdf,beverages-02-00034-v2.pdf,Documents,OneDriveMpc/1.0,fyodor@froth.ly,i:0h.f|membership|1003bffda2e71ff9@live.com,0,1,7acb35b6-e1ec-44ed-9099-38580e330ed0,OneDrive
1,107.77.213.173,9e627e9e-60d3-6000-32f0-2235e1b3a20b,2018-08-20T13:16:56,SharePoint,7d1dd9e0-63b3-4277-7a03-08d5f28ec5e3,No,File,67091393-e290-421e-ac6a-2734e2b12a94,bb017930-2bf5-4953-b38a-716ba3217703,https://frothly-my.sharepoint.com/personal/fyo...,...,pdf,craftbeerdotcom-beer-styles.pdf,Documents,OneDriveMpc/1.0,fyodor@froth.ly,i:0h.f|membership|1003bffda2e71ff9@live.com,0,1,7acb35b6-e1ec-44ed-9099-38580e330ed0,OneDrive
2,107.77.213.173,9e627e9e-a0db-6000-daf9-da5a21ed5a92,2018-08-20T13:16:56,SharePoint,f5ad6c89-25b3-420c-f889-08d5f28ec656,No,File,67091393-e290-421e-ac6a-2734e2b12a94,456e3291-27ad-455e-9cb7-a01722ffa0fa,https://frothly-my.sharepoint.com/personal/fyo...,...,pdf,fundamental of beer and hop chemistry.pdf,Documents,OneDriveMpc/1.0,fyodor@froth.ly,i:0h.f|membership|1003bffda2e71ff9@live.com,0,1,7acb35b6-e1ec-44ed-9099-38580e330ed0,OneDrive
3,40.97.148.181,fa2fd17c-daf8-4062-8f87-d411eb537314,2018-08-20T13:16:54,SharePoint,0ad166f0-5312-4e35-e017-08d5f28ec4fb,,Web,,,fa2fd17c-daf8-4062-8f87-d411eb537314,...,,,,Substrate Search 1.0,fyodor@froth.ly,i:0h.f|membership|1003bffda2e71ff9@live.com,0,1,,SharePoint
4,104.238.59.42,0a627e9e-f0d0-6000-daf9-dc8f468313e3,2018-08-20T13:06:50,SharePoint,9b5ad97e-f03f-4648-a536-08d5f28d5cad,,File,67091393-e290-421e-ac6a-2734e2b12a94,d2c4bb13-c97e-4707-9e9b-53dc0e2513b5,https://frothly-my.sharepoint.com/personal/pce...,...,pptx,Beer styles.pptx,Documents,Microsoft Office PowerPoint 2014,pcerf@froth.ly,i:0h.f|membership|1003bffdac730049@live.com,0,1,7acb35b6-e1ec-44ed-9099-38580e330ed0,OneDrive
5,65.52.243.21,fb617e9e-c0c7-6000-32f0-2e462ff7bbde,2018-08-20T13:05:48,SharePoint,4b143e6d-91b0-4b07-7253-08d5f28d37c3,,List,67091393-e290-421e-ac6a-2734e2b12a94,,https://frothly-my.sharepoint.com/personal/pce...,...,,,,ODMTADocCache/1.0,app@sharepoint,i:0i.t|00000003-0000-0ff1-ce00-000000000000|ap...,0,1,7acb35b6-e1ec-44ed-9099-38580e330ed0,OneDrive
6,104.238.59.42,f9617e9e-f0de-6000-32f0-299be8e0a683,2018-08-20T13:05:40,SharePoint,a1cac3e4-3102-4e0c-d258-08d5f28d3331,No,File,67091393-e290-421e-ac6a-2734e2b12a94,d2c4bb13-c97e-4707-9e9b-53dc0e2513b5,https://frothly-my.sharepoint.com/personal/pce...,...,pptx,Beer styles.pptx,Documents,Microsoft Office PowerPoint 2014,pcerf@froth.ly,i:0h.f|membership|1003bffdac730049@live.com,0,1,7acb35b6-e1ec-44ed-9099-38580e330ed0,OneDrive
7,104.238.59.42,f8617e9e-a0d4-6000-3667-381044fbe5d3,2018-08-20T13:05:36,SharePoint,7d6f73bd-f3c3-4c95-7b24-08d5f28d30de,,File,67091393-e290-421e-ac6a-2734e2b12a94,d2c4bb13-c97e-4707-9e9b-53dc0e2513b5,https://frothly-my.sharepoint.com/personal/pce...,...,pptx,Beer styles.pptx,Documents,Microsoft Office PowerPoint 2014,pcerf@froth.ly,i:0h.f|membership|1003bffdac730049@live.com,0,1,7acb35b6-e1ec-44ed-9099-38580e330ed0,OneDrive
8,199.66.91.253,08557e9e-2041-6000-daf9-d90e9f2c1023,2018-08-20T11:55:22,SharePoint,d7ee3d62-60cb-427b-b0db-08d5f26d99f1,No,File,67091393-e290-421e-ac6a-2734e2b12a94,57c5cd78-2a0f-42ee-8dab-afce305ec89e,https://frothly-my.sharepoint.com/personal/fyo...,...,tar,archive.tar,Documents,Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6...,fyodor@froth.ly,i:0h.f|membership|1003bffda2e71ff9@live.com,0,1,7acb35b6-e1ec-44ed-9099-38580e330ed0,OneDrive
9,199.66.91.253,fc547e9e-f0c2-6000-1d75-39268176f5e6,2018-08-20T11:54:35,SharePoint,cf2ae00e-0efc-41e5-d0dc-08d5f26d7e46,Yes,File,76079ea8-0a58-414e-b493-8580089c8419,7ba794f0-38aa-45d8-8d2a-3c932e87e4f5,https://frothly-my.sharepoint.com/User Photos/...,...,jpg,fyodor_froth_ly_SThumb.jpg,User Photos/Profile Pictures,Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6...,fyodor@froth.ly,i:0h.f|membership|1003bffda2e71ff9@live.com,0,1,3b605151-ac0a-46ff-9e16-14e04be8a8a1,SharePoint


### Compose with dataframes to draw graph!

In [9]:
df_id = lui.elements[-1]["id"]
df_id

'B_AtOaNJeM'

In [10]:
lui(f"""

draw a graph from dataframe {df_id} using any interesting columns as nodes

""")

## Notebook 3 - Unplanned ReAct

Question:

> What IAM resource was targeted for access key creation event using the leaked AWS key? An attacker obtained unauthorized AWS access via a leaked access key: AKIAJOGCDXJ5NW5PXUPA

This is a full BOTS question, spanning 100+ Splunk indexes...

* Now what?
* How long would it take to solve?

In [11]:
lui = lui.new(name="Notebook 3 - BOTS Q1 - Unplanned ReAct")

lui(
    """
What IAM resource was targeted for access key creation event using the leaked AWS key? An attacker obtained unauthorized AWS access via a leaked access key: AKIAJOGCDXJ5NW5PXUPA
(hint: use databricks o365_management_activity_flat_tcook)
""",
    traces=True,
)

Unnamed: 0,index,description,table_name,pretty_index
63,`samples`.`information_schema`.`information_sc...,`samples`.`information_schema`.`information_sc...,information_schema_catalog_name,samples.information_schema.information_schema_...
4,`client_demos`.`botsv3`.`o365_management_activ...,`client_demos`.`botsv3`.`o365_management_activ...,o365_management_activity_flat_tcook,client_demos.botsv3.o365_management_activity_f...
29,`client_demos`.`information_schema`.`table_tags`,`client_demos`.`information_schema`.`table_tag...,table_tags,client_demos.information_schema.table_tags
23,`client_demos`.`information_schema`.`row_filters`,`client_demos`.`information_schema`.`row_filte...,row_filters,client_demos.information_schema.row_filters
2,`client_demos`.`botsv3`.`ms_o365_management`,`client_demos`.`botsv3`.`ms_o365_management`:\...,ms_o365_management,client_demos.botsv3.ms_o365_management
152,`system`.`information_schema`.`information_sch...,`system`.`information_schema`.`information_sch...,information_schema_catalog_name,system.information_schema.information_schema_c...
25,`client_demos`.`information_schema`.`schema_tags`,`client_demos`.`information_schema`.`schema_ta...,schema_tags,client_demos.information_schema.schema_tags
3,`client_demos`.`botsv3`.`o365_management_activ...,`client_demos`.`botsv3`.`o365_management_activ...,o365_management_activity,client_demos.botsv3.o365_management_activity
176,`system`.`information_schema`.`table_share_usage`,`system`.`information_schema`.`table_share_usa...,table_share_usage,system.information_schema.table_share_usage
165,`system`.`information_schema`.`row_filters`,`system`.`information_schema`.`row_filters`:\n...,row_filters,system.information_schema.row_filters


In [12]:
lui("summarize the answer")

## Notebook 4 - Plan-based breakdown

### Strategies

In [13]:
lui = lui.new(name="Notebook 4 - Q1 BOTS - Planned")

lui("""

We want to answer:
`What IAM resource was targeted for access key creation event using the leaked AWS key? An attacker obtained unauthorized AWS access via a leaked access key: AKIAJOGCDXJ5NW5PXUPA`

- Hint: use databricks o365_management_activity_flat_tcook

Don't solve it yet

Just come up with 5 high-level strategies of how to solve this, which we will turn into a plan of steps.
Put the most viable strategy first
""")

### Plan

In [14]:
STEP_RULES = """
- Step format: `- [<⬜🏃✅❌>] <step#:1Aa.i> <short instr> => <result_summary if done>`
- Wrap steps list in <STEPS>- ... \n- ...</STEPS>
- Ex: `- [❌] 2Fc.ii Run databricks query 'SELECT * ...' to find the bad guy => syntax error xyz, add new substep with corrected syntax`
- Step types typically: Research, Plan, Query, Validate, Cross-Validate, Update TODOs, FINAL ANSWER
- Hint: use databricks o365_management_activity_flat_tcook
- Hint: Steps can be Concrete, or abstract/generative to make new steps!
- Hint: we should validate key findings like valid tables, queries, entities, etc
- Restriction: We can only grow up to 20 steps, so be judicious
"""

lui(f"""

Great. Now:

Break this down into a sequence of concrete steps, keep under 10 for now
{STEP_RULES}

Ok, now give me the plan of steps, and mark the first as 🏃!
""")

### Loop

In [15]:
LOOP = f"""

Looks good!

Let's take a full step of working through the plan, meaning all of 1 + 2A + (2Bi or 2Bii)

1. Repeat everything we outputted so we don't forget
2. Step instruction:
A. Take the step
- Do it!
- Reoutput the full plan steps with updated status, findings
Bi. And then, if you think we're done.. say FINAL ANSWER: <answer>
Bii. Otherwise, if you think we have more to investigate, decide & perform:
* do next step
* or replan steps and continue
* or go to next strategy and generate a fresh plan for it & go

Reminder:
<step_rules>
{STEP_RULES}
</step_rules>

Make sure you do all of 1 + 2A + (2Bi or 2Bii). A full step means we've successfully changed the step status to next phase in ⬜🏃✅❌, cannot be repeat, must progress.
"""

In [16]:
lui(LOOP)

Unnamed: 0,index,description,table_name,pretty_index
4,`client_demos`.`botsv3`.`o365_management_activ...,`client_demos`.`botsv3`.`o365_management_activ...,o365_management_activity_flat_tcook,client_demos.botsv3.o365_management_activity_f...
158,`system`.`information_schema`.`recipient_allow...,`system`.`information_schema`.`recipient_allow...,recipient_allowed_ip_ranges,system.information_schema.recipient_allowed_ip...
3,`client_demos`.`botsv3`.`o365_management_activ...,`client_demos`.`botsv3`.`o365_management_activ...,o365_management_activity,client_demos.botsv3.o365_management_activity
140,`system`.`information_schema`.`catalog_provide...,`system`.`information_schema`.`catalog_provide...,catalog_provider_share_usage,system.information_schema.catalog_provider_sha...
2,`client_demos`.`botsv3`.`ms_o365_management`,`client_demos`.`botsv3`.`ms_o365_management`:\...,ms_o365_management,client_demos.botsv3.ms_o365_management
23,`client_demos`.`information_schema`.`row_filters`,`client_demos`.`information_schema`.`row_filte...,row_filters,client_demos.information_schema.row_filters


In [17]:
lui(LOOP)

In [18]:
lui(LOOP)

### Auto-loop!

In [19]:
lui(
    f"""
Ok now do Full Steps until we have a FINAL ANSWER / Exhausted 20 full Steps

- Do not halt until FINAL ANSWER or we exhausted 20 full steps
- Errors just mean more steps/strategies.
- Each full step, reoutput in full entirety all of <INSTRUCTIONS>...</INSTRUCTIONS> + <STEPS>...</STEPS> so we don't forget

<INSTRUCTIONS>
{LOOP}
</INSTRUCTIONS>

Keep going until we have FINAL ANSWER, do not stop iterating for any reason except exhausting 20 full steps
"""
)
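
The step format and loop rules above are plain text, so the caller can check them instead of relying on the model to enforce its own step budget. The following is an added example, not code from the notebook or from louie-py: it parses the `<STEPS>` block of a reply, ignores the prompt text the model was told to echo, and flags replies that stall, omit result summaries, or claim a `FINAL ANSWER` with no completed step. It assumes the reply is available as a string; `parse_steps`, `final_answer`, `check_step` and the sample replies are hypothetical names and constructed data.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

MAX_STEPS = 20  # STEP_RULES: "We can only grow up to 20 steps"
STATUS = {"⬜": "todo", "🏃": "running", "✅": "done", "❌": "failed"}
# The prompts ask the model to repeat its instructions; drop that echo before parsing.
ECHO_RE = re.compile(r"<(INSTRUCTIONS|step_rules)>.*?</\1>", flags=re.S)
# STEP_RULES format: - [<status>] <step#> <short instr> => <result_summary if done>
STEP_RE = re.compile(
    r"^-\s*\[(?P<status>[⬜🏃✅❌])\ufe0f?\]\s+(?P<id>\S+)\s+"
    r"(?P<instr>.*?)(?:\s*=>\s*(?P<result>.*))?$"
)


@dataclass
class Step:
    status: str
    step_id: str
    instruction: str
    result: str


def parse_steps(reply: str) -> list[Step]:
    """Parse the last <STEPS>...</STEPS> block of a reply into Step records."""
    blocks = re.findall(r"<STEPS>(.*?)</STEPS>", ECHO_RE.sub("", reply), flags=re.S)
    if not blocks:
        raise ValueError("reply has no <STEPS> block")
    steps = []
    for raw in blocks[-1].splitlines():
        line = raw.strip().strip("`")
        if not line:
            continue
        m = STEP_RE.match(line)
        if m is None:
            raise ValueError(f"malformed step line: {line!r}")
        steps.append(Step(STATUS[m["status"]], m["id"], m["instr"], m["result"] or ""))
    return steps


def final_answer(reply: str) -> str | None:
    """Return the claimed answer, skipping the literal 'FINAL ANSWER: <answer>' template."""
    found = re.findall(r"FINAL ANSWER:[ \t]*(\S.*)", ECHO_RE.sub("", reply))
    found = [a.strip() for a in found if a.strip() != "<answer>"]
    return found[-1] if found else None


def check_step(prev: list[Step], cur: list[Step], reply: str) -> list[str]:
    """Return loop-rule violations for one full step; an empty list means it passes."""
    problems = []
    if len(cur) > MAX_STEPS:
        problems.append(f"plan has {len(cur)} steps, cap is {MAX_STEPS}")
    if [(s.step_id, s.status) for s in cur] == [(s.step_id, s.status) for s in prev]:
        problems.append("no step changed status")
    for s in cur:
        if s.status in ("done", "failed") and not s.result:
            problems.append(f"step {s.step_id} is {s.status} without a result summary")
    # Extra check, not in the notebook: an answer needs at least one completed step.
    if final_answer(reply) and not any(s.status == "done" for s in cur):
        problems.append("FINAL ANSWER claimed with no completed step")
    return problems


# Constructed replies for illustration; not real Louie output.
PREV_REPLY = """<STEPS>
- [🏃] 1 Research: confirm the hinted table and its columns
- [⬜] 2 Query: find access key creation events for the leaked key
</STEPS>"""
GOOD_REPLY = """<INSTRUCTIONS>... say FINAL ANSWER: <answer> ...</INSTRUCTIONS>
<STEPS>
- [✅] 1 Research: confirm the hinted table and its columns => table exists
- [🏃] 2 Query: find access key creation events for the leaked key
</STEPS>"""
RUSHED_REPLY = PREV_REPLY + "\nFINAL ANSWER: PLACEHOLDER_RESOURCE"

if __name__ == "__main__":
    prev = parse_steps(PREV_REPLY)
    for reply in (GOOD_REPLY, RUSHED_REPLY):
        print(check_step(prev, parse_steps(reply), reply))
```

Running `check_step` after every `lui(LOOP)` call lets the notebook stop or re-prompt on a violation rather than spending the remaining step budget on a stalled plan.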

## Conclusion

🎉 **Congratulations!** You've completed the Vibes Investigation series!

**What you've learned:**
- **Part I**: General investigation techniques, data exploration, and insight discovery
- **Part II**: Strategic planning, structured problem-solving, and automated task execution

**Next steps:**
- Apply these techniques to your own investigations and planning tasks
- Explore other [Louie agents](https://louie-py.readthedocs.io/en/latest/reference/agents/) for specialized workflows
- Join the community and share your experiences!

**Need to review?**
- **[Back to Part I](05-vibes-investigation-I.ipynb)** - General investigation techniques

Happy investigating and planning with Louie! 🚀

In [None]:
# Example: Loading and reusing templates

# Method 1: Use Louie threads as template storage (like in Vibes I)
template_thread = lui.new(name="Planning Template Storage")
template_thread("""
Planning Template for Security Investigations:

1. UNDERSTAND THE QUESTION
   - What specific security event are we investigating?
   - What time period is relevant?
   - What systems/users are involved?

2. GATHER CONTEXT
   - Query relevant logs and tables
   - Identify key indicators
   - Map relationships between entities

3. ANALYZE PATTERNS
   - Look for anomalies
   - Compare with baseline behavior
   - Identify attack vectors

4. BUILD TIMELINE
   - Sequence events chronologically
   - Identify cause and effect
   - Find gaps in the data

5. CONCLUDE
   - Summarize findings
   - Identify root cause
   - Recommend remediation
""")

# Now use the template in a new investigation
investigation = lui.new(name="New Security Investigation")
investigation(f"""
Read dthread {template_thread.thread_id} for the planning template.

Apply that template to investigate:
Which users had failed login attempts followed by successful logins from different IPs?
""")

# Method 2: Load from external files (for team sharing)
# with open("templates/security_planning.md", "r") as f:
#     SECURITY_TEMPLATE = f.read()
#
# lui(f"""
# {SECURITY_TEMPLATE}
#
# Investigate: {your_question}
# """)

## 🎯 BOTS V3 Challenge Questions

BOTSv3 2xx questions are easier than BOTSv3 3xx questions.

### Table to use: o365_management_activity_flat_tcook

1. Which external IP address accessed the most files?

2. Which user uploaded the most files to OneDrive?

3. Which file was accessed by the largest number of distinct users who also previewed or modified it, potentially signaling internal collaboration or insider exposure?

4. A search query originating from an external IP address of Frothly's mail server yields some interesting search terms. What is the search string?

### Table to use: Client_demos.botsv3.cloudtrail

1. What IAM resource was targeted for access key creation event using the leaked AWS key?

2. What is the user agent used with the leaked AWS key to perform describe account?

3. The adversary attempts to launch an Ubuntu cloud image using a compromised IAM user account. What is the source IP address associated with this first attempt to run an instance? Username <<answer from question 1>>

In [None]:
# Starter code for BOTS investigations
# Uncomment and modify for your specific question

# # Example: Investigating external IP access (200-level)
# investigation = lui.new(name="BOTS 200 - External IP Analysis")
# investigation(f"""
# {STEP_RULES}
#
# Investigate: Which external IP address accessed the most files in o365_management_activity_flat_tcook?
#
# Plan:
# - Step 1: Explore table schema and understand IP address fields
# - Step 2: Query for sample data to see IP patterns
# - Step 3: Identify which IPs are external vs internal
# - Step 4: Count file access events grouped by external IPs
# - Step 5: Find the top accessor
# """)

# # Example: AWS IAM investigation (300-level)
# aws_investigation = lui.new(name="BOTS 300 - AWS Compromise")
# aws_investigation(f"""
# {STEP_RULES}
#
# Investigate the AWS key compromise in Client_demos.botsv3.cloudtrail:
# 1. Find IAM resources targeted for access key creation
# 2. Identify the user agent used
# 3. Track instance launch attempts
#
# Start with understanding the cloudtrail event structure.
# """)

## 🎯 Your Turn: Explore More BOTS Questions!

Congratulations on completing the Vibes Investigation II tutorial! You've learned how to use Louie for planning-based problem solving. Now it's time to apply these techniques to more challenging scenarios.

### 📊 Try These BOTS V3 Questions

The BOTS V3 dataset contains many interesting security scenarios. Here are some questions to explore:

1. **Network Analysis**: Which internal hosts communicated with known malicious IPs?
2. **User Behavior**: Identify unusual login patterns or privilege escalations
3. **Data Exfiltration**: Find evidence of large data transfers to external destinations
4. **Malware Detection**: Locate suspicious processes or file modifications
5. **Timeline Reconstruction**: Build a timeline of the security incident

### 🔧 Pro Tip: Centralized Templates

Instead of copying planning templates into each notebook, use the technique from Vibes Investigation I to load templates from external files:



### 📚 Benefits of External Templates

- **Consistency**: All team members use the same proven templates
- **Maintenance**: Update templates in one place, benefit everywhere
- **Sharing**: Easy to share best practices across teams
- **Version Control**: Track template improvements over time
- **Specialization**: Create templates for different types of investigations

### 🚀 Next Steps

1. Create your own  folder
2. Save your best planning prompts as  files
3. Build a library of templates for different scenarios
4. Share successful templates with your team
5. Iterate and improve based on results

### 💡 Example Template Structure



Happy investigating! 🔍✨
