{"ip":"111.228.50.25","exported_at":"2026-06-20T01:28:38+00:00","period_days":30,"metrics":{"events7d":109,"distinct_ports":28,"distinct_classifications":8,"max_severity":10,"last_sensor_id":"paris-1","max_waf_score":38,"max_risk_score":64,"attack_stage":"recon","attack_chain_stage":"reconnaissance","threat_family":["scanner"],"recommended_action":"investigate","confidence":1,"risk_breakdown":{"waf":8,"classification":64,"behavior":0,"geo":0,"protocol":40,"novelty":25},"mitre_tactics":["TA0043"],"mitre_technique":"T1046","top_mitre_technique":"T1046","top_mitre_count":92,"executive_one_liner_fr":"Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (26 protocoles \u00b7 5 min)","campaign_hint_fr":"Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte","confidence_breakdown":{"waf":8,"classification":64,"behavior":0,"geo":0,"protocol":40,"novelty":25,"risk_score":51,"correlation_boost":19},"persona_hostname":"mail.sensor-1.internal","correlation_flags":["campagne_ports","multi_protocol_correlation"],"correlation_flags_labels_fr":["Campagne multi-ports","Multi-protocole corr\u00e9l\u00e9 (5 min)"],"confidence_pct":100,"confidence_hint_fr":"Corr\u00e9lation +19","sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["MITRE-T1046","SIGMA-net-port-scan","Beh Scan Burst","Beh Multi Port 60S"],"tags_summary":["MITRE-T1046","SIGMA-net-port-scan","INT-beh-scan-burst","INT-beh-multi-port-60s"],"attack_vector":"port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)","protocol_details":{"payload_preview":"GET \/docs\/api.html HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.1","port":6443,"service":"k8s-api","service_label_fr":"K8S API"},"protocol_summary_fr":"Payload GET \/docs\/api.html HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent:\u2026 \u00b7 K8S API:6443","evidence_snippet":"GET 
\/docs\/api.html HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.1","target_port_label":"6443 \u00b7 K8S API","emulator_service":"k8s-api","confidence_reason":"Confiance 100 % \u2014 6 signal(aux) capteur","classification_reason":"Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%","classification_reason_label_fr":"Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%","confidence_factors_fr":"Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +19","payload_preview":"GET \/docs\/api.html HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.1"},"events":[{"id":9231343,"ip":"111.228.50.25","ts":"2026-06-15 15:35:05.000000","proto":"tcp","src_port":54100,"dst_port":6443,"service":"k8s-api","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75\u0022, \u0022emulator_response_len\u0022: 165, \u0022bytes_in\u0022: 275, \u0022payload_entropy\u0022: 5.270704449602365, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022k8s-api\u0022, \u0022app_proto\u0022: \u0022k8s-api\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 6443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 25.0, 
\u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022035bebebeb33b8eabd5c3826c4834dd21e0c44c6\u0022, \u0022event_fingerprint\u0022: \u00225535c85e0f6854b807e5b9ef895f87dbea310cc1\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 19}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, 
\u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00229609e8106d6ab1d7e632d47c6ee2bc21\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022GET \/config\/app.ini HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml\u0022, \u0022request_sample\u0022: \u0022GET \/config\/app.ini HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: identity\\r\\nReferer: https:\/\/www.bing.com\/\\r\\nCo\u0022, \u0022payload_snippet\u0022: \u0022GET \/config\/app.ini HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/config\/app.ini HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: identity\\r\\nReferer: https:\/\/www.bing.com\/\\r\\nCo\u0022, \u0022payload_snippet\u0022: \u0022GET \/config\/app.ini HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: 
[\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022203ace0f4368292fa5593d6131817ad2de28240c\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/config\/app.ini HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/config\/app.ini HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 19}, \u0022attack_stage\u0022: \u0022recon\u0022, 
\u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022, \u0022dst_port\u0022: 6443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +19\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/config\/app.ini HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/config\/app.ini 
HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +19\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022k8s_api\u0022, 
\u0022service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 19, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022net_kubernetes_probe\u0022, \u0022redis_config_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022net_kubernetes_probe\u0022, \u0022redis_config_probe\u0022]","anomalies":"[]","severity":6,"bytes_in":275},{"id":9231345,"ip":"111.228.50.25","ts":"2026-06-15 
15:35:05.000000","proto":"tcp","src_port":54108,"dst_port":6443,"service":"k8s-api","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75\u0022, \u0022emulator_response_len\u0022: 165, \u0022bytes_in\u0022: 333, \u0022payload_entropy\u0022: 5.398185087845876, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022k8s-api\u0022, \u0022app_proto\u0022: \u0022k8s-api\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 6443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 6.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 51, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ef86356910d7f7cdd52447d2d53697ca6a0c79fa\u0022, \u0022event_fingerprint\u0022: \u00225535c85e0f6854b807e5b9ef895f87dbea310cc1\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, 
\u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022, \u0022pat-0341\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022, \u0022ES admin GET\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022, \u0022pat-0341\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 51, \u0022correlation_boost\u0022: 19}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c1db82bcc09e7dbafe28eae5d1d9fb4d\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_score\u0022: 51}, \u0022payload_preview\u0022: \u0022GET \/adminer.php HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 \u0022, \u0022request_sample\u0022: \u0022GET \/adminer.php HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15\\r\\nAccept: 
text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccep\u0022, \u0022payload_snippet\u0022: \u0022GET \/adminer.php HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/adminer.php HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccep\u0022, \u0022payload_snippet\u0022: \u0022GET \/adminer.php HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002287d30a3cdc6f250ed90974eb5ba061d2514229c7\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/adminer.php HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/adminer.php HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15\u0022, \u0022attack_vector\u0022: 
\u0022port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 51, \u0022correlation_boost\u0022: 19}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 51, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022, \u0022dst_port\u0022: 6443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: 
\u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +19\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/adminer.php HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/adminer.php HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +19\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, 
\u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022k8s_api\u0022, \u0022service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, 
\u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 19, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_kubernetes_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_kubernetes_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":333},{"id":9231347,"ip":"111.228.50.25","ts":"2026-06-15 15:35:05.000000","proto":"tcp","src_port":54112,"dst_port":6443,"service":"k8s-api","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75\u0022, \u0022emulator_response_len\u0022: 165, \u0022bytes_in\u0022: 316, \u0022payload_entropy\u0022: 5.453033047689584, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022k8s-api\u0022, \u0022app_proto\u0022: \u0022k8s-api\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 6443, 
\u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 6.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 51, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00222e6e59e999793247b159f232f5a5fd76682722c2\u0022, \u0022event_fingerprint\u0022: \u00225535c85e0f6854b807e5b9ef895f87dbea310cc1\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 51, \u0022correlation_boost\u0022: 19}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China 
Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00225a8ae9d6cd5b7a1e5dc32f3dbc122c99\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_score\u0022: 51}, \u0022payload_preview\u0022: \u0022GET \/.DS_Store HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126\u0022, \u0022request_sample\u0022: \u0022GET \/.DS_Store HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: i\u0022, \u0022payload_snippet\u0022: \u0022GET \/.DS_Store HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/.DS_Store HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: i\u0022, \u0022payload_snippet\u0022: \u0022GET \/.DS_Store HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], 
\u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225618f546d5962c5547798ab323be520b63244555\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/.DS_Store HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/.DS_Store HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 7 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 51, \u0022correlation_boost\u0022: 19}, 
\u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 51, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022, \u0022dst_port\u0022: 6443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +19\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/.DS_Store HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)\u0022, 
\u0022evidence_snippet\u0022: \u0022GET \/.DS_Store HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 7 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +19\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, 
\u0022service_role\u0022: \u0022k8s_api\u0022, \u0022service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 19, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_kubernetes_probe\u0022, \u0022tor_exit_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_kubernetes_probe\u0022, \u0022tor_exit_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":316},{"id":9231349,"ip":"111.228.50.25","ts":"2026-06-15 
15:35:05.000000","proto":"tcp","src_port":54088,"dst_port":6443,"service":"k8s-api","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75\u0022, \u0022emulator_response_len\u0022: 165, \u0022bytes_in\u0022: 331, \u0022payload_entropy\u0022: 5.387386729302599, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022k8s-api\u0022, \u0022app_proto\u0022: \u0022k8s-api\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 6443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 6.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 51, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ef86356910d7f7cdd52447d2d53697ca6a0c79fa\u0022, \u0022event_fingerprint\u0022: \u00225535c85e0f6854b807e5b9ef895f87dbea310cc1\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, 
\u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 51, \u0022correlation_boost\u0022: 19}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00228a669c0253fc521cf4eae479ca01eea0\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_score\u0022: 51}, \u0022payload_preview\u0022: \u0022GET \/docs\/api.html HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.1\u0022, \u0022request_sample\u0022: \u0022GET \/docs\/api.html HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: 
en-US,en;q=0.5\\r\\nAcc\u0022, \u0022payload_snippet\u0022: \u0022GET \/docs\/api.html HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.1\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/docs\/api.html HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAcc\u0022, \u0022payload_snippet\u0022: \u0022GET \/docs\/api.html HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.1\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022bccfc94a6b4775302383df8fc13aec56bc57129e\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/docs\/api.html HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.1\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/docs\/api.html HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.1\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)\u0022, 
\u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 51, \u0022correlation_boost\u0022: 19}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 51, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022, \u0022dst_port\u0022: 6443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: 
\u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +19\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/docs\/api.html HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.1\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/docs\/api.html HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.1\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +19\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: 
\u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022k8s_api\u0022, \u0022service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, 
\u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 19, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_kubernetes_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_kubernetes_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":331},{"id":9231330,"ip":"111.228.50.25","ts":"2026-06-15 15:35:04.000000","proto":"tcp","src_port":54054,"dst_port":6443,"service":"k8s-api","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75\u0022, \u0022emulator_response_len\u0022: 165, \u0022bytes_in\u0022: 267, \u0022payload_entropy\u0022: 5.2764831000105366, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022k8s-api\u0022, \u0022app_proto\u0022: \u0022k8s-api\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 6443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, 
\u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022779b413768864c7b9c97862a39322b83a3bf76f5\u0022, \u0022event_fingerprint\u0022: \u00225535c85e0f6854b807e5b9ef895f87dbea310cc1\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 19}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: 
\u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002243a5a8d0d772d85b60a11dadadec6b14\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022GET \/dump.sql HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml,appli\u0022, \u0022request_sample\u0022: \u0022GET \/dump.sql HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: identity\\r\\nReferer: https:\/\/github.com\/\\r\\nConnection\u0022, \u0022payload_snippet\u0022: \u0022GET \/dump.sql HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml,appli\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/dump.sql HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: identity\\r\\nReferer: https:\/\/github.com\/\\r\\nConnection\u0022, \u0022payload_snippet\u0022: \u0022GET \/dump.sql HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml,appli\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], 
\u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d22e9753b50c3dff71b5bda5ce74371a7cad26f1\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/dump.sql HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml,appli\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/dump.sql HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml,appli\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, 
\u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 19}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022, \u0022dst_port\u0022: 6443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +19\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/dump.sql HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml,appli\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via K8S 
API:6443 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/dump.sql HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml,appli\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +19\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, 
\u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022k8s_api\u0022, \u0022service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 19, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022net_kubernetes_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022net_kubernetes_probe\u0022]","anomalies":"[]","severity":6,"bytes_in":267},{"id":9231333,"ip":"111.228.50.25","ts":"2026-06-15 
15:35:04.000000","proto":"tcp","src_port":54064,"dst_port":6443,"service":"k8s-api","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75\u0022, \u0022emulator_response_len\u0022: 165, \u0022bytes_in\u0022: 317, \u0022payload_entropy\u0022: 5.430547952960944, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022k8s-api\u0022, \u0022app_proto\u0022: \u0022k8s-api\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 6443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 6.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 51, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ef86356910d7f7cdd52447d2d53697ca6a0c79fa\u0022, \u0022event_fingerprint\u0022: \u00225535c85e0f6854b807e5b9ef895f87dbea310cc1\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, 
\u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 51, \u0022correlation_boost\u0022: 19}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002223942034703f561fec33b8f9b0d238a1\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_score\u0022: 51}, \u0022payload_preview\u0022: \u0022GET \/status HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\\r\u0022, \u0022request_sample\u0022: \u0022GET \/status HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: 
en-US,en;q=0.5\\r\\nAccept-Encoding: iden\u0022, \u0022payload_snippet\u0022: \u0022GET \/status HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/status HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: iden\u0022, \u0022payload_snippet\u0022: \u0022GET \/status HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022aa0725ca83f602a242891082fc4acb85f53d6d11\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/status HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/status HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)\u0022, 
