maj cumulative

backend/routes/variability.py

@@ -44,17 +44,22 @@ async def get_associated_ips(
         column = type_column_map[attr_type]
 
         query = f"""
-        SELECT DISTINCT src_ip
+        SELECT src_ip, count() AS hit_count
         FROM ml_detected_anomalies
         WHERE {column} = %(value)s
           AND detected_at >= now() - INTERVAL 24 HOUR
-        ORDER BY src_ip
+        GROUP BY src_ip
+        ORDER BY hit_count DESC
         LIMIT %(limit)s
         """
 
         result = db.query(query, {"value": value, "limit": limit})
 
-        ips = [str(row[0]) for row in result.result_rows]
+        total_hits = sum(row[1] for row in result.result_rows) or 1
+        ips = [
+            {"ip": str(row[0]), "count": row[1], "percentage": round(row[1] * 100.0 / total_hits, 2)}
+            for row in result.result_rows
+        ]
 
         # Compter le total
         count_query = f"""
@@ -491,42 +496,77 @@ async def get_variability(attr_type: str, value: str):
         first_seen = stats_row[2]
         last_seen = stats_row[3]
         
-        # User-Agents via view_dashboard_user_agents (source principale pour les UAs)
-        # Colonnes disponibles: src_ip, ja4, hour, log_date, user_agents, requests
+        # User-Agents depuis http_logs pour des comptes exacts par requête
+        # (view_dashboard_user_agents déduplique par heure, ce qui sous-compte les hits)
+        _ua_params: dict = {"value": value}
         if attr_type == "ip":
-            _ua_where = "toString(src_ip) = %(value)s"
-            _ua_params: dict = {"value": value}
+            _ua_logs_where = "src_ip = toIPv4(%(value)s)"
+            ua_query_simple = f"""
+            SELECT
+                header_user_agent AS user_agent,
+                count() AS count,
+                round(count() * 100.0 / (
+                    SELECT count() FROM mabase_prod.http_logs
+                    WHERE {_ua_logs_where} AND time >= now() - INTERVAL 24 HOUR
+                ), 2) AS percentage,
+                min(time) AS first_seen,
+                max(time) AS last_seen
+            FROM mabase_prod.http_logs
+            WHERE {_ua_logs_where}
+              AND time >= now() - INTERVAL 24 HOUR
+              AND header_user_agent != '' AND header_user_agent IS NOT NULL
+            GROUP BY user_agent
+            ORDER BY count DESC
+            """
+            ua_result = db.query(ua_query_simple, _ua_params)
+            user_agents = [get_attribute_value(row, 1, 2, 3, 4) for row in ua_result.result_rows]
         elif attr_type == "ja4":
-            _ua_where = "ja4 = %(value)s"
-            _ua_params = {"value": value}
+            _ua_logs_where = "ja4 = %(value)s"
+            ua_query_simple = f"""
+            SELECT
+                header_user_agent AS user_agent,
+                count() AS count,
+                round(count() * 100.0 / (
+                    SELECT count() FROM mabase_prod.http_logs
+                    WHERE {_ua_logs_where} AND time >= now() - INTERVAL 24 HOUR
+                ), 2) AS percentage,
+                min(time) AS first_seen,
+                max(time) AS last_seen
+            FROM mabase_prod.http_logs
+            WHERE {_ua_logs_where}
+              AND time >= now() - INTERVAL 24 HOUR
+              AND header_user_agent != '' AND header_user_agent IS NOT NULL
+            GROUP BY user_agent
+            ORDER BY count DESC
+            LIMIT 20
+            """
+            ua_result = db.query(ua_query_simple, _ua_params)
+            user_agents = [get_attribute_value(row, 1, 2, 3, 4) for row in ua_result.result_rows]
         else:
-            # country / asn / host: pivot via ml_detected_anomalies → IPs
+            # country / asn / host: pivot via ml_detected_anomalies → IPs, puis view UA
             _ua_where = f"""toString(src_ip) IN (
                 SELECT DISTINCT replaceRegexpAll(toString(src_ip), '^::ffff:', '')
                 FROM ml_detected_anomalies
                 WHERE {column} = %(value)s AND detected_at >= now() - INTERVAL 24 HOUR
             )"""
-            _ua_params = {"value": value}
-
-        ua_query_simple = f"""
-        SELECT
-            ua AS user_agent,
-            sum(requests) AS count,
-            round(sum(requests) * 100.0 / sum(sum(requests)) OVER (), 2) AS percentage,
-            min(log_date) AS first_seen,
-            max(log_date) AS last_seen
-        FROM view_dashboard_user_agents
-        ARRAY JOIN user_agents AS ua
-        WHERE {_ua_where}
-          AND hour >= now() - INTERVAL 24 HOUR
-          AND ua != ''
-        GROUP BY user_agent
-        ORDER BY count DESC
-        LIMIT 10
-        """
-
-        ua_result = db.query(ua_query_simple, _ua_params)
-        user_agents = [get_attribute_value(row, 1, 2, 3, 4) for row in ua_result.result_rows]
+            ua_query_simple = f"""
+            SELECT
+                ua AS user_agent,
+                sum(requests) AS count,
+                round(sum(requests) * 100.0 / sum(sum(requests)) OVER (), 2) AS percentage,
+                min(log_date) AS first_seen,
+                max(log_date) AS last_seen
+            FROM view_dashboard_user_agents
+            ARRAY JOIN user_agents AS ua
+            WHERE {_ua_where}
+              AND hour >= now() - INTERVAL 24 HOUR
+              AND ua != ''
+            GROUP BY user_agent
+            ORDER BY count DESC
+            LIMIT 20
+            """
+            ua_result = db.query(ua_query_simple, _ua_params)
+            user_agents = [get_attribute_value(row, 1, 2, 3, 4) for row in ua_result.result_rows]
         
         # JA4 fingerprints
         ja4_query = f"""