{"ip":"102.220.160.41","exported_at":"2026-07-18T12:22:51+00:00","period_days":7,"metrics":{"events7d":43,"distinct_ports":8,"distinct_classifications":3,"max_severity":5,"last_sensor_id":"paris-1","max_waf_score":0,"max_risk_score":50,"attack_stage":"probe","attack_chain_stage":"discovery","threat_family":["scanner"],"recommended_action":"monitor","confidence":0.77,"risk_breakdown":{"waf":8,"classification":38,"behavior":0,"geo":40,"protocol":43,"novelty":15},"mitre_tactics":["TA0007","TA0001"],"mitre_technique":"TA0007","top_mitre_technique":"TA0007","top_mitre_count":103,"executive_one_liner_fr":"Activit\u00e9 suspecte \u00b7 risque 40\/100","campaign_hint_fr":null,"confidence_breakdown":{"waf":8,"classification":38,"behavior":0,"geo":40,"protocol":43,"novelty":15,"risk_score":40},"persona_hostname":"mail.sensor-1.internal","correlation_flags":[],"correlation_flags_labels_fr":[],"confidence_pct":77,"confidence_hint_fr":null,"sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":[],"tags_summary":[],"attack_vector":"Sonde HTTP \u00b7 via HTTP:9080 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.41:80","protocol_details":{"http_method":"CONNECT","http_path":"102.220.160.41:80","request_line":"CONNECT 102.220.160.41:80 HTTP\/1.1","port":9080,"service":"http","service_label_fr":"HTTP"},"protocol_summary_fr":"CONNECT 102.220.160.41:80 \u00b7 HTTP:9080","evidence_snippet":"CONNECT 102.220.160.41:80 HTTP\/1.0\r\nHost: 102.220.160.41:80\r\nProxy-Authorization: Basic dHMzOnBhc3N3b3JkQDE=","target_port_label":"9080 \u00b7 HTTP","emulator_service":"http","confidence_reason":"Confiance 77 % \u2014 Score WAF 8","classification_reason":"Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%","classification_reason_label_fr":"Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%","confidence_factors_fr":"Confiance 77 % \u2014 Score WAF 8","payload_preview":"CONNECT 102.220.160.41:80 HTTP\/1.0\r\nHost: 102.220.160.41:80\r\nProxy-Authorization: Basic dHMzOnBhc3N3b3JkQDE="},"events":[{"id":12515873,"ip":"102.220.160.41","ts":"2026-07-16 13:26:17.000000","proto":"tcp","src_port":55412,"dst_port":9080,"service":"http","classification":"web_probe","waf_score":0,"waf_tags":"[]","http_method":"CONNECT","http_target":"102.220.160.41:80","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a2049424d5f485454505f5365727665720d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c68746d6c3e3c626f64793e49424d20576562537068657265204170706c69636174696f6e2053\u0022, \u0022emulator_response_len\u0022: 147, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u002241:80\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221ae4dddf987547e03d0ae65749ef26fb681cc41f\u0022, \u0022http_target_hash\u0022: \u00221ae4dddf987547e03d0ae65749ef26fb681cc41f\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 112, \u0022payload_entropy\u0022: 5.151274257651068, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 9080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022cd04e782d239e46bc18ffa0b511d16368028d2c7\u0022, \u0022event_fingerprint\u0022: \u0022c93760dd5a18da1939d802a275d1214ac1ef976b\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224c17036d1d906d46b0084dac3a85c68a\u0022, \u0022path_pattern_hash\u0022: \u0022c22a2fc23ff7402dc06e6e0ecab6af1c\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dHMzOnBhc3N3b3JkQDE=\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dHMzOnBhc3N3b3JkQDE=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dHMzOnBhc3N3b3JkQDE=\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dHMzOnBhc3N3b3JkQDE=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dHMzOnBhc3N3b3JkQDE=\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.77, \u0022classification_confidence\u0022: 0.77, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022eebd929a53e4961a1eace778a31db3cffe2485ab\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dHMzOnBhc3N3b3JkQDE=\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:9080 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.41:80\u0022, \u0022target_port_label\u0022: \u00229080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 77, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:9080 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.41:80\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dHMzOnBhc3N3b3JkQDE=\u0022, \u0022target_port_label\u0022: \u00229080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"102.220.160.41:80","http_user_agent":null,"http_referer":null,"tags":"[\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":112},{"id":12515403,"ip":"102.220.160.41","ts":"2026-07-16 13:14:38.000000","proto":"tcp","src_port":40454,"dst_port":9080,"service":"http","classification":"web_probe","waf_score":0,"waf_tags":"[]","http_method":"CONNECT","http_target":"102.220.160.41:80","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a2049424d5f485454505f5365727665720d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c68746d6c3e3c626f64793e49424d20576562537068657265204170706c69636174696f6e2053\u0022, \u0022emulator_response_len\u0022: 147, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u002241:80\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221ae4dddf987547e03d0ae65749ef26fb681cc41f\u0022, \u0022http_target_hash\u0022: \u00221ae4dddf987547e03d0ae65749ef26fb681cc41f\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 112, \u0022payload_entropy\u0022: 5.1831912806028315, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 9080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022cd04e782d239e46bc18ffa0b511d16368028d2c7\u0022, \u0022event_fingerprint\u0022: \u0022c93760dd5a18da1939d802a275d1214ac1ef976b\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b31c68c8bf757482044dc4bbb08eb0bb\u0022, \u0022path_pattern_hash\u0022: \u0022c22a2fc23ff7402dc06e6e0ecab6af1c\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic YmViZXRvOmJlYmV0bw==\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic YmViZXRvOmJlYmV0bw==\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic YmViZXRvOmJlYmV0bw==\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic YmViZXRvOmJlYmV0bw==\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic YmViZXRvOmJlYmV0bw==\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.77, \u0022classification_confidence\u0022: 0.77, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002246516962aec0cef919cb18fa78baadd707299061\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic YmViZXRvOmJlYmV0bw==\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:9080 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.41:80\u0022, \u0022target_port_label\u0022: \u00229080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 77, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:9080 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.41:80\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic YmViZXRvOmJlYmV0bw==\u0022, \u0022target_port_label\u0022: \u00229080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"102.220.160.41:80","http_user_agent":null,"http_referer":null,"tags":"[\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":112},{"id":12512079,"ip":"102.220.160.41","ts":"2026-07-16 13:03:17.000000","proto":"tcp","src_port":22904,"dst_port":9080,"service":"http","classification":"web_probe","waf_score":0,"waf_tags":"[]","http_method":"CONNECT","http_target":"102.220.160.41:80","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a2049424d5f485454505f5365727665720d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c68746d6c3e3c626f64793e49424d20576562537068657265204170706c69636174696f6e2053\u0022, \u0022emulator_response_len\u0022: 147, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u002241:80\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221ae4dddf987547e03d0ae65749ef26fb681cc41f\u0022, \u0022http_target_hash\u0022: \u00221ae4dddf987547e03d0ae65749ef26fb681cc41f\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 112, \u0022payload_entropy\u0022: 5.271897248761129, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 9080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022cd04e782d239e46bc18ffa0b511d16368028d2c7\u0022, \u0022event_fingerprint\u0022: \u0022c93760dd5a18da1939d802a275d1214ac1ef976b\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002262acb2645547442e7b1d5a77424d7f9a\u0022, \u0022path_pattern_hash\u0022: \u0022c22a2fc23ff7402dc06e6e0ecab6af1c\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cm9vdDpXaW53YXkyMDIw\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cm9vdDpXaW53YXkyMDIw\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cm9vdDpXaW53YXkyMDIw\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cm9vdDpXaW53YXkyMDIw\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cm9vdDpXaW53YXkyMDIw\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.77, \u0022classification_confidence\u0022: 0.77, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022492f3baf37286ad418f7fb68b41bfb2cf4ee9349\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cm9vdDpXaW53YXkyMDIw\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:9080 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.41:80\u0022, \u0022target_port_label\u0022: \u00229080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 77, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:9080 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.41:80\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cm9vdDpXaW53YXkyMDIw\u0022, \u0022target_port_label\u0022: \u00229080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"102.220.160.41:80","http_user_agent":null,"http_referer":null,"tags":"[\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":112},{"id":12511693,"ip":"102.220.160.41","ts":"2026-07-16 12:52:15.000000","proto":"tcp","src_port":37228,"dst_port":9080,"service":"http","classification":"web_probe","waf_score":0,"waf_tags":"[]","http_method":"CONNECT","http_target":"102.220.160.41:80","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a2049424d5f485454505f5365727665720d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c68746d6c3e3c626f64793e49424d20576562537068657265204170706c69636174696f6e2053\u0022, \u0022emulator_response_len\u0022: 147, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u002241:80\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221ae4dddf987547e03d0ae65749ef26fb681cc41f\u0022, \u0022http_target_hash\u0022: \u00221ae4dddf987547e03d0ae65749ef26fb681cc41f\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 102, \u0022payload_entropy\u0022: 4.881245779594973, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 9080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022cd04e782d239e46bc18ffa0b511d16368028d2c7\u0022, \u0022event_fingerprint\u0022: \u0022c93760dd5a18da1939d802a275d1214ac1ef976b\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f0ea694ffbb321b2da50b12a5fc4be6c\u0022, \u0022path_pattern_hash\u0022: \u0022c22a2fc23ff7402dc06e6e0ecab6af1c\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic ODg4ODo4ODg4\\r\\n\u0022, \u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic ODg4ODo4ODg4\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic ODg4ODo4ODg4\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic