Defcon BTV 2020

Data Analysis for Detection Research Through Jupyter Notebooks 101

From a detection research perspective, even after learning how to simulate a threat actor technique and generate some data in your lab environment, you might still struggle to know what to do with it. In some cases, you might need to filter, transform, correlate and visualize your data to come up with the right detection logic. In this workshop, we will walk you through a few basic data analysis techniques using open source and SIEM agnostic tools such as Jupyter Notebooks which are not only used by large organizations, but also can be deployed at home for free.

Pre Requirements

  • Basics of Python

  • A computer with Docker installed (optional).

    • If you are planning on deploying Jupyter in your own system, we will show you how to deploy it via Docker. It is not necessary since we are going to use BinderHub to interact with Jupyter Notebooks throughout the whole workshop.


  • Introduction to Jupyter Notebooks (10 mins)

    • Deployment Options

    • Binder Project

  • Introduction to Apache Spark (5 mins)

    • Spark Engine

    • Spark SQL & DataFrames

  • Data Analysis Process 101 (10 mins)

  • We need data! (Mordor Project) (5 mins)

    • Download Datasets

    • Raw Data -> DataFrame

  • A few data analysis techniques: (1 hour)

    • filter

    • transform

    • correlate

    • visualize

Speaker: Jose Rodriguez

Twitter Handle: @Cyb3rPandaH

Jose is currently part of the ATT&CK team where he is currently revamping the concept of data sources. He is also one of the founders of Open Threat Research (OTR) and author of open source projects such as Infosec Jupyter Book, Open Source Security Event Metadata (OSSEM), Mordor, and Openhunt.

Speaker: Roberto Rodriguez

Roberto Rodriquez is a threat researcher and security engineer at the Microsoft Threat Intelligence Center (MSTIC) R&D team.

He is also the author of several open source projects, such as the Threat Hunter Playbook, Mordor, OSSEM, HELK and others, to aid the community development of techniques and tooling for threat research. He is also the founder of a new community movement to empower others in the InfoSec community named Open Threat Research.

Blog at

Twitter Handle: @Cyb3rWard0g

Have Fun