\u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 51, \u0022correlation_boost\u0022: 19}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 51, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022, \u0022dst_port\u0022: 6443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: 
\u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +19\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/status HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/status HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +19\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: 
\u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022k8s_api\u0022, \u0022service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, 
\u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 19, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_kubernetes_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_kubernetes_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":317},{"id":9231336,"ip":"111.228.50.25","ts":"2026-06-15 15:35:04.000000","proto":"tcp","src_port":54072,"dst_port":6443,"service":"k8s-api","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75\u0022, \u0022emulator_response_len\u0022: 165, \u0022bytes_in\u0022: 321, \u0022payload_entropy\u0022: 5.435384777412616, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022k8s-api\u0022, \u0022app_proto\u0022: \u0022k8s-api\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 6443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, 
\u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 6.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 51, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022af2a2b7f09cf253b1d9837e5b38ec9f9711ed2af\u0022, \u0022event_fingerprint\u0022: \u00225535c85e0f6854b807e5b9ef895f87dbea310cc1\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 51, \u0022correlation_boost\u0022: 19}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, 
\u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00229fd7af0f581c874b9adbab0d28155d0d\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_score\u0022: 51}, \u0022payload_preview\u0022: \u0022GET \/web.config HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/12\u0022, \u0022request_sample\u0022: \u0022GET \/web.config HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: \u0022, \u0022payload_snippet\u0022: \u0022GET \/web.config HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/12\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/web.config HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: \u0022, \u0022payload_snippet\u0022: \u0022GET \/web.config HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/12\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: 
[\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022bb269d4221760b692dcb51353fd08f9c2027515b\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/web.config HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/12\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/web.config HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/12\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 7 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 51, \u0022correlation_boost\u0022: 19}, \u0022attack_stage\u0022: \u0022recon\u0022, 
\u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 51, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022, \u0022dst_port\u0022: 6443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +19\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/web.config HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/12\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/web.config 
HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/12\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 7 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +19\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022k8s_api\u0022, 
\u0022service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 19, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_kubernetes_probe\u0022, \u0022redis_config_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_kubernetes_probe\u0022, \u0022redis_config_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":321},{"id":9231339,"ip":"111.228.50.25","ts":"2026-06-15 
15:35:04.000000","proto":"tcp","src_port":54074,"dst_port":6443,"service":"k8s-api","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75\u0022, \u0022emulator_response_len\u0022: 165, \u0022bytes_in\u0022: 323, \u0022payload_entropy\u0022: 5.417432427291201, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022k8s-api\u0022, \u0022app_proto\u0022: \u0022k8s-api\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 6443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 6.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 51, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ef86356910d7f7cdd52447d2d53697ca6a0c79fa\u0022, \u0022event_fingerprint\u0022: \u00225535c85e0f6854b807e5b9ef895f87dbea310cc1\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, 
\u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 51, \u0022correlation_boost\u0022: 19}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00221a859093e8f052bb9a0b268660aec47b\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_score\u0022: 51}, \u0022payload_preview\u0022: \u0022GET \/.svn\/entries HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/\u0022, \u0022request_sample\u0022: \u0022GET \/.svn\/entries HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: 
en-US,en;q=0.5\\r\\nAccept-Encoding\u0022, \u0022payload_snippet\u0022: \u0022GET \/.svn\/entries HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/.svn\/entries HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding\u0022, \u0022payload_snippet\u0022: \u0022GET \/.svn\/entries HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022724746f9b35d5224e4b21a15fdd7b8d8dd645c89\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/.svn\/entries HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/.svn\/entries HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via K8S API:6443 \u00b7 
(reconnaissance)\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 51, \u0022correlation_boost\u0022: 19}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 51, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022, \u0022dst_port\u0022: 6443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, 
\u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +19\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/.svn\/entries HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/.svn\/entries HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +19\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: 
\u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022k8s_api\u0022, \u0022service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], 
\u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 19, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_kubernetes_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_kubernetes_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":323},{"id":9231318,"ip":"111.228.50.25","ts":"2026-06-15 15:35:03.000000","proto":"tcp","src_port":53996,"dst_port":6443,"service":"k8s-api","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75\u0022, \u0022emulator_response_len\u0022: 165, \u0022bytes_in\u0022: 317, \u0022payload_entropy\u0022: 5.443370691732385, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022k8s-api\u0022, \u0022app_proto\u0022: \u0022k8s-api\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 6443, \u0022risk_waf\u0022: 8.0, 
\u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 6.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 51, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ef86356910d7f7cdd52447d2d53697ca6a0c79fa\u0022, \u0022event_fingerprint\u0022: \u00225535c85e0f6854b807e5b9ef895f87dbea310cc1\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 51, \u0022correlation_boost\u0022: 19}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin 
Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002201351afb7d57e47bbef807beb61822f0\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_score\u0022: 51}, \u0022payload_preview\u0022: \u0022GET \/info.php HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.\u0022, \u0022request_sample\u0022: \u0022GET \/info.php HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: id\u0022, \u0022payload_snippet\u0022: \u0022GET \/info.php HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/info.php HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: id\u0022, \u0022payload_snippet\u0022: \u0022GET \/info.php HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: 
\u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f68ea6cf1bf49526d2a8017f6db5998339448668\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/info.php HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/info.php HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 51, \u0022correlation_boost\u0022: 19}, 
\u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 51, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022, \u0022dst_port\u0022: 6443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +19\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/info.php HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)\u0022, 
\u0022evidence_snippet\u0022: \u0022GET \/info.php HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +19\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, 
\u0022service_role\u0022: \u0022k8s_api\u0022, \u0022service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 19, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_kubernetes_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_kubernetes_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":317},{"id":9231319,"ip":"111.228.50.25","ts":"2026-06-15 
15:35:03.000000","proto":"tcp","src_port":54012,"dst_port":6443,"service":"k8s-api","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75\u0022, \u0022emulator_response_len\u0022: 165, \u0022bytes_in\u0022: 343, \u0022payload_entropy\u0022: 5.408586760177861, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022k8s-api\u0022, \u0022app_proto\u0022: \u0022k8s-api\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 6443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 6.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 51, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022af2a2b7f09cf253b1d9837e5b38ec9f9711ed2af\u0022, \u0022event_fingerprint\u0022: \u00225535c85e0f6854b807e5b9ef895f87dbea310cc1\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, 
\u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 51, \u0022correlation_boost\u0022: 19}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022fdc9e0154e44721cd6ee76e8150b881d\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_score\u0022: 51}, \u0022payload_preview\u0022: \u0022GET \/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrom\u0022, \u0022request_sample\u0022: \u0022GET \/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: 
en-US,en;q=\u0022, \u0022payload_snippet\u0022: \u0022GET \/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrom\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=\u0022, \u0022payload_snippet\u0022: \u0022GET \/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrom\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b1459c24caa81038d717d973f3cfc1159d658bcf\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrom\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrom\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)\u0022, 
\u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 7 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 51, \u0022correlation_boost\u0022: 19}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 51, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022, \u0022dst_port\u0022: 6443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: 
\u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +19\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrom\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrom\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 7 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +19\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: 
\u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022k8s_api\u0022, \u0022service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, 
\u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 19, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_kubernetes_probe\u0022, \u0022redis_config_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_kubernetes_probe\u0022, \u0022redis_config_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":343},{"id":9231321,"ip":"111.228.50.25","ts":"2026-06-15 15:35:03.000000","proto":"tcp","src_port":54022,"dst_port":6443,"service":"k8s-api","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75\u0022, \u0022emulator_response_len\u0022: 165, \u0022bytes_in\u0022: 264, \u0022payload_entropy\u0022: 5.30277842380619, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022k8s-api\u0022, \u0022app_proto\u0022: \u0022k8s-api\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 6443, \u0022risk_waf\u0022: 
8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022035bebebeb33b8eabd5c3826c4834dd21e0c44c6\u0022, \u0022event_fingerprint\u0022: \u00225535c85e0f6854b807e5b9ef895f87dbea310cc1\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0160\u0022, \u0022pat-0284\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 933111\u0022, \u0022CRS 941130\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0160\u0022, \u0022pat-0284\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 19}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, 
\u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e4dd252b2df871892781a8a15ba5fad0\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022GET \/wp-config.php.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,applicat\u0022, \u0022request_sample\u0022: \u0022GET \/wp-config.php.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: identity\\r\\nReferer: https:\/\/github.com\/\\r\\nConnection: c\u0022, \u0022payload_snippet\u0022: \u0022GET \/wp-config.php.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,applicat\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/wp-config.php.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: identity\\r\\nReferer: https:\/\/github.com\/\\r\\nConnection: c\u0022, \u0022payload_snippet\u0022: \u0022GET \/wp-config.php.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,applicat\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 
100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002225f1a950cf0e03c3d231a613351a4950c7ab973a\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/wp-config.php.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,applicat\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/wp-config.php.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,applicat\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, 
\u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 19}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022, \u0022dst_port\u0022: 6443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +19\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/wp-config.php.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,applicat\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, 
\u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/wp-config.php.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,applicat\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +19\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, 
\u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022k8s_api\u0022, \u0022service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 19, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022net_kubernetes_probe\u0022, \u0022redis_config_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022net_kubernetes_probe\u0022, 
\u0022redis_config_probe\u0022]","anomalies":"[]","severity":6,"bytes_in":264},{"id":9231323,"ip":"111.228.50.25","ts":"2026-06-15 15:35:03.000000","proto":"tcp","src_port":54038,"dst_port":6443,"service":"k8s-api","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75\u0022, \u0022emulator_response_len\u0022: 165, \u0022bytes_in\u0022: 346, \u0022payload_entropy\u0022: 5.432094518438787, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022k8s-api\u0022, \u0022app_proto\u0022: \u0022k8s-api\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 6443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 6.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 51, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022af2a2b7f09cf253b1d9837e5b38ec9f9711ed2af\u0022, \u0022event_fingerprint\u0022: \u00225535c85e0f6854b807e5b9ef895f87dbea310cc1\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, 
\u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0160\u0022, \u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 933111\u0022, \u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0160\u0022, \u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 51, \u0022correlation_boost\u0022: 19}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00229a8703ec9e7f081864b6a623bc8ce11b\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_score\u0022: 51}, \u0022payload_preview\u0022: \u0022GET \/config.php.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Ch\u0022, \u0022request_sample\u0022: \u0022GET \/config.php.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: 
Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en\u0022, \u0022payload_snippet\u0022: \u0022GET \/config.php.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Ch\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/config.php.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en\u0022, \u0022payload_snippet\u0022: \u0022GET \/config.php.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Ch\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c69a165346c8178881e9793f6979a0a9fa4a70ed\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/config.php.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Ch\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/config.php.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: 
Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Ch\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 7 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 51, \u0022correlation_boost\u0022: 19}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 51, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022, \u0022dst_port\u0022: 6443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], 
\u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +19\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/config.php.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Ch\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/config.php.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Ch\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 7 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +19\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: 
