In [1]:
#!csharp
Console.WriteLine("C# Kernel is working!");

C# Kernel is working!


In [2]:
#!import config/Settings.cs

In [3]:
// Configure AI backend used by the kernel
var (useAzureOpenAI, model, azureEndpoint, apiKey, orgId) = Settings.LoadFromFile();

## LLM Setup

In [4]:
#r "nuget: Azure.AI.OpenAI"
#r "nuget: Azure.Identity"
#r "nuget: System.Data.SQLite.Core, 1.0.113.6"
#r "nuget: Microsoft.Data.Analysis"
#r "nuget: EPPlus, 5.8.3"

Loading extensions from `C:\Users\tamaragaidar\.nuget\packages\microsoft.data.analysis\0.22.2\interactive-extensions\dotnet\Microsoft.Data.Analysis.Interactive.dll`

First things first, we need to make sure that we can connect to an OpenAI endpoint. You can do this with the OpenAI library and call either the OpenAI API or an Azure OpenAI endpoint. The key difference is that the AOAI endpoint requires additional configuration parameters which you will see below. Once we set these values, they can be used elsewhere in the notebook without needing to remember the values.

In [5]:
using System;
using System.Reflection;
using Azure;
using Azure.Identity;
using OpenAI.Assistants;
using Azure.AI.OpenAI;
using OpenAI.Chat;
using static System.Environment;

In [6]:
//get the endpoint from the environment variable with AI backend used by the kernel
var (useAzureOpenAI, model, endpoint, apiKey, orgId) = Settings.LoadFromFile();
// Use the recommended keyless credential instead of the AzureKeyCredential credential.
AzureOpenAIClient openAIClient = new AzureOpenAIClient(new Uri(endpoint), new DefaultAzureCredential()); 

// This must match the custom deployment name you chose for your model
ChatClient chatClient = openAIClient.GetChatClient("gpt-4o");

var chatUpdates = chatClient.CompleteChatStreamingAsync(
    [
        //This the system prompt
        new SystemChatMessage("You are a helpful assistant that talks like a pirate."),
    ]);

Now we can test our model by calling it with a simple prompt. Maybe ask the model to tell you a joke!

Once you get your response, look carefully at the structure of what is returned. Feel free to play around here and test out various prompts.

In [7]:
var response = await chatClient.CompleteChatAsync(
    [   // This is the user prompt
        new UserChatMessage("Tell me a short joke?")
    ]);

In [8]:
// Print output
response

We can grab any of these dictionary values with **dot notation** on our response. For example, if we wanted to grab ID of our message for logging, we can use the following line:

```
string tokens = response.Value.Id
```

For example, if we wanted to grab the number of tokens used (for billing calculation) we can use the following line:

```
response.Value.Usage.TotalTokenCount
```

In the text below, grab the response's content for the plain text of our LLM's response

In [9]:
foreach (var message in response.Value.Content)
{
    Console.WriteLine(message.Text);
}

Why don't skeletons fight each other? They don't have the guts!


In [10]:
// Access and print token usage metadata
if (response.Value.Usage != null)
{
    Console.WriteLine("\nTokens Used:");
    Console.WriteLine($"Total Tokens: {response.Value.Usage.TotalTokenCount}");
    Console.WriteLine($"Prompt Tokens: {response.Value.Usage.OutputTokenCount}");
    Console.WriteLine($"Input Tokens: {response.Value.Usage.InputTokenCount}");
}


Tokens Used:
Total Tokens: 28
Prompt Tokens: 15
Input Tokens: 13


## Image Generation

Now that we've configured our LLM, let's configure image generation. In this notebook, we will be using OpenAI's image generator, Dall-E 3

To set ourselves up later for success, we will break out our image call into a function. This function sets up for calls to the model much like an LLM, but slightly different. At a low level (raw API Calls), image generation calls are fairly simple with few parameters outside of the prompt itself. The model creates an image which is stored in Azure blob storage. We will display the image within the notebook for simplicity.

