feat: new detection techniques and SOC tactics page

SQL:
- Add 5 aggregation columns (count_xff, count_unusual_ct,
  count_non_std_port, count_login_post, sec_ch_mobile_mismatch)
- Expose 5 computed features in view_ai_features_1h
- ALTER TABLE migration for existing deployments

Bot-detector:
- 7 new ML features (has_xff, unusual_content_type_ratio,
  non_standard_port_ratio, login_post_concentration,
  sec_ch_mobile_mismatch, true_window_size, window_mss_ratio)
- Propagate campaign_id to ml_all_scores (was always -1)
- Campaign escalation: HIGH→CRITICAL if cluster ≥5 members

Dashboard:
- SOC Tactics page: brute-force, JA4 rotation, recurrence,
  real-time alerts — 4 KPIs + 4 panels + doc tooltips
- Add global fmtDate() helper
- Sidebar navigation updated

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
toto
2026-04-09 14:29:18 +02:00
parent 702c0d5edb
commit 039086a0b3
9 changed files with 295 additions and 5 deletions

@ -127,7 +127,13 @@ WITH base_data AS (
sqrt(a.ttl_variance_val) AS ttl_std,
IF(a.count_correlated_val > 0, a.count_no_wscale_val / a.count_correlated_val, 0) AS no_window_scale_ratio,
a.count_no_accept_enc_val / (a.hits + 1) AS missing_accept_enc_ratio,
a.count_http_scheme_val / (a.hits + 1) AS http_scheme_ratio
a.count_http_scheme_val / (a.hits + 1) AS http_scheme_ratio,
-- P1 : nouvelles features de détection
IF(a.count_xff_val > 0, 1, 0) AS has_xff,
a.count_unusual_ct_val / greatest(a.count_post, 1) AS unusual_content_type_ratio,
a.count_non_std_port_val / (a.hits + 1) AS non_standard_port_ratio,
a.count_login_post_val / greatest(a.count_post, 1) AS login_post_concentration,
h.sec_ch_mobile_mismatch AS sec_ch_mobile_mismatch
FROM (
SELECT
window_start, src_ip, ja4, host, src_asn,
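Review bot: the two POST-based ratios divide by `a.count_post`, which has no `_val` suffix, unlike every other aggregate read from `a` in this select, and the visible lines do not show the inner query exposing it under that name. Please confirm the column resolves, and confirm that count_unusual_ct and count_login_post are only incremented on POST requests; otherwise unusual_content_type_ratio and login_post_concentration can exceed 1. The new lines also mix two denominator conventions, `greatest(a.count_post, 1)` and `(a.hits + 1)`, so a one-line comment stating which smoothing is intended for each ratio would help whoever later tunes thresholds on these features.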
@ -162,7 +168,12 @@ WITH base_data AS (
sum(count_no_wscale) AS count_no_wscale_val,
sum(count_correlated) AS count_correlated_val,
sum(count_no_accept_enc) AS count_no_accept_enc_val,
sum(count_http_scheme) AS count_http_scheme_val
sum(count_http_scheme) AS count_http_scheme_val,
-- P1 : nouvelles features de détection
sum(count_xff) AS count_xff_val,
sum(count_unusual_ct) AS count_unusual_ct_val,
sum(count_non_std_port) AS count_non_std_port_val,
sum(count_login_post) AS count_login_post_val
FROM ja4_processing.agg_host_ip_ja4_1h
WHERE window_start >= now() - INTERVAL 24 HOUR
GROUP BY window_start, src_ip, ja4, host, src_asn
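Review bot: the four new sum() calls read columns of ja4_processing.agg_host_ip_ja4_1h that exist only after the ALTER TABLE migration, and nothing here documents that the migration has to run before the view is recreated. Because of `WHERE window_start >= now() - INTERVAL 24 HOUR`, rows written before the migration are still summed and carry only the column default, so for the first 24 hours after rollout has_xff and the three new ratios are computed from partial data. Suggest stating the deployment order next to the "-- P1" comment and either excluding these features from scoring during that first window or noting the expected dip.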
@ -173,6 +184,7 @@ WITH base_data AS (
max(header_count) AS header_count, max(has_accept_language) AS has_accept_language,
max(has_cookie) AS has_cookie, max(has_referer) AS has_referer,
max(modern_browser_score) AS modern_browser_score, max(ua_ch_mismatch) AS ua_ch_mismatch,
max(sec_ch_mobile_mismatch) AS sec_ch_mobile_mismatch,
any(sec_fetch_mode) AS sec_fetch_mode, any(sec_fetch_dest) AS sec_fetch_dest
FROM ja4_processing.agg_header_fingerprint_1h
WHERE window_start >= now() - INTERVAL 24 HOUR
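Review bot: `max(sec_ch_mobile_mismatch)` collapses every row in the group into a single flag, so one mismatching row is enough to set it for the whole group. That is consistent with `max(ua_ch_mismatch)` on the line above, but it should be stated in a comment so the downstream feature is read as "seen at least once" rather than as a rate. Unlike the other two hunks, this addition has no "-- P1" marker, and it also depends on the migration having added the column to ja4_processing.agg_header_fingerprint_1h.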