# Getting Started

Welcome to the Threat Hunting Lab.

This notebook verifies that:

* Your environment is working correctly
* The dataset is accessible
* Python and pandas are properly configured

Before we begin hunting, we need to confirm:

1. You are in the correct working directory
2. The `/data/` folder is accessible
3. The lab dataset can be successfully loaded

To run the code in a Jupyter cell, press `CTRL+ENTER`. Let's practice. 

Click into the cell below this text, then press `CTRL+ENTER` on your keyboard to execute it.

---


In [None]:
print("""
🎉 YOU DID IT! 🎉
""")

## What This Notebook Does

The code below will:

* Print your current working directory
* Show the files available in your current folder
* Show the files inside the `/data/` directory
* Load the lab dataset into a pandas DataFrame
* Display the first few rows of the dataset

If everything runs without errors, your lab environment is ready.

---

## Why This Matters

Threat hunting requires:

* Reliable data access
* Clean parsing of structured logs
* Confidence in your analysis environment

Before forming hypotheses or stacking events, we validate the basics.

If the dataset loads successfully, proceed to the next lab.

If you encounter errors:

* Verify the `/data/` directory exists
* Confirm the filename is correct
* Re-run the cell

Let's confirm your environment is operational.

Happy hunting!

### Install pandas in GitHub Codespace

In [None]:
pip install pandas # install pandas for GitHub Codespace

### Check Environment & Lab Setup

In [41]:
import os
import pandas as pd


current_directory = os.getcwd()
print("Current directory:", current_directory)
print("====================================================================================================")
print("Current directory listing:", os.listdir('.'))           # list the contents of the current folder
print("====================================================================================================")
print("Listing of the /data/ folder:", os.listdir('../data/'))        # list the contents of the "data" folder


# Load each lab dataset; dtype=str keeps every field as text so pandas does not guess column types
df1 = pd.read_csv('../data/lab_github.csv',  dtype=str, low_memory=False)
df2 = pd.read_csv('../data/lab_phishing.csv', dtype=str, low_memory=False)
df3 = pd.read_csv('../data/lab_dprk.csv',     dtype=str, low_memory=False)

# ────────────────────────────────────────────────
# Now show all three nicely
# ────────────────────────────────────────────────

print("=== lab_github.csv ===")
display(df1.head())

print("\n=== lab_phishing.csv ===")
display(df2.head())

print("\n=== lab_dprk.csv ===")
display(df3.head())

Current directory: /Users/user/Documents/GitHub/threat-hunting-lab-zia/notebooks
Current directory listing: ['getting_started.ipynb', '.ipynb_checkpoints']
Listing of the /data/ folder: ['lab_phishing.csv', 'README.md', 'lab_github.csv', 'lab_dprk.csv']
=== lab_github.csv ===


Unnamed: 0,No.,Logged Time,Event Time,User,SSL Inspected,URL,Policy Action,Cloud Application Class,Cloud Application,Application Status,...,JA4 Fingerprint C,Client-Side Key Exchange Algorithm,Server-Side Key Exchange Algorithm,Client-Side Digital Signature Algorithm,Server-Side Digital Signature Algorithm,Client Key Exchange Proposal,Client Digital Signature Proposal,Download User-Defined File Type,Upload User-Defined File Type,Extranet Resource
0,1,"January 29, 2026 3:59:05 PM PST","January 29, 2026 3:59:05 PM PST",mwylie@deepen.zscaler.net,No,www.msftconnecttest.com/connecttest.txt,Allowed,General Browsing,,,...,,,,,,,,,,
1,2,"January 29, 2026 3:59:05 PM PST","January 29, 2026 3:59:05 PM PST",mwylie@deepen.zscaler.net,Yes,array810.prod.do.dsp.mp.microsoft.com/join/?eid=8,Allowed,General Browsing,,,...,,secp256r1,secp256r1,rsa_pss_rsae_sha256,ecdsa_secp256r1_sha256,"[""Classical""]","[""Classical""]",,,
2,3,"January 29, 2026 3:59:06 PM PST","January 29, 2026 3:59:06 PM PST",mwylie@deepen.zscaler.net,No,www.msftconnecttest.com/connecttest.txt,Allowed,General Browsing,,,...,,,,,,,,,,
3,4,"January 29, 2026 3:59:06 PM PST","January 29, 2026 3:59:06 PM PST",mwylie@deepen.zscaler.net,Yes,login.live.com/rst2.srf,Allowed,IT Services,Microsoft Login Services,Unsanctioned,...,,secp256r1,secp384r1,rsa_pss_rsae_sha256,rsa_pss_rsae_sha256,"[""Classical""]","[""Classical""]",,,
4,5,"January 29, 2026 3:59:06 PM PST","January 29, 2026 3:59:06 PM PST",mwylie@deepen.zscaler.net,Yes,login.live.com/rst2.srf,Allowed,IT Services,Microsoft Login Services,Unsanctioned,...,,secp256r1,secp384r1,rsa_pss_rsae_sha256,rsa_pss_rsae_sha256,"[""Classical""]","[""Classical""]",,,



=== lab_phishing.csv ===


Unnamed: 0,No.,Logged Time,Event Time,User,SSL Inspected,URL,Policy Action,Cloud Application Class,Cloud Application,Application Status,...,JA4 Fingerprint C,Client-Side Key Exchange Algorithm,Server-Side Key Exchange Algorithm,Client-Side Digital Signature Algorithm,Server-Side Digital Signature Algorithm,Client Key Exchange Proposal,Client Digital Signature Proposal,Download User-Defined File Type,Upload User-Defined File Type,Extranet Resource
0,1,"January 30, 2026 12:30:00 PM PST","January 30, 2026 12:30:00 PM PST",karen@acme.zscaler.net,Yes,www.youtube.com/api/stats/qoe?fmt=398&afmt=251...,Allowed,Streaming Media,YouTube,Unsanctioned,...,,secp256r1,secp256r1,rsa_pss_rsae_sha256,ecdsa_secp256r1_sha256,"[""Classical,Hybrid""]","[""Classical""]",,,
1,2,"January 30, 2026 12:30:30 PM PST","January 30, 2026 12:30:30 PM PST",karen@acme.zscaler.net,Yes,www.youtube.com/api/stats/qoe?fmt=398&afmt=251...,Allowed,Streaming Media,YouTube,Unsanctioned,...,,secp256r1,secp256r1,rsa_pss_rsae_sha256,ecdsa_secp256r1_sha256,"[""Classical,Hybrid""]","[""Classical""]",,,
2,3,"January 30, 2026 12:30:30 PM PST","January 30, 2026 12:30:30 PM PST",karen@acme.zscaler.net,Yes,mozilla.cloudflare-dns.com/dns-query,Allowed,DNS Over HTTPS Services,Cloudflare DNS,Unsanctioned,...,,secp256r1,secp256r1,rsa_pss_rsae_sha256,ecdsa_secp256r1_sha256,"[""Classical,Hybrid""]","[""Classical""]",,,
3,4,"January 30, 2026 12:30:30 PM PST","January 30, 2026 12:30:30 PM PST",karen@acme.zscaler.net,Yes,mozilla.cloudflare-dns.com/dns-query,Allowed,DNS Over HTTPS Services,Cloudflare DNS,Unsanctioned,...,,secp256r1,secp256r1,rsa_pss_rsae_sha256,ecdsa_secp256r1_sha256,"[""Classical,Hybrid""]","[""Classical""]",,,
4,5,"January 30, 2026 12:31:01 PM PST","January 30, 2026 12:31:01 PM PST",karen@acme.zscaler.net,Yes,mozilla.cloudflare-dns.com/dns-query,Allowed,DNS Over HTTPS Services,Cloudflare DNS,Unsanctioned,...,,secp256r1,secp256r1,rsa_pss_rsae_sha256,ecdsa_secp256r1_sha256,"[""Classical,Hybrid""]","[""Classical""]",,,



=== lab_dprk.csv ===


Unnamed: 0,No.,Logged Time,Event Time,User,SSL Inspected,URL,Policy Action,Cloud Application Class,Cloud Application,Application Status,...,JA4 Fingerprint C,Client-Side Key Exchange Algorithm,Server-Side Key Exchange Algorithm,Client-Side Digital Signature Algorithm,Server-Side Digital Signature Algorithm,Client Key Exchange Proposal,Client Digital Signature Proposal,Download User-Defined File Type,Upload User-Defined File Type,Extranet Resource
0,1,"January 27, 2026 2:30:23 PM PST","January 27, 2026 2:30:23 PM PST",karen@acme.zscaler.net,No,ssl.gstatic.com,Dropped due to failed client SSL handshake,General Browsing,,,...,,,,,,"[""Classical""]","[""Classical""]",,,
1,2,"January 27, 2026 2:30:23 PM PST","January 27, 2026 2:30:23 PM PST",karen@acme.zscaler.net,Yes,self.events.data.microsoft.com/onecollector/1.0/,Allowed,General Browsing,,,...,,secp256r1,secp256r1,rsa_pss_rsae_sha256,rsa_pss_rsae_sha256,"[""Classical""]","[""Classical""]",,,
2,3,"January 27, 2026 2:30:23 PM PST","January 27, 2026 2:30:23 PM PST",karen@acme.zscaler.net,No,ssl.gstatic.com,Dropped due to failed client SSL handshake,General Browsing,,,...,,,,,,"[""Classical""]","[""Classical""]",,,
3,4,"January 27, 2026 2:30:23 PM PST","January 27, 2026 2:30:23 PM PST",karen@acme.zscaler.net,No,detectportal.firefox.com/canonical.html,Allowed,General Browsing,,,...,,,,,,,,,,
4,5,"January 27, 2026 2:30:23 PM PST","January 27, 2026 2:30:23 PM PST",karen@acme.zscaler.net,No,detectportal.firefox.com/success.txt?ipv4,Allowed,General Browsing,,,...,,,,,,,,,,
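
A stricter pre-flight check than `head()`, added here as an example and not part of the original notebook: it confirms that the columns a hunt depends on are present and that every `Event Time` value parses into a timezone-aware timestamp. It uses only the standard library and a constructed sample in the shape of the lab CSVs; `REQUIRED_COLUMNS`, the function names and the PST/PDT offset table are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Assumption: the columns later hunts rely on; names copied from the headers shown above.
REQUIRED_COLUMNS = ["Event Time", "User", "URL", "Policy Action"]

# "PST" is an abbreviation, not an offset, and strptime's %Z does not accept it
# portably, so map it explicitly (assumption: only PST/PDT occur in the lab data).
TZ_OFFSETS = {"PST": timezone(timedelta(hours=-8), "PST"),
              "PDT": timezone(timedelta(hours=-7), "PDT")}


def parse_event_time(value):
    """Parse 'January 29, 2026 3:59:05 PM PST' into an aware datetime, or None."""
    try:
        stamp, tz_name = value.strip().rsplit(" ", 1)
        naive = datetime.strptime(stamp, "%B %d, %Y %I:%M:%S %p")
        return naive.replace(tzinfo=TZ_OFFSETS[tz_name])
    except (AttributeError, ValueError, KeyError):
        return None


def validate_log(handle):
    """Report row count, missing columns and the file lines whose timestamp fails to parse."""
    reader = csv.DictReader(handle)
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    rows, bad_rows, first, last = 0, [], None, None
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        rows += 1
        ts = parse_event_time(row.get("Event Time"))
        if ts is None:
            bad_rows.append(line_no)
            continue
        first = ts if first is None or ts < first else first
        last = ts if last is None or ts > last else last
    return {"rows": rows, "missing_columns": missing,
            "bad_timestamp_rows": bad_rows, "first_event": first, "last_event": last}


# Constructed sample in the shape of the lab CSVs (not real lab data).
SAMPLE = '''No.,Event Time,User,URL,Policy Action
1,"January 29, 2026 3:59:05 PM PST",user@example.test,www.example.test/a,Allowed
2,"January 29, 2026 3:59:06 PM PST",user@example.test,www.example.test/b,Allowed
3,"not a timestamp",user@example.test,www.example.test/c,Allowed
'''

if __name__ == "__main__":
    print(validate_log(io.StringIO(SAMPLE)))
```

To run it against a lab file, pass an open handle, for example `validate_log(open('../data/lab_github.csv', newline=''))`.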