In [11]:
var prompt = "A futuristic city on Mars at sunset";
var imageResponse = openAIClient.GetImageClient("dall-e-3").GenerateImage(prompt);
Console.WriteLine($"Image URL: {imageResponse.Value.ImageUri}");

Image URL: https://dalleprodaue.blob.core.windows.net/private/images/656b42c0-299a-4e6a-b9ee-5ef2a5b9003f/generated_00.png?se=2025-05-07T11%3A09%3A28Z&sig=Jimc9rgfnrxcCRAaxv1%2BpcTvFnuRZrUqXrqBVlSd4hY%3D&ske=2025-05-13T00%3A50%3A28Z&skoid=f4f58869-78fa-4857-8a87-4ce5ae4ba8c3&sks=b&skt=2025-05-06T00%3A50%3A28Z&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skv=2020-10-02&sp=r&spr=https&sr=b&sv=2020-10-02


With the function declared, let's try it out! Make the prompt anything you want below. This is a good opportunity to play with image generation prompts to get a better feel for the system. Learnings from this section can directly translate to better engineered prompts within your agentic system, since you can help the LLM agent learn how you prefer to prompt image generation tools.

## Getting top threat actors from incidents

Now let's add a a possibility for our agent to query SQLite to get the top threat actors from recent incidents.

We can extract threat actor names from recent MTP incidents and summarize the distinct count of impacted orgs by actor name.

We'll set in memory data base and simulate insident data into it.

First we need a basic function to query SQLite.

In [12]:
#r "nuget: Microsoft.Data.Sqlite"

In [13]:
using System.Data;
using System.Data.SQLite;
using System.Collections.Generic;
#!import config/InMemoryDatabase.cs

In [14]:
DataTable RunQueryToDataTable(string sqlQuery, SQLiteConnection conn)
{
    var dataTable = new DataTable();

    using (var cmd = conn.CreateCommand())
    {
        cmd.CommandText = sqlQuery;
        using (var adapter = new SQLiteDataAdapter(cmd))
        {
            adapter.Fill(dataTable);
        }
    }
    return dataTable;
}

In [15]:
var sql = "SELECT IncidentTitle, COUNT(DISTINCT OrgId) as OrgCount " +
          "FROM Alerts " +
          "WHERE IncidentSeverity = 'High' " +
          "GROUP BY IncidentTitle " +
          "ORDER BY OrgCount DESC " +
          "LIMIT 25;";

var connectionString = "Data Source=:memory:;Version=3;New=True;";

var result = RunQueryToDataTable(sql, conn);
result.Rows[0]

Lets extract the following data from the above table:

Filter by time (lookback)

Look for incident titles that contain "actor group" or "activity group"

Extract threat actor names via regex

Count how many unique OrgIds are associated with each actor

Return the top 25 actors sorted by number of affected orgs

In [16]:
// Define your lookback and regex pattern variables.
var lookback = "-1 day";  // adjust as needed, e.g., "-6 hours", "-30 minutes"

// Define the query string using an interpolated verbatim string literal.
var query = $@"
SELECT OrgId, IncidentTitle
FROM Alerts
WHERE Time > datetime('now', '{lookback}')
  AND IncidentSeverity = 'High'
  AND (
        LOWER(IncidentTitle) LIKE '%actor group%' 
     OR LOWER(IncidentTitle) LIKE '%activity group%'
  );
";
// Now run the query using your helper function.
var result = RunQueryToDataTable(query, conn);

In [17]:
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;
using Microsoft.Data.Analysis;

// Define your regex pattern
var regexPattern = @"((?:[A-Z][a-z]+\s[A-Z][a-z]+)|(?:Storm-\d+))";
var regex = new Regex(regexPattern, RegexOptions.Compiled);

// Dictionary to map each threat actor to a set of unique OrgIds
Dictionary<string, HashSet<string>> actorToOrgs = new Dictionary<string, HashSet<string>>();

// Loop through DataTable rows
foreach (DataRow row in result.Rows)
{
    string orgId = row["OrgId"]?.ToString() ?? "";
    string incidentTitle = row["IncidentTitle"]?.ToString() ?? "";

    var match = regex.Match(incidentTitle);
    if (match.Success)
    {
        string threatActor = match.Groups[1].Value;

        if (!actorToOrgs.ContainsKey(threatActor))
            actorToOrgs[threatActor] = new HashSet<string>();

        actorToOrgs[threatActor].Add(orgId);
    }
}

// Take top 15 by unique OrgId count
var top15 = actorToOrgs
    .OrderByDescending(pair => pair.Value.Count)
    .Take(15)
    .ToList();

