In [None]:
import pandas as pd

# Chemin vers le fichier CSV
chemin_fichier_csv = '/content/train_dataset.csv'

# Charger les données dans un DataFrame
df = pd.read_csv(chemin_fichier_csv)

# Afficher les premières lignes du DataFrame pour vérifier
print(df.head())

                                               Input  \
0  write a kql query for Detect .jse file creatio...   
1    write a kql query for Qakbot Craigslist Domains   
2  write a kql query for Gootkit malware delivery...   
3  write a kql query for Powercat exploitation to...   
4  write a kql query for Connectivity Failures by...   

                                              Output  \
0  \n​// Creation of any .jse file, including leg...   
1  This query looks for network connections to do...   
2   \nAlertInfo | where Title =~ "Suspected deliv...   
3  \nDeviceProcessEvents | where FileName has_any...   
4  \nlet TargetURLs = dynamic(['crl.microsoft.com...   

                                                text  
0  ###Human:\nwrite a kql query for Detect .jse f...  
1  ###Human:\nwrite a kql query for Qakbot Craigs...  
2  ###Human:\nwrite a kql query for Gootkit malwa...  
3  ###Human:\nwrite a kql query for Powercat expl...  
4  ###Human:\nwrite a kql query for Connectivity ..

In [None]:
print(df.describe())

# Vérifier les valeurs manquantes
print(df.isnull().sum())

                                                Input          Output  \
count                                             272             272   
unique                                            263             265   
top     write a kql query for Jupyter AKA SolarMarker  No query found   
freq                                                3               5   

                                                     text  
count                                                 272  
unique                                                270  
top     ###Human:\nwrite a kql query for Qakbot Craigs...  
freq                                                    2  
Input     0
Output    0
text      0
dtype: int64


In [None]:
df = df.query("Output != 'No query found'")

In [None]:
df= df.loc[df['Output'] != 'No query found']

In [None]:
import re

In [None]:
def clean_kql(kql):
    # Supprimer les commentaires
    kql_cleaned = re.sub(r'//.*?$|/\*.*?\*/', '', kql, flags=re.DOTALL | re.MULTILINE)
    # Supprimer les URLs
    kql_cleaned = re.sub(r'http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+', '', kql_cleaned)

    return kql_cleaned.strip()

In [None]:
df['Output'] = df['Output'].apply(clean_kql)

In [None]:
df

Unnamed: 0,Input,Output,text
0,write a kql query for Detect .jse file creatio...,​\nDeviceFileEvents \n| where Timestamp > ago(...,###Human:\nwrite a kql query for Detect .jse f...
1,write a kql query for Qakbot Craigslist Domains,This query looks for network connections to do...,###Human:\nwrite a kql query for Qakbot Craigs...
2,write a kql query for Gootkit malware delivery...,"AlertInfo | where Title =~ ""Suspected delivery...",###Human:\nwrite a kql query for Gootkit malwa...
3,write a kql query for Powercat exploitation to...,DeviceProcessEvents | where FileName has_any (...,###Human:\nwrite a kql query for Powercat expl...
4,write a kql query for Connectivity Failures by...,"let TargetURLs = dynamic(['crl.microsoft.com',...",###Human:\nwrite a kql query for Connectivity ...
...,...,...,...
267,write a kql query for Deletion of data on mult...,DeviceProcessEvents\n| where Timestamp > ago(1...,###Human:\nwrite a kql query for Deletion of d...
268,write a kql query for LaZagne Credential Theft,DeviceProcessEvents \n| where FileName =~ 'reg...,###Human:\nwrite a kql query for LaZagne Crede...
269,write a kql query for File Backup Deletion Alerts,"AlertInfo\n| where Title == ""File backups were...",###Human:\nwrite a kql query for File Backup D...
270,write a kql query for IcedId attachments,"let SubjectTerms = pack_array(""RE:"",""FW:"",""FWD...",###Human:\nwrite a kql query for IcedId attach...


In [None]:
!pip install rich



In [1]:
import json

# Chargement du fichier de schéma
with open('/content/Microsoft_tables.tables.json', 'r') as file:
    schema = json.load(file)

# Extraction des noms de tables et de colonnes
schema_words = set()
for table in schema:
    schema_words.add(table['Table Name'])
    for column in table['Table Data']:
        schema_words.add(column['Column Name'])


In [None]:
from rich import print as rprint

def color_kql_query(query):
    kql_syntax = {'where', 'join', 'in', 'extend', 'project', 'summarize', 'order by', 'desc', 'and', 'by', 'contains', 'on'}
    symbols = {',', '(', ')', '[', ']', '|', '=', '>', '<', '!', '"', "'", ';'}

    words = query.split()
    colored_query = []

    for word in words:
        clean_word = word.strip(",.[]()\"';")
        if clean_word in schema_words:
            colored_query.append(f"[green]{word}[/green]")
        elif clean_word in kql_syntax:
            colored_query.append(f"[blue]{word}[/blue]")
        elif any(sym in word for sym in symbols):
            colored_query.append(f"[yellow]{word}[/yellow]")
        else:
            colored_query.append(f"[red]{word}[/red]")

    rprint(" ".join(colored_query))

# Exemple d'utilisation
query = "DeviceNetworkEvents | where RemoteUrl in ('mail.alamdarhardware.com')"
color_kql_query(query)

In [None]:
from rich.console import Console
from rich.markup import escape

def color_kql_query(query, console):
    kql_syntax = {'where', 'join', 'in', 'extend', 'project', 'summarize', 'order by', 'desc', 'and', 'by', 'contains', 'on'}
    symbols = {',', '(', ')', '[', ']', '|', '=', '>', '<', '!', '"', "'", ';'}

    words = query.split()
    colored_query = []

    for word in words:
        clean_word = word.strip(",.[]()\"';")
        if clean_word in schema_words:
            colored_query.append(f"[green]{escape(word)}[/green]")
        elif clean_word in kql_syntax:
            colored_query.append(f"[blue]{escape(word)}[/blue]")
        elif any(sym in word for sym in symbols):
            colored_query.append(f"[yellow]{escape(word)}[/yellow]")
        else:
            colored_query.append(f"[red]{escape(word)}[/red]")