\u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022k8s_api\u0022, \u0022service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, 
\u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 19, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_kubernetes_probe\u0022, \u0022redis_config_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_kubernetes_probe\u0022, \u0022redis_config_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":346},{"id":9231328,"ip":"111.228.50.25","ts":"2026-06-15 15:35:03.000000","proto":"tcp","src_port":54044,"dst_port":6443,"service":"k8s-api","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75\u0022, \u0022emulator_response_len\u0022: 165, \u0022bytes_in\u0022: 257, \u0022payload_entropy\u0022: 5.303303614388706, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: 
\u0022k8s-api\u0022, \u0022app_proto\u0022: \u0022k8s-api\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 6443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022779b413768864c7b9c97862a39322b83a3bf76f5\u0022, \u0022event_fingerprint\u0022: \u00225535c85e0f6854b807e5b9ef895f87dbea310cc1\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 19}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022k8s-api\u0022, 
\u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022999cd521566a6ee8b988cfdce2d68673\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022GET \/backup.zip HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml\u0022, \u0022request_sample\u0022: \u0022GET \/backup.zip HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: identity\\r\\nReferer: https:\/\/github.com\/\\r\\nConnection: close\\r\\n\\r\u0022, \u0022payload_snippet\u0022: \u0022GET \/backup.zip HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/backup.zip HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: identity\\r\\nReferer: https:\/\/github.com\/\\r\\nConnection: close\\r\\n\\r\u0022, \u0022payload_snippet\u0022: \u0022GET \/backup.zip HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: 
text\/html,application\/xhtml+xml,application\/xml\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226928e680340d5991d07320f06717868a7022bc96\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/backup.zip HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/backup.zip HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 
multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 19}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022, \u0022dst_port\u0022: 6443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +19\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/backup.zip HTTP\/1.1\\r\\nHost: 
62.3.50.33:6443\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/backup.zip HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +19\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, 
\u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022k8s_api\u0022, \u0022service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 19, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022net_kubernetes_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022k8s_api_emulated\u0022, 
\u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022net_kubernetes_probe\u0022]","anomalies":"[]","severity":6,"bytes_in":257},{"id":9231300,"ip":"111.228.50.25","ts":"2026-06-15 15:35:02.000000","proto":"tcp","src_port":43820,"dst_port":8080,"service":"http","classification":"port_scan_syn","waf_score":25,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/config\/app.ini","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 81, \u0022http_header_count\u0022: 7, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022ini\u0022, \u0022http_ua_hash\u0022: \u002261b2fb88348adb0c454f69364a0bf16d1c9d26e5\u0022, \u0022http_host_hash\u0022: \u0022c9908f9a31aefa5902e21ee9fa132cbe056c536d\u0022, \u0022http_target_hash\u0022: \u0022b6d5fdee24cfea7a2c978babc77ece80be9123d9\u0022, \u0022http_referer_hash\u0022: \u00227c774392df25c0990a337dc8b862b783cd881b51\u0022, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 344, \u0022payload_entropy\u0022: 5.410698356252914, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, 
\u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 61, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00222ecea77cc80e22c2333374cdb930c0a2f0b705fb\u0022, \u0022event_fingerprint\u0022: \u002246c328780cd40ab42544782f0d388d36b732a795\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 61, \u0022correlation_boost\u0022: 19}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: 
\u0022dbab6c4c65f4e975e43617cd246fbb8c\u0022, \u0022payload_hash\u0022: \u0022cbdbbbef04363c6c18db662111d3eef8\u0022, \u0022path_pattern_hash\u0022: \u002225fbf2e88fdb756ed2c34b457498f42d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 61}, \u0022payload_preview\u0022: \u0022GET \/config\/app.ini HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Ch\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/config\/app.ini\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/config\/app.ini HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/config\/app.ini HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en\u0022, \u0022payload_snippet\u0022: \u0022GET \/config\/app.ini HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Ch\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/config\/app.ini\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, 
\u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/config\/app.ini HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/config\/app.ini HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en\u0022, \u0022payload_snippet\u0022: \u0022GET \/config\/app.ini HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Ch\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022933de343f3911fb565b677570efece920c3b0492\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/config\/app.ini\u0022, \u0022request_line\u0022: \u0022GET \/config\/app.ini HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/config\/app.ini HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Ch\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 
\/config\/app.ini\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 61, \u0022correlation_boost\u0022: 19}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 61, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, 
\u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +19\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/config\/app.ini\u0022, \u0022request_line\u0022: \u0022GET \/config\/app.ini HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/config\/app.ini\u0022, \u0022evidence_snippet\u0022: \u0022GET \/config\/app.ini HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Ch\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +19 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, 
{\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, 
\u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 19, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_config\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8080","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36","http_referer":"https:\/\/www.bing.com\/","tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_config\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":344},{"id":9231301,"ip":"111.228.50.25","ts":"2026-06-15 15:35:02.000000","proto":"tcp","src_port":43832,"dst_port":8080,"service":"http","classification":"port_scan_syn","waf_score":22,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/status","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 81, \u0022http_header_count\u0022: 7, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: 
\u0022ae09ca118a34f21eadeb922152bc0d66d5b1783f\u0022, \u0022http_host_hash\u0022: \u0022c9908f9a31aefa5902e21ee9fa132cbe056c536d\u0022, \u0022http_target_hash\u0022: \u0022af24ddb2864923603b3fa1d79a557e18e6080953\u0022, \u0022http_referer_hash\u0022: \u0022d7b3438d97f335e612a566a731eea5acb8fe83c8\u0022, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 265, \u0022payload_entropy\u0022: 5.243697525643594, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 96.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 96.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 55, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022ab9fd5b4596e9d3426702fc99c3c20d4fc8cf11b\u0022, \u0022event_fingerprint\u0022: \u00228002dbcdce8d628b0e62a91500fadfc84e28a6ab\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, 
\u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 96.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 55, \u0022correlation_boost\u0022: 19}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022bcea973b42c25e2780c70435dae7b4a0\u0022, \u0022payload_hash\u0022: \u00221c6bbbcdd88db6a3859443a97894e131\u0022, \u0022path_pattern_hash\u0022: \u0022ae4267a01f1269fbbf4824d26cf3bb22\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 55}, \u0022payload_preview\u0022: \u0022GET \/status HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml,applica\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/status\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.3\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, 
\u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/status HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/status HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: identity\\r\\nReferer: https:\/\/github.com\/\\r\\nConnection: \u0022, \u0022payload_snippet\u0022: \u0022GET \/status HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml,applica\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/status\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.3\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/status HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/status HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: identity\\r\\nReferer: https:\/\/github.com\/\\r\\nConnection: \u0022, \u0022payload_snippet\u0022: \u0022GET \/status HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml,applica\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre\u0022: \u0022TA0043\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, 
\u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d07ee2b8e5a17f27b5986732a94438ccbf41840c\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/status\u0022, \u0022request_line\u0022: \u0022GET \/status HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.3\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/status HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml,applica\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/status\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE TA0043 \u2014 confiance 69 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 96.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 55, \u0022correlation_boost\u0022: 19}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, 
\u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 55, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0043\u0022, \u0022mitre_technique\u0022: \u0022TA0043\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +19\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/status\u0022, \u0022request_line\u0022: \u0022GET \/status HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.3\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/status\u0022, \u0022evidence_snippet\u0022: \u0022GET \/status HTTP\/1.1\\r\\nHost: 
62.3.50.33:8080\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml,applica\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 96 \u00b7 Bonus corr\u00e9lation +19 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, 
\u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 19, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_probe_status\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8080","http_user_agent":"python-requests\/2.32.3","http_referer":"https:\/\/github.com\/","tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_probe_status\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, 
\u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":10,"bytes_in":265},{"id":9231306,"ip":"111.228.50.25","ts":"2026-06-15 15:35:02.000000","proto":"tcp","src_port":43840,"dst_port":8080,"service":"http","classification":"port_scan_syn","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/web.config","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 81, \u0022http_header_count\u0022: 7, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022config\u0022, \u0022http_ua_hash\u0022: \u0022880d0c120dbf4497314046742f2cb6dbd4be704d\u0022, \u0022http_host_hash\u0022: \u0022c9908f9a31aefa5902e21ee9fa132cbe056c536d\u0022, \u0022http_target_hash\u0022: \u0022fb61e36fe9095535f127e3353d957f1c1310e8e9\u0022, \u0022http_referer_hash\u0022: \u0022595c3cce2409a55c13076f1bac5edee529fc2e58\u0022, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 321, \u0022payload_entropy\u0022: 5.422450715104411, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: 
{\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 55, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022480b9acad89211481263cecadf14486b162a31f1\u0022, \u0022event_fingerprint\u0022: \u0022471e4385442f4b960146578510a7bcb25af0e0c2\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022, \u0022pat-0120\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022, \u0022LFI IIS web.config\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022, \u0022pat-0120\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 55, \u0022correlation_boost\u0022: 19}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: 
\u0022a59685e43b0ef4fb9f3e6765d2231094\u0022, \u0022payload_hash\u0022: \u0022a4d954522fa64a4d30c97478a120b51a\u0022, \u0022path_pattern_hash\u0022: \u00220913647d7e838cdd727ceda37a671f37\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 55}, \u0022payload_preview\u0022: \u0022GET \/web.config HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/12\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/web.config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/web.config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/web.config HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: \u0022, \u0022payload_snippet\u0022: \u0022GET \/web.config HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/12\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/web.config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/web.config HTTP\/1.1\u0022, 
\u0022request_sample\u0022: \u0022GET \/web.config HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: \u0022, \u0022payload_snippet\u0022: \u0022GET \/web.config HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/12\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002228ec0f39a02a489f5019b2c52e40ede8f136bfa5\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/web.config\u0022, \u0022request_line\u0022: \u0022GET \/web.config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/web.config HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/12\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/web.config\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 
3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 55, \u0022correlation_boost\u0022: 19}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 55, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, 
\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +19\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/web.config\u0022, \u0022request_line\u0022: \u0022GET \/web.config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/web.config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/web.config HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/12\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +19 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, 
\u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_category_scan\u0022, 
\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 19, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_sensitive_path\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8080","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0","http_referer":"https:\/\/www.google.com\/","tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_sensitive_path\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":9,"bytes_in":321},{"id":9231307,"ip":"111.228.50.25","ts":"2026-06-15 15:35:02.000000","proto":"tcp","src_port":43776,"dst_port":8080,"service":"http","classification":"port_scan_syn","waf_score":30,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950521:leak-8\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/config.php.bak","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 81, \u0022http_header_count\u0022: 7, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022bak\u0022, \u0022http_ua_hash\u0022: \u00222de5c12e398bc6e09d9f64dfa317a27082e393cf\u0022, \u0022http_host_hash\u0022: \u0022c9908f9a31aefa5902e21ee9fa132cbe056c536d\u0022, \u0022http_target_hash\u0022: \u0022f4e5344862db3f007de9149164d79b088f516034\u0022, \u0022http_referer_hash\u0022: \u0022595c3cce2409a55c13076f1bac5edee529fc2e58\u0022, 
\u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 265, \u0022payload_entropy\u0022: 5.268599614681096, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 62, \u0022tag_count\u0022: 11, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u00222e57ce9b6ff812a2def72410239e408b42355d7b\u0022, \u0022event_fingerprint\u0022: \u0022a51dc13fbf729da578340fa86f2277ac995b989d\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0160\u0022, \u0022pat-0284\u0022, \u0022pat-0103\u0022, \u0022pat-0118\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 933111\u0022, \u0022CRS 941130\u0022, \u0022LFI Double-dot bypass\u0022, \u0022LFI Generic 
config.php\u0022], \u0022pattern_ids\u0022: [\u0022pat-0160\u0022, \u0022pat-0284\u0022, \u0022pat-0103\u0022, \u0022pat-0118\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 62, \u0022correlation_boost\u0022: 19}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002207d1d539047ef01990ffd8266d015775\u0022, \u0022payload_hash\u0022: \u0022282fba46d7d623912de0ef9ecf7452c7\u0022, \u0022path_pattern_hash\u0022: \u0022456c6182b7d24690c48a4170c38e6d4b\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 62}, \u0022payload_preview\u0022: \u0022GET \/config.php.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/config.php.bak\u0022, \u0022user_agent\u0022: \u0022curl\/8.5.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950521:leak-8\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022leak-8\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/config.php.bak HTTP\/1.1\u0022, \u0022request_sample\u0022: 
