In [None]:
 %load_ext autoreload
%autoreload 2

In [None]:
import sys
sys.path.insert(0, '/root/sagemaker_ml_insights_repo/notebooks/')

In [None]:
import pyathena
from pyathena.pandas.cursor import PandasCursor
import pandas as pd
import matplotlib.pyplot as plt
import matplotlib.dates as mdates
from fastprogress import progress_bar
from tqdm.notebook import tqdm

In [None]:
import mlsec.utils as mlsecutils
from mlsec.tsat import *

In [None]:
mlsecutils.set_pandas_colwidth(500)

In [None]:
con = pyathena.connect(region_name='us-east-1',
                       work_group='security_lake_insights',
                      cursor_class=PandasCursor).cursor()

In [None]:
TABLE = 'amazon_security_lake_glue_db_us_east_1.amazon_security_lake_table_us_east_1_sh_findings_1_0'

## Query Security Hub Findings data in Security Lake using Athena Connection

In [None]:
## Pull data and aggregate by Product|Finding and date
## CONVENTION: ALWAYS HAVE "timestamp" and "value" (frequency) fields in the select statement

sql = f"""
select productname || ' | ' || types[1] as finding_type
    ,timestamp
    ,count(*) as value
from
(
select metadata.product.feature.name as ProductName,
finding.types as types,
cast(from_unixtime(time/1000) as timestamp) as timestamp
FROM {TABLE}
WHERE eventDay > '20220101'
) tmp
group by 1, 2
"""

keys = ['finding_type']

In [None]:
results = con.execute(sql).as_pandas()

In [None]:
 results.shape

In [None]:
results.head(5)

## Split results data into timeseries dataset

In [None]:
 def df_to_ts(df):
    ts = pd.Series(df['value'])
    ts.index = pd.to_datetime(df['timestamp'])
    ts = ts.resample('D').sum().fillna(0)
    return ts

In [None]:
 def split_sql_results_into_timeseries(sql_results, keys):
    timeseries = []
    for _, df in sql_results.groupby(keys, as_index=False):
        ts = df_to_ts(df)
        keyvals = {}
        for key in keys:
            keyvals[key] = df.iloc[0][key]
        timeseries.append((keyvals, ts))
#     timeseries = [({split_key: df.iloc[0][split_key]}, df_to_ts(df)) for _, df in results.groupby(keys, as_index=False)]
    return timeseries

In [None]:
 timeseries = split_sql_results_into_timeseries(results, keys)

In [None]:
 len(timeseries)

In [None]:
timeseries = [(key, ts) for key, ts in timeseries if len(ts) > 5]

In [None]:
len(timeseries)

In [None]:
 milo_tss = [MiloTimeseries(ts=ts, source_sql=sql, keyvals=keyvals) for keyvals,ts in timeseries]

In [None]:
 milo_tss[0].keyvals

In [None]:
 %store milo_tss

In [None]:
print("source_sql\n", milo_tss[0].source_sql)
print("_wheres\n", milo_tss[0]._wheres)
print("_selects\n", milo_tss[0]._selects)

In [None]:
for milo_ts in milo_tss:
    milo_ts.plot()
    plt.show()