    # Join the words into a single string
    result = " ".join(colored_query)
    console.print(result)  # Print with colors in the console

# Create a console object for printing
console = Console()


In [None]:
for query in df['Output']:
    color_kql_query(query, console)

In [2]:
import re

def extract_table_and_column_names(query):
    # Expression régulière pour capturer les noms de tables
    table_pattern = re.compile(r'^\s*(\w+)\s*\|', re.MULTILINE)

    # Expressions régulières pour capturer les colonnes après les mots-clés KQL
    column_patterns = [
        re.compile(r'\bwhere\s+(\w+)', re.IGNORECASE),
        re.compile(r'\bproject\s+([^\|]+)', re.IGNORECASE),
        re.compile(r'\bextend\s+([^\|]+)', re.IGNORECASE),
        re.compile(r'\bsummarize\s+([^\|]+)', re.IGNORECASE),
        re.compile(r'\bcountif\((\w+)', re.IGNORECASE),
        re.compile(r'\bmake_list\((\w+)', re.IGNORECASE),
        re.compile(r'\border by\s+([^\|]+)', re.IGNORECASE)
    ]

    # Trouver tous les noms de tables
    tables = set(match.group(1) for match in table_pattern.finditer(query))

    # Trouver tous les noms de colonnes
    column_names = set()
    for pattern in column_patterns:
        for match in pattern.finditer(query):
            column_group = match.group(1)
            items = re.split(r',\s*', column_group)
            for item in items:
                # Exclure les valeurs littérales (valeurs entre guillemets) et capturer les noms de colonnes valides
                if not re.match(r'["\'].*["\']', item):
                    name = re.split(r'\s|=|\(|\)', item.strip())[0]
                    if name:  # Ajouter si non vide
                        column_names.add(name)

    return list(tables), list(column_names)

# Exemple d'utilisation avec la requête fournie
query = """
EntraIDLogs
| where Timestamp > ago(7d)
| where DomainName in (Domains)
| project DomainName, Timestamp, UserPrincipalName, IsLocalLogon
| union
EntraIDLogs
| where Timestamp > ago(30d)
| where DomainName in (Domains)
| project DomainName, Timestamp, UserPrincipalName, IsLocalLogon
"""
tables, columns = extract_table_and_column_names(query)
print("Tables:", tables)
print("Columns:", columns)





Tables: ['EntraIDLogs']
Columns: ['IsLocalLogon', 'UserPrincipalName', 'Timestamp', 'DomainName']


In [3]:
import json
import pandas as pd
import re

# Chemin vers le fichier JSON contenant le schéma
schema_file_path = '/content/Microsoft_tables.tables.json'
# Charger le fichier de schéma
with open(schema_file_path, 'r') as file:
    raw_schema = json.load(file)

# Transformer le schéma en un dictionnaire plus simple pour la validation
schema = {}
for table in raw_schema:
    table_name = table["Table Name"]
    columns = [column["Column Name"] for column in table["Table Data"]]
    schema[table_name] = columns

# Afficher le schéma pour vérification
print(json.dumps(schema, indent=2))

{
  "AADSignInEventsBeta": [
    "Timestamp",
    "Application",
    "ApplicationId",
    "LogonType",
    "ErrorCode",
    "CorrelationId",
    "SessionId",
    "AccountDisplayName",
    "AccountObjectId",
    "AccountUpn",
    "IsExternalUser",
    "IsGuestUser",
    "AlternateSignInName",
    "LastPasswordChangeTimestamp",
    "ResourceDisplayName",
    "ResourceId",
    "ResourceTenantId",
    "DeviceName",
    "AadDeviceId",
    "OSPlatform",
    "DeviceTrustType",
    "IsManaged",
    "IsCompliant",
    "AuthenticationProcessingDetails",
    "AuthenticationRequirement",
    "TokenIssuerType",
    "RiskLevelAggregated",
    "RiskDetails",
    "RiskState",
    "UserAgent",
    "ClientAppUsed",
    "Browser",
    "ConditionalAccessPolicies",
    "ConditionalAccessStatus",
    "IPAddress",
    "Country",
    "State",
    "City",
    "Latitude",
    "Longitude",
    "NetworkLocationDetails",
    "RequestId",
    "ReportId"
  ],
  "AADSpnSignInEventsBeta": [
    "Timestamp",
    "Appli

In [4]:
kql_functions = {
    'abs', 'acos', 'ago', 'area', 'arg_max', 'arg_min', 'array_concat', 'array_iif', 'array_length', 'array_slice',
    'array_split', 'asin', 'atan', 'atan2', 'avg', 'bag_unpack', 'base64_decode', 'base64_encode', 'base64_has', 'between',
    'bin', 'bin_at', 'btrim', 'buildschema', 'case', 'ceil', 'coalesce', 'cos', 'cot', 'count', 'countif', 'dcount',
    'dcount_hll', 'decode_json', 'degrees', 'extent_id', 'extract', 'first', 'floor', 'format_datetime', 'format_timespan',
    'geo_point_to_h3cell', 'geo_polygon_densify', 'geo_polygon_tostring', 'geo_to_h3cell', 'geo_voronoi', 'geojson_object_to_polygon',
    'geojson_tostring', 'getmonth', 'getyear', 'h3cell_area', 'h3cell_center', 'h3cell_children', 'h3cell_distance',
    'h3cell_parents', 'hash', 'hash_sha256', 'hassubstr', 'hex_encode', 'hll_merge', 'hll_raw_tostring', 'iif', 'indexof',
    'is_empty', 'isnotempty', 'json_extract', 'json_extract_array', 'json_extract_keys', 'json_extract_scalar', 'json_path_exists',
    'json_to_array', 'json_to_object', 'jaccard_index', 'kurtosis', 'left', 'len', 'line', 'log', 'log10', 'log2', 'log_gamma',
    'longest_string', 'lookup', 'make_bag', 'make_list', 'make_set', 'map', 'max', 'mean', 'median', 'min', 'mode', 'moment',
    'notempty', 'now', 'pack', 'pack_all', 'pack_array', 'percentiles', 'parse_json', 'parse_url', 'pi', 'pow', 'quantile',
    'range', 'reduce', 'render', 'reverse', 'right', 'round', 'row_number', 'samples', 'sin', 'sort', 'split', 'sqrt', 'stdev',
    'stdevp', 'strcat', 'strcat_array', 'strcat_delim', 'string_size', 'substring', 'sum', 'tangent', 'tobin', 'tolower', 'toupper',
    'tostring', 'tohex', 'totimespan', 'totimestamp', 'trace', 'trim', 'trunc', 'uniq', 'unique', 'url_decode', 'url_encode',
    'variance', 'variancep', 'wavg', 'within', 'xpath', 'zip'
}