ODg4ODo4ODg4\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic ODg4ODo4ODg4\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.77, \u0022classification_confidence\u0022: 0.77, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225ec507c321ac94067fd618e1e03ac1e1959e0d27\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic ODg4ODo4ODg4\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:9080 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.41:80\u0022, \u0022target_port_label\u0022: \u00229080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 77, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:9080 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.41:80\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic ODg4ODo4ODg4\u0022, \u0022target_port_label\u0022: \u00229080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"102.220.160.41:80","http_user_agent":null,"http_referer":null,"tags":"[\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":102},{"id":12509928,"ip":"102.220.160.41","ts":"2026-07-16 12:40:54.000000","proto":"tcp","src_port":10112,"dst_port":9080,"service":"http","classification":"web_probe","waf_score":0,"waf_tags":"[]","http_method":"CONNECT","http_target":"102.220.160.41:80","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a2049424d5f485454505f5365727665720d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c68746d6c3e3c626f64793e49424d20576562537068657265204170706c69636174696f6e2053\u0022, \u0022emulator_response_len\u0022: 147, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u002241:80\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221ae4dddf987547e03d0ae65749ef26fb681cc41f\u0022, \u0022http_target_hash\u0022: \u00221ae4dddf987547e03d0ae65749ef26fb681cc41f\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 104, \u0022payload_entropy\u0022: 5.034897680573389, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 9080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022cd04e782d239e46bc18ffa0b511d16368028d2c7\u0022, \u0022event_fingerprint\u0022: \u0022c93760dd5a18da1939d802a275d1214ac1ef976b\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a0bd584404548225102a9205859ed20a\u0022, \u0022path_pattern_hash\u0022: \u0022c22a2fc23ff7402dc06e6e0ecab6af1c\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dXNlcjpwYXNz\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dXNlcjpwYXNz\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dXNlcjpwYXNz\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dXNlcjpwYXNz\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dXNlcjpwYXNz\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.77, \u0022classification_confidence\u0022: 0.77, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222dfdcfd91cbc555b73f7ce2a8522ced8e622e7a9\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dXNlcjpwYXNz\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:9080 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.41:80\u0022, \u0022target_port_label\u0022: \u00229080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 77, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:9080 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.41:80\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dXNlcjpwYXNz\u0022, \u0022target_port_label\u0022: \u00229080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"102.220.160.41:80","http_user_agent":null,"http_referer":null,"tags":"[\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":104},{"id":12507874,"ip":"102.220.160.41","ts":"2026-07-16 12:29:52.000000","proto":"tcp","src_port":17388,"dst_port":9080,"service":"http","classification":"web_probe","waf_score":0,"waf_tags":"[]","http_method":"CONNECT","http_target":"102.220.160.41:80","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a2049424d5f485454505f5365727665720d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c68746d6c3e3c626f64793e49424d20576562537068657265204170706c69636174696f6e2053\u0022, \u0022emulator_response_len\u0022: 147, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u002241:80\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221ae4dddf987547e03d0ae65749ef26fb681cc41f\u0022, \u0022http_target_hash\u0022: \u00221ae4dddf987547e03d0ae65749ef26fb681cc41f\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 108, \u0022payload_entropy\u0022: 4.950942943075708, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 9080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022cd04e782d239e46bc18ffa0b511d16368028d2c7\u0022, \u0022event_fingerprint\u0022: \u0022c93760dd5a18da1939d802a275d1214ac1ef976b\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00228c57f6392493fe46f617d45a36329462\u0022, \u0022path_pattern_hash\u0022: \u0022c22a2fc23ff7402dc06e6e0ecab6af1c\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic YWRtaW46YWRtaW4=\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic YWRtaW46YWRtaW4=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic YWRtaW46YWRtaW4=\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic YWRtaW46YWRtaW4=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic YWRtaW46YWRtaW4=\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.77, \u0022classification_confidence\u0022: 0.77, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228d7170fe025f1653d23a50dac348546ea03da29b\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic YWRtaW46YWRtaW4=\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:9080 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.41:80\u0022, \u0022target_port_label\u0022: \u00229080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 77, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:9080 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.41:80\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic YWRtaW46YWRtaW4=\u0022, \u0022target_port_label\u0022: \u00229080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"102.220.160.41:80","http_user_agent":null,"http_referer":null,"tags":"[\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":108},{"id":12361858,"ip":"102.220.160.41","ts":"2026-07-16 03:04:31.000000","proto":"tcp","src_port":11232,"dst_port":8020,"service":"hdfs-namenode","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63\u0022, \u0022emulator_response_len\u0022: 144, \u0022bytes_in\u0022: 36, \u0022payload_entropy\u0022: 3.9721634603655405, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022app_proto\u0022: \u0022hdfs-namenode\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 8020, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a3f0406cb9859f918547e7d9724ae04de9b35cbf\u0022, \u0022event_fingerprint\u0022: \u0022f86f2f8585eddb17139e72dd9eb2eb48cccd1028\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 46}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00225dac21f7c764e3d10b79739061baba4f\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002280b9263ff66cf4924fbc43361fac14b5e83056e2\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\u0022, \u0022port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228020 \u00b7 HDFS NAMENODE\u0022, \u0022emulator_service\u0022: \u0022hdfs-namenode\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 49 % \u2014 via HDFS NAMENODE\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 46}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022, \u0022dst_port\u0022: 8020, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-hdfs-namenode\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\u0022, \u0022port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\u0022, \u0022target_port_label\u0022: \u00228020 \u00b7 HDFS NAMENODE\u0022, \u0022emulator_service\u0022: \u0022hdfs-namenode\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022hdfs_namenode\u0022, \u0022service_banner\u0022: \u0022honeypot-hdfs-namenode\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228020\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022hdfs_namenode_emulated\u0022, \u0022hdfs_namenode_payload\u0022, \u0022net_hdfs_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022hdfs_namenode_emulated\u0022, \u0022hdfs_namenode_payload\u0022, \u0022net_hdfs_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":36},{"id":12361397,"ip":"102.220.160.41","ts":"2026-07-16 02:54:48.000000","proto":"tcp","src_port":18174,"dst_port":8020,"service":"hdfs-namenode","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63\u0022, \u0022emulator_response_len\u0022: 144, \u0022bytes_in\u0022: 100, \u0022payload_entropy\u0022: 4.916594720661043, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022app_proto\u0022: \u0022hdfs-namenode\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 8020, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a3f0406cb9859f918547e7d9724ae04de9b35cbf\u0022, \u0022event_fingerprint\u0022: \u0022f86f2f8585eddb17139e72dd9eb2eb48cccd1028\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f475ba4c52a18a249297a6061b0d1c0e\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cGM6cGM=\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cGM6cGM=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cGM6cGM=\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cGM6cGM=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cGM6cGM=\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a6dfce4ea6fc02e664dbf9575d9b8ac08077c93f\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cGM6cGM=\u0022, \u0022port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cGM6cGM=\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228020 \u00b7 HDFS NAMENODE\u0022, \u0022emulator_service\u0022: \u0022hdfs-namenode\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 49 % \u2014 via HDFS NAMENODE\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022, \u0022dst_port\u0022: 8020, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-hdfs-namenode\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cGM6cGM=\u0022, \u0022port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cGM6cGM=\u0022, \u0022target_port_label\u0022: \u00228020 \u00b7 HDFS NAMENODE\u0022, \u0022emulator_service\u0022: \u0022hdfs-namenode\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022hdfs_namenode\u0022, \u0022service_banner\u0022: \u0022honeypot-hdfs-namenode\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228020\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022hdfs_namenode_emulated\u0022, \u0022hdfs_namenode_payload\u0022, \u0022net_hdfs_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022hdfs_namenode_emulated\u0022, \u0022hdfs_namenode_payload\u0022, \u0022net_hdfs_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":100},{"id":12361029,"ip":"102.220.160.41","ts":"2026-07-16 02:46:16.000000","proto":"tcp","src_port":46392,"dst_port":8020,"service":"hdfs-namenode","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63\u0022, \u0022emulator_response_len\u0022: 144, \u0022bytes_in\u0022: 104, \u0022payload_entropy\u0022: 5.034897680573389, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022app_proto\u0022: \u0022hdfs-namenode\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 8020, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a3f0406cb9859f918547e7d9724ae04de9b35cbf\u0022, \u0022event_fingerprint\u0022: \u0022f86f2f8585eddb17139e72dd9eb2eb48cccd1028\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a0bd584404548225102a9205859ed20a\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dXNlcjpwYXNz\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dXNlcjpwYXNz\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dXNlcjpwYXNz\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dXNlcjpwYXNz\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dXNlcjpwYXNz\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f2ff2cd070b224d639b28ebd829f3bdd966ccd01\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dXNlcjpwYXNz\u0022, \u0022port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dXNlcjpwYXNz\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228020 \u00b7 HDFS NAMENODE\u0022, \u0022emulator_service\u0022: \u0022hdfs-namenode\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 49 % \u2014 via HDFS NAMENODE\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022, \u0022dst_port\u0022: 8020, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-hdfs-namenode\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dXNlcjpwYXNz\u0022, \u0022port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dXNlcjpwYXNz\u0022, \u0022target_port_label\u0022: \u00228020 \u00b7 HDFS NAMENODE\u0022, \u0022emulator_service\u0022: \u0022hdfs-namenode\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022hdfs_namenode\u0022, \u0022service_banner\u0022: \u0022honeypot-hdfs-namenode\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228020\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022hdfs_namenode_emulated\u0022, \u0022hdfs_namenode_payload\u0022, \u0022net_hdfs_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022hdfs_namenode_emulated\u0022, \u0022hdfs_namenode_payload\u0022, \u0022net_hdfs_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":104},{"id":12357578,"ip":"102.220.160.41","ts":"2026-07-16 02:37:16.000000","proto":"tcp","src_port":40530,"dst_port":8020,"service":"hdfs-namenode","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63\u0022, \u0022emulator_response_len\u0022: 144, \u0022bytes_in\u0022: 108, \u0022payload_entropy\u0022: 5.147805210935335, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022app_proto\u0022: \u0022hdfs-namenode\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 8020, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a3f0406cb9859f918547e7d9724ae04de9b35cbf\u0022, \u0022event_fingerprint\u0022: \u0022f86f2f8585eddb17139e72dd9eb2eb48cccd1028\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022abd32e717f153d3f961332df81b99f22\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cm9vdDphZG1pbg==\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cm9vdDphZG1pbg==\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cm9vdDphZG1pbg==\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cm9vdDphZG1pbg==\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cm9vdDphZG1pbg==\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226433ee078e419e873271f529b6b1f7af4f045f6d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cm9vdDphZG1pbg==\u0022, \u0022port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cm9vdDphZG1pbg==\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228020 \u00b7 HDFS NAMENODE\u0022, \u0022emulator_service\u0022: \u0022hdfs-namenode\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 49 % \u2014 via HDFS NAMENODE\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022, \u0022dst_port\u0022: 8020, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-hdfs-namenode\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cm9vdDphZG1pbg==\u0022, \u0022port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cm9vdDphZG1pbg==\u0022, \u0022target_port_label\u0022: \u00228020 \u00b7 HDFS NAMENODE\u0022, \u0022emulator_service\u0022: \u0022hdfs-namenode\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022hdfs_namenode\u0022, \u0022service_banner\u0022: \u0022honeypot-hdfs-namenode\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228020\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022hdfs_namenode_emulated\u0022, \u0022hdfs_namenode_payload\u0022, \u0022net_hdfs_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022hdfs_namenode_emulated\u0022, \u0022hdfs_namenode_payload\u0022, \u0022net_hdfs_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":108},{"id":12343027,"ip":"102.220.160.41","ts":"2026-07-16 01:47:10.000000","proto":"tcp","src_port":57400,"dst_port":9080,"service":"http","classification":"web_probe","waf_score":0,"waf_tags":"[]","http_method":"CONNECT","http_target":"102.220.160.41:80","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a2049424d5f485454505f5365727665720d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c68746d6c3e3c626f64793e49424d20576562537068657265204170706c69636174696f6e2053\u0022, \u0022emulator_response_len\u0022: 147, \u0022http_header_count\u0022: 1, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u002241:80\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221ae4dddf987547e03d0ae65749ef26fb681cc41f\u0022, \u0022http_target_hash\u0022: \u00221ae4dddf987547e03d0ae65749ef26fb681cc41f\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 61, \u0022payload_entropy\u0022: 4.068331904241498, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 9080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022cd04e782d239e46bc18ffa0b511d16368028d2c7\u0022, \u0022event_fingerprint\u0022: \u0022c93760dd5a18da1939d802a275d1214ac1ef976b\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002250cdbd31a3f842a22c267e7cb3e22aba\u0022, \u0022path_pattern_hash\u0022: \u0022c22a2fc23ff7402dc06e6e0ecab6af1c\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\n\u0022, \u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.77, \u0022classification_confidence\u0022: 0.77, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022499cc4d355775b685fb8333c5b1b880a1675da0b\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:9080 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.41:80\u0022, \u0022target_port_label\u0022: \u00229080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 77, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:9080 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.41:80\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\u0022, \u0022target_port_label\u0022: \u00229080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"102.220.160.41:80","http_user_agent":null,"http_referer":null,"tags":"[\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":61},{"id":12342557,"ip":"102.220.160.41","ts":"2026-07-16 01:38:38.000000","proto":"tcp","src_port":41384,"dst_port":9080,"service":"http","classification":"web_probe","waf_score":0,"waf_tags":"[]","http_method":"CONNECT","http_target":"102.220.160.41:80","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a2049424d5f485454505f5365727665720d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c68746d6c3e3c626f64793e49424d20576562537068657265204170706c69636174696f6e2053\u0022, \u0022emulator_response_len\u0022: 147, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u002241:80\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221ae4dddf987547e03d0ae65749ef26fb681cc41f\u0022, \u0022http_target_hash\u0022: \u00221ae4dddf987547e03d0ae65749ef26fb681cc41f\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 5.303362138353385, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 9080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022cd04e782d239e46bc18ffa0b511d16368028d2c7\u0022, \u0022event_fingerprint\u0022: \u0022c93760dd5a18da1939d802a275d1214ac1ef976b\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022db63e711b6d8e190e598c221cf25b84f\u0022, \u0022path_pattern_hash\u0022: \u0022c22a2fc23ff7402dc06e6e0ecab6af1c\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cm9vdDpLb3Vyb3NoQDIwMDk=\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cm9vdDpLb3Vyb3NoQDIwMDk=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cm9vdDpLb3Vyb3NoQDIwMDk=\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cm9vdDpLb3Vyb3NoQDIwMDk=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cm9vdDpLb3Vyb3NoQDIwMDk=\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.77, \u0022classification_confidence\u0022: 0.77, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229d65bae253a77038142e9ce0b3c97f4ea9f4bc54\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cm9vdDpLb3Vyb3NoQDIwMDk=\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:9080 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.41:80\u0022, \u0022target_port_label\u0022: \u00229080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 77, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:9080 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.41:80\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cm9vdDpLb3Vyb3NoQDIwMDk=\u0022, \u0022target_port_label\u0022: \u00229080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"102.220.160.41:80","http_user_agent":null,"http_referer":null,"tags":"[\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":116},{"id":12338673,"ip":"102.220.160.41","ts":"2026-07-16 01:30:21.000000","proto":"tcp","src_port":47720,"dst_port":9080,"service":"http","classification":"web_probe","waf_score":0,"waf_tags":"[]","http_method":"CONNECT","http_target":"102.220.160.41:80","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a2049424d5f485454505f5365727665720d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c68746d6c3e3c626f64793e49424d20576562537068657265204170706c69636174696f6e2053\u0022, \u0022emulator_response_len\u0022: 147, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u002241:80\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221ae4dddf987547e03d0ae65749ef26fb681cc41f\u0022, \u0022http_target_hash\u0022: \u00221ae4dddf987547e03d0ae65749ef26fb681cc41f\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 112, \u0022payload_entropy\u0022: 5.1831912806028315, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 9080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022cd04e782d239e46bc18ffa0b511d16368028d2c7\u0022, \u0022event_fingerprint\u0022: \u0022c93760dd5a18da1939d802a275d1214ac1ef976b\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b31c68c8bf757482044dc4bbb08eb0bb\u0022, \u0022path_pattern_hash\u0022: \u0022c22a2fc23ff7402dc06e6e0ecab6af1c\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic YmViZXRvOmJlYmV0bw==\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic YmViZXRvOmJlYmV0bw==\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic YmViZXRvOmJlYmV0bw==\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic YmViZXRvOmJlYmV0bw==\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic YmViZXRvOmJlYmV0bw==\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.77, \u0022classification_confidence\u0022: 0.77, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002246516962aec0cef919cb18fa78baadd707299061\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic YmViZXRvOmJlYmV0bw==\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:9080 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.41:80\u0022, \u0022target_port_label\u0022: \u00229080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 77, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:9080 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.41:80\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic YmViZXRvOmJlYmV0bw==\u0022, \u0022target_port_label\u0022: \u00229080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"102.220.160.41:80","http_user_agent":null,"http_referer":null,"tags":"[\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":112},{"id":12329786,"ip":"102.220.160.41","ts":"2026-07-16 01:21:05.000000","proto":"tcp","src_port":63370,"dst_port":9080,"service":"http","classification":"web_probe","waf_score":0,"waf_tags":"[]","http_method":"CONNECT","http_target":"102.220.160.41:80","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a2049424d5f485454505f5365727665720d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c68746d6c3e3c626f64793e49424d20576562537068657265204170706c69636174696f6e2053\u0022, \u0022emulator_response_len\u0022: 147, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u002241:80\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221ae4dddf987547e03d0ae65749ef26fb681cc41f\u0022, \u0022http_target_hash\u0022: \u00221ae4dddf987547e03d0ae65749ef26fb681cc41f\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 112, \u0022payload_entropy\u0022: 5.159112119781225, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 9080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022cd04e782d239e46bc18ffa0b511d16368028d2c7\u0022, \u0022event_fingerprint\u0022: \u0022c93760dd5a18da1939d802a275d1214ac1ef976b\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00227d16da2b4053a2a7c34b9b834b7557ea\u0022, \u0022path_pattern_hash\u0022: \u0022c22a2fc23ff7402dc06e6e0ecab6af1c\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic Y3JtOkFhMTIzNDU2QA==\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic Y3JtOkFhMTIzNDU2QA==\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic Y3JtOkFhMTIzNDU2QA==\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic Y3JtOkFhMTIzNDU2QA==\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic Y3JtOkFhMTIzNDU2QA==\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.77, \u0022classification_confidence\u0022: 0.77, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226dc70b6b2c0e1969566fee74df7f02ab6ad04afc\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic Y3JtOkFhMTIzNDU2QA==\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:9080 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.41:80\u0022, \u0022target_port_label\u0022: \u00229080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 77, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:9080 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.41:80\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic Y3JtOkFhMTIzNDU2QA==\u0022, \u0022target_port_label\u0022: \u00229080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"102.220.160.41:80","http_user_agent":null,"http_referer":null,"tags":"[\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":112},{"id":12255580,"ip":"102.220.160.41","ts":"2026-07-15 20:57:43.000000","proto":"tcp","src_port":62832,"dst_port":8020,"service":"hdfs-namenode","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63\u0022, \u0022emulator_response_len\u0022: 144, \u0022bytes_in\u0022: 112, \u0022payload_entropy\u0022: 5.072587570219756, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022app_proto\u0022: \u0022hdfs-namenode\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 8020, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a3f0406cb9859f918547e7d9724ae04de9b35cbf\u0022, \u0022event_fingerprint\u0022: \u0022f86f2f8585eddb17139e72dd9eb2eb48cccd1028\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ca69d09063ce6e087dd6ae731434dbc2\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dWJ1bnR1OnBhc3MxMjM0\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dWJ1bnR1OnBhc3MxMjM0\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dWJ1bnR1OnBhc3MxMjM0\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dWJ1bnR1OnBhc3MxMjM0\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dWJ1bnR1OnBhc3MxMjM0\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022de072b1973676aa41ad1cd74f57a286ca461e0a7\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dWJ1bnR1OnBhc3MxMjM0\u0022, \u0022port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dWJ1bnR1OnBhc3MxMjM0\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228020 \u00b7 HDFS NAMENODE\u0022, \u0022emulator_service\u0022: \u0022hdfs-namenode\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 49 % \u2014 via HDFS NAMENODE\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022, \u0022dst_port\u0022: 8020, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-hdfs-namenode\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dWJ1bnR1OnBhc3MxMjM0\u0022, \u0022port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dWJ1bnR1OnBhc3MxMjM0\u0022, \u0022target_port_label\u0022: \u00228020 \u00b7 HDFS NAMENODE\u0022, \u0022emulator_service\u0022: \u0022hdfs-namenode\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022hdfs_namenode\u0022, \u0022service_banner\u0022: \u0022honeypot-hdfs-namenode\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228020\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022hdfs_namenode_emulated\u0022, \u0022hdfs_namenode_payload\u0022, \u0022net_hdfs_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022hdfs_namenode_emulated\u0022, \u0022hdfs_namenode_payload\u0022, \u0022net_hdfs_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":112},{"id":12251402,"ip":"102.220.160.41","ts":"2026-07-15 20:50:00.000000","proto":"tcp","src_port":24994,"dst_port":8020,"service":"hdfs-namenode","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63\u0022, \u0022emulator_response_len\u0022: 144, \u0022bytes_in\u0022: 36, \u0022payload_entropy\u0022: 3.9721634603655405, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022app_proto\u0022: \u0022hdfs-namenode\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 8020, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a3f0406cb9859f918547e7d9724ae04de9b35cbf\u0022, \u0022event_fingerprint\u0022: \u0022f86f2f8585eddb17139e72dd9eb2eb48cccd1028\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 46}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00225dac21f7c764e3d10b79739061baba4f\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002280b9263ff66cf4924fbc43361fac14b5e83056e2\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\u0022, \u0022port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228020 \u00b7 HDFS NAMENODE\u0022, \u0022emulator_service\u0022: \u0022hdfs-namenode\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 49 % \u2014 via HDFS NAMENODE\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 46}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022, \u0022dst_port\u0022: 8020, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-hdfs-namenode\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\u0022, \u0022port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\u0022, \u0022target_port_label\u0022: \u00228020 \u00b7 HDFS NAMENODE\u0022, \u0022emulator_service\u0022: \u0022hdfs-namenode\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022hdfs_namenode\u0022, \u0022service_banner\u0022: \u0022honeypot-hdfs-namenode\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228020\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022hdfs_namenode_emulated\u0022, \u0022hdfs_namenode_payload\u0022, \u0022net_hdfs_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022hdfs_namenode_emulated\u0022, \u0022hdfs_namenode_payload\u0022, \u0022net_hdfs_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":36},{"id":12248094,"ip":"102.220.160.41","ts":"2026-07-15 20:42:32.000000","proto":"tcp","src_port":35230,"dst_port":8020,"service":"hdfs-namenode","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63\u0022, \u0022emulator_response_len\u0022: 144, \u0022bytes_in\u0022: 110, \u0022payload_entropy\u0022: 5.215578605200157, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022app_proto\u0022: \u0022hdfs-namenode\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 8020, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a3f0406cb9859f918547e7d9724ae04de9b35cbf\u0022, \u0022event_fingerprint\u0022: \u0022f86f2f8585eddb17139e72dd9eb2eb48cccd1028\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a44f33b92d8f9e630420fa50ee77c302\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic YWRtaW46U3VwZXIxMjM=\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic YWRtaW46U3VwZXIxMjM=\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic YWRtaW46U3VwZXIxMjM=\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic YWRtaW46U3VwZXIxMjM=\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic YWRtaW46U3VwZXIxMjM=\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022731503a26c9f44b50a2fc6e90148d5ff43298110\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic YWRtaW46U3VwZXIxMjM=\u0022, \u0022port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic YWRtaW46U3VwZXIxMjM=\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228020 \u00b7 HDFS NAMENODE\u0022, \u0022emulator_service\u0022: \u0022hdfs-namenode\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 49 % \u2014 via HDFS NAMENODE\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022, \u0022dst_port\u0022: 8020, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-hdfs-namenode\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic YWRtaW46U3VwZXIxMjM=\u0022, \u0022port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic YWRtaW46U3VwZXIxMjM=\u0022, \u0022target_port_label\u0022: \u00228020 \u00b7 HDFS NAMENODE\u0022, \u0022emulator_service\u0022: \u0022hdfs-namenode\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022hdfs_namenode\u0022, \u0022service_banner\u0022: \u0022honeypot-hdfs-namenode\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228020\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022hdfs_namenode_emulated\u0022, \u0022hdfs_namenode_payload\u0022, \u0022net_hdfs_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022hdfs_namenode_emulated\u0022, \u0022hdfs_namenode_payload\u0022, \u0022net_hdfs_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":110},{"id":12247800,"ip":"102.220.160.41","ts":"2026-07-15 20:35:12.000000","proto":"tcp","src_port":27240,"dst_port":8020,"service":"hdfs-namenode","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63\u0022, \u0022emulator_response_len\u0022: 144, \u0022bytes_in\u0022: 36, \u0022payload_entropy\u0022: 3.9721634603655405, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022app_proto\u0022: \u0022hdfs-namenode\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 8020, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a3f0406cb9859f918547e7d9724ae04de9b35cbf\u0022, \u0022event_fingerprint\u0022: \u0022f86f2f8585eddb17139e72dd9eb2eb48cccd1028\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 46}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00225dac21f7c764e3d10b79739061baba4f\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002280b9263ff66cf4924fbc43361fac14b5e83056e2\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\u0022, \u0022port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228020 \u00b7 HDFS NAMENODE\u0022, \u0022emulator_service\u0022: \u0022hdfs-namenode\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 49 % \u2014 via HDFS NAMENODE\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 46}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022, \u0022dst_port\u0022: 8020, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-hdfs-namenode\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\u0022, \u0022port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\u0022, \u0022target_port_label\u0022: \u00228020 \u00b7 HDFS NAMENODE\u0022, \u0022emulator_service\u0022: \u0022hdfs-namenode\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022hdfs_namenode\u0022, \u0022service_banner\u0022: \u0022honeypot-hdfs-namenode\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228020\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022hdfs_namenode_emulated\u0022, \u0022hdfs_namenode_payload\u0022, \u0022net_hdfs_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022hdfs_namenode_emulated\u0022, \u0022hdfs_namenode_payload\u0022, \u0022net_hdfs_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":36},{"id":12244516,"ip":"102.220.160.41","ts":"2026-07-15 20:28:00.000000","proto":"tcp","src_port":45548,"dst_port":8020,"service":"hdfs-namenode","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63\u0022, \u0022emulator_response_len\u0022: 144, \u0022bytes_in\u0022: 112, \u0022payload_entropy\u0022: 5.107928248970055, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022app_proto\u0022: \u0022hdfs-namenode\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 8020, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a3f0406cb9859f918547e7d9724ae04de9b35cbf\u0022, \u0022event_fingerprint\u0022: \u0022f86f2f8585eddb17139e72dd9eb2eb48cccd1028\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022bdba9783d625bd12177b89f731317c67\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic YWRtaW46MTkwOTE5NzU=\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic YWRtaW46MTkwOTE5NzU=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic YWRtaW46MTkwOTE5NzU=\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic YWRtaW46MTkwOTE5NzU=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic YWRtaW46MTkwOTE5NzU=\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022cc327cf357e9317efec6e6a74c9e54ea4a49e2ae\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic YWRtaW46MTkwOTE5NzU=\u0022, \u0022port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic YWRtaW46MTkwOTE5NzU=\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228020 \u00b7 HDFS NAMENODE\u0022, \u0022emulator_service\u0022: \u0022hdfs-namenode\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 49 % \u2014 via HDFS NAMENODE\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022, \u0022dst_port\u0022: 8020, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-hdfs-namenode\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic YWRtaW46MTkwOTE5NzU=\u0022, \u0022port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic YWRtaW46MTkwOTE5NzU=\u0022, \u0022target_port_label\u0022: \u00228020 \u00b7 HDFS NAMENODE\u0022, \u0022emulator_service\u0022: \u0022hdfs-namenode\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022hdfs_namenode\u0022, \u0022service_banner\u0022: \u0022honeypot-hdfs-namenode\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228020\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022hdfs_namenode_emulated\u0022, \u0022hdfs_namenode_payload\u0022, \u0022net_hdfs_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022hdfs_namenode_emulated\u0022, \u0022hdfs_namenode_payload\u0022, \u0022net_hdfs_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":112},{"id":11542986,"ip":"102.220.160.41","ts":"2026-07-13 02:33:08.000000","proto":"tcp","src_port":57948,"dst_port":18419,"service":"http","classification":"web_probe","waf_score":0,"waf_tags":"[]","http_method":"CONNECT","http_target":"102.220.160.41:80","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u002241:80\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221ae4dddf987547e03d0ae65749ef26fb681cc41f\u0022, \u0022http_target_hash\u0022: \u00221ae4dddf987547e03d0ae65749ef26fb681cc41f\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 5.208902117620266, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 18419, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022796981cbf49dc4c266b829299ded31cb26df0323\u0022, \u0022event_fingerprint\u0022: \u00223ab731fb1db42f5c2e80585ade47eefb776931d4\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d1c29c40a855e04e53fb537bc57801b0\u0022, \u0022path_pattern_hash\u0022: \u0022c22a2fc23ff7402dc06e6e0ecab6af1c\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 18419, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic b3JhY2xlOnF3ZXJ0eTEyMw==\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic b3JhY2xlOnF3ZXJ0eTEyMw==\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic b3JhY2xlOnF3ZXJ0eTEyMw==\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic b3JhY2xlOnF3ZXJ0eTEyMw==\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic b3JhY2xlOnF3ZXJ0eTEyMw==\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.74, \u0022classification_confidence\u0022: 0.74, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b750dfbbad16b251fab9c229a2e46633b6b42610\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022port\u0022: 18419, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic b3JhY2xlOnF3ZXJ0eTEyMw==\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:18419 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.41:80\u0022, \u0022target_port_label\u0022: \u002218419 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 74 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 74, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 18419, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022port\u0022: 18419, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:18419 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.41:80\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic b3JhY2xlOnF3ZXJ0eTEyMw==\u0022, \u0022target_port_label\u0022: \u002218419 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 74 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 74 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002218419\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"102.220.160.41:80","http_user_agent":null,"http_referer":null,"tags":"[\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022]","anomalies":"[]","severity":4,"bytes_in":116},{"id":11542749,"ip":"102.220.160.41","ts":"2026-07-13 02:26:36.000000","proto":"tcp","src_port":49720,"dst_port":18419,"service":"http","classification":"web_probe","waf_score":0,"waf_tags":"[]","http_method":"CONNECT","http_target":"102.220.160.41:80","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u002241:80\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221ae4dddf987547e03d0ae65749ef26fb681cc41f\u0022, \u0022http_target_hash\u0022: \u00221ae4dddf987547e03d0ae65749ef26fb681cc41f\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 132, \u0022payload_entropy\u0022: 5.34926078038068, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 18419, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022796981cbf49dc4c266b829299ded31cb26df0323\u0022, \u0022event_fingerprint\u0022: \u00223ab731fb1db42f5c2e80585ade47eefb776931d4\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002232fa464a27d6397f3865ccb774a76b5b\u0022, \u0022path_pattern_hash\u0022: \u0022c22a2fc23ff7402dc06e6e0ecab6af1c\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 18419, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic bG9jYWxob3N0Om1Gd09IQVlpYndPZEREY1ZKWGVC\u0022, \u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic bG9jYWxob3N0Om1Gd09IQVlpYndPZEREY1ZKWGVC\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic bG9jYWxob3N0Om1Gd09IQVlpYndPZEREY1ZKWGVC\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic bG9jYWxob3N0Om1Gd09IQVlpYndPZEREY1ZKWGVC\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic bG9jYWxob3N0Om1Gd09IQVlpYndPZEREY1ZKWGVC\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.74, \u0022classification_confidence\u0022: 0.74, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022452dcef8a817f6046b14fe151ad6854e3fd89298\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022port\u0022: 18419, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic bG9jYWxob3N0Om1Gd09IQVlpYndPZEREY1ZKWGVC\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:18419 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.41:80\u0022, \u0022target_port_label\u0022: \u002218419 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 74 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 74, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 18419, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022port\u0022: 18419, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:18419 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.41:80\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic bG9jYWxob3N0Om1Gd09IQVlpYndPZEREY1ZKWGVC\u0022, \u0022target_port_label\u0022: \u002218419 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 74 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 74 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002218419\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"102.220.160.41:80","http_user_agent":null,"http_referer":null,"tags":"[\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022]","anomalies":"[]","severity":4,"bytes_in":132},{"id":11542515,"ip":"102.220.160.41","ts":"2026-07-13 02:21:26.000000","proto":"tcp","src_port":24080,"dst_port":18419,"service":"http","classification":"web_probe","waf_score":0,"waf_tags":"[]","http_method":"CONNECT","http_target":"102.220.160.41:80","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u002241:80\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221ae4dddf987547e03d0ae65749ef26fb681cc41f\u0022, \u0022http_target_hash\u0022: \u00221ae4dddf987547e03d0ae65749ef26fb681cc41f\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 112, \u0022payload_entropy\u0022: 5.077831735426223, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 18419, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022796981cbf49dc4c266b829299ded31cb26df0323\u0022, \u0022event_fingerprint\u0022: \u00223ab731fb1db42f5c2e80585ade47eefb776931d4\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222d52c3fad64f52735c03bddcd537d0bb\u0022, \u0022path_pattern_hash\u0022: \u0022c22a2fc23ff7402dc06e6e0ecab6af1c\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 18419, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic MTIzNDU2OjY1NDMyMQ==\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic MTIzNDU2OjY1NDMyMQ==\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic MTIzNDU2OjY1NDMyMQ==\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic MTIzNDU2OjY1NDMyMQ==\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic MTIzNDU2OjY1NDMyMQ==\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.74, \u0022classification_confidence\u0022: 