# Threat Hunting and Incident Response Demo

This notebook demonstrates the Agentic MultiStage Threat Hunting and Incident Response system.

In [None]:
import sys
sys.path.append('..')

import uuid
from datetime import datetime, timezone

from src.config.settings import settings
from src.graph.workflow import ThreatHuntingWorkflow
from src.models.schemas import AgentState, SecurityEvent

## 1. Create a Sample Security Event

In [None]:
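# Create a sample malware detection event.
#
# NOTE(review): everything below is synthetic demo data. The file_hash is a
# placeholder, not a real digest (it contains non-hex characters and has no
# MD5/SHA-1/SHA-256 length), and destination_ip is a routable public address.
# If any workflow stage enriches indicators against external services
# (reputation lookups, sandbox queries), it will be called with these values,
# so do not treat the demo output as a real verdict on that hash or IP.
security_event = SecurityEvent(
    event_id=str(uuid.uuid4()),
    # Timezone-aware timestamp: a naive datetime.now() is ambiguous once events
    # from hosts in different zones are correlated on one timeline.
    timestamp=datetime.now(timezone.utc),
    source="endpoint_detection",
    event_type="malware_execution",
    raw_data={
        "file_hash": "a1b2c3d4e5f6g7h8i9j0",
        "file_path": "C:\\Users\\admin\\AppData\\Roaming\\suspicious.exe",
        "parent_process": "explorer.exe",
        "command_line": "suspicious.exe --encrypt --target C:\\Users",
    },
    source_ip="192.168.1.100",
    destination_ip="185.220.101.50",
    user="admin",
    process="suspicious.exe",
)

print(f"Event ID: {security_event.event_id}")
print(f"Event Type: {security_event.event_type}")
print(f"Source: {security_event.source}")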

## 2. Initialize the Workflow

In [None]:
# Build the multi-stage workflow object; the next cell drives it to completion.
workflow: ThreatHuntingWorkflow = ThreatHuntingWorkflow()
print("Workflow initialized successfully!")

## 3. Run the Workflow

In [None]:
# Seed the state machine at the "detection" stage and run it to the end.
# NOTE(review): workflow.run() is called with no exception handling here, so a
# failing stage surfaces as a raw traceback in the notebook rather than as a
# partial final_state; that is acceptable for a demo but not for a pipeline.
initial_state = AgentState(security_event=security_event, current_stage="detection")

print("Running threat hunting workflow...")
final_state = workflow.run(initial_state)
print(f"\nWorkflow completed! Final stage: {final_state.current_stage}")

## 4. View Results

In [None]:
# Print the per-stage messages in the order the workflow appended them.
print("\n=== Workflow Messages ===")
for message in final_state.messages:
    print(f"- {message}")

In [None]:
# Show the detection stage output, if that stage produced one.
detection = final_state.detection
if detection:
    print("\n=== Detection Results ===")
    print(f"Detection ID: {detection.detection_id}")
    print(f"Confidence Score: {detection.confidence_score:.2f}")
    print(f"Threat Indicators: {', '.join(detection.threat_indicators)}")

In [None]:
# Show the analysis stage output, if that stage produced one.
# severity and category are enum members here, hence the .value access.
analysis = final_state.analysis
if analysis:
    print("\n=== Threat Analysis ===")
    print(f"Severity: {analysis.severity.value.upper()}")
    print(f"Category: {analysis.category.value}")
    print(f"Attack Vector: {analysis.attack_vector}")
    print(f"\nSummary: {analysis.analysis_summary}")

In [None]:
# Show the investigation stage output: root cause plus a numbered attack chain.
investigation = final_state.investigation
if investigation:
    print("\n=== Investigation Results ===")
    print(f"Root Cause: {investigation.root_cause}")
    print("\nAttack Chain:")
    for step_no, step in enumerate(investigation.attack_chain, start=1):
        print(f"  {step_no}. {step}")

In [None]:
# Show the response stage output.
# NOTE(review): the label says "Actions Planned" but the field is
# `actions_taken`; nothing in this notebook shows whether the workflow actually
# executes containment actions or only proposes them. Confirm against the
# response agent before running this demo against a live environment.
response = final_state.response
if response:
    print("\n=== Incident Response ===")
    action_names = [action.value for action in response.actions_taken]
    print(f"Actions Planned: {', '.join(action_names)}")
    print(f"Containment Status: {response.containment_status}")
    print("\nRemediation Steps:")
    for step_no, step in enumerate(response.remediation_steps, start=1):
        print(f"  {step_no}. {step}")

In [None]:
# Show the final report: executive summary followed by numbered recommendations.
report = final_state.report
if report:
    print("\n=== Executive Summary ===")
    print(report.executive_summary)
    print("\n=== Recommendations ===")
    for rec_no, recommendation in enumerate(report.recommendations, start=1):
        print(f"  {rec_no}. {recommendation}")