In [5]:
def extract_table_and_column_names(query):
    table_pattern = re.compile(r'\b(\w+)\s*\|')
    column_patterns = [
        re.compile(r'\bwhere\s+([^\|]+)', re.IGNORECASE),
        re.compile(r'\bproject\s+([^\|]+)', re.IGNORECASE),
        re.compile(r'\bextend\s+([^\|]+)', re.IGNORECASE),
        re.compile(r'\bsummarize\s+([^\|]+)', re.IGNORECASE),
        re.compile(r'\bcountif\((\w+)', re.IGNORECASE),
        re.compile(r'\bmake_list\((\w+)', re.IGNORECASE),
        re.compile(r'\border by\s+([^\|]+)', re.IGNORECASE)
    ]
    tables = set(match.group(1) for match in table_pattern.finditer(query))
    column_names = set()
    for pattern in column_patterns:
        for match in pattern.finditer(query):
            column_group = match.group(1)
            if pattern.pattern.startswith(r'\bsummarize'):
                items = re.split(r',\s*(?!\s*\w+\s*=)', column_group)
            else:
                items = re.split(r',\s*', column_group)
            for item in items:
                item = item.strip()
                if not re.match(r'["\'].*["\']', item):
                    name = re.split(r'\s|=|\(|\)|,', item.strip())[0]
                    if name and name not in kql_functions and not re.match(r'\d+[smhd]', name) and name != 'by':  # Exclure fonctions, littéraux temporels et 'by'
                        column_names.add(name)
    return list(tables), list(column_names)

In [6]:
def validate_query_against_schema(tables, columns, schema):
    invalid_tables = []
    invalid_columns = []

    for table in tables:
        if table not in schema:
            invalid_tables.append(table)
        else:
            valid_columns = schema[table]
            for column in columns:
                if column not in valid_columns:
                    invalid_columns.append(column)

    return invalid_tables, invalid_columns

In [17]:
import pandas as pd

# Chemin vers le fichier CSV
chemin_fichier_csv = '/content/data_final.csv'

# Charger les données dans un DataFrame
df = pd.read_csv(chemin_fichier_csv)

# Afficher les premières lignes du DataFrame pour vérifier
print(df.head())

                                         description  \
0  Detects the creation of a named pipe used by k...   
1  This query will break down hostnames into thei...   
2  Device Network Events Involving Low Count FQDN...   
3  This query looks for Tor client, or for a comm...   
4  This query was originally published in the thr...   

                                                 kql                  tactics  \
0  let minTimeRange = ago(7d);\n\nlet badPipeName...  ['Command and control']   
1  let LowCountThreshold = 10;\nlet MaxAge = ago(...  ['Command and control']   
2  DeviceNetworkEvents\n| where Timestamp > ago(1...  ['Command and control']   
3  DeviceNetworkEvents  \n| where Timestamp < ago...  ['Command and control']   
4  let IPs = pack_array("109.176.117.11", "5.100....  ['Command and control']   

                                          techniques  
0                     ['Application Layer Protocol']  
1                     ['Application Layer Protocol']  
2          

In [18]:
def add_invalid_names_column(df, schema):
    invalid_entries = []
    for query in df['kql']:
        tables, columns = extract_table_and_column_names(query)
        invalid_tables, invalid_columns = validate_query_against_schema(tables, columns, schema)
        invalid_entries.append({"invalid_tables": invalid_tables, "invalid_columns": invalid_columns})

    df['invalid_entries'] = invalid_entries



# Appliquer la fonction au DataFrame
add_invalid_names_column(df, schema)


In [19]:
print(df)

                                           description  \
0    Detects the creation of a named pipe used by k...   
1    This query will break down hostnames into thei...   
2    Device Network Events Involving Low Count FQDN...   
3    This query looks for Tor client, or for a comm...   
4    This query was originally published in the thr...   
..                                                 ...   
556    Threat Hunting Cisco Yanluowang Ransomware IOCs   
557                       Threat Hunting Nighthawk RAT   
558   APTNotes table that can be used to join with ...   
559   This query uses a external csv that contains ...   
560   Microsoft Threat Intelligence has identified ...   

                                                   kql  \
0    let minTimeRange = ago(7d);\n\nlet badPipeName...   
1    let LowCountThreshold = 10;\nlet MaxAge = ago(...   
2    DeviceNetworkEvents\n| where Timestamp > ago(1...   
3    DeviceNetworkEvents  \n| where Timestamp < ago...   
4    let IPs 

