fix(views): align SQL views with dashboard API expected columns

- view_form_bruteforce_detected: add post_count, distinct_paths, first_seen, last_seen - view_host_ip_ja4_rotation: add host, distinct_ja4, ja4_list, window_start - view_ip_recurrence: add worst_threat alias + top_ja4, top_host columns All three views were missing columns referenced by /api/brute-force, /api/ja4-rotation and /api/recurrence endpoints, causing 500 errors on the Tactiques page. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-10 00:59:57 +02:00
parent 2f2c5e03bb
commit b409a70970
2 changed files with 45 additions and 28 deletions
--- a/shared/clickhouse/06_ml_tables.sql
+++ b/shared/clickhouse/06_ml_tables.sql
@ -133,13 +133,14 @@ SETTINGS
 CREATE OR REPLACE VIEW ja4_processing.view_ip_recurrence AS
 SELECT
    src_ip,
-    count()                             AS recurrence,
-    min(detected_at)                    AS first_seen,
-    max(detected_at)                    AS last_seen,
-    max(anomaly_score)                  AS worst_score,
-    argMax(threat_level, anomaly_score) AS worst_threat_level
+    count()                              AS recurrence,
+    min(detected_at)                     AS first_seen,
+    max(detected_at)                     AS last_seen,
+    max(anomaly_score)                   AS worst_score,
+    argMax(threat_level, anomaly_score)  AS worst_threat_level,
+    argMax(threat_level, anomaly_score)  AS worst_threat,
+    argMax(ja4,          anomaly_score)  AS top_ja4,
+    argMax(host,         hits)           AS top_host
 FROM ja4_processing.ml_detected_anomalies
-- Filtre temporel aligné sur le TTL de la table (30 jours)
-- Évite de scanner les partitions expirées non encore supprimées par le TTL
 WHERE detected_at >= now() - INTERVAL 30 DAY
 GROUP BY src_ip;