0.74, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022656e0087b62ace2721cfc0f0358df131460964f1\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022port\u0022: 18419, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic MTIzNDU2OjY1NDMyMQ==\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:18419 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.41:80\u0022, \u0022target_port_label\u0022: \u002218419 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 74 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 74, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 18419, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022port\u0022: 18419, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:18419 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.41:80\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic MTIzNDU2OjY1NDMyMQ==\u0022, \u0022target_port_label\u0022: \u002218419 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 74 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 74 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002218419\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"102.220.160.41:80","http_user_agent":null,"http_referer":null,"tags":"[\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022]","anomalies":"[]","severity":4,"bytes_in":112},{"id":11513901,"ip":"102.220.160.41","ts":"2026-07-12 23:49:28.000000","proto":"tcp","src_port":55922,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00220500\u0022, \u0022emulator_response_len\u0022: 2, \u0022bytes_in\u0022: 4, \u0022payload_entropy\u0022: 1.5, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022426dec8df888ffa63f455322a8a4f2110dbd3010\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226ce5e83bce8f65c890fae2bc4bd3a7a8\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022request_sample\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002220f660764e133838b1f3c3a1f8264509dfee0592\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_handshake\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_handshake\u0022]","anomalies":"[]","severity":4,"bytes_in":4},{"id":11513893,"ip":"102.220.160.41","ts":"2026-07-12 23:49:17.000000","proto":"tcp","src_port":49888,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00220500\u0022, \u0022emulator_response_len\u0022: 2, \u0022bytes_in\u0022: 4, \u0022payload_entropy\u0022: 1.5, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022426dec8df888ffa63f455322a8a4f2110dbd3010\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226ce5e83bce8f65c890fae2bc4bd3a7a8\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022request_sample\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002220f660764e133838b1f3c3a1f8264509dfee0592\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_handshake\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_handshake\u0022]","anomalies":"[]","severity":4,"bytes_in":4},{"id":11513889,"ip":"102.220.160.41","ts":"2026-07-12 23:49:05.000000","proto":"tcp","src_port":53828,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00220500\u0022, \u0022emulator_response_len\u0022: 2, \u0022bytes_in\u0022: 4, \u0022payload_entropy\u0022: 1.5, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022426dec8df888ffa63f455322a8a4f2110dbd3010\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226ce5e83bce8f65c890fae2bc4bd3a7a8\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022request_sample\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002220f660764e133838b1f3c3a1f8264509dfee0592\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_handshake\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_handshake\u0022]","anomalies":"[]","severity":4,"bytes_in":4},{"id":11513876,"ip":"102.220.160.41","ts":"2026-07-12 23:48:46.000000","proto":"tcp","src_port":21870,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00220500\u0022, \u0022emulator_response_len\u0022: 2, \u0022bytes_in\u0022: 4, \u0022payload_entropy\u0022: 1.5, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022426dec8df888ffa63f455322a8a4f2110dbd3010\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226ce5e83bce8f65c890fae2bc4bd3a7a8\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022request_sample\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002220f660764e133838b1f3c3a1f8264509dfee0592\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_handshake\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_handshake\u0022]","anomalies":"[]","severity":4,"bytes_in":4},{"id":11513874,"ip":"102.220.160.41","ts":"2026-07-12 23:48:38.000000","proto":"tcp","src_port":21858,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00220500\u0022, \u0022emulator_response_len\u0022: 2, \u0022bytes_in\u0022: 4, \u0022payload_entropy\u0022: 1.5, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022426dec8df888ffa63f455322a8a4f2110dbd3010\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226ce5e83bce8f65c890fae2bc4bd3a7a8\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022request_sample\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002220f660764e133838b1f3c3a1f8264509dfee0592\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_handshake\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_handshake\u0022]","anomalies":"[]","severity":4,"bytes_in":4},{"id":11513865,"ip":"102.220.160.41","ts":"2026-07-12 23:48:17.000000","proto":"tcp","src_port":61376,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00220500\u0022, \u0022emulator_response_len\u0022: 2, \u0022bytes_in\u0022: 4, \u0022payload_entropy\u0022: 1.5, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022426dec8df888ffa63f455322a8a4f2110dbd3010\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226ce5e83bce8f65c890fae2bc4bd3a7a8\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022request_sample\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002220f660764e133838b1f3c3a1f8264509dfee0592\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_handshake\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_handshake\u0022]","anomalies":"[]","severity":4,"bytes_in":4},{"id":11513863,"ip":"102.220.160.41","ts":"2026-07-12 23:48:11.000000","proto":"tcp","src_port":20958,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00220500\u0022, \u0022emulator_response_len\u0022: 2, \u0022bytes_in\u0022: 4, \u0022payload_entropy\u0022: 1.5, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022426dec8df888ffa63f455322a8a4f2110dbd3010\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226ce5e83bce8f65c890fae2bc4bd3a7a8\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022request_sample\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002220f660764e133838b1f3c3a1f8264509dfee0592\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_handshake\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_handshake\u0022]","anomalies":"[]","severity":4,"bytes_in":4},{"id":11513832,"ip":"102.220.160.41","ts":"2026-07-12 23:47:38.000000","proto":"tcp","src_port":31426,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00220500\u0022, \u0022emulator_response_len\u0022: 2, \u0022bytes_in\u0022: 4, \u0022payload_entropy\u0022: 1.5, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022426dec8df888ffa63f455322a8a4f2110dbd3010\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226ce5e83bce8f65c890fae2bc4bd3a7a8\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022request_sample\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002220f660764e133838b1f3c3a1f8264509dfee0592\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_handshake\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_handshake\u0022]","anomalies":"[]","severity":4,"bytes_in":4},{"id":11513814,"ip":"102.220.160.41","ts":"2026-07-12 23:47:07.000000","proto":"tcp","src_port":37100,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00220500\u0022, \u0022emulator_response_len\u0022: 2, \u0022bytes_in\u0022: 4, \u0022payload_entropy\u0022: 1.5, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022426dec8df888ffa63f455322a8a4f2110dbd3010\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226ce5e83bce8f65c890fae2bc4bd3a7a8\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022request_sample\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002220f660764e133838b1f3c3a1f8264509dfee0592\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_handshake\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_handshake\u0022]","anomalies":"[]","severity":4,"bytes_in":4},{"id":11513794,"ip":"102.220.160.41","ts":"2026-07-12 23:46:30.000000","proto":"tcp","src_port":24042,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00220500\u0022, \u0022emulator_response_len\u0022: 2, \u0022bytes_in\u0022: 4, \u0022payload_entropy\u0022: 1.5, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022426dec8df888ffa63f455322a8a4f2110dbd3010\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226ce5e83bce8f65c890fae2bc4bd3a7a8\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022request_sample\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002220f660764e133838b1f3c3a1f8264509dfee0592\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_handshake\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_handshake\u0022]","anomalies":"[]","severity":4,"bytes_in":4},{"id":11513766,"ip":"102.220.160.41","ts":"2026-07-12 23:45:49.000000","proto":"tcp","src_port":13778,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00220500\u0022, \u0022emulator_response_len\u0022: 2, \u0022bytes_in\u0022: 4, \u0022payload_entropy\u0022: 1.5, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022426dec8df888ffa63f455322a8a4f2110dbd3010\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226ce5e83bce8f65c890fae2bc4bd3a7a8\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022request_sample\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002220f660764e133838b1f3c3a1f8264509dfee0592\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_handshake\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_handshake\u0022]","anomalies":"[]","severity":4,"bytes_in":4},{"id":11513756,"ip":"102.220.160.41","ts":"2026-07-12 23:45:15.000000","proto":"tcp","src_port":56428,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00220500\u0022, \u0022emulator_response_len\u0022: 2, \u0022bytes_in\u0022: 4, \u0022payload_entropy\u0022: 1.5, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022426dec8df888ffa63f455322a8a4f2110dbd3010\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226ce5e83bce8f65c890fae2bc4bd3a7a8\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022request_sample\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002220f660764e133838b1f3c3a1f8264509dfee0592\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_handshake\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_handshake\u0022]","anomalies":"[]","severity":4,"bytes_in":4},{"id":11513752,"ip":"102.220.160.41","ts":"2026-07-12 23:45:06.000000","proto":"tcp","src_port":26280,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00220500\u0022, \u0022emulator_response_len\u0022: 2, \u0022bytes_in\u0022: 4, \u0022payload_entropy\u0022: 