In [21]:
df

Unnamed: 0,description,kql,tactics,techniques,invalid_entries
0,Detects the creation of a named pipe used by k...,let minTimeRange = ago(7d);\n\nlet badPipeName...,['Command and control'],['Application Layer Protocol'],"{'invalid_tables': ['minTimeRange'], 'invalid_..."
1,This query will break down hostnames into thei...,let LowCountThreshold = 10;\nlet MaxAge = ago(...,['Command and control'],['Application Layer Protocol'],"{'invalid_tables': ['asc', 'LowCountThreshold'..."
2,Device Network Events Involving Low Count FQDN...,DeviceNetworkEvents\n| where Timestamp > ago(1...,['Command and control'],['Application Layer Protocol'],"{'invalid_tables': ['FQDN', 'asc'], 'invalid_c..."
3,"This query looks for Tor client, or for a comm...",DeviceNetworkEvents \n| where Timestamp < ago...,['Command and control'],['Proxy'],"{'invalid_tables': ['InitiatingProcessMD5'], '..."
4,This query was originally published in the thr...,"let IPs = pack_array(""109.176.117.11"", ""5.100....",['Command and control'],"['Application Layer Protocol','Ingress Tool Tr...","{'invalid_tables': [], 'invalid_columns': []}"
...,...,...,...,...,...
556,Threat Hunting Cisco Yanluowang Ransomware IOCs,// based on https://blog.talosintelligence.com...,['Initial Access'],['Valid Accounts'],"{'invalid_tables': [], 'invalid_columns': ['SH..."
557,Threat Hunting Nighthawk RAT,let NighthawkRat = dynamic(['0551ca07f05c2a827...,['Initial Access'],['Valid Accounts'],"{'invalid_tables': [], 'invalid_columns': ['Ti..."
558,APTNotes table that can be used to join with ...,"let APTInfo = externaldata(Filename: string, T...",['Initial Access'],['Valid Accounts'],"{'invalid_tables': ['APTInfo'], 'invalid_colum..."
559,This query uses a external csv that contains ...,"let APTInfo = externaldata(Filename: string, T...",['Initial Access'],['Valid Accounts'],"{'invalid_tables': ['2008', 'APTInfo'], 'inval..."


In [None]:
# Supprimer la colonne 'text'
#df.drop(columns=['text'], inplace=True)

# Filtrer les lignes où 'invalid_tables' et 'invalid_columns' sont vides
df_cleaned = df[(df['invalid_entries'].apply(lambda x: not x['invalid_tables'])) &
                (df['invalid_entries'].apply(lambda x: not x['invalid_columns']))]

In [None]:
df_cleaned

Unnamed: 0,collection_name,name,description,kql_query,tactics,matched_columns,tactics_descriptions,keywords,invalid_entries
2,EmailPostDeliveryEvents,Threat actor Phosphorus masquerading as confer...,Identify prior activity from this campaign usi...,"let MaliciousSenders = dynamic([""t20saudiarabi...",['Initial access'],"{'NetworkMessageId': {'data_type': 'string', '...",The adversary is trying to get into your network.,"filter, campaign, using, security, activity","{'invalid_tables': [], 'invalid_columns': []}"
13,DeviceLogonEvents,Events surrounding alert (2),This query looks for events that are near in t...,"let DeviceId = ""474908f457a1dc4c1fab568f808d5f...",[],"{'Timestamp': {'data_type': 'datetime', 'descr...",,"event, events, logon, filter, time","{'invalid_tables': [], 'invalid_columns': []}"
15,DeviceLogonEvents,Events surrounding alert,This query looks for events that are near in t...,"let DeviceId = ""474908f457a1dc4c1fab568f808d5f...",[],"{'Timestamp': {'data_type': 'datetime', 'descr...",,"event, events, logon, filter, time","{'invalid_tables': [], 'invalid_columns': []}"
20,DeviceLogonEvents,insider-threat-detection-queries (15),Intent:\n- Use MTP capability to look for insi...,"let StartTime = datetime(""8:00:00 AM"");\nlet E...","['Initial access', 'Persistence', 'Exfiltration']","{'Timestamp': {'data_type': 'datetime', 'descr...",The adversary is trying to get into your netwo...,"insider, indicators, risk, threat, organization","{'invalid_tables': [], 'invalid_columns': []}"
24,DeviceLogonEvents,localAdminAccountLogon,This query looks for local admin account used ...,DeviceLogonEvents\n| where IsLocalAdmin == 1\n...,[],"{'DeviceName': {'data_type': 'string', 'descri...",,"computer, logon, malicious, windows, file","{'invalid_tables': [], 'invalid_columns': []}"
...,...,...,...,...,...,...,...,...,...
749,AlertEvidence,File Backup Deletion Alerts,This query checks alerts related to file backu...,"AlertInfo\n| where Title == ""File backups were...",['Ransomware'],"{'AlertId': {'data_type': 'string', 'descripti...",,"alerts, additional, related, file, windows","{'invalid_tables': [], 'invalid_columns': []}"
757,AlertEvidence,Ransomware hits healthcare - Backup deletion,List alerts flagging attempts to delete backup...,AlertInfo\n| where Timestamp > ago(7d) \n| whe...,[],"{'Timestamp': {'data_type': 'datetime', 'descr...",,"alerts, files, windows, devices, dll","{'invalid_tables': [], 'invalid_columns': []}"
773,CloudAppEvents,Mass Downloads in the last 7 days,This query looks for mass downloads identified...,let lookback = 7d;,['Exfiltration'],{},The adversary is trying to steal data.,"set, defender, filter, events, exploit","{'invalid_tables': [], 'invalid_columns': []}"
786,IdentityQueryEvents,c2-lookup-from-nonbrowser[Nobelium] (1),This query was originally published in the thr...,"IdentityQueryEvents\n| where ActionType == ""DN...",['Command and control'],"{'Timestamp': {'data_type': 'datetime', 'descr...",The adversary is trying to communicate with co...,"nobelium, attack, software, detects, campaign","{'invalid_tables': [], 'invalid_columns': []}"


In [None]:
df_cleaned.drop(columns=['invalid_entries'], inplace=True)

A value is trying to be set on a copy of a slice from a DataFrame

See the caveats in the documentation: https://pandas.pydata.org/pandas-docs/stable/user_guide/indexing.html#returning-a-view-versus-a-copy
  df_cleaned.drop(columns=['invalid_entries'], inplace=True)


In [None]:
df_cleaned.drop(columns=['matched_columns','keywords'], inplace=True)

A value is trying to be set on a copy of a slice from a DataFrame

See the caveats in the documentation: https://pandas.pydata.org/pandas-docs/stable/user_guide/indexing.html#returning-a-view-versus-a-copy
  df_cleaned.drop(columns=['matched_columns','keywords'], inplace=True)