\u0022GET \/config.php.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: identity\\r\\nReferer: https:\/\/www.google.com\/\\r\\nConnection: \u0022, \u0022payload_snippet\u0022: \u0022GET \/config.php.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/config.php.bak\u0022, \u0022user_agent\u0022: \u0022curl\/8.5.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950521:leak-8\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022leak-8\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/config.php.bak HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/config.php.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: identity\\r\\nReferer: https:\/\/www.google.com\/\\r\\nConnection: \u0022, \u0022payload_snippet\u0022: \u0022GET \/config.php.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, 
\u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002251c2b1f77111326b3f01964ae6391d8e58ef6b6c\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/config.php.bak\u0022, \u0022request_line\u0022: \u0022GET \/config.php.bak HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/8.5.0\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/config.php.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/config.php.bak\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 62, \u0022correlation_boost\u0022: 19}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: 
\u0022Reconnaissance\u0022, \u0022risk_score\u0022: 62, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +19\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/config.php.bak\u0022, \u0022request_line\u0022: \u0022GET \/config.php.bak HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/8.5.0\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/config.php.bak\u0022, \u0022evidence_snippet\u0022: \u0022GET \/config.php.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: 
text\/html,application\/xhtml+xml,application\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +19 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: 
\u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 19, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950521:leak-8\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_backup_file_scan\u0022, \u0022http_backup_path\u0022, \u0022http_sensitive_path\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8080","http_user_agent":"curl\/8.5.0","http_referer":"https:\/\/www.google.com\/","tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950521:leak-8\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_backup_file_scan\u0022, \u0022http_backup_path\u0022, \u0022http_sensitive_path\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, 
\u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":10,"bytes_in":265},{"id":9231309,"ip":"111.228.50.25","ts":"2026-06-15 15:35:02.000000","proto":"tcp","src_port":43854,"dst_port":8080,"service":"http","classification":"port_scan_syn","waf_score":28,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/docs\/api.html","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 81, \u0022http_header_count\u0022: 7, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022html\u0022, \u0022http_ua_hash\u0022: \u00222de5c12e398bc6e09d9f64dfa317a27082e393cf\u0022, \u0022http_host_hash\u0022: \u0022c9908f9a31aefa5902e21ee9fa132cbe056c536d\u0022, \u0022http_target_hash\u0022: \u0022383380ff23d44e26157e64c10e7b30efe48f3e03\u0022, \u0022http_referer_hash\u0022: \u0022d7b3438d97f335e612a566a731eea5acb8fe83c8\u0022, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 260, \u0022payload_entropy\u0022: 5.235070332716683, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, 
\u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 61, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022244aeb3457260b8becfb01c5a8288c41144d3bc9\u0022, \u0022event_fingerprint\u0022: \u00228b09c0697b4eb17939968830b5f06bf339843d1b\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 61, \u0022correlation_boost\u0022: 19}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, 
\u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002207d1d539047ef01990ffd8266d015775\u0022, \u0022payload_hash\u0022: \u0022d891f8cef5d338fc9d79e49d65d08480\u0022, \u0022path_pattern_hash\u0022: \u0022dff9ab91d824ba80eda0b5e6e8fb168b\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 61}, \u0022payload_preview\u0022: \u0022GET \/docs\/api.html HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/docs\/api.html\u0022, \u0022user_agent\u0022: \u0022curl\/8.5.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/docs\/api.html HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/docs\/api.html HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: identity\\r\\nReferer: https:\/\/github.com\/\\r\\nConnection: close\u0022, \u0022payload_snippet\u0022: \u0022GET \/docs\/api.html HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/docs\/api.html\u0022, \u0022user_agent\u0022: \u0022curl\/8.5.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, 
\u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/docs\/api.html HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/docs\/api.html HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: identity\\r\\nReferer: https:\/\/github.com\/\\r\\nConnection: close\u0022, \u0022payload_snippet\u0022: \u0022GET \/docs\/api.html HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229771dd7ae851f51da285614f298ab0890136cb8d\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/docs\/api.html\u0022, \u0022request_line\u0022: \u0022GET \/docs\/api.html HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/8.5.0\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/docs\/api.html HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/docs\/api.html\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 
HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 61, \u0022correlation_boost\u0022: 19}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 61, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: 
\u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +19\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/docs\/api.html\u0022, \u0022request_line\u0022: \u0022GET \/docs\/api.html HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/8.5.0\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/docs\/api.html\u0022, \u0022evidence_snippet\u0022: \u0022GET \/docs\/api.html HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +19 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, 
{\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, 
\u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 19, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8080","http_user_agent":"curl\/8.5.0","http_referer":"https:\/\/github.com\/","tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":10,"bytes_in":260},{"id":9231313,"ip":"111.228.50.25","ts":"2026-06-15 15:35:02.000000","proto":"tcp","src_port":43866,"dst_port":8080,"service":"http","classification":"port_scan_syn","waf_score":33,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950519:leak-6\u0022]","http_method":"GET","http_target":"\/.svn\/entries","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 81, \u0022http_header_count\u0022: 7, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022svn\/entries\u0022, \u0022http_ua_hash\u0022: \u0022880d0c120dbf4497314046742f2cb6dbd4be704d\u0022, \u0022http_host_hash\u0022: 
\u0022c9908f9a31aefa5902e21ee9fa132cbe056c536d\u0022, \u0022http_target_hash\u0022: \u0022fec28f2e1aabccf1f7e02d7f5d2dd9dd95703725\u0022, \u0022http_referer_hash\u0022: \u00227c774392df25c0990a337dc8b862b783cd881b51\u0022, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 321, \u0022payload_entropy\u0022: 5.420619350654567, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 61, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00222853b1b9e1e6529091a7863991bd0e13419e6e88\u0022, \u0022event_fingerprint\u0022: \u0022cd8cd522126d4b77a53b242af565821cf5ffad0c\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022, 
\u0022pat-0750\u0022, \u0022pat-0201\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022, \u0022ET .svn entries\u0022, \u0022Probe \/.svn\/entries\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022, \u0022pat-0750\u0022, \u0022pat-0201\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 61, \u0022correlation_boost\u0022: 19}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022a59685e43b0ef4fb9f3e6765d2231094\u0022, \u0022payload_hash\u0022: \u0022e7b633030a26291179c9b4b1151ed5cc\u0022, \u0022path_pattern_hash\u0022: \u0022a8bfcf5717c2407f76d3bb4e6b62379c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 61}, \u0022payload_preview\u0022: \u0022GET \/.svn\/entries HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/.svn\/entries\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950519:leak-6\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, 
\u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022leak-6\u0022], \u0022request_line\u0022: \u0022GET \/.svn\/entries HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/.svn\/entries HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding\u0022, \u0022payload_snippet\u0022: \u0022GET \/.svn\/entries HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/.svn\/entries\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950519:leak-6\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022leak-6\u0022], \u0022request_line\u0022: \u0022GET \/.svn\/entries HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/.svn\/entries HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding\u0022, \u0022payload_snippet\u0022: \u0022GET \/.svn\/entries HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: 
\u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022919376342aae9b6e9b8bfe6a32965ad9085cbaad\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/.svn\/entries\u0022, \u0022request_line\u0022: \u0022GET \/.svn\/entries HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/.svn\/entries HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/.svn\/entries\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 61, 
\u0022correlation_boost\u0022: 19}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 61, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +19\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/.svn\/entries\u0022, \u0022request_line\u0022: \u0022GET \/.svn\/entries HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, 
\u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/.svn\/entries\u0022, \u0022evidence_snippet\u0022: \u0022GET \/.svn\/entries HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +19 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: 
\u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 19, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950519:leak-6\u0022, \u0022http_probe_svn\u0022, \u0022http_sensitive_path\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8080","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0","http_referer":"https:\/\/www.bing.com\/","tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, 
\u0022950470:nosqli-3\u0022, \u0022950519:leak-6\u0022, \u0022http_probe_svn\u0022, \u0022http_sensitive_path\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":321},{"id":9231286,"ip":"111.228.50.25","ts":"2026-06-15 15:35:01.000000","proto":"tcp","src_port":43748,"dst_port":8080,"service":"http","classification":"port_scan_syn","waf_score":22,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/info.php","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 81, \u0022http_header_count\u0022: 7, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: \u0022ae09ca118a34f21eadeb922152bc0d66d5b1783f\u0022, \u0022http_host_hash\u0022: \u0022c9908f9a31aefa5902e21ee9fa132cbe056c536d\u0022, \u0022http_target_hash\u0022: \u0022068dbe886744caa8c17ff08053d93aa8001f5bdd\u0022, \u0022http_referer_hash\u0022: \u0022d7b3438d97f335e612a566a731eea5acb8fe83c8\u0022, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 267, \u0022payload_entropy\u0022: 5.247732935937935, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 96.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, 
\u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 96.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022973d8923003acbae0aa82479b53e1238c798b4d6\u0022, \u0022event_fingerprint\u0022: \u0022801b2067e2b5997b78fd77194cebadea3623620b\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 96.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60, \u0022correlation_boost\u0022: 19}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, 
\u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022bcea973b42c25e2780c70435dae7b4a0\u0022, \u0022payload_hash\u0022: \u0022462fe63375e2b63ec192a0fda3f64685\u0022, \u0022path_pattern_hash\u0022: \u0022f698c64f9b430a098de679bb708946c6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 60}, \u0022payload_preview\u0022: \u0022GET \/info.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml,appli\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/info.php\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.3\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/info.php HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/info.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: identity\\r\\nReferer: https:\/\/github.com\/\\r\\nConnection\u0022, \u0022payload_snippet\u0022: \u0022GET \/info.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml,appli\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/info.php\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.3\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, 
\u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/info.php HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/info.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: identity\\r\\nReferer: https:\/\/github.com\/\\r\\nConnection\u0022, \u0022payload_snippet\u0022: \u0022GET \/info.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml,appli\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a3bdf38b231931164ebd1fa2474e2ddc823323db\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/info.php\u0022, \u0022request_line\u0022: \u0022GET \/info.php HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.3\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/info.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml,appli\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/info.php\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 
HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 96.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60, \u0022correlation_boost\u0022: 19}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 60, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: 
\u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +19\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/info.php\u0022, \u0022request_line\u0022: \u0022GET \/info.php HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.3\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/info.php\u0022, \u0022evidence_snippet\u0022: \u0022GET \/info.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml,appli\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 96 \u00b7 Bonus corr\u00e9lation +19 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: 
\u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, 
\u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 19, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8080","http_user_agent":"python-requests\/2.32.3","http_referer":"https:\/\/github.com\/","tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":10,"bytes_in":267},{"id":9231287,"ip":"111.228.50.25","ts":"2026-06-15 15:35:01.000000","proto":"tcp","src_port":43750,"dst_port":8080,"service":"http","classification":"port_scan_syn","waf_score":22,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/backup.zip","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 81, \u0022http_header_count\u0022: 7, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022zip\u0022, \u0022http_ua_hash\u0022: \u0022ae09ca118a34f21eadeb922152bc0d66d5b1783f\u0022, \u0022http_host_hash\u0022: \u0022c9908f9a31aefa5902e21ee9fa132cbe056c536d\u0022, \u0022http_target_hash\u0022: 
\u0022120464334a09253351ef1d72ea024ff0a6ce1548\u0022, \u0022http_referer_hash\u0022: \u0022d7b3438d97f335e612a566a731eea5acb8fe83c8\u0022, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 269, \u0022payload_entropy\u0022: 5.284299667012065, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 96.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 96.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 10, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u00224eb9335ba3e8b3d6a35396ef13f699feea9903ba\u0022, \u0022event_fingerprint\u0022: \u00222d1f12dc1ef0495e251da588ab79e27ba433b982\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022, \u0022pat-0103\u0022, \u0022pat-0243\u0022], \u0022matched_pattern_names\u0022: 
[\u0022CRS 941130\u0022, \u0022LFI Double-dot bypass\u0022, \u0022Probe \/backup.zip\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022, \u0022pat-0103\u0022, \u0022pat-0243\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 96.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60, \u0022correlation_boost\u0022: 19}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022bcea973b42c25e2780c70435dae7b4a0\u0022, \u0022payload_hash\u0022: \u002235723d5758915634484201e0502bd278\u0022, \u0022path_pattern_hash\u0022: \u0022971e61c28ff9d3ddfc07b15126d7c0c7\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 60}, \u0022payload_preview\u0022: \u0022GET \/backup.zip HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml,app\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/backup.zip\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.3\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/backup.zip HTTP\/1.1\u0022, 
\u0022request_sample\u0022: \u0022GET \/backup.zip HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: identity\\r\\nReferer: https:\/\/github.com\/\\r\\nConnecti\u0022, \u0022payload_snippet\u0022: \u0022GET \/backup.zip HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml,app\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/backup.zip\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.3\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/backup.zip HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/backup.zip HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: identity\\r\\nReferer: https:\/\/github.com\/\\r\\nConnecti\u0022, \u0022payload_snippet\u0022: \u0022GET \/backup.zip HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml,app\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, 
\u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022bcb68592f522a31af447fb17dfafa73e6576cd9a\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/backup.zip\u0022, \u0022request_line\u0022: \u0022GET \/backup.zip HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.3\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/backup.zip HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml,app\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/backup.zip\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 96.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60, \u0022correlation_boost\u0022: 19}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: 