1.5, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022426dec8df888ffa63f455322a8a4f2110dbd3010\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226ce5e83bce8f65c890fae2bc4bd3a7a8\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022request_sample\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002220f660764e133838b1f3c3a1f8264509dfee0592\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_handshake\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_handshake\u0022]","anomalies":"[]","severity":4,"bytes_in":4},{"id":11512935,"ip":"102.220.160.41","ts":"2026-07-12 23:23:37.000000","proto":"tcp","src_port":30302,"dst_port":11530,"service":"http","classification":"web_probe","waf_score":0,"waf_tags":"[]","http_method":"CONNECT","http_target":"102.220.160.41:80","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 0, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u002241:80\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: null, \u0022http_target_hash\u0022: \u00221ae4dddf987547e03d0ae65749ef26fb681cc41f\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 36, \u0022payload_entropy\u0022: 3.9721634603655405, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 11530, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9bdaf80b800900b86bbfee1fe3d1d06792804\u0022, \u0022event_fingerprint\u0022: \u002282f6f91ca4107d877df2f0023199fd6e196678d3\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00225dac21f7c764e3d10b79739061baba4f\u0022, \u0022path_pattern_hash\u0022: \u0022c22a2fc23ff7402dc06e6e0ecab6af1c\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 11530, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\n\u0022, \u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.74, \u0022classification_confidence\u0022: 0.74, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002201679f30a2759a7e205723adcdcb67db4e96a61d\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022port\u0022: 11530, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:11530 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.41:80\u0022, \u0022target_port_label\u0022: \u002211530 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 74 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 74, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 11530, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022port\u0022: 11530, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:11530 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.41:80\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\u0022, \u0022target_port_label\u0022: \u002211530 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 74 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 74 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002211530\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022]","anomalies":"[]","severity":4,"bytes_in":36},{"id":11438911,"ip":"102.220.160.41","ts":"2026-07-12 16:01:18.000000","proto":"tcp","src_port":11584,"dst_port":4145,"service":"http","classification":"web_probe","waf_score":0,"waf_tags":"[]","http_method":"CONNECT","http_target":"102.220.160.41:80","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u002241:80\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221ae4dddf987547e03d0ae65749ef26fb681cc41f\u0022, \u0022http_target_hash\u0022: \u00221ae4dddf987547e03d0ae65749ef26fb681cc41f\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 104, \u0022payload_entropy\u0022: 5.007670128785223, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 4145, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d7155fae81de512c7b7d514b1aa03dbca2ba0121\u0022, \u0022event_fingerprint\u0022: \u002253cd9ae324fb62e1ebfc04fb80a8da228231e2d1\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223043787140654a242a39f5da38a72b8b\u0022, \u0022path_pattern_hash\u0022: \u0022c22a2fc23ff7402dc06e6e0ecab6af1c\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 4145, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cm9vdDpyb290\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cm9vdDpyb290\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cm9vdDpyb290\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cm9vdDpyb290\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cm9vdDpyb290\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.74, \u0022classification_confidence\u0022: 0.74, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223b7b303697379019c049edecaa526b848e85dd35\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022port\u0022: 4145, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cm9vdDpyb290\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:4145 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.41:80\u0022, \u0022target_port_label\u0022: \u00224145 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 74 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 74, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 4145, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022port\u0022: 4145, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:4145 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.41:80\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cm9vdDpyb290\u0022, \u0022target_port_label\u0022: \u00224145 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 74 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 74 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00224145\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"102.220.160.41:80","http_user_agent":null,"http_referer":null,"tags":"[\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022]","anomalies":"[]","severity":4,"bytes_in":104},{"id":11438667,"ip":"102.220.160.41","ts":"2026-07-12 15:55:02.000000","proto":"tcp","src_port":36598,"dst_port":4145,"service":"http","classification":"web_probe","waf_score":0,"waf_tags":"[]","http_method":"CONNECT","http_target":"102.220.160.41:80","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u002241:80\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221ae4dddf987547e03d0ae65749ef26fb681cc41f\u0022, \u0022http_target_hash\u0022: \u00221ae4dddf987547e03d0ae65749ef26fb681cc41f\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 104, \u0022payload_entropy\u0022: 4.9935554073971415, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 4145, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d7155fae81de512c7b7d514b1aa03dbca2ba0121\u0022, \u0022event_fingerprint\u0022: \u002253cd9ae324fb62e1ebfc04fb80a8da228231e2d1\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022235f1d9b0499a35b50ae332c71e0a0e4\u0022, \u0022path_pattern_hash\u0022: \u0022c22a2fc23ff7402dc06e6e0ecab6af1c\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 4145, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dGVzdDoxMjM0\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dGVzdDoxMjM0\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dGVzdDoxMjM0\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dGVzdDoxMjM0\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dGVzdDoxMjM0\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.74, \u0022classification_confidence\u0022: 0.74, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022824bc9ed190275bf6ac3cf56f192b3aa8d94e650\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022port\u0022: 4145, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dGVzdDoxMjM0\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:4145 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.41:80\u0022, \u0022target_port_label\u0022: \u00224145 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 74 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 74, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 4145, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022port\u0022: 4145, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:4145 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.41:80\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dGVzdDoxMjM0\u0022, \u0022target_port_label\u0022: \u00224145 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 74 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 74 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00224145\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"102.220.160.41:80","http_user_agent":null,"http_referer":null,"tags":"[\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022]","anomalies":"[]","severity":4,"bytes_in":104},{"id":11438387,"ip":"102.220.160.41","ts":"2026-07-12 15:48:49.000000","proto":"tcp","src_port":24416,"dst_port":4145,"service":"http","classification":"web_probe","waf_score":0,"waf_tags":"[]","http_method":"CONNECT","http_target":"102.220.160.41:80","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u002241:80\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221ae4dddf987547e03d0ae65749ef26fb681cc41f\u0022, \u0022http_target_hash\u0022: \u00221ae4dddf987547e03d0ae65749ef26fb681cc41f\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 96, \u0022payload_entropy\u0022: 4.813388283228295, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 4145, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d7155fae81de512c7b7d514b1aa03dbca2ba0121\u0022, \u0022event_fingerprint\u0022: \u002253cd9ae324fb62e1ebfc04fb80a8da228231e2d1\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d9ba7bb54453e2ce7d4c70214bc2cd9b\u0022, \u0022path_pattern_hash\u0022: \u0022c22a2fc23ff7402dc06e6e0ecab6af1c\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 4145, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic MTox\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic MTox\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic MTox\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic MTox\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic MTox\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.74, \u0022classification_confidence\u0022: 0.74, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226bc3f55877c5ec4625e4dacd42a49e477b5c4d2b\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022port\u0022: 4145, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic MTox\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:4145 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.41:80\u0022, \u0022target_port_label\u0022: \u00224145 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 74 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 74, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 4145, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022port\u0022: 4145, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:4145 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.41:80\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic MTox\u0022, \u0022target_port_label\u0022: \u00224145 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 74 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 74 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00224145\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"102.220.160.41:80","http_user_agent":null,"http_referer":null,"tags":"[\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022]","anomalies":"[]","severity":4,"bytes_in":96},{"id":11438070,"ip":"102.220.160.41","ts":"2026-07-12 