In [None]:
print(df_cleaned)

             collection_name  \
2    EmailPostDeliveryEvents   
13         DeviceLogonEvents   
15         DeviceLogonEvents   
20         DeviceLogonEvents   
24         DeviceLogonEvents   
..                       ...   
749            AlertEvidence   
757            AlertEvidence   
773           CloudAppEvents   
786      IdentityQueryEvents   
787      IdentityQueryEvents   

                                                  name  \
2    Threat actor Phosphorus masquerading as confer...   
13                        Events surrounding alert (2)   
15                            Events surrounding alert   
20               insider-threat-detection-queries (15)   
24                              localAdminAccountLogon   
..                                                 ...   
749                        File Backup Deletion Alerts   
757       Ransomware hits healthcare - Backup deletion   
773                  Mass Downloads in the last 7 days   
786            c2-lookup-from-nonbr

In [None]:
output_filename = "cleaned_output.csv"
df_cleaned.to_csv(output_filename, index=False)

In [None]:
import requests

# Informations du dépôt
owner = "microsoft"
repo = "Microsoft-365-Defender-Hunting-Queries"

# URL de l'API GitHub pour obtenir le contenu du dépôt
api_url = f"https://api.github.com/repos/{owner}/{repo}/contents"

# Fonction pour obtenir le contenu des fichiers d'un dossier
def get_files_from_folder(api_url):
    response = requests.get(api_url)
    files = response.json()
    file_urls = []

    for file in files:
        if file['type'] == 'file' and file['name'].endswith(('.md', '.kql', '.txt')):
            file_urls.append(file['download_url'])
        elif file['type'] == 'dir':
            # Si c'est un dossier, récursive sur ce dossier
            file_urls += get_files_from_folder(file['url'])

    return file_urls

# Obtenir la liste des fichiers pertinents
kql_files = get_files_from_folder(api_url)

# Afficher les fichiers trouvés
print(f"Found {len(kql_files)} KQL files.")
for file in kql_files:
    print(file)


[]

In [None]:
import os
import pandas as pd
from bs4 import BeautifulSoup

# Fonction pour extraire les requêtes KQL et leurs descriptions à partir du contenu markdown
def extract_kql_queries_from_md(md_content):
    queries = []
    current_description = []
    in_query = False

    for line in md_content.split('\n'):
        if line.startswith("```"):
            in_query = not in_query
            if not in_query:  # This means we're at the end of a query block
                queries.append((" ".join(current_description), kql_query.strip()))
                current_description = []
            else:
                kql_query = ""
        elif in_query:
            kql_query += line + '\n'
        elif line.strip():
            current_description.append(line.strip())

    return queries

# Chemin du dépôt local (à ajuster selon votre configuration)
repo_local_path = "/content/data"

# Parcourir tous les fichiers .md dans les sous-dossiers du dépôt
kql_queries = []

for root, dirs, files in os.walk(repo_local_path):
    for file in files:
        if file.endswith(".md"):
            file_path = os.path.join(root, file)
            with open(file_path, 'r', encoding='utf-8') as f:
                md_content = f.read()
                queries = extract_kql_queries_from_md(md_content)
                kql_queries.extend(queries)

# Créer une DataFrame à partir des requêtes extraites
df_kql_queries = pd.DataFrame(kql_queries, columns=["Description", "KQL Query"])

# Afficher les premières lignes du DataFrame
print(df_kql_queries.head(10))


                                         Description  \
0  # Devices with vulnerability // Author: jan ge...   
1                                                      
2  # RunDLL Suspicious Network Connections During...   

                                           KQL Query  
0  let all_computers_with_vlcvln=\nDeviceTvmSoftw...  
1  // 1.\tA list of all devices that have this vu...  
2  DeviceNetworkEvents\n| where InitiatingProcess...  


In [None]:
df_kql_queries

Unnamed: 0,Description,KQL Query
0,# Devices with vulnerability // Author: jan ge...,let all_computers_with_vlcvln=\nDeviceTvmSoftw...
1,,// 1.\tA list of all devices that have this vu...
2,# RunDLL Suspicious Network Connections During...,DeviceNetworkEvents\n| where InitiatingProcess...


In [None]:
import pandas as pd

# Chemin vers le fichier CSV
chemin_fichier_csv = '/content/datayes.csv'

# Charger les données dans un DataFrame
df1 = pd.read_csv(chemin_fichier_csv)


In [None]:
df1.describe

In [None]:
df1

Unnamed: 0,Description,KQL Query
0,# Abuse.ch Recent Threat Feed This query will ...,let MaxAge = ago(1d);\nlet AbuseFeed = materia...
1,...or if you don't care about the details from...,let MaxAge = ago(1d);\nlet AbuseFeed = toscala...
2,# Locate Nobelium implant receiving DNS respon...,"DeviceEvents\n| where ActionType == ""DnsQueryR..."
3,# Locate Nobelium implant receiving DNS respon...,"DeviceEvents\n| where ActionType == ""DnsQueryR..."
4,# Detect Cobalt Strike invoked via WMI This qu...,// Find use of Base64 encoded PowerShell\n// I...
...,...,...
267,# Turning off System Restore This query identi...,DeviceProcessEvents\n//Pivoting for rundll32 ...
268,# Connectivity Failures by Device This query c...,"let TargetURLs = dynamic(['crl.microsoft.com',..."
269,# Connectivity Failures by Domain This query i...,let TargetURLs = dynamic(['winatp-gw-cus.micro...
270,# Devices with vulnerability // Author: jan ge...,let all_computers_with_vlcvln=\nDeviceTvmSoftw...


