# 📊 Graph Security Fundamentals - Connected to Your Dashboard

> **Learning Objective:** Understand how security graphs represent attack paths and relationships in cloud environments, directly connecting to the scenarios you explore in the Cloud Threat Graph Lab dashboard.

## 🎯 What You'll Learn
- **Graph Theory Basics:** Nodes, edges, and security relationships
- **Cloud Security Context:** How graphs model real infrastructure
- **Visual Analysis:** Reading and interpreting security graphs
- **Practical Queries:** Basic Cypher for security analysis
- **Dashboard Integration:** How these concepts apply to the 10 attack scenarios

---

## 🔗 Connection to Your Dashboard Experience

**This notebook directly supports your dashboard learning:**
- The same Neo4j database powers both this notebook and your dashboard
- Query techniques you learn here apply to all 10 attack scenarios
- Visual concepts transfer to both Graph and Table views in the dashboard
- Understanding gained here makes dashboard scenario analysis much clearer

## 🔍 Why Security Graphs Matter

### Traditional Security vs Graph Security

**Traditional Approach:**
- Lists of assets, users, permissions
- Difficult to see relationships
- Attack paths hidden in complexity
- Like looking at a phonebook instead of a map

**Graph Security Approach:**
- Visual representation of connections (like your dashboard's Graph view)
- Clear attack path visualization
- Relationship-based analysis
- Same data model as your dashboard scenarios

### Real-World Example from Your Dashboard
When you select "AWS Privilege Escalation" in the dashboard, you're exploring the same type of graph paths this notebook teaches - just with more specific security focus!

In [None]:
# Install required packages for educational visualization
import sys
!{sys.executable} -m pip install neo4j matplotlib networkx plotly pandas numpy

# Import educational visualization libraries
import matplotlib.pyplot as plt
import networkx as nx
import plotly.graph_objects as go
import plotly.express as px
from neo4j import GraphDatabase
import pandas as pd
import numpy as np

print("✅ Educational libraries loaded successfully!")
print("📚 Ready for interactive security graph learning")

## 🏗️ Setting Up Your Learning Environment

Let's connect to the Cloud Threat Graph Lab and explore the security data:

In [None]:
# Educational Neo4j Connection Setup
class SecurityGraphEducation:
    def __init__(self, uri="bolt://neo4j:7687", user="neo4j", password="cloudsecurity"):
        """
        EDUCATIONAL NOTE:
        This connects to our Cloud Threat Graph Lab database.
        In real environments, you'd use proper authentication.
        
        Why Neo4j for Security?
        - Graph database optimized for relationships
        - Cypher query language for path analysis
        - Visual graph browser for exploration
        """
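        try:
            self.driver = GraphDatabase.driver(uri, auth=(user, password))
            # The driver connects lazily, so check now that the URI and
            # credentials actually work before reporting success
            self.driver.verify_connectivity()
            print("✅ Connected to Cloud Threat Graph Lab!")
            print("🎓 Educational environment ready for learning")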
        except Exception as e:
            print(f"❌ Connection failed: {e}")
            print("💡 Make sure docker-compose is running: docker-compose up -d")
    
    def run_educational_query(self, query, explanation=""):
        """
        Run a query with educational context and explanations
        """
        if explanation:
            print(f"🎯 Educational Context: {explanation}")
            print("")
        
        with self.driver.session() as session:
            result = session.run(query)
            return [record for record in result]

# Initialize educational connection
graph_edu = SecurityGraphEducation()


## 📊 Your First Security Graph Analysis

Let's start with the most basic question: **"What's in our security graph?"**

In [None]:
# EDUCATIONAL QUERY 1: Discover What's in Our Security Graph
basic_inventory_query = """
MATCH (n) 
RETURN labels(n)[0] as NodeType, count(n) as Count 
ORDER BY Count DESC
"""

explanation = """
This is your first security graph query!

What it does:
- MATCH (n) = Find all nodes in the graph
- labels(n)[0] = Get the primary type of each node
- count(n) = Count how many of each type

Why this matters for security:
- Inventory is the foundation of security
- You can't protect what you don't know exists
- Graphs show relationships between assets
"""

results = graph_edu.run_educational_query(basic_inventory_query, explanation)

# Convert to educational DataFrame for analysis
df_inventory = pd.DataFrame([dict(record) for record in results])
print("\n📋 Security Asset Inventory:")
print(df_inventory.to_string(index=False))

# Educational Visualization
fig = px.bar(df_inventory, x='NodeType', y='Count', 
             title='Cloud Threat Graph Lab - Asset Distribution',
             color='Count',
             color_continuous_scale='Reds')
fig.update_layout(xaxis_tickangle=-45)
fig.show()

print("\n🎓 Learning Insight:")
print(f"Our lab has {df_inventory['Count'].sum()} total security assets with {len(df_inventory)} different types.")
print("Each type represents a different kind of security component in cloud infrastructure.")

## 🎯 Understanding Attack Path Fundamentals

Now let's learn the core concept: **Attack Paths**

### What is an Attack Path?
An attack path is a sequence of connected resources that an attacker can use to reach a target. Think of it like a route on a map, but for cybersecurity.

In [None]:
# EDUCATIONAL QUERY 2: Finding Your First Attack Path (Same as Dashboard!)
simple_attack_path_query = """
MATCH path = (user:User)-[*1..3]->(service:Service)
WHERE user.access_level = 'developer' 
  AND service.contains_pii = true
RETURN 
    user.name as StartUser,
    service.name as TargetService,
    length(path) as PathLength,
    [node in nodes(path) | node.name] as AttackPath
ORDER BY PathLength
LIMIT 3
"""

explanation = """
🎮 DASHBOARD CONNECTION: This is the SAME TYPE of query that powers 
the "AWS Privilege Escalation" scenario in your dashboard!

Breaking down the query:
- (user:User) = Start with user accounts
- [*1..3] = Follow 1 to 3 relationships (hops)
- (service:Service) = End at services/resources
- WHERE conditions = Filter for specific scenarios

Security implications:
- Shows how developers might access sensitive data
- Shorter paths = easier attacks (same as dashboard shows!)
- Each hop represents a security boundary

🔗 Try this: After running this query, go to your dashboard and 
select "AWS Privilege Escalation" - you'll see similar results!
"""

attack_paths = graph_edu.run_educational_query(simple_attack_path_query, explanation)

print("\n🎯 Attack Path Analysis (Same Data as Dashboard):")
for i, path in enumerate(attack_paths, 1):
    print(f"\n📍 Attack Path #{i}:")
    print(f"   From: {path['StartUser']} (Developer)")
    print(f"   To: {path['TargetService']} (Contains PII)")
    print(f"   Steps: {path['PathLength']} hops")
    print(f"   Route: {' → '.join(path['AttackPath'])}")

# Educational insights
if attack_paths:
    avg_length = sum(p['PathLength'] for p in attack_paths) / len(attack_paths)
    print(f"\n🎓 Security Insight:")
    print(f"Average attack path length: {avg_length:.1f} steps")
    print(f"Shortest path: {min(p['PathLength'] for p in attack_paths)} steps")
    print("\n💡 Remember: Shorter paths = Higher security risk!")
    
    print(f"\n🎮 Dashboard Comparison:")
    print(f"This query returns {len(attack_paths)} attack paths.")
    print(f"The dashboard 'AWS Privilege Escalation' scenario shows the same data!")
    print(f"Go compare: http://localhost:3000 → AWS Privilege Escalation → Table Analysis")

In [None]:
# EDUCATIONAL QUERY 2: Finding Your First Attack Path
simple_attack_path_query = """
MATCH path = (user:User)-[*1..3]->(service:Service)
WHERE user.access_level = 'developer' 
  AND service.contains_pii = true
RETURN 
    user.name as StartUser,
    service.name as TargetService,
    length(path) as PathLength,
    [node in nodes(path) | node.name] as AttackPath
ORDER BY PathLength
LIMIT 3
"""

explanation = """
This query finds attack paths from developers to sensitive data!

Breaking down the query:
- (user:User) = Start with user accounts
- [*1..3] = Follow 1 to 3 relationships (hops)
- (service:Service) = End at services/resources
- WHERE conditions = Filter for specific scenarios

Security implications:
- Shows how developers might access sensitive data
- Shorter paths = easier attacks
- Each hop represents a security boundary
"""

attack_paths = graph_edu.run_educational_query(simple_attack_path_query, explanation)

print("\n🎯 Attack Path Analysis:")
for i, path in enumerate(attack_paths, 1):
    print(f"\n📍 Attack Path #{i}:")
    print(f"   From: {path['StartUser']} (Developer)")
    print(f"   To: {path['TargetService']} (Contains PII)")
    print(f"   Steps: {path['PathLength']} hops")
    print(f"   Route: {' → '.join(path['AttackPath'])}")

# Educational insights
if attack_paths:
    avg_length = sum(p['PathLength'] for p in attack_paths) / len(attack_paths)
    print(f"\n🎓 Security Insight:")
    print(f"Average attack path length: {avg_length:.1f} steps")
    print(f"Shortest path: {min(p['PathLength'] for p in attack_paths)} steps")
    print("\n💡 Remember: Shorter paths = Higher security risk!")
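
To show what the `[*1..3]` pattern in the query above actually enumerates, here is an added example (not part of the original notebook or the lab's code) that reproduces the same search in plain Python, without Neo4j. The node names, relationship types and the sample graph are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample graph (not lab data): (source, relationship, target)
EDGES = [
    ("sarah.dev", "ASSUMES_ROLE", "dev-role"),
    ("dev-role", "CAN_ACCESS", "customer-db"),
    ("sarah.dev", "MEMBER_OF", "eng-group"),
    ("eng-group", "ASSUMES_ROLE", "ci-role"),
    ("ci-role", "CAN_ACCESS", "customer-db"),
    ("ci-role", "CAN_ACCESS", "build-cache"),
    ("omar.admin", "CAN_ACCESS", "customer-db"),
]
NODES = {
    "sarah.dev": {"label": "User", "access_level": "developer"},
    "omar.admin": {"label": "User", "access_level": "administrator"},
    "dev-role": {"label": "Role"},
    "eng-group": {"label": "Group"},
    "ci-role": {"label": "Role"},
    "customer-db": {"label": "Service", "contains_pii": True},
    "build-cache": {"label": "Service", "contains_pii": False},
}

def find_attack_paths(nodes, edges, min_hops=1, max_hops=3, limit=3):
    """Enumerate directed paths like (u:User)-[*1..3]->(s:Service)."""
    out = defaultdict(list)
    for idx, (src, _rel, dst) in enumerate(edges):
        out[src].append((idx, dst))

    found = []

    def walk(path, used):
        hops = len(path) - 1
        tail = nodes[path[-1]]
        # Same filter as the WHERE clause: a Service flagged contains_pii
        if hops >= min_hops and tail["label"] == "Service" and tail.get("contains_pii"):
            found.append({"StartUser": path[0], "TargetService": path[-1],
                          "PathLength": hops, "AttackPath": list(path)})
        if hops == max_hops:
            return
        for idx, nxt in out[path[-1]]:
            if idx not in used:  # Cypher never reuses a relationship within one path
                walk(path + [nxt], used | {idx})

    for name, props in nodes.items():
        if props["label"] == "User" and props.get("access_level") == "developer":
            walk([name], frozenset())
    found.sort(key=lambda p: p["PathLength"])  # ORDER BY PathLength
    return found[:limit]                        # LIMIT 3

if __name__ == "__main__":
    for p in find_attack_paths(NODES, EDGES):
        print(p["PathLength"], " -> ".join(p["AttackPath"]))
```

Removing one edge from `EDGES` and re-running shows how cutting a single relationship changes the set of paths that still reach the PII service.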

## 🔍 Visual Graph Analysis - Your First Security Graph

Let's create your first visual security graph to see how attacks flow through infrastructure:

In [None]:
# EDUCATIONAL VISUALIZATION: Simple Security Graph
def create_educational_security_graph():
    """
    Create a visual representation of security relationships
    This helps students understand graph structure visually
    """
    
    # Query for basic security relationships
    graph_query = """
    MATCH (user:User)-[r]->(target)
    WHERE user.access_level = 'developer'
    RETURN 
        user.name as source,
        target.name as target,
        type(r) as relationship,
        labels(target)[0] as target_type
    LIMIT 15
    """
    
    relationships = graph_edu.run_educational_query(graph_query, 
        "Creating a visual representation of developer access paths")
    
    # Create NetworkX graph for visualization
    G = nx.DiGraph()
    
    # Add nodes and edges
    for rel in relationships:
        G.add_edge(rel['source'], rel['target'], 
                  relationship=rel['relationship'])
    
    # Educational color coding
    node_colors = []
    for node in G.nodes():
        # Color coding for educational purposes
        if 'user' in node.lower() or 'chen' in node.lower():
            node_colors.append('lightblue')  # Users
        elif 'role' in node.lower():
            node_colors.append('orange')     # Roles/Permissions
        elif 'bucket' in node.lower() or 'data' in node.lower():
            node_colors.append('red')        # Sensitive Resources
        else:
            node_colors.append('lightgreen') # Other Resources
    
    # Create educational visualization
    plt.figure(figsize=(12, 8))
    pos = nx.spring_layout(G, k=2, iterations=50)
    
    # Draw the graph with educational styling
    nx.draw(G, pos, 
            node_color=node_colors,
            node_size=1500,
            font_size=8,
            font_weight='bold',
            arrows=True,
            arrowsize=20,
            edge_color='gray',
            with_labels=True)
    
    plt.title("Security Graph Visualization - Developer Access Paths", 
              fontsize=16, fontweight='bold')
    
    # Add educational legend
    legend_elements = [
        plt.Line2D([0], [0], marker='o', color='w', markerfacecolor='lightblue', 
                   markersize=15, label='Users'),
        plt.Line2D([0], [0], marker='o', color='w', markerfacecolor='orange', 
                   markersize=15, label='Roles/Permissions'),
        plt.Line2D([0], [0], marker='o', color='w', markerfacecolor='red', 
                   markersize=15, label='Sensitive Data'),
        plt.Line2D([0], [0], marker='o', color='w', markerfacecolor='lightgreen', 
                   markersize=15, label='Other Resources')
    ]
    plt.legend(handles=legend_elements, loc='upper right')
    
    plt.tight_layout()
    plt.show()
    
    return len(relationships)

# Create the educational visualization
relationship_count = create_educational_security_graph()

print(f"\n🎓 Graph Analysis Complete!")
print(f"📊 Visualized {relationship_count} security relationships")
print("\n💡 Key Learning Points:")
print("• Arrows show the direction of access/relationships")
print("• Colors help identify different types of security components")
print("• Connections represent potential attack paths")
print("• Sensitive data (red nodes) should have minimal connections")

## 🎯 Interactive Learning Exercise

Now it's your turn! Complete this hands-on exercise to practice your new skills:

In [None]:
# HANDS-ON EXERCISE: Build Your Own Security Query

print("🎓 LEARNING EXERCISE: Find Administrative Access Paths")
print("="*50)
print()
print("Your Challenge:")
print("Write a Cypher query to find users who can access administrative roles.")
print()
print("Hints:")
print("• Look for users with access_level = 'administrator'")
print("• Find what roles they can assume")
print("• Count the total number of admin access paths")
print()
print("Query Template:")
print("MATCH (user:User)-[relationship]->(role:Role)")
print("WHERE user.access_level = ?")
print("RETURN ...")
print()

# Student workspace - fill in your query here!
your_query = """
// Write your query here!
// Remember: Start with MATCH, add WHERE conditions, finish with RETURN

MATCH (user:User)-[r]->(role:Role)
WHERE user.access_level = 'administrator'
RETURN 
    user.name as AdminUser,
    role.name as AdminRole,
    type(r) as AccessMethod
"""

# Test your query
try:
    results = graph_edu.run_educational_query(your_query.strip(), 
        "Testing your administrative access query")
    
    if results:
        print("\n✅ Great job! Your query worked!")
        print("\n📋 Administrative Access Results:")
        for result in results:
            print(f"• {result['AdminUser']} can {result['AccessMethod']} {result['AdminRole']}")
        
        print(f"\n🎯 You found {len(results)} administrative access paths!")
    else:
        print("\n🤔 No results found. Try adjusting your query!")
        
except Exception as e:
    print(f"\n❌ Query error: {e}")
    print("💡 Check your syntax and try again!")

## 📚 Knowledge Check - Test Your Understanding

Answer these questions to check your understanding:

## 🎯 Next Steps in Your Security Graph Journey

Congratulations! You've completed the Graph Security Fundamentals module.

### What You've Learned:
✅ **Graph Basics:** Nodes, relationships, and security context  
✅ **Attack Paths:** How to identify and analyze security vulnerabilities  
✅ **Cypher Queries:** Basic database queries for security analysis  
✅ **Visual Analysis:** Reading and interpreting security graphs  
✅ **Dashboard Integration:** How notebooks connect to real scenarios

### 🎮 Apply Your Learning to All Dashboard Scenarios

Now that you understand graph fundamentals, explore these dashboard scenarios with new insight:

**High Priority (Start Here):**
- **AWS Privilege Escalation** - Practice the concepts you just learned
- **Cross-Cloud Attack Chain** - See how paths span multiple cloud providers
- **Supply Chain Compromise** - Trace complex multi-step attacks

**Advanced Scenarios (When Ready):**
- **Kubernetes RBAC Escalation** - Container security relationships
- **Serverless Attack Chain** - Modern cloud architecture attacks
- **Multi-Cloud Identity Federation** - Cross-platform security

### 🔗 How Dashboard Concepts Map to This Learning:

| Dashboard Feature | What You Learned |
|-------------------|------------------|
| **Table Analysis** | Same as your Cypher queries |
| **Graph Visualization** | Same as your NetworkX graphs |
| **Attack Paths** | Same as your path queries |
| **MITRE Techniques** | Classification of attack methods |
| **Risk Levels** | Prioritization based on path analysis |

### Next Learning Modules:
1. **02-Attack-Path-Discovery.ipynb** - Advanced attack path analysis
2. **05-Anomaly-Detection-ML.ipynb** - Machine learning for security
3. **Dashboard Scenarios** - Apply learning to real attack analysis

### 🎯 Recommended Learning Flow:
1. **Complete this notebook** ✅
2. **Practice with dashboard scenarios** (15-30 minutes)
3. **Return for advanced notebooks** when ready
4. **Combine dashboard + notebook learning** for maximum impact

---

### 💡 Key Takeaways for Dashboard Use:
- **Security is about relationships** - every dashboard scenario shows this
- **Shorter attack paths = higher risk** - notice this in scenario results
- **Same data, different views** - notebooks and dashboard complement each other
- **Practice makes perfect** - alternate between learning and applying

**Ready for real-world application?** Return to your dashboard and explore the scenarios with your new graph knowledge!

### Next Learning Modules:
1. **02-Attack-Path-Discovery.ipynb** - Advanced attack path analysis
2. **03-MITRE-Analysis.ipynb** - Industry framework integration
3. **04-Asset-Discovery-Analysis.ipynb** - Cartography and asset discovery

### Additional Resources:
- **Neo4j Browser:** http://localhost:7474 (practice queries)
- **Dashboard:** http://localhost:3000 (interactive scenarios)
- **Documentation:** Review the learning platform guides

---

### 💡 Key Takeaways:
- **Security is about relationships** - graphs reveal hidden connections
- **Shorter attack paths = higher risk** - prioritize defense accordingly
- **Visualization helps understanding** - use graphs to communicate security
- **Practice makes perfect** - keep querying and exploring!

Ready for the next challenge? Open **02-Attack-Path-Discovery.ipynb** to continue your journey!

In [None]:
# Clean up connection
if 'graph_edu' in locals():
    graph_edu.driver.close()
    print("✅ Learning session complete!")
    print("🎓 Great job on completing Graph Security Fundamentals!")