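-- =============================================================================
-- 09_audit_table.sql — SOC audit log table for dashboard activity tracking
-- Referenced as ja4_processing.audit_logs in dashboard/backend/routes/audit.py
-- =============================================================================
--
-- One row per dashboard action. Rows are partitioned by day and expire 90 days
-- after the date in `timestamp`.
--
-- NOTE(review): this table is the record of who did what in the dashboard.
-- Nothing in this file restricts who may alter or delete its rows; the account
-- the dashboard connects with should presumably hold only INSERT and SELECT
-- here. Confirm against the grants defined elsewhere.
-- NOTE(review): confirm that 90 days covers the retention period needed for
-- investigations. Rows removed by the TTL are gone from this table.

CREATE TABLE IF NOT EXISTS ja4_processing.audit_logs
(
    -- Time of the action. Filled by the server with now() when the writer omits it.
    -- NOTE(review): DateTime has no explicit time zone here, so values follow the
    -- server's time zone setting. Confirm this when correlating with other logs.
    `timestamp`    DateTime DEFAULT now(),

    -- Acting user. A row written without a user name is attributed to the
    -- generic 'soc_user' and cannot be tied to an individual account.
    -- NOTE(review): confirm the backend always supplies the authenticated user.
    `user_name`    LowCardinality(String) DEFAULT 'soc_user',

    -- Name of the action performed. This is the only column without a DEFAULT clause.
    `action`       LowCardinality(String),

    -- Kind and identifier of the object acted on. Empty string when not given.
    `entity_type`  LowCardinality(String) DEFAULT '',
    `entity_id`    String DEFAULT '',

    -- Number of entities affected by the action. 0 when not given.
    `entity_count` UInt32 DEFAULT 0,

    -- Free-form detail text, compressed with ZSTD level 3.
    -- DEFAULT is written before CODEC: ClickHouse's column grammar expects the
    -- default expression ahead of the compression codec.
    -- NOTE(review): confirm the writer never places credentials or session
    -- tokens in this field.
    `details`      String DEFAULT '' CODEC(ZSTD(3)),

    -- Client address stored as plain text; the schema does not validate it.
    -- NOTE(review): if the backend takes this from a forwarded-for style header
    -- it is client-controlled. Verify in audit.py.
    `client_ip`    String DEFAULT ''
)
ENGINE = MergeTree
PARTITION BY toDate(timestamp)                  -- one partition per calendar day
ORDER BY (timestamp, user_name, action)         -- sorting key, time first
TTL toDate(timestamp) + INTERVAL 90 DAY         -- rows expire 90 days after their date
SETTINGS index_granularity = 8192;              -- ClickHouse's default, stated explicitly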