\u0022Reconnaissance\u0022, \u0022risk_score\u0022: 60, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +19\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/backup.zip\u0022, \u0022request_line\u0022: \u0022GET \/backup.zip HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.3\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/backup.zip\u0022, \u0022evidence_snippet\u0022: \u0022GET \/backup.zip HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: 
text\/html,application\/xhtml+xml,app\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 96 \u00b7 Bonus corr\u00e9lation +19 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: 
\u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 19, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_backup_file_scan\u0022, \u0022http_backup_path\u0022, \u0022http_probe_backup\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8080","http_user_agent":"python-requests\/2.32.3","http_referer":"https:\/\/github.com\/","tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_backup_file_scan\u0022, \u0022http_backup_path\u0022, \u0022http_probe_backup\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, 
\u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":10,"bytes_in":269},{"id":9231288,"ip":"111.228.50.25","ts":"2026-06-15 15:35:01.000000","proto":"tcp","src_port":43758,"dst_port":8080,"service":"http","classification":"port_scan_syn","waf_score":38,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950518:leak-5\u0022, \u0022950521:leak-8\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/wp-config.php.bak","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 81, \u0022http_header_count\u0022: 7, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022bak\u0022, \u0022http_ua_hash\u0022: \u0022ae09ca118a34f21eadeb922152bc0d66d5b1783f\u0022, \u0022http_host_hash\u0022: \u0022c9908f9a31aefa5902e21ee9fa132cbe056c536d\u0022, \u0022http_target_hash\u0022: \u00220372d7102c333673ea0de9e60c73911cb60bfb5f\u0022, \u0022http_referer_hash\u0022: \u0022d7b3438d97f335e612a566a731eea5acb8fe83c8\u0022, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 276, \u0022payload_entropy\u0022: 5.282361887540949, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, 
\u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 62, \u0022tag_count\u0022: 12, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u002253a564063cba85bf67785aeb6f7d8225a00d51d9\u0022, \u0022event_fingerprint\u0022: \u0022c4565386bfc702aeff164f07dabda857b1b321ab\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0160\u0022, \u0022pat-0284\u0022, \u0022pat-0103\u0022, \u0022pat-0135\u0022, \u0022pat-0195\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 933111\u0022, \u0022CRS 941130\u0022, \u0022LFI Double-dot bypass\u0022, \u0022LFI WordPress config backup\u0022, \u0022Probe \/wp-config.php\u0022], \u0022pattern_ids\u0022: [\u0022pat-0160\u0022, \u0022pat-0284\u0022, \u0022pat-0103\u0022, \u0022pat-0135\u0022, \u0022pat-0195\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 62, \u0022correlation_boost\u0022: 19}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, 
\u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022bcea973b42c25e2780c70435dae7b4a0\u0022, \u0022payload_hash\u0022: \u00225f755c9d88c285e8bfa0d2372fb8cfb9\u0022, \u0022path_pattern_hash\u0022: \u0022c879a1d8584c2c545f6c6bb7a9f5a061\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 62}, \u0022payload_preview\u0022: \u0022GET \/wp-config.php.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wp-config.php.bak\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.3\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950518:leak-5\u0022, \u0022950521:leak-8\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022leak-5\u0022, \u0022leak-8\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/wp-config.php.bak HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/wp-config.php.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: identity\\r\\nReferer: https:\/\/github.com\/\\r\\nC\u0022, \u0022payload_snippet\u0022: \u0022GET \/wp-config.php.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, 
\u0022path\u0022: \u0022\/wp-config.php.bak\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.3\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950518:leak-5\u0022, \u0022950521:leak-8\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022leak-5\u0022, \u0022leak-8\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/wp-config.php.bak HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/wp-config.php.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: identity\\r\\nReferer: https:\/\/github.com\/\\r\\nC\u0022, \u0022payload_snippet\u0022: \u0022GET \/wp-config.php.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002298128df8e8060837a3cc1cb07c9042d2678235cd\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wp-config.php.bak\u0022, \u0022request_line\u0022: \u0022GET \/wp-config.php.bak HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.3\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, 
\u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/wp-config.php.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/wp-config.php.bak\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 62, \u0022correlation_boost\u0022: 19}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 62, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: 
[\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +19\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wp-config.php.bak\u0022, \u0022request_line\u0022: \u0022GET \/wp-config.php.bak HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.3\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/wp-config.php.bak\u0022, \u0022evidence_snippet\u0022: \u0022GET \/wp-config.php.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +19 \u00b7 6 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une 
fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, 
\u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 19, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950518:leak-5\u0022, \u0022950521:leak-8\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_backup_file_scan\u0022, \u0022http_backup_path\u0022, \u0022http_sensitive_path\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8080","http_user_agent":"python-requests\/2.32.3","http_referer":"https:\/\/github.com\/","tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950518:leak-5\u0022, \u0022950521:leak-8\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_backup_file_scan\u0022, \u0022http_backup_path\u0022, \u0022http_sensitive_path\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":10,"bytes_in":276},{"id":9231289,"ip":"111.228.50.25","ts":"2026-06-15 15:35:01.000000","proto":"tcp","src_port":43764,"dst_port":8080,"service":"http","classification":"port_scan_syn","waf_score":33,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, 
\u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/.git\/config","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 81, \u0022http_header_count\u0022: 7, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u0022880d0c120dbf4497314046742f2cb6dbd4be704d\u0022, \u0022http_host_hash\u0022: \u0022c9908f9a31aefa5902e21ee9fa132cbe056c536d\u0022, \u0022http_target_hash\u0022: \u0022e2f253eab0d0cf5422d24d22ae2a4954398768df\u0022, \u0022http_referer_hash\u0022: \u0022d7b3438d97f335e612a566a731eea5acb8fe83c8\u0022, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 318, \u0022payload_entropy\u0022: 5.403064950713164, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 61, \u0022tag_count\u0022: 10, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002219db4ae60e75e7e2e3bfa777e6cacb614c6a1d85\u0022, 
\u0022event_fingerprint\u0022: \u0022df5851a413a7a9b921ef143a6764b6ce2d04b977\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022, \u0022pat-0198\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022, \u0022Probe \/.git\/config\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022, \u0022pat-0198\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 61, \u0022correlation_boost\u0022: 19}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022a59685e43b0ef4fb9f3e6765d2231094\u0022, \u0022payload_hash\u0022: \u00224e5df09dfc25ea57397960363df5e5fd\u0022, \u0022path_pattern_hash\u0022: \u00223ec26e4f0817b37785cd5e68fed88892\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 61}, 
\u0022payload_preview\u0022: \u0022GET \/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/1\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding:\u0022, \u0022payload_snippet\u0022: \u0022GET \/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/1\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\\r\\nAccept: 
text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding:\u0022, \u0022payload_snippet\u0022: \u0022GET \/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/1\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002227790def224b7c3970509cdd65ce66f088e1c364\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/1\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/.git\/config\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, 
\u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 61, \u0022correlation_boost\u0022: 19}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 61, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: 
\u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +19\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/1\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +19 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: 
\u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 19, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, 
\u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_probe_git\u0022, \u0022http_sensitive_path\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8080","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0","http_referer":"https:\/\/github.com\/","tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_probe_git\u0022, \u0022http_sensitive_path\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":318},{"id":9231291,"ip":"111.228.50.25","ts":"2026-06-15 15:35:01.000000","proto":"tcp","src_port":43790,"dst_port":8080,"service":"http","classification":"port_scan_syn","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/dump.sql","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 81, \u0022http_header_count\u0022: 7, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022sql\u0022, \u0022http_ua_hash\u0022: \u002261b2fb88348adb0c454f69364a0bf16d1c9d26e5\u0022, \u0022http_host_hash\u0022: \u0022c9908f9a31aefa5902e21ee9fa132cbe056c536d\u0022, \u0022http_target_hash\u0022: \u00221fc830e90e8ffa94d6b83234ae2ec2ba7b5108ba\u0022, \u0022http_referer_hash\u0022: 
\u0022d7b3438d97f335e612a566a731eea5acb8fe83c8\u0022, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 336, \u0022payload_entropy\u0022: 5.436237011355969, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 55, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221bfedd9f5d1a6c3442d67e2e7356369026707b4f\u0022, \u0022event_fingerprint\u0022: \u00224c1f8f86bb76a57605fd33f971bde8d40f0c54b9\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022, \u0022pat-0132\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022, \u0022LFI SQL dump file\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022, 
\u0022pat-0132\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 55, \u0022correlation_boost\u0022: 19}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022dbab6c4c65f4e975e43617cd246fbb8c\u0022, \u0022payload_hash\u0022: \u00220a6036cbaffeed6c001a70634c166261\u0022, \u0022path_pattern_hash\u0022: \u00222debf0ced7dd0a1204edf7447a578b8e\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 55}, \u0022payload_preview\u0022: \u0022GET \/dump.sql HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/1\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/dump.sql\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/dump.sql HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/dump.sql HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 
Chrome\/125.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\u0022, \u0022payload_snippet\u0022: \u0022GET \/dump.sql HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/1\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/dump.sql\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/dump.sql HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/dump.sql HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\u0022, \u0022payload_snippet\u0022: \u0022GET \/dump.sql HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/1\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228db1f1881699ac8b21e9d2c3dd76e7584f79bdc7\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: 
\u0022GET\u0022, \u0022http_path\u0022: \u0022\/dump.sql\u0022, \u0022request_line\u0022: \u0022GET \/dump.sql HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/dump.sql HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/1\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/dump.sql\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 55, \u0022correlation_boost\u0022: 19}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 55, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: 
\u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +19\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/dump.sql\u0022, \u0022request_line\u0022: \u0022GET \/dump.sql HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/dump.sql\u0022, \u0022evidence_snippet\u0022: \u0022GET \/dump.sql HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/1\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 
HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +19 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: 
\u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 19, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_backup_file_scan\u0022, \u0022http_backup_path\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8080","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36","http_referer":"https:\/\/github.com\/","tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_backup_file_scan\u0022, \u0022http_backup_path\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":9,"bytes_in":336},{"id":9231292,"ip":"111.228.50.25","ts":"2026-06-15 15:35:01.000000","proto":"tcp","src_port":43806,"dst_port":8080,"service":"http","classification":"port_scan_syn","waf_score":30,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, 
\u0022950470:nosqli-3\u0022, \u0022950520:leak-7\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/.DS_Store","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 81, \u0022http_header_count\u0022: 7, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022ds_store\u0022, \u0022http_ua_hash\u0022: \u0022ae09ca118a34f21eadeb922152bc0d66d5b1783f\u0022, \u0022http_host_hash\u0022: \u0022c9908f9a31aefa5902e21ee9fa132cbe056c536d\u0022, \u0022http_target_hash\u0022: \u00222eaf811e78c039402383e125deb093600a999e32\u0022, \u0022http_referer_hash\u0022: \u00227c774392df25c0990a337dc8b862b783cd881b51\u0022, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 270, \u0022payload_entropy\u0022: 5.305559752466207, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 62, \u0022tag_count\u0022: 9, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: 
\u0022f5bcc4f4408c18ddf1e1e57cf0d0f599e9f6bb63\u0022, \u0022event_fingerprint\u0022: \u002286140c3e66c554c9aab3afe4bb767b44e5af8824\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022, \u0022pat-0103\u0022, \u0022pat-0196\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022, \u0022LFI Double-dot bypass\u0022, \u0022Probe \/.DS_Store\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022, \u0022pat-0103\u0022, \u0022pat-0196\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 62, \u0022correlation_boost\u0022: 19}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022bcea973b42c25e2780c70435dae7b4a0\u0022, \u0022payload_hash\u0022: \u0022503f31b07236f57576876a6caadf6f8f\u0022, \u0022path_pattern_hash\u0022: \u0022cdaaa22fe9af2e099c05c2fbe6285541\u0022}, \u0022target_context\u0022: 
{\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 62}, \u0022payload_preview\u0022: \u0022GET \/.DS_Store HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml,appl\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/.DS_Store\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.3\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950520:leak-7\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022leak-7\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/.DS_Store HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/.DS_Store HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: identity\\r\\nReferer: https:\/\/www.bing.com\/\\r\\nConnect\u0022, \u0022payload_snippet\u0022: \u0022GET \/.DS_Store HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml,appl\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/.DS_Store\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.3\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950520:leak-7\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022leak-7\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/.DS_Store HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/.DS_Store HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: 
python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: identity\\r\\nReferer: https:\/\/www.bing.com\/\\r\\nConnect\u0022, \u0022payload_snippet\u0022: \u0022GET \/.DS_Store HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml,appl\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220070d97b7465f5d1227346cbf7f528cb8fffdb2d\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/.DS_Store\u0022, \u0022request_line\u0022: \u0022GET \/.DS_Store HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.3\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/.DS_Store HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml,appl\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/.DS_Store\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier 
sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 62, \u0022correlation_boost\u0022: 19}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 62, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 
min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +19\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/.DS_Store\u0022, \u0022request_line\u0022: \u0022GET \/.DS_Store HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.3\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/.DS_Store\u0022, \u0022evidence_snippet\u0022: \u0022GET \/.DS_Store HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: python-requests\/2.32.3\\r\\nAccept: text\/html,application\/xhtml+xml,appl\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +19 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, 
{\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 19, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: 