// Initialize empty columns (no pre-defined length!)
var actorColumn = new StringDataFrameColumn("ThreatActor");
var orgCountColumn = new Int32DataFrameColumn("UniqueOrgCount");

// Append actual data
foreach (var pair in top15)
{
    actorColumn.Append(pair.Key);
    orgCountColumn.Append(pair.Value.Count);
}

// Create DataFrame
var df = new DataFrame();
df.Columns.Add(actorColumn);
df.Columns.Add(orgCountColumn);

In [18]:
df

index,ThreatActor,UniqueOrgCount
0,Sangria Tempest,2
1,Hazel Sandstorm,2
2,Lace Tempest,2
3,Midnight Blizzard,2
4,Storm-0555,1
5,Storm-0904,1
6,Periwinkle Tempest,1
7,Storm-0335,1


In [19]:
using System.Net.Http;
using System.IO;
using System.Threading.Tasks;
using System.Collections.Generic;
using OfficeOpenXml;

In [20]:
//Download excel file
var url = "https://download.microsoft.com/download/4/5/2/45208247-c1e9-432d-a9a2-1554d81074d9/microsoft-threat-actor-list.xlsx";
HttpClient client = new HttpClient();
byte[] bytes = await client.GetByteArrayAsync(url);
Console.WriteLine("Downloaded Excel file with size: " + bytes.Length);

Downloaded Excel file with size: 24181


In [21]:
//Read and Parse Worksheet
MemoryStream stream = new MemoryStream(bytes);
ExcelPackage package = new ExcelPackage(stream);
var worksheet = package.Workbook.Worksheets[0];
Console.WriteLine("Loaded worksheet: " + worksheet.Name);

Loaded worksheet: Microsoft threat actor list


In [22]:
//Printing a few rows and columns from the worksheet
Console.WriteLine("Printing a few rows and columns from the worksheet:");
Console.WriteLine("Index, Threat actor name, Origin/Threat actor category, Other names");
for (int row = 3; row <= 5; row++)
{
    Console.WriteLine($"{row}: {worksheet.Cells[row, 2].Text}, {worksheet.Cells[row, 3].Text}, {worksheet.Cells[row, 4].Text}");
}

Printing a few rows and columns from the worksheet:
Index, Threat actor name, Origin/Threat actor category, Other names
3: Amethyst Rain, Lebanon, Volatile Cedar
4: Antique Typhoon, China, Storm-0558
5: Aqua Blizzard, Russia, ACTINIUM, Gamaredon, Armageddon, UNC530, shuckworm, SectorC08, Primitive Bear


In [23]:
//Build Lookup Dictionary
Dictionary<string, (string OriginCategory, string OtherNames)> threatActorNameDict = new();

for (int row = 2; row <= worksheet.Dimension.End.Row; row++)
{
    var actorName = worksheet.Cells[row, 2].Text.Trim();
    var originCategory = worksheet.Cells[row, 3].Text.Trim();
    var otherNames = worksheet.Cells[row, 4].Text.Trim();

    if (!string.IsNullOrWhiteSpace(actorName))
    {
        threatActorNameDict[actorName] = (originCategory, otherNames);
    }
}
Console.WriteLine($"Extracted metadata for {threatActorNameDict.Count} actors.");

Extracted metadata for 131 actors.


In [24]:
threatActorNameDict["Amethyst Rain"] // Example lookup

Unnamed: 0,Unnamed: 1
Item1,Lebanon
Item2,Volatile Cedar


In [25]:
// undate the data DataFrame
// Add new columns
var originColumn = new StringDataFrameColumn("Origin/Threat actor category");
var otherNamesColumn = new StringDataFrameColumn("Other names");

// Match against ThreatActor and populate new columns
for (int i = 0; i < df.Rows.Count; i++)
{
    var actorName = df["ThreatActor"][i]?.ToString();

    if (!string.IsNullOrWhiteSpace(actorName) && threatActorNameDict.TryGetValue(actorName, out var metadata))
    {
        originColumn.Append(metadata.OriginCategory);
        otherNamesColumn.Append(metadata.OtherNames);
    }
    else
    // If no match found, append null or empty string
    {
        originColumn.Append(null);
        otherNamesColumn.Append(null);
    }
}
// Add the populated columns to the DataFrame
df.Columns.Add(originColumn);
df.Columns.Add(otherNamesColumn);