In [None]:
import re


# Fonction pour nettoyer les descriptions
def clean_description(description):
    # Remove "## Query" and "##" if present
    description = re.sub(r'## Query', '', description)
    description = re.sub(r'##', '', description)

    # Remove URLs
    description = re.sub(r'http\S+', '', description)

    # Remove links in Markdown format
    description = re.sub(r'\[.*?\]\(.*?\)', '', description)

    # Remove extra whitespace
    description = re.sub(r'\s+', ' ', description).strip()

    # Remove all non-alphanumeric characters except spaces
    description = re.sub(r'[^a-zA-Z0-9\s]', '', description)

    # Convert to lowercase
    description = description.lower()

    return description

In [None]:
# Convertir toutes les valeurs de la colonne 'Description' en chaînes
df1['Description'] = df1['Description'].astype(str)

# Appliquer la fonction de nettoyage sur la colonne 'Description'
df1['Description'] = df1['Description'].apply(clean_description)

In [None]:
print(df1)

                                           Description  \
0     abusech recent threat feed this query will hu...   
1    or if you dont care about the details from mal...   
2     locate nobelium implant receiving dns respons...   
3     locate nobelium implant receiving dns respons...   
4     detect cobalt strike invoked via wmi this que...   
..                                                 ...   
267   turning off system restore this query identif...   
268   connectivity failures by device this query ch...   
269   connectivity failures by domain this query is...   
270   devices with vulnerability  author jan geisba...   
271                                                nan   

                                             KQL Query  
0    let MaxAge = ago(1d);\nlet AbuseFeed = materia...  
1    let MaxAge = ago(1d);\nlet AbuseFeed = toscala...  
2    DeviceEvents\n| where ActionType == "DnsQueryR...  
3    DeviceEvents\n| where ActionType == "DnsQueryR...  
4    // Find use o

In [None]:
df_cleaned2 = df1.dropna()




In [None]:
df_cleaned2

Unnamed: 0,Description,KQL Query
0,abusech recent threat feed this query will hu...,let MaxAge = ago(1d);\nlet AbuseFeed = materia...
1,or if you dont care about the details from mal...,let MaxAge = ago(1d);\nlet AbuseFeed = toscala...
2,locate nobelium implant receiving dns respons...,"DeviceEvents\n| where ActionType == ""DnsQueryR..."
3,locate nobelium implant receiving dns respons...,"DeviceEvents\n| where ActionType == ""DnsQueryR..."
4,detect cobalt strike invoked via wmi this que...,// Find use of Base64 encoded PowerShell\n// I...
...,...,...
267,turning off system restore this query identif...,DeviceProcessEvents\n//Pivoting for rundll32 ...
268,connectivity failures by device this query ch...,"let TargetURLs = dynamic(['crl.microsoft.com',..."
269,connectivity failures by domain this query is...,let TargetURLs = dynamic(['winatp-gw-cus.micro...
270,devices with vulnerability author jan geisba...,let all_computers_with_vlcvln=\nDeviceTvmSoftw...


In [None]:
output_filename = "cleaned_output2.csv"
df_cleaned2.to_csv(output_filename, index=False)

In [None]:
def rename_columns(df1, df2):

    # Rename columns to 'Input' and 'KQL Query'
    df1.columns = ['Input', 'KQL Query']
    df2.columns = ['Input', 'KQL Query']

    return df1, df2


# Rename the columns
df_cleaned,df_cleaned2 = rename_columns(df_cleaned, df_cleaned2)











In [None]:
df_cleaned

Unnamed: 0,Input,KQL Query
0,write a kql query for Detect .jse file creatio...,​\nDeviceFileEvents \n| where Timestamp > ago(...
1,write a kql query for Qakbot Craigslist Domains,This query looks for network connections to do...
3,write a kql query for Powercat exploitation to...,DeviceProcessEvents | where FileName has_any (...
7,write a kql query for Check for ShadowHammer-r...,DeviceNetworkEvents \n| where Timestamp > ago(...
11,write a kql query for Detect command-and-contr...,"let IPs = pack_array(""109.176.117.11"", ""5.100...."
...,...,...
260,write a kql query forSuspicious Image Load rel...,DeviceImageLoadEvents \n| where InitiatingProc...
266,write a kql query for HTA startup persistence,DeviceFileEvents\n| where FolderPath contains ...
268,write a kql query for LaZagne Credential Theft,DeviceProcessEvents \n| where FileName =~ 'reg...
269,write a kql query for File Backup Deletion Alerts,"AlertInfo\n| where Title == ""File backups were..."


In [None]:
df_cleaned2

Unnamed: 0,Input,KQL Query
0,abusech recent threat feed this query will hu...,let MaxAge = ago(1d);\nlet AbuseFeed = materia...
1,or if you dont care about the details from mal...,let MaxAge = ago(1d);\nlet AbuseFeed = toscala...
2,locate nobelium implant receiving dns respons...,"DeviceEvents\n| where ActionType == ""DnsQueryR..."
3,locate nobelium implant receiving dns respons...,"DeviceEvents\n| where ActionType == ""DnsQueryR..."
4,detect cobalt strike invoked via wmi this que...,// Find use of Base64 encoded PowerShell\n// I...
...,...,...
267,turning off system restore this query identif...,DeviceProcessEvents\n//Pivoting for rundll32 ...
268,connectivity failures by device this query ch...,"let TargetURLs = dynamic(['crl.microsoft.com',..."
269,connectivity failures by domain this query is...,let TargetURLs = dynamic(['winatp-gw-cus.micro...
270,devices with vulnerability author jan geisba...,let all_computers_with_vlcvln=\nDeviceTvmSoftw...


In [None]:
concatenated_df = pd.concat([df_cleaned, df_cleaned2], ignore_index=True)

In [None]:
concatenated_df

Unnamed: 0,Input,KQL Query
0,write a kql query for Detect .jse file creatio...,​\nDeviceFileEvents \n| where Timestamp > ago(...
1,write a kql query for Qakbot Craigslist Domains,This query looks for network connections to do...
2,write a kql query for Powercat exploitation to...,DeviceProcessEvents | where FileName has_any (...
3,write a kql query for Check for ShadowHammer-r...,DeviceNetworkEvents \n| where Timestamp > ago(...
4,write a kql query for Detect command-and-contr...,"let IPs = pack_array(""109.176.117.11"", ""5.100...."
...,...,...
396,turning off system restore this query identif...,DeviceProcessEvents\n//Pivoting for rundll32 ...
397,connectivity failures by device this query ch...,"let TargetURLs = dynamic(['crl.microsoft.com',..."
398,connectivity failures by domain this query is...,let TargetURLs = dynamic(['winatp-gw-cus.micro...
399,devices with vulnerability author jan geisba...,let all_computers_with_vlcvln=\nDeviceTvmSoftw...