[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950520:leak-7\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_sensitive_path\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8080","http_user_agent":"python-requests\/2.32.3","http_referer":"https:\/\/www.bing.com\/","tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950520:leak-7\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_sensitive_path\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":10,"bytes_in":270},{"id":9231297,"ip":"111.228.50.25","ts":"2026-06-15 15:35:01.000000","proto":"tcp","src_port":43816,"dst_port":8080,"service":"http","classification":"port_scan_syn","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/adminer.php","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 81, \u0022http_header_count\u0022: 7, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: \u0022880d0c120dbf4497314046742f2cb6dbd4be704d\u0022, \u0022http_host_hash\u0022: \u0022c9908f9a31aefa5902e21ee9fa132cbe056c536d\u0022, \u0022http_target_hash\u0022: \u00224c0ec463418ad15ed168b07340f8c568be1fd3ef\u0022, \u0022http_referer_hash\u0022: \u00227c774392df25c0990a337dc8b862b783cd881b51\u0022, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, 
\u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 320, \u0022payload_entropy\u0022: 5.430985715504859, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 55, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e215b4d2ac4e9220e2a64a6b4202e441ba797d24\u0022, \u0022event_fingerprint\u0022: \u002209cdac080a616c4a43f764ad7ae1dfb561967488\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022, \u0022pat-0748\u0022, \u0022pat-0341\u0022, \u0022pat-0606\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022, \u0022Sigma adminer\u0022, \u0022ES admin GET\u0022, \u0022ActiveMQ console\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022, 
\u0022pat-0748\u0022, \u0022pat-0341\u0022, \u0022pat-0606\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 55, \u0022correlation_boost\u0022: 19}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022a59685e43b0ef4fb9f3e6765d2231094\u0022, \u0022payload_hash\u0022: \u0022024ca74ba19cb0cfeb775f5cdd95d476\u0022, \u0022path_pattern_hash\u0022: \u00227c732b4d744fce86cfbfc82b8c70011c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 55}, \u0022payload_preview\u0022: \u0022GET \/adminer.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/1\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/adminer.php\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/adminer.php HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/adminer.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; 
rv:126.0) Gecko\/20100101 Firefox\/126.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding:\u0022, \u0022payload_snippet\u0022: \u0022GET \/adminer.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/1\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/adminer.php\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/adminer.php HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/adminer.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding:\u0022, \u0022payload_snippet\u0022: \u0022GET \/adminer.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/1\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225c9a0c8c734c9faa80c60bd8d92493c61f935c00\u0022, 
\u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/adminer.php\u0022, \u0022request_line\u0022: \u0022GET \/adminer.php HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/adminer.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/1\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/adminer.php\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 55, \u0022correlation_boost\u0022: 19}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, 
\u0022risk_score\u0022: 55, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +19\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/adminer.php\u0022, \u0022request_line\u0022: \u0022GET \/adminer.php HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/adminer.php\u0022, \u0022evidence_snippet\u0022: \u0022GET \/adminer.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) 
Gecko\/20100101 Firefox\/1\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +19 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, 
\u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 19, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_adminer\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8080","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0","http_referer":"https:\/\/www.bing.com\/","tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_adminer\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":9,"bytes_in":320},{"id":9231277,"ip":"111.228.50.25","ts":"2026-06-15 15:35:00.000000","proto":"tcp","src_port":50446,"dst_port":8080,"service":"http","classification":"port_scan_syn","waf_score":35,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, 
\u0022950470:nosqli-3\u0022, \u0022950612:spring-actuator\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/actuator\/env","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 81, \u0022http_header_count\u0022: 7, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00222de5c12e398bc6e09d9f64dfa317a27082e393cf\u0022, \u0022http_host_hash\u0022: \u0022c9908f9a31aefa5902e21ee9fa132cbe056c536d\u0022, \u0022http_target_hash\u0022: \u0022e32661bb9cbe8cb5f3660b341b6704d87fd4cb7c\u0022, \u0022http_referer_hash\u0022: \u0022d7b3438d97f335e612a566a731eea5acb8fe83c8\u0022, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 259, \u0022payload_entropy\u0022: 5.2385147829663525, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 62, \u0022tag_count\u0022: 13, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: 
\u00228d0b0054a277ec814eced141d1e71e43ffcde084\u0022, \u0022event_fingerprint\u0022: \u0022ef38e6702d2d417e3af70a803787f267c898a4f8\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022, \u0022pat-0751\u0022, \u0022pat-0103\u0022, \u0022pat-0232\u0022, \u0022pat-0233\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022, \u0022ET actuator env\u0022, \u0022LFI Double-dot bypass\u0022, \u0022Probe \/actuator\u0022, \u0022Probe \/actuator\/env\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022, \u0022pat-0751\u0022, \u0022pat-0103\u0022, \u0022pat-0232\u0022, \u0022pat-0233\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 62, \u0022correlation_boost\u0022: 19}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002207d1d539047ef01990ffd8266d015775\u0022, \u0022payload_hash\u0022: 
\u00228691dbbf581c393fbb744b441b67bfe3\u0022, \u0022path_pattern_hash\u0022: \u002252616ac7327902d5e53f2c0d3ea46564\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 62}, \u0022payload_preview\u0022: \u0022GET \/actuator\/env HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/x\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/actuator\/env\u0022, \u0022user_agent\u0022: \u0022curl\/8.5.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950612:spring-actuator\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022spring-actuator\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/actuator\/env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/actuator\/env HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: identity\\r\\nReferer: https:\/\/github.com\/\\r\\nConnection: close\\r\u0022, \u0022payload_snippet\u0022: \u0022GET \/actuator\/env HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/x\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/actuator\/env\u0022, \u0022user_agent\u0022: \u0022curl\/8.5.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950612:spring-actuator\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, 
\u0022spring-actuator\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/actuator\/env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/actuator\/env HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: identity\\r\\nReferer: https:\/\/github.com\/\\r\\nConnection: close\\r\u0022, \u0022payload_snippet\u0022: \u0022GET \/actuator\/env HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/x\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f4bc5ad807a9470cc65e0f93af6765c7c0a64295\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/actuator\/env\u0022, \u0022request_line\u0022: \u0022GET \/actuator\/env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/8.5.0\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/actuator\/env HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/x\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/actuator\/env\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, 
\u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 62, \u0022correlation_boost\u0022: 19}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 62, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: 
\u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +19\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/actuator\/env\u0022, \u0022request_line\u0022: \u0022GET \/actuator\/env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/8.5.0\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/actuator\/env\u0022, \u0022evidence_snippet\u0022: \u0022GET \/actuator\/env HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/x\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +19 \u00b7 6 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative 
d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, 
\u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 19, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950612:spring-actuator\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_actuator_probe\u0022, \u0022http_actuator_spring_probe\u0022, \u0022http_probe_actuator\u0022, \u0022http_sensitive_path\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8080","http_user_agent":"curl\/8.5.0","http_referer":"https:\/\/github.com\/","tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950612:spring-actuator\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_actuator_probe\u0022, \u0022http_actuator_spring_probe\u0022, \u0022http_probe_actuator\u0022, \u0022http_sensitive_path\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":10,"bytes_in":259},{"id":9231279,"ip":"111.228.50.25","ts":"2026-06-15 15:35:00.000000","proto":"tcp","src_port":50478,"dst_port":8080,"service":"http","classification":"port_scan_syn","waf_score":25,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950614:phpinfo\u0022]","http_method":"GET","http_target":"\/phpinfo.php","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 81, 
\u0022http_header_count\u0022: 7, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: \u00226bbf2729b77d83a6b06d37536b29c49acc003ee1\u0022, \u0022http_host_hash\u0022: \u0022c9908f9a31aefa5902e21ee9fa132cbe056c536d\u0022, \u0022http_target_hash\u0022: \u00221808fe5d8b86eb029606d3db28531c6ec6a82fb5\u0022, \u0022http_referer_hash\u0022: \u00227c774392df25c0990a337dc8b862b783cd881b51\u0022, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 331, \u0022payload_entropy\u0022: 5.397227598357327, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 61, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f4884dcfa398e40a6f436223e395b7070efa8776\u0022, \u0022event_fingerprint\u0022: \u0022f03544bb1918115eef342dba9dc6ee2f62700e16\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, 
\u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 61, \u0022correlation_boost\u0022: 19}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022270d0df155109110f4b8961ca727937c\u0022, \u0022payload_hash\u0022: \u00228f871656abe480bd73c45d4a6a301f71\u0022, \u0022path_pattern_hash\u0022: \u0022a405682e93a85e32d41b3615cc2d6365\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 61}, \u0022payload_preview\u0022: \u0022GET \/phpinfo.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 \u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/phpinfo.php\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, 
\u0022950470:nosqli-3\u0022, \u0022950614:phpinfo\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022phpinfo\u0022], \u0022request_line\u0022: \u0022GET \/phpinfo.php HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/phpinfo.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccep\u0022, \u0022payload_snippet\u0022: \u0022GET \/phpinfo.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/phpinfo.php\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950614:phpinfo\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022phpinfo\u0022], \u0022request_line\u0022: \u0022GET \/phpinfo.php HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/phpinfo.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccep\u0022, \u0022payload_snippet\u0022: \u0022GET \/phpinfo.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], 
\u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f627472d1d1ffae69bf1fce6416c8a0c2c996e4c\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/phpinfo.php\u0022, \u0022request_line\u0022: \u0022GET \/phpinfo.php HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/phpinfo.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/phpinfo.php\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, 
\u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 61, \u0022correlation_boost\u0022: 19}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 61, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +19\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/phpinfo.php\u0022, \u0022request_line\u0022: \u0022GET \/phpinfo.php HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15\u0022, \u0022port\u0022: 8080, 
\u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/phpinfo.php\u0022, \u0022evidence_snippet\u0022: \u0022GET \/phpinfo.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +19 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: 
\u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 19, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950614:phpinfo\u0022, \u0022http_probe_phpinfo\u0022, \u0022http_sensitive_path\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8080","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 
Safari\/605.1.15","http_referer":"https:\/\/www.bing.com\/","tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950614:phpinfo\u0022, \u0022http_probe_phpinfo\u0022, \u0022http_sensitive_path\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":331},{"id":9231266,"ip":"111.228.50.25","ts":"2026-06-15 15:34:59.000000","proto":"tcp","src_port":50452,"dst_port":8080,"service":"http","classification":"port_scan_syn","waf_score":30,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/.env","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 81, \u0022http_header_count\u0022: 7, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u00222de5c12e398bc6e09d9f64dfa317a27082e393cf\u0022, \u0022http_host_hash\u0022: \u0022c9908f9a31aefa5902e21ee9fa132cbe056c536d\u0022, \u0022http_target_hash\u0022: \u00229ee0d3f55b39072ba6bec6203d26e470be80afdc\u0022, \u0022http_referer_hash\u0022: \u0022d7b3438d97f335e612a566a731eea5acb8fe83c8\u0022, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 251, \u0022payload_entropy\u0022: 5.249301690546548, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 8080, 
\u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 62, \u0022tag_count\u0022: 11, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022d5c3948ec7b6dd317f7d8cc6a111ffee16187a19\u0022, \u0022event_fingerprint\u0022: \u00228a2fe31cf18283ee1184898bdb31081d3839d5a9\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022, \u0022pat-0103\u0022, \u0022pat-0191\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022, \u0022LFI Double-dot bypass\u0022, \u0022Probe \/.env\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022, \u0022pat-0103\u0022, \u0022pat-0191\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 62, \u0022correlation_boost\u0022: 19}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, 
\u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002207d1d539047ef01990ffd8266d015775\u0022, \u0022payload_hash\u0022: \u0022f8486f05fb345849ec8adf706fb839f5\u0022, \u0022path_pattern_hash\u0022: \u0022aef81e7735de8f42b73e111497498c8b\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 62}, \u0022payload_preview\u0022: \u0022GET \/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/.env\u0022, \u0022user_agent\u0022: \u0022curl\/8.5.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: identity\\r\\nReferer: https:\/\/github.com\/\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/.env\u0022, 
\u0022user_agent\u0022: \u0022curl\/8.5.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: identity\\r\\nReferer: https:\/\/github.com\/\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022dba5fe02aa02870686b09e5e8ecde5d042bf8e6c\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/.env\u0022, \u0022request_line\u0022: \u0022GET \/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/8.5.0\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: 
text\/html,application\/xhtml+xml,application\/xml;q=0.9\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/.env\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 62, \u0022correlation_boost\u0022: 19}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 62, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, 
\u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +19\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/.env\u0022, \u0022request_line\u0022: \u0022GET \/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/8.5.0\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/.env\u0022, \u0022evidence_snippet\u0022: \u0022GET \/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +19 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, 
{\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, 
\u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 19, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_env\u0022, \u0022http_sensitive_path\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8080","http_user_agent":"curl\/8.5.0","http_referer":"https:\/\/github.com\/","tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_env\u0022, \u0022http_sensitive_path\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":10,"bytes_in":251},{"id":9231267,"ip":"111.228.50.25","ts":"2026-06-15 15:34:59.000000","proto":"tcp","src_port":50466,"dst_port":8080,"service":"http","classification":"port_scan_syn","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/robots.txt","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: 
\u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d547970653a20746578742f706c61696e0d0a436f6e74656e742d4c656e6774683a2032340d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a557365722d6167656e743a202a0a446973616c6c6f77\u0022, \u0022emulator_response_len\u0022: 130, \u0022http_header_count\u0022: 7, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022txt\u0022, \u0022http_ua_hash\u0022: \u00226bbf2729b77d83a6b06d37536b29c49acc003ee1\u0022, \u0022http_host_hash\u0022: \u0022c9908f9a31aefa5902e21ee9fa132cbe056c536d\u0022, \u0022http_target_hash\u0022: \u0022b7a9adb9fec4116c29da690c45d9a67df535af9d\u0022, \u0022http_referer_hash\u0022: \u0022595c3cce2409a55c13076f1bac5edee529fc2e58\u0022, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 332, \u0022payload_entropy\u0022: 5.389588181228561, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229585a195073a27e014a113facb4d0d764adf6c54\u0022, \u0022event_fingerprint\u0022: \u0022cc2111032008d2e949a36a0b84b1737a64811bc7\u0022, 
