maj cumulative

2026-03-18 13:56:39 +01:00
parent 32a96966dd
commit c887846af5
18 changed files with 986 additions and 686 deletions
--- a/backend/routes/ml_features.py
+++ b/backend/routes/ml_features.py
@ -33,8 +33,8 @@ async def get_top_anomalies(limit: int = Query(50, ge=1, le=500)):
            any(a.ja4)                                                                           AS ja4,
            any(a.host)                                                                          AS host,
            sum(a.hits)                                                                          AS hits,
-            round(max(uniqMerge(a.uniq_query_params))
-                  / greatest(max(uniqMerge(a.uniq_paths)), 1), 4)                               AS fuzzing_index,
+            round(uniqMerge(a.uniq_query_params)
+                  / greatest(uniqMerge(a.uniq_paths), 1), 4)                                    AS fuzzing_index,
            round(sum(a.hits)
                  / greatest(dateDiff('second', min(a.first_seen), max(a.last_seen)), 1), 2)    AS hit_velocity,
            round(sum(a.count_head)         / greatest(sum(a.hits), 1), 4)                      AS head_ratio,
@ -378,16 +378,27 @@ async def get_ml_scatter(limit: int = Query(200, ge=1, le=1000)):
    try:
        sql = """
        SELECT
-            replaceRegexpAll(toString(src_ip), '^::ffff:', '')                              AS ip,
-            any(ja4)                                                                         AS ja4,
-            round(max(uniqMerge(uniq_query_params)) / greatest(max(uniqMerge(uniq_paths)), 1), 4) AS fuzzing_index,
-            round(sum(hits) / greatest(dateDiff('second', min(first_seen), max(last_seen)), 1), 2) AS hit_velocity,
-            sum(hits)                                                                        AS hits,
-            round(sum(count_head) / greatest(sum(hits), 1), 4)                             AS head_ratio,
-            max(correlated_raw)                                                              AS correlated
-        FROM mabase_prod.agg_host_ip_ja4_1h
-        WHERE window_start >= now() - INTERVAL 24 HOUR
-        GROUP BY src_ip
+            ip,
+            ja4,
+            round(fuzzing_index, 4)                                                              AS fuzzing_index,
+            round(total_hits / greatest(dateDiff('second', min_first, max_last), 1), 2)         AS hit_velocity,
+            total_hits                                                                            AS hits,
+            round(total_count_head / greatest(total_hits, 1), 4)                                AS head_ratio,
+            correlated
+        FROM (
+            SELECT
+                replaceRegexpAll(toString(src_ip), '^::ffff:', '')                               AS ip,
+                any(ja4)                                                                          AS ja4,
+                uniqMerge(uniq_query_params) / greatest(uniqMerge(uniq_paths), 1)               AS fuzzing_index,
+                sum(hits)                                                                         AS total_hits,
+                min(first_seen)                                                                   AS min_first,
+                max(last_seen)                                                                    AS max_last,
+                sum(count_head)                                                                   AS total_count_head,
+                max(correlated_raw)                                                               AS correlated
+            FROM mabase_prod.agg_host_ip_ja4_1h
+            WHERE window_start >= now() - INTERVAL 24 HOUR
+            GROUP BY src_ip
+        )
        ORDER BY fuzzing_index DESC
        LIMIT %(limit)s
        """