In [None]:
concatenated_df.to_csv('/content/concatenated_output.csv', index=False)

In [None]:
!pip install rouge_score

Collecting rouge_score
  Downloading rouge_score-0.1.2.tar.gz (17 kB)
  Preparing metadata (setup.py) ... [?25l[?25hdone
Building wheels for collected packages: rouge_score
  Building wheel for rouge_score (setup.py) ... [?25l[?25hdone
  Created wheel for rouge_score: filename=rouge_score-0.1.2-py3-none-any.whl size=24933 sha256=565db63bbb0bbb0d1a8689165e3aabd3f3be4b1ef190618965b370db5b30395e
  Stored in directory: /root/.cache/pip/wheels/5f/dd/89/461065a73be61a532ff8599a28e9beef17985c9e9c31e541b4
Successfully built rouge_score
Installing collected packages: rouge_score
Successfully installed rouge_score-0.1.2


In [None]:
from rouge_score import rouge_scorer

def calculate_rouge_scores(references, predictions):
    scorer = rouge_scorer.RougeScorer(['rouge1', 'rouge2', 'rougeL'], use_stemmer=True)
    scores = {'rouge1': [], 'rouge2': [], 'rougeL': []}

    for ref, pred in zip(references, predictions):
        score = scorer.score(ref, pred)
        scores['rouge1'].append(score['rouge1'].fmeasure)
        scores['rouge2'].append(score['rouge2'].fmeasure)
        scores['rougeL'].append(score['rougeL'].fmeasure)

    avg_scores = {metric: sum(values) / len(values) for metric, values in scores.items()}
    return avg_scores

def evaluate_model(references, predictions):
    scores = calculate_rouge_scores(references, predictions)
    print(f"ROUGE-1 F1 Score: {scores['rouge1']:.4f}")
    print(f"ROUGE-2 F1 Score: {scores['rouge2']:.4f}")
    print(f"ROUGE-L F1 Score: {scores['rougeL']:.4f}")

# Example usage:
references = [
    "let BlacklistedApps = dynamic(['app1', 'app2', 'app3']);  // Replace with actual blacklisted app names or IDs let BlacklistedUsers = dynamic(['user1@example.com', 'user2@example.com']);  // Replace with actual blacklisted user identifiers'let TimeWindow = 30m; DeviceNetworkEvents| where TimeGenerated > ago(1d)| where (Application in (BlacklistedApps) or Account in (BlacklistedUsers))| summarize ConnectionCount = count() by bin(TimeGenerated, TimeWindow), Application, Account| where ConnectionCount > 100| project TimeGenerated, Application, Account, ConnectionCount"
]

predictions = [
    "AlertInfo| where Timestamp > ago(30d) | where RemoteIPConnectionCount > 100| where RemoteIPFileName matches regex apply switchever '|' | project Timestamp, RemoteIP, RemoteIPFileName, RemoteIPCountry, DeviceName, AccountSid, AppId, RemoteIPState, RemoteIPClientType, RemoteIPClientVersion | join kind=inner (DeviceAppEvents| where Timestamp > ago(30d)µ where DeviceName == DeviceName and Action == RemoteIPConnection| project Timestamp, DeviceId, DeviceName, Action, AppId, AccountSid, RemoteIP, RemoteIPCountry, RemoteIPState, RemoteIPClientType, RemoteIPClientVersion ) on DeviceId "
]

evaluate_model(references, predictions)


ROUGE-1 F1 Score: 0.1043
ROUGE-2 F1 Score: 0.0000
ROUGE-L F1 Score: 0.0870


In [None]:
from nltk.translate.bleu_score import sentence_bleu, SmoothingFunction

def calculate_bleu_scores(references, predictions):
    bleu_scores = []
    for ref, pred in zip(references, predictions):
        ref_tokens = [ref.split()]
        pred_tokens = pred.split()
        score = sentence_bleu(ref_tokens, pred_tokens, smoothing_function=SmoothingFunction().method1)
        bleu_scores.append(score)
    avg_bleu = sum(bleu_scores) / len(bleu_scores)
    return avg_bleu

def evaluate_model_bleu(references, predictions):
    bleu_score = calculate_bleu_scores(references, predictions)
    print(f"BLEU Score: {bleu_score:.4f}")

# Example usage:
evaluate_model_bleu(references, predictions)

BLEU Score: 0.0086


In [None]:
from sklearn.feature_extraction.text import TfidfVectorizer
from sklearn.metrics.pairwise import cosine_similarity

def calculate_cosine_similarity(references, predictions):
    vectorizer = TfidfVectorizer().fit_transform(references + predictions)
    vectors = vectorizer.toarray()
    ref_vectors = vectors[:len(references)]
    pred_vectors = vectors[len(references):]

    cosine_similarities = []
    for ref_vec, pred_vec in zip(ref_vectors, pred_vectors):
        cosine_sim = cosine_similarity([ref_vec], [pred_vec])[0][0]
        cosine_similarities.append(cosine_sim)

    avg_cosine_similarity = sum(cosine_similarities) / len(cosine_similarities)
    return avg_cosine_similarity

def evaluate_model_cosine(references, predictions):
    cosine_score = calculate_cosine_similarity(references, predictions)
    print(f"Cosine Similarity: {cosine_score:.4f}")

# Example usage:
evaluate_model_cosine(references, predictions)


Cosine Similarity: 0.0912


In [None]:
import pandas as pd
import json

def optimize_schema_to_csv(json_file, output_csv):
    # Load the JSON data from a file
    with open(json_file, 'r') as file:
        data = json.load(file)

    # Create a list to store the processed rows
    rows = []

    # Process each table
    for table in data:
        table_name = table["Table Name"]
        table_description = table["Description"]
        for column in table["Table Data"]:
            rows.append({
                "Table Name": table_name,
                "Table Description": table_description,
                "Column Name": column["Column Name"],
                "Data Type": column["Data Type"],
                "Column Description": column["Description"]
            })

    # Convert the list of rows into a DataFrame
    df = pd.DataFrame(rows)

    # Save the DataFrame to a CSV file
    df.to_csv(output_csv, index=False)

    return df

# Example usage
json_file = '/content/Microsoft_tables.tables.json'
output_csv = 'optimized_schema.csv'
df = optimize_schema_to_csv(json_file, output_csv)
print(df.head())


            Table Name                                  Table Description  \
0  AADSignInEventsBeta  Microsoft Entra interactive and non-interactiv...   
1  AADSignInEventsBeta  Microsoft Entra interactive and non-interactiv...   
2  AADSignInEventsBeta  Microsoft Entra interactive and non-interactiv...   
3  AADSignInEventsBeta  Microsoft Entra interactive and non-interactiv...   
4  AADSignInEventsBeta  Microsoft Entra interactive and non-interactiv...   