\u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49, \u0022correlation_boost\u0022: 19}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022270d0df155109110f4b8961ca727937c\u0022, \u0022payload_hash\u0022: \u00223f016c506638e56c9271161fe0bcbc7d\u0022, \u0022path_pattern_hash\u0022: \u0022adada1317532a28bebf63fe6edbea3e4\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022GET \/robots.txt HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS 
X 14_5) AppleWebKit\/605.1.15 S\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/robots.txt\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/robots.txt HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/robots.txt HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept\u0022, \u0022payload_snippet\u0022: \u0022GET \/robots.txt HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 S\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/robots.txt\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/robots.txt HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/robots.txt HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept\u0022, \u0022payload_snippet\u0022: \u0022GET \/robots.txt HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) 
AppleWebKit\/605.1.15 S\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre\u0022: \u0022TA0043\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223546d31fdac342028b259149e29612249b2ae10d\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/robots.txt\u0022, \u0022request_line\u0022: \u0022GET \/robots.txt HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/robots.txt HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 S\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/robots.txt\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 49\/100 (Moyen) \u2014 MITRE TA0043 \u2014 confiance 69 % \u2014 via HTTP \u2014 
multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49, \u0022correlation_boost\u0022: 19}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0043\u0022, \u0022mitre_technique\u0022: \u0022TA0043\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +19\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/robots.txt\u0022, 
\u0022request_line\u0022: \u0022GET \/robots.txt HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/robots.txt\u0022, \u0022evidence_snippet\u0022: \u0022GET \/robots.txt HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 S\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +19 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, 
\u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 19, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8080","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 
14_5) AppleWebKit\/605.1.15 Safari\/605.1.15","http_referer":"https:\/\/www.google.com\/","tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":9,"bytes_in":332},{"id":9231268,"ip":"111.228.50.25","ts":"2026-06-15 15:34:59.000000","proto":"tcp","src_port":50464,"dst_port":8080,"service":"http","classification":"port_scan_syn","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/swagger-ui.html","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a203130390d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b226f70656e617069223a22332e30\u0022, \u0022emulator_response_len\u0022: 222, \u0022http_header_count\u0022: 7, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022html\u0022, \u0022http_ua_hash\u0022: \u002261b2fb88348adb0c454f69364a0bf16d1c9d26e5\u0022, \u0022http_host_hash\u0022: \u0022c9908f9a31aefa5902e21ee9fa132cbe056c536d\u0022, \u0022http_target_hash\u0022: \u00220f5514f1110c12d9d5c0456d07668449b644af86\u0022, \u0022http_referer_hash\u0022: \u0022d7b3438d97f335e612a566a731eea5acb8fe83c8\u0022, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 343, \u0022payload_entropy\u0022: 5.434705083022426, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 
84.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d0865531cc45c49f6541dfbf6b940906750493ec\u0022, \u0022event_fingerprint\u0022: \u0022f74f3faa9df699039279bdd97d947bb1c7a887e1\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022, \u0022pat-0752\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022, \u0022ET swagger ui\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022, \u0022pat-0752\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50, \u0022correlation_boost\u0022: 19}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, 
\u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022dbab6c4c65f4e975e43617cd246fbb8c\u0022, \u0022payload_hash\u0022: \u0022fdc2a14faff58a532f9c10ccabe1272f\u0022, \u0022path_pattern_hash\u0022: \u0022a22855a05d60774e49fb1f0a65374b33\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022GET \/swagger-ui.html HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 C\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/swagger-ui.html\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/swagger-ui.html HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/swagger-ui.html HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,e\u0022, \u0022payload_snippet\u0022: \u0022GET \/swagger-ui.html HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 C\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/swagger-ui.html\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 
Chrome\/125.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/swagger-ui.html HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/swagger-ui.html HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,e\u0022, \u0022payload_snippet\u0022: \u0022GET \/swagger-ui.html HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 C\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre\u0022: \u0022TA0043\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c8995d9a216a732283d40dd43f3e2332d28669f2\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/swagger-ui.html\u0022, \u0022request_line\u0022: \u0022GET \/swagger-ui.html HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/swagger-ui.html HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) 
AppleWebKit\/537.36 C\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/swagger-ui.html\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0043 \u2014 confiance 69 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50, \u0022correlation_boost\u0022: 19}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: 
\u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0043\u0022, \u0022mitre_technique\u0022: \u0022TA0043\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +19\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/swagger-ui.html\u0022, \u0022request_line\u0022: \u0022GET \/swagger-ui.html HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/swagger-ui.html\u0022, \u0022evidence_snippet\u0022: \u0022GET \/swagger-ui.html HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 C\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +19 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: 
\u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, 
\u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 19, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_swagger_probe\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8080","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36","http_referer":"https:\/\/github.com\/","tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_swagger_probe\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":9,"bytes_in":343},{"id":9231269,"ip":"111.228.50.25","ts":"2026-06-15 15:34:59.000000","proto":"tcp","src_port":50432,"dst_port":8080,"service":"http","classification":"port_scan_syn","waf_score":36,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/.git\/HEAD","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 81, \u0022http_header_count\u0022: 7, \u0022http_query_params\u0022: 
0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022git\/head\u0022, \u0022http_ua_hash\u0022: \u00222de5c12e398bc6e09d9f64dfa317a27082e393cf\u0022, \u0022http_host_hash\u0022: \u0022c9908f9a31aefa5902e21ee9fa132cbe056c536d\u0022, \u0022http_target_hash\u0022: \u0022a5bdb37ad3aa5fc1e8e58237e6cb768f00ae6952\u0022, \u0022http_referer_hash\u0022: \u0022595c3cce2409a55c13076f1bac5edee529fc2e58\u0022, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 260, \u0022payload_entropy\u0022: 5.262131030836888, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 62, \u0022tag_count\u0022: 13, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u002246d260f9212610a0792848a49aa653bdf7aa196a\u0022, \u0022event_fingerprint\u0022: \u0022be061d8c429761f92ac3224a5514c3305981fe0a\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], 
\u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022, \u0022pat-0749\u0022, \u0022pat-0103\u0022, \u0022pat-0197\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022, \u0022ET .git HEAD\u0022, \u0022LFI Double-dot bypass\u0022, \u0022Probe \/.git\/HEAD\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022, \u0022pat-0749\u0022, \u0022pat-0103\u0022, \u0022pat-0197\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 62, \u0022correlation_boost\u0022: 19}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002207d1d539047ef01990ffd8266d015775\u0022, \u0022payload_hash\u0022: \u0022be8ff0944692955f9ca8f4ce8ea71042\u0022, \u0022path_pattern_hash\u0022: \u0022353579f4025217f1143d65b4213aaffa\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 62}, \u0022payload_preview\u0022: \u0022GET \/.git\/HEAD HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/.git\/HEAD\u0022, \u0022user_agent\u0022: 
\u0022curl\/8.5.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/.git\/HEAD HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/.git\/HEAD HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: identity\\r\\nReferer: https:\/\/www.google.com\/\\r\\nConnection: close\u0022, \u0022payload_snippet\u0022: \u0022GET \/.git\/HEAD HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/.git\/HEAD\u0022, \u0022user_agent\u0022: \u0022curl\/8.5.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/.git\/HEAD HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/.git\/HEAD HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: identity\\r\\nReferer: https:\/\/www.google.com\/\\r\\nConnection: close\u0022, \u0022payload_snippet\u0022: \u0022GET \/.git\/HEAD HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: 
text\/html,application\/xhtml+xml,application\/xml;\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ecdd241bd8e26d6aadb24e91539d9d377858cc0b\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/.git\/HEAD\u0022, \u0022request_line\u0022: \u0022GET \/.git\/HEAD HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/8.5.0\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/.git\/HEAD HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/.git\/HEAD\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, 
\u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 62, \u0022correlation_boost\u0022: 19}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 62, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +19\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/.git\/HEAD\u0022, \u0022request_line\u0022: \u0022GET \/.git\/HEAD 
HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/8.5.0\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/.git\/HEAD\u0022, \u0022evidence_snippet\u0022: \u0022GET \/.git\/HEAD HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: curl\/8.5.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +19 \u00b7 6 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: 
{\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 19, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_probe_git\u0022, \u0022http_sensitive_path\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, 
\u0022scanner-ua\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8080","http_user_agent":"curl\/8.5.0","http_referer":"https:\/\/www.google.com\/","tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_probe_git\u0022, \u0022http_sensitive_path\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":10,"bytes_in":260},{"id":9231191,"ip":"111.228.50.25","ts":"2026-06-15 15:34:52.000000","proto":"tcp","src_port":47654,"dst_port":6443,"service":"k8s-api","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75\u0022, \u0022emulator_response_len\u0022: 165, \u0022bytes_in\u0022: 337, \u0022payload_entropy\u0022: 5.442776054317185, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022k8s-api\u0022, \u0022app_proto\u0022: \u0022k8s-api\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 6443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 6.3, \u0022risk_breakdown\u0022: 
{\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 51, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224a93419bdcb4d88bb916015b5c8a5423889f275f\u0022, \u0022event_fingerprint\u0022: \u00221eeecffdeefbfbad05a3604bc614efa2174b97bf\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 318, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 51, \u0022correlation_boost\u0022: 23}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: 
\u002284f1fca562cff61c02cf3b9f31c09ae5\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_score\u0022: 51}, \u0022payload_preview\u0022: \u0022GET \/.git\/HEAD HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/\u0022, \u0022request_sample\u0022: \u0022GET \/.git\/HEAD HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.\u0022, \u0022payload_snippet\u0022: \u0022GET \/.git\/HEAD HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/.git\/HEAD HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.\u0022, \u0022payload_snippet\u0022: \u0022GET \/.git\/HEAD HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: 
\u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002220f394f534a5bb85ce0868b4a907ed0e1930ad36\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/.git\/HEAD HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/.git\/HEAD HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 51, \u0022correlation_boost\u0022: 23}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, 
\u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 51, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022, \u0022dst_port\u0022: 6443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +23\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/.git\/HEAD HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/.git\/HEAD HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 
(Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022k8s_api\u0022, \u0022service_banner\u0022: \u0022honeypot-k8s-api\u0022, 
\u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 16, \u0022scan_velocity_ports_per_s\u0022: 3.33, \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 23, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":337},{"id":9231180,"ip":"111.228.50.25","ts":"2026-06-15 
15:34:51.000000","proto":"tcp","src_port":47656,"dst_port":6443,"service":"k8s-api","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75\u0022, \u0022emulator_response_len\u0022: 165, \u0022bytes_in\u0022: 334, \u0022payload_entropy\u0022: 5.400552178123538, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022k8s-api\u0022, \u0022app_proto\u0022: \u0022k8s-api\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 6443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 6.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 51, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00222f4101ce0bf8475e1a5dd4d5b951811b52e0a1d0\u0022, \u0022event_fingerprint\u0022: \u00221eeecffdeefbfbad05a3604bc614efa2174b97bf\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 318, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, 
\u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 51, \u0022correlation_boost\u0022: 23}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002286c73fcad2162a14f4d25f3003ffc98c\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_score\u0022: 51}, \u0022payload_preview\u0022: \u0022GET \/actuator\/env HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15\u0022, \u0022request_sample\u0022: \u0022GET \/actuator\/env HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15\\r\\nAccept: 
text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAcce\u0022, \u0022payload_snippet\u0022: \u0022GET \/actuator\/env HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/actuator\/env HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAcce\u0022, \u0022payload_snippet\u0022: \u0022GET \/actuator\/env HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227f90871301f8662d72a573b5a152feb7317e7699\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/actuator\/env HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/actuator\/env HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15\u0022, 
\u0022attack_vector\u0022: \u0022port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 7 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 51, \u0022correlation_boost\u0022: 23}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 51, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022, \u0022dst_port\u0022: 6443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, 
\u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +23\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/actuator\/env HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/actuator\/env HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 7 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: 
\u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022k8s_api\u0022, \u0022service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 19, \u0022scan_velocity_ports_per_s\u0022: 3.93, \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], 
\u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 23, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_port_scan_fast\u0022, \u0022tor_exit_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_port_scan_fast\u0022, \u0022tor_exit_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":334},{"id":9231181,"ip":"111.228.50.25","ts":"2026-06-15 15:34:51.000000","proto":"tcp","src_port":47670,"dst_port":6443,"service":"k8s-api","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a203130390d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b226f70656e617069223a22332e30\u0022, \u0022emulator_response_len\u0022: 222, \u0022bytes_in\u0022: 345, \u0022payload_entropy\u0022: 
5.437850323046344, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022k8s-api\u0022, \u0022app_proto\u0022: \u0022k8s-api\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 6443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 6.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 51, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224a93419bdcb4d88bb916015b5c8a5423889f275f\u0022, \u0022event_fingerprint\u0022: \u00221eeecffdeefbfbad05a3604bc614efa2174b97bf\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 318, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, 