In [26]:
df

index,ThreatActor,UniqueOrgCount,Origin/Threat actor category,Other names
0,Sangria Tempest,2,"Ukraine, Financially motivated",ELBRUS
1,Hazel Sandstorm,2,Iran,"EUROPIUM, COLBALT GYPSY, Crambus, OilRig, APT34"
2,Lace Tempest,2,Financially motivated,DEV-0950
3,Midnight Blizzard,2,Russia,"NOBELIUM, UNC2452, APT29, Cozy Bear"
4,Storm-0555,1,<null>,<null>
5,Storm-0904,1,<null>,<null>
6,Periwinkle Tempest,1,Russia,DEV-0193
7,Storm-0335,1,<null>,<null>


In [27]:
// Get the specific column
var threatActorColumn = df.Columns["Origin/Threat actor category"] as StringDataFrameColumn;

// Create a boolean filter for non-null values
var nonNullFilter = threatActorColumn.ElementwiseIsNotNull();

// Apply the filter to the DataFrame
var filteredDf = df.Filter(nonNullFilter);

// Display result
filteredDf

index,ThreatActor,UniqueOrgCount,Origin/Threat actor category,Other names
0,Sangria Tempest,2,"Ukraine, Financially motivated",ELBRUS
1,Hazel Sandstorm,2,Iran,"EUROPIUM, COLBALT GYPSY, Crambus, OilRig, APT34"
2,Lace Tempest,2,Financially motivated,DEV-0950
3,Midnight Blizzard,2,Russia,"NOBELIUM, UNC2452, APT29, Cozy Bear"
4,Periwinkle Tempest,1,Russia,DEV-0193


In [28]:
filteredDf.Rows[0].ToString()

Sangria Tempest 2 Ukraine, Financially motivated ELBRUS 

In [29]:
// Convert the DataFrame to a string representation
string dfAsString = filteredDf.Rows[0].ToString();

// Define a description for the image generation
string role_description = 
    "Which threat actor impacted the most orgs? I gatherrf data about the threat actor and then generate an image that represents them. " +
    "Remember that the image generator has no context about the actors. For example, if the cyber threat actor " +
    "is Onyx Sleet, use descriptions like a villain in a field of crystalized black precipitation. Make sure " +
    "the prompt doesn't violate any AI safety guidelines.";

string fullResponse = "";
var chatUpdates = chatClient.CompleteChatStreamingAsync(
    [
        //This the system prompt
        new SystemChatMessage(role_description),
    ]);

var response = await chatClient.CompleteChatAsync(
    [   // This is the user prompt
        new UserChatMessage(dfAsString)
    ]);
foreach (var message in response.Value.Content)
{
    fullResponse += message.Text;
}

In [30]:
fullResponse

"Sangria Tempest 2" and "ELBRUS" do not appear to be widely recognized terms or events as of my last update in October 2023. It is possible that these could refer to new developments, operations, or code names for specific initiatives or cyber activities.

If these are related to cybersecurity or geopolitical events involving Ukraine, financial motivations, or other areas, I would recommend checking recent news articles, reports from cybersecurity firms, or official statements from relevant government or financial institutions for the most current and detailed information. Cybersecurity landscapes can change rapidly with events and updates emerging frequently, so staying informed through credible and timely sources is essential.

In [31]:
// Generate the image using the OpenAI client
var imageResponse = openAIClient.GetImageClient("dall-e-3").GenerateImage(fullResponse);
Console.WriteLine($"Image URL: {imageResponse.Value.ImageUri}");

Image URL: https://dalleprodaue.blob.core.windows.net/private/images/15eca565-1e4a-4602-b6c6-f1b8f00cd23f/generated_00.png?se=2025-05-07T11%3A09%3A46Z&sig=4Gul8XKeyO6amtZJIN9nLPnOSCS8XLNW5Iv3QBdhsZI%3D&ske=2025-05-13T08%3A15%3A20Z&skoid=f4f58869-78fa-4857-8a87-4ce5ae4ba8c3&sks=b&skt=2025-05-06T08%3A15%3A20Z&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skv=2020-10-02&sp=r&spr=https&sr=b&sv=2020-10-02