     Column Name Data Type                                 Column Description  
0      Timestamp  datetime        Date and time when the record was generated  
1    Application    string     Application that performed the recorded action  
2  ApplicationId    string              Unique identifier for the application  
3      LogonType    string  Type of logon session, specifically interactiv...  
4      ErrorCode       int  Contains the error code if a sign-in error occ...  


In [None]:
df

Unnamed: 0,Table Name,Table Description,Column Name,Data Type,Column Description
0,AADSignInEventsBeta,Microsoft Entra interactive and non-interactiv...,Timestamp,datetime,Date and time when the record was generated
1,AADSignInEventsBeta,Microsoft Entra interactive and non-interactiv...,Application,string,Application that performed the recorded action
2,AADSignInEventsBeta,Microsoft Entra interactive and non-interactiv...,ApplicationId,string,Unique identifier for the application
3,AADSignInEventsBeta,Microsoft Entra interactive and non-interactiv...,LogonType,string,"Type of logon session, specifically interactiv..."
4,AADSignInEventsBeta,Microsoft Entra interactive and non-interactiv...,ErrorCode,int,Contains the error code if a sign-in error occ...
...,...,...,...,...,...
877,UrlClickEvents,"Safe Links clicks from email messages, Teams, ...",DetectionMethods,string,Detection technology that was used to identify...
878,UrlClickEvents,"Safe Links clicks from email messages, Teams, ...",IPAddress,string,Public IP address of the device from which the...
879,UrlClickEvents,"Safe Links clicks from email messages, Teams, ...",IsClickedThrough,bool,Indicates whether the user was able to click t...
880,UrlClickEvents,"Safe Links clicks from email messages, Teams, ...",UrlChain,string,"For scenarios involving redirections, it inclu..."


In [None]:
import pandas as pd
import json

def optimize_schema_to_csv(json_file, output_csv):
    # Load the JSON data from a file
    with open(json_file, 'r') as file:
        data = json.load(file)

    # Create lists to store the processed rows
    table_rows = []
    column_rows = []

    # Process each table
    for table in data:
        table_name = table["Table Name"]
        table_description = table["Description"]
        table_rows.append({
            "Table Name": table_name,
            "Table Description": table_description
        })
        for column in table["Table Data"]:
            column_rows.append({
                "Table Name": table_name,
                "Column Name": column["Column Name"],
                "Data Type": column["Data Type"],
                "Column Description": column["Description"]
            })

    # Convert the lists into DataFrames
    table_df = pd.DataFrame(table_rows).drop_duplicates()
    column_df = pd.DataFrame(column_rows)

    # Merge the two DataFrames on "Table Name"
    optimized_df = column_df.merge(table_df, on="Table Name")

    # Save the optimized DataFrame to a CSV file
    optimized_df.to_csv(output_csv, index=False)

    return optimized_df

# Example usage
json_file = '/content/Microsoft_tables.tables.json'
output_csv = 'optimized_schema2.csv'
df = optimize_schema_to_csv(json_file, output_csv)
print(df.head())


            Table Name    Column Name Data Type  \
0  AADSignInEventsBeta      Timestamp  datetime   
1  AADSignInEventsBeta    Application    string   
2  AADSignInEventsBeta  ApplicationId    string   
3  AADSignInEventsBeta      LogonType    string   
4  AADSignInEventsBeta      ErrorCode       int   

                                  Column Description  \
0        Date and time when the record was generated   
1     Application that performed the recorded action   
2              Unique identifier for the application   
3  Type of logon session, specifically interactiv...   
4  Contains the error code if a sign-in error occ...   

                                   Table Description  
0  Microsoft Entra interactive and non-interactiv...  
1  Microsoft Entra interactive and non-interactiv...  
2  Microsoft Entra interactive and non-interactiv...  
3  Microsoft Entra interactive and non-interactiv...  
4  Microsoft Entra interactive and non-interactiv...  


In [None]:
df

Unnamed: 0,Table Name,Column Name,Data Type,Column Description,Table Description
0,AADSignInEventsBeta,Timestamp,datetime,Date and time when the record was generated,Microsoft Entra interactive and non-interactiv...
1,AADSignInEventsBeta,Application,string,Application that performed the recorded action,Microsoft Entra interactive and non-interactiv...
2,AADSignInEventsBeta,ApplicationId,string,Unique identifier for the application,Microsoft Entra interactive and non-interactiv...
3,AADSignInEventsBeta,LogonType,string,"Type of logon session, specifically interactiv...",Microsoft Entra interactive and non-interactiv...
4,AADSignInEventsBeta,ErrorCode,int,Contains the error code if a sign-in error occ...,Microsoft Entra interactive and non-interactiv...
...,...,...,...,...,...
877,UrlClickEvents,DetectionMethods,string,Detection technology that was used to identify...,"Safe Links clicks from email messages, Teams, ..."
878,UrlClickEvents,IPAddress,string,Public IP address of the device from which the...,"Safe Links clicks from email messages, Teams, ..."
879,UrlClickEvents,IsClickedThrough,bool,Indicates whether the user was able to click t...,"Safe Links clicks from email messages, Teams, ..."
880,UrlClickEvents,UrlChain,string,"For scenarios involving redirections, it inclu...","Safe Links clicks from email messages, Teams, ..."


In [None]:
nn je veux modifier les nom des colonne