# Firewall Log Analysis
Analyzes firewall logs.

---
## Data Load and Preparation
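Import the CSV file. Expected columns (the analysis cells below read these exact column names):

- `timestamp`: ISO 8601
- `udm.principal.ip`: source IP
- `udm.target.ip`: destination IP
- `udm.target.port`: destination port
- `udm.network.ip_protocol`: transport layer protocol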

In [None]:
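#@title Upload
from os import rename
from google.colab import files

import pandas as pd

LOGS = 'logs.csv'

# Columns the analysis cells read. They are checked right after loading so that
# a wrong or truncated export fails here with a clear message instead of a
# KeyError in a later cell.
REQUIRED_COLUMNS = (
    'timestamp',
    'udm.principal.ip',
    'udm.target.ip',
    'udm.target.port',
    'udm.network.ip_protocol',
)

print('Select and upload the firewall logs')
uploaded = files.upload()  # mapping of uploaded file name -> file content

# If no file was selected the mapping is empty; stop before indexing into it.
if not uploaded:
    raise ValueError('No file was uploaded; run this cell again and select the firewall log CSV')

uploaded_names = list(uploaded.keys())
if len(uploaded_names) > 1:
    # Only the first file is analysed; say so rather than silently ignoring the rest.
    print(f'⚠️ {len(uploaded_names)} files uploaded; only {uploaded_names[0]!r} is analysed')

# Normalise the name so the rest of the notebook can rely on LOGS.
rename(uploaded_names[0], LOGS)
print('🟢 Logs uploaded successfuly')

# The uploaded CSV is untrusted input: its values are displayed by later cells.
# read_csv already returns a DataFrame, so no extra wrapping is needed.
df = pd.read_csv(LOGS)

missing = [name for name in REQUIRED_COLUMNS if name not in df.columns]
if missing:
    raise ValueError(f'{LOGS} is missing expected column(s): {missing}')

# Parse timestamps once so later cells can do datetime arithmetic on them.
df['timestamp'] = pd.to_datetime(df['timestamp'])
print('🟢 Data loaded successfuly')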

---
## Analysis

In [None]:
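#@title General Analysis

from dateutil import tz
from IPython.display import display, Markdown


def _inline_code(value) -> str:
    """Format a value as a Markdown inline-code span.

    The values come from the uploaded CSV, so they are treated as untrusted:
    whitespace is collapsed and backticks are replaced so that a field cannot
    close the code span and be rendered as Markdown/HTML in the cell output.
    """
    text = ' '.join(str(value).split())
    return '`' + text.replace('`', "'") + '`'


def _unique_sorted(column: str) -> list:
    """Return the sorted distinct non-null values of a column of ``df``.

    Nulls are dropped so the list matches ``nunique()`` (which ignores them)
    and so that a missing value cannot make ``sorted`` fail on mixed types.
    """
    return sorted(df[column].dropna().unique())


if df.empty:
    # Nothing to summarise; indexing the first/last row would raise.
    display(Markdown('### 🧮 Number of Connections (logs)\n`0`'))
else:
    # Use min/max instead of the first/last row: the export is not guaranteed
    # to be ordered by time, and an unordered file would otherwise give a wrong
    # (possibly negative) time range.
    first_event = df['timestamp'].min()
    last_event = df['timestamp'].max()

    # Converting to the local zone only works for timezone-aware timestamps;
    # naive ones are shown as they appear in the log.
    if first_event.tzinfo is not None:
        first_event_shown = first_event.astimezone(tz.tzlocal())
    else:
        first_event_shown = first_event

    time_range_seconds = (last_event - first_event).total_seconds()

    display(Markdown(f'''
### 🧮 Number of Connections (logs)
{_inline_code(len(df.index))}

### ⏱️ First Event's Timestamp
{_inline_code(first_event_shown)}

### ⏱️ Time Range
{_inline_code(time_range_seconds)} seconds

### ⬆️ Source IPs ({df['udm.principal.ip'].nunique()})
{_inline_code(_unique_sorted('udm.principal.ip'))}

### ⬇️ Destination IPs ({df['udm.target.ip'].nunique()})
{_inline_code(_unique_sorted('udm.target.ip'))}

### 🚪 Destination Ports ({df['udm.target.port'].nunique()})
{_inline_code(_unique_sorted('udm.target.port'))}

### 📡 Protocols ({df['udm.network.ip_protocol'].nunique()})
{_inline_code(_unique_sorted('udm.network.ip_protocol'))}
'''))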

In [None]:
#@title Destination Port Distribution

# Ten most frequent destination ports (value_counts sorts descending by
# default), drawn as a pie chart.
top_ports = df['udm.target.port'].value_counts().head(10)
top_ports.plot.pie(title='Top 10 Destination Ports')

In [None]:
#@title Destination IP Distribution

# Ten most frequent destination IPs (value_counts sorts descending by
# default), drawn as a pie chart.
top_destinations = df['udm.target.ip'].value_counts().head(10)
top_destinations.plot.pie(title='Top 10 Destination IPs')