15:40:34.000000","proto":"tcp","src_port":18808,"dst_port":4145,"service":"http","classification":"web_probe","waf_score":0,"waf_tags":"[]","http_method":"CONNECT","http_target":"102.220.160.41:80","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u002241:80\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221ae4dddf987547e03d0ae65749ef26fb681cc41f\u0022, \u0022http_target_hash\u0022: \u00221ae4dddf987547e03d0ae65749ef26fb681cc41f\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 104, \u0022payload_entropy\u0022: 4.939952459602933, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 4145, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d7155fae81de512c7b7d514b1aa03dbca2ba0121\u0022, \u0022event_fingerprint\u0022: \u002253cd9ae324fb62e1ebfc04fb80a8da228231e2d1\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c61509d4f58664acf495d315fd5da6e3\u0022, \u0022path_pattern_hash\u0022: \u0022c22a2fc23ff7402dc06e6e0ecab6af1c\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 4145, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic ODAwMDo4MDAw\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic ODAwMDo4MDAw\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic ODAwMDo4MDAw\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic ODAwMDo4MDAw\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic ODAwMDo4MDAw\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.74, \u0022classification_confidence\u0022: 0.74, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002275aa538e0093c2f17e9b6b4c604014bde207a06e\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022port\u0022: 4145, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic ODAwMDo4MDAw\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:4145 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.41:80\u0022, \u0022target_port_label\u0022: \u00224145 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 74 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 74, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 4145, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022port\u0022: 4145, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:4145 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.41:80\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic ODAwMDo4MDAw\u0022, \u0022target_port_label\u0022: \u00224145 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 74 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 74 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00224145\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"102.220.160.41:80","http_user_agent":null,"http_referer":null,"tags":"[\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022]","anomalies":"[]","severity":4,"bytes_in":104},{"id":11425158,"ip":"102.220.160.41","ts":"2026-07-12 14:24:03.000000","proto":"tcp","src_port":61484,"dst_port":5685,"service":"http","classification":"web_probe","waf_score":0,"waf_tags":"[]","http_method":"CONNECT","http_target":"102.220.160.41:80","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u002241:80\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221ae4dddf987547e03d0ae65749ef26fb681cc41f\u0022, \u0022http_target_hash\u0022: \u00221ae4dddf987547e03d0ae65749ef26fb681cc41f\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 5.176302870498559, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 5685, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229bb0cbc237f6a7e3c5cb334599125809c70b1f2d\u0022, \u0022event_fingerprint\u0022: \u00225d83c27cfcab4c3cdd84b190a916bd195789fa3a\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c1646b30780ed282886441e1fdec61b2\u0022, \u0022path_pattern_hash\u0022: \u0022c22a2fc23ff7402dc06e6e0ecab6af1c\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 5685, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cm9vdDpvcHIvZTl1eHB4OA==\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cm9vdDpvcHIvZTl1eHB4OA==\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cm9vdDpvcHIvZTl1eHB4OA==\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cm9vdDpvcHIvZTl1eHB4OA==\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cm9vdDpvcHIvZTl1eHB4OA==\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.74, \u0022classification_confidence\u0022: 0.74, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229fb3c3b84d1d7430efc47889f86fa6f35ed78bc0\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022port\u0022: 5685, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cm9vdDpvcHIvZTl1eHB4OA==\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:5685 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.41:80\u0022, \u0022target_port_label\u0022: \u00225685 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 74 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 74, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 5685, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022port\u0022: 5685, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:5685 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.41:80\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cm9vdDpvcHIvZTl1eHB4OA==\u0022, \u0022target_port_label\u0022: \u00225685 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 74 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 74 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225685\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"102.220.160.41:80","http_user_agent":null,"http_referer":null,"tags":"[\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022]","anomalies":"[]","severity":4,"bytes_in":116},{"id":11424834,"ip":"102.220.160.41","ts":"2026-07-12 14:16:10.000000","proto":"tcp","src_port":39610,"dst_port":5685,"service":"http","classification":"web_probe","waf_score":0,"waf_tags":"[]","http_method":"CONNECT","http_target":"102.220.160.41:80","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u002241:80\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221ae4dddf987547e03d0ae65749ef26fb681cc41f\u0022, \u0022http_target_hash\u0022: \u00221ae4dddf987547e03d0ae65749ef26fb681cc41f\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 5.235094414191955, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 5685, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229bb0cbc237f6a7e3c5cb334599125809c70b1f2d\u0022, \u0022event_fingerprint\u0022: \u00225d83c27cfcab4c3cdd84b190a916bd195789fa3a\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002252160702fc0d92108c79c896f10361b9\u0022, \u0022path_pattern_hash\u0022: \u0022c22a2fc23ff7402dc06e6e0ecab6af1c\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 5685, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cm9vdDpBZG1pbkAxMjM0NTY=\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cm9vdDpBZG1pbkAxMjM0NTY=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cm9vdDpBZG1pbkAxMjM0NTY=\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cm9vdDpBZG1pbkAxMjM0NTY=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cm9vdDpBZG1pbkAxMjM0NTY=\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.74, \u0022classification_confidence\u0022: 0.74, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229ab773bd5690114df496dc76bddb4636ae6ac21a\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022port\u0022: 5685, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cm9vdDpBZG1pbkAxMjM0NTY=\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:5685 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.41:80\u0022, \u0022target_port_label\u0022: \u00225685 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 74 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 74, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 5685, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022port\u0022: 5685, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:5685 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.41:80\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic cm9vdDpBZG1pbkAxMjM0NTY=\u0022, \u0022target_port_label\u0022: \u00225685 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 74 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 74 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225685\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"102.220.160.41:80","http_user_agent":null,"http_referer":null,"tags":"[\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022]","anomalies":"[]","severity":4,"bytes_in":116},{"id":11278426,"ip":"102.220.160.41","ts":"2026-07-12 01:39:14.000000","proto":"tcp","src_port":18300,"dst_port":9169,"service":"http","classification":"web_probe","waf_score":0,"waf_tags":"[]","http_method":"CONNECT","http_target":"102.220.160.41:80","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u002241:80\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221ae4dddf987547e03d0ae65749ef26fb681cc41f\u0022, \u0022http_target_hash\u0022: \u00221ae4dddf987547e03d0ae65749ef26fb681cc41f\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 104, \u0022payload_entropy\u0022: 4.9935554073971415, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 9169, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002296a23576b1606ebdbd15d82f203c4cec35408ad9\u0022, \u0022event_fingerprint\u0022: \u0022e50dd52c05c413c2bc1f789465342d58d6f954df\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022235f1d9b0499a35b50ae332c71e0a0e4\u0022, \u0022path_pattern_hash\u0022: \u0022c22a2fc23ff7402dc06e6e0ecab6af1c\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 9169, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dGVzdDoxMjM0\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dGVzdDoxMjM0\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dGVzdDoxMjM0\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dGVzdDoxMjM0\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dGVzdDoxMjM0\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.74, \u0022classification_confidence\u0022: 0.74, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022da9f7b9f4527f475ac0ba82e1b88d5f04bffc9f8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022port\u0022: 9169, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dGVzdDoxMjM0\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:9169 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.41:80\u0022, \u0022target_port_label\u0022: \u00229169 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 74 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 74, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9169, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.41:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.1\u0022, \u0022port\u0022: 9169, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:9169 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.41:80\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.41:80 HTTP\/1.0\\r\\nHost: 102.220.160.41:80\\r\\nProxy-Authorization: Basic dGVzdDoxMjM0\u0022, \u0022target_port_label\u0022: \u00229169 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 74 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 74 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229169\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"102.220.160.41:80","http_user_agent":null,"http_referer":null,"tags":"[\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022]","anomalies":"[]","severity":4,"bytes_in":104}],"total_events":43}