\u0022risk_score\u0022: 51, \u0022correlation_boost\u0022: 23}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00220c943a31a44f28d29a4dfe7d34d4b1eb\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_score\u0022: 51}, \u0022payload_preview\u0022: \u0022GET \/swagger-ui.html HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 C\u0022, \u0022request_sample\u0022: \u0022GET \/swagger-ui.html HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,e\u0022, \u0022payload_snippet\u0022: \u0022GET \/swagger-ui.html HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 C\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/swagger-ui.html HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,e\u0022, \u0022payload_snippet\u0022: \u0022GET \/swagger-ui.html 
HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 C\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229b20c2ee22e3a980a77125f2309fdd2168e24fcb\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/swagger-ui.html HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 C\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/swagger-ui.html HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 C\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE 
T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 51, \u0022correlation_boost\u0022: 23}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 51, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022, \u0022dst_port\u0022: 6443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation 
+23\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/swagger-ui.html HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 C\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/swagger-ui.html HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 C\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, 
\u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022k8s_api\u0022, \u0022service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 19, \u0022scan_velocity_ports_per_s\u0022: 3.92, \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 23, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, 
\u0022mozi_pattern\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":345},{"id":9231183,"ip":"111.228.50.25","ts":"2026-06-15 15:34:51.000000","proto":"tcp","src_port":47676,"dst_port":6443,"service":"k8s-api","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75\u0022, \u0022emulator_response_len\u0022: 165, \u0022bytes_in\u0022: 339, \u0022payload_entropy\u0022: 5.418629300133763, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022k8s-api\u0022, \u0022app_proto\u0022: \u0022k8s-api\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 6443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 6.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 51, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, 
\u0022campaign_key\u0022: \u00224a93419bdcb4d88bb916015b5c8a5423889f275f\u0022, \u0022event_fingerprint\u0022: \u00221eeecffdeefbfbad05a3604bc614efa2174b97bf\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 318, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 51, \u0022correlation_boost\u0022: 23}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00220b689c37e2caf2bcfb922b3fd2de2562\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, 
\u0022risk_score\u0022: 51}, \u0022payload_preview\u0022: \u0022GET \/phpinfo.php HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrom\u0022, \u0022request_sample\u0022: \u0022GET \/phpinfo.php HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=\u0022, \u0022payload_snippet\u0022: \u0022GET \/phpinfo.php HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrom\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/phpinfo.php HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=\u0022, \u0022payload_snippet\u0022: \u0022GET \/phpinfo.php HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrom\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022933897bc4a3fbfcb614fd307841d5afe2a09c16a\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/phpinfo.php HTTP\/1.1\\r\\nHost: 
62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrom\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/phpinfo.php HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrom\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 51, \u0022correlation_boost\u0022: 23}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 51, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022, \u0022dst_port\u0022: 6443, 
\u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +23\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/phpinfo.php HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrom\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/phpinfo.php HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrom\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, 
\u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022k8s_api\u0022, \u0022service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, 
\u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 19, \u0022scan_velocity_ports_per_s\u0022: 3.87, \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 23, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":339},{"id":9231178,"ip":"111.228.50.25","ts":"2026-06-15 15:34:50.000000","proto":"tcp","src_port":47638,"dst_port":6443,"service":"k8s-api","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: 
\u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d547970653a20746578742f706c61696e0d0a436f6e74656e742d4c656e6774683a2032340d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a557365722d6167656e743a202a0a446973616c6c6f77\u0022, \u0022emulator_response_len\u0022: 130, \u0022bytes_in\u0022: 319, \u0022payload_entropy\u0022: 5.438904132240789, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022k8s-api\u0022, \u0022app_proto\u0022: \u0022k8s-api\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 6443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 6.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 51, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224a93419bdcb4d88bb916015b5c8a5423889f275f\u0022, \u0022event_fingerprint\u0022: \u00221eeecffdeefbfbad05a3604bc614efa2174b97bf\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 318, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], 
\u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 51, \u0022correlation_boost\u0022: 23}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022669bb47d380e8c7be67f6678b116ef0a\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_score\u0022: 51}, \u0022payload_preview\u0022: \u0022GET \/robots.txt HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/12\u0022, \u0022request_sample\u0022: \u0022GET \/robots.txt HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: \u0022, \u0022payload_snippet\u0022: \u0022GET \/robots.txt HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/12\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: 
\u0022GET \/robots.txt HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: \u0022, \u0022payload_snippet\u0022: \u0022GET \/robots.txt HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/12\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d9f61f475a9142c847ad1b3d1ca927725b29a194\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/robots.txt HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/12\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/robots.txt HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/12\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, 
\u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 51, \u0022correlation_boost\u0022: 23}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 51, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022, \u0022dst_port\u0022: 6443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, 
\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +23\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/robots.txt HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/12\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/robots.txt HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/12\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: 
\u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022k8s_api\u0022, \u0022service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 19, \u0022scan_velocity_ports_per_s\u0022: 3.96, \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, 
\u0022rapid_port_scan\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 23, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":319},{"id":9231179,"ip":"111.228.50.25","ts":"2026-06-15 15:34:50.000000","proto":"tcp","src_port":47646,"dst_port":6443,"service":"k8s-api","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75\u0022, \u0022emulator_response_len\u0022: 165, \u0022bytes_in\u0022: 336, \u0022payload_entropy\u0022: 5.426377878419762, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022k8s-api\u0022, \u0022app_proto\u0022: \u0022k8s-api\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 6443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 
0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 6.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 51, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224a93419bdcb4d88bb916015b5c8a5423889f275f\u0022, \u0022event_fingerprint\u0022: \u00221eeecffdeefbfbad05a3604bc614efa2174b97bf\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 318, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 51, \u0022correlation_boost\u0022: 23}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, 
\u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002293db331e822c77d8e8c7da71fe43e690\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_score\u0022: 51}, \u0022payload_preview\u0022: \u0022GET \/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0\u0022, \u0022request_sample\u0022: \u0022GET \/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAc\u0022, \u0022payload_snippet\u0022: \u0022GET \/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAc\u0022, \u0022payload_snippet\u0022: \u0022GET \/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: 
[\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002254977dd415b6fa1e7c54eebf5eaa3f98a102b7a1\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 51, \u0022correlation_boost\u0022: 23}, \u0022attack_stage\u0022: \u0022recon\u0022, 
\u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 51, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022, \u0022dst_port\u0022: 6443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +23\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)\u0022, 
\u0022evidence_snippet\u0022: \u0022GET \/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, 
\u0022service_role\u0022: \u0022k8s_api\u0022, \u0022service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 19, \u0022scan_velocity_ports_per_s\u0022: 3.95, \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 23, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022mozi_pattern\u0022, 
\u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":336},{"id":9231144,"ip":"111.228.50.25","ts":"2026-06-15 15:34:48.000000","proto":"tcp","src_port":45596,"dst_port":15672,"service":"http","classification":"port_scan_syn","waf_score":10,"waf_tags":"[\u0022950468:nosqli-3\u0022, \u0022950600:k8s-api\u0022]","http_method":"GET","http_target":"\/api\/overview","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00220991dad1e85d945fa26d249d6238901b89cb8349\u0022, \u0022http_target_hash\u0022: \u00221d611ed6b1ee0513f83afa61908355db8590a6fa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 67, \u0022payload_entropy\u0022: 4.7319984742599495, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 15672, \u0022risk_waf\u0022: 48.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 48.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, 
\u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 43, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002202457b60ea4e231bf6dfea74b5769c0df5619c40\u0022, \u0022event_fingerprint\u0022: \u0022000124bc4ef1e76abe7a49c220e988254f50bfc9\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: nosqli-3, k8s-api \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 48.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 43, \u0022correlation_boost\u0022: 23}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d8000b7777cba58b24f042676846c7bc\u0022, \u0022path_pattern_hash\u0022: \u0022f895a1ea84208a736ab1400709f45619\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 15672, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 43}, \u0022payload_preview\u0022: \u0022GET \/api\/overview HTTP\/1.1\\r\\nHost: 62.3.50.33\\r\\nConnection: close\\r\\n\\r\\n\u0022, 
\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/api\/overview\u0022, \u0022waf_tags\u0022: [\u0022950468:nosqli-3\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022GET \/api\/overview HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/api\/overview HTTP\/1.1\\r\\nHost: 62.3.50.33\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/overview HTTP\/1.1\\r\\nHost: 62.3.50.33\\r\\nConnection: close\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/api\/overview\u0022, \u0022waf_tags\u0022: [\u0022950468:nosqli-3\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022GET \/api\/overview HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/api\/overview HTTP\/1.1\\r\\nHost: 62.3.50.33\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/overview HTTP\/1.1\\r\\nHost: 62.3.50.33\\r\\nConnection: close\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: nosqli-3, k8s-api \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221248cde5f051a5665f410ee7f26188688249bb94\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/api\/overview\u0022, \u0022request_line\u0022: \u0022GET \/api\/overview HTTP\/1.1\u0022, \u0022port\u0022: 15672, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: 
\u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/api\/overview HTTP\/1.1\\r\\nHost: 62.3.50.33\\r\\nConnection: close\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:15672 \u00b7 (reconnaissance) \u00b7 \u2192 \/api\/overview\u0022, \u0022target_port_label\u0022: \u002215672 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Tags WAF: nosqli-3, k8s-api \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Tags WAF: nosqli-3, k8s-api \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 48.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 43, \u0022correlation_boost\u0022: 23}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 43, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 15672, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 
60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +23\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/api\/overview\u0022, \u0022request_line\u0022: \u0022GET \/api\/overview HTTP\/1.1\u0022, \u0022port\u0022: 15672, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:15672 \u00b7 (reconnaissance) \u00b7 \u2192 \/api\/overview\u0022, \u0022evidence_snippet\u0022: \u0022GET \/api\/overview HTTP\/1.1\\r\\nHost: 62.3.50.33\\r\\nConnection: close\u0022, \u0022target_port_label\u0022: \u002215672 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 48 \u00b7 Bonus corr\u00e9lation +23 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: 
\u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002215672\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 20, \u0022scan_velocity_ports_per_s\u0022: 5.95, \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: 
true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 23, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950468:nosqli-3\u0022, \u0022950600:k8s-api\u0022, \u0022http_no_ua\u0022, \u0022http_probe_api\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33","http_user_agent":null,"http_referer":null,"tags":"[\u0022950468:nosqli-3\u0022, \u0022950600:k8s-api\u0022, \u0022http_no_ua\u0022, \u0022http_probe_api\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":5,"bytes_in":67},{"id":9231145,"ip":"111.228.50.25","ts":"2026-06-15 15:34:48.000000","proto":"tcp","src_port":57886,"dst_port":5672,"service":"amqp","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022414d515000000901010000000000000e000a000b000000000000000000\u0022, \u0022emulator_response_len\u0022: 29, \u0022bytes_in\u0022: 8, \u0022payload_entropy\u0022: 2.75, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022amqp\u0022, \u0022app_proto\u0022: \u0022amqp\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 5672, 
\u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c1aa8bce132164e102c58afac0b2979156bed4b3\u0022, \u0022event_fingerprint\u0022: \u002272ebc770e2cb1f40c3f18b5b4bc5c4fa513f5b29\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 318, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0371\u0022, \u0022pat-0537\u0022], \u0022matched_pattern_names\u0022: [\u0022AMQP protocol\u0022, \u0022AMQP protocol header\u0022], \u0022pattern_ids\u0022: [\u0022pat-0371\u0022, \u0022pat-0537\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 23}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022amqp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, 
\u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022bc2f502576523902588d3c36f36ea5a1\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5672, \u0022service\u0022: \u0022amqp\u0022, \u0022service_name\u0022: \u0022amqp\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022AMQP\\u0000\\u0000\\t\\u0001\u0022, \u0022request_sample\u0022: \u0022AMQP\\u0000\\u0000\\t\\u0001\u0022, \u0022payload_snippet\u0022: \u0022AMQP\\u0000\\u0000\\t\\u0001\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022AMQP\\u0000\\u0000\\t\\u0001\u0022, \u0022payload_snippet\u0022: \u0022AMQP\\u0000\\u0000\\t\\u0001\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222a821aea75eb0f582f0d612305103cb4c3a8ea7d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022AMQP\\u0000\\u0000\\t\\u0001\u0022, \u0022port\u0022: 5672, \u0022service\u0022: \u0022amqp\u0022, \u0022service_label_fr\u0022: \u0022AMQP\u0022}, \u0022evidence_snippet\u0022: \u0022AMQP\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via AMQP:5672 \u00b7 (reconnaissance)\u0022, 
\u0022target_port_label\u0022: \u00225672 \u00b7 AMQP\u0022, \u0022emulator_service\u0022: \u0022amqp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via AMQP \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 23}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022amqp\u0022, \u0022service_label_fr\u0022: \u0022AMQP\u0022, \u0022dst_port\u0022: 5672, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, 
\u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-amqp\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +23\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022AMQP\\u0000\\u0000\\t\\u0001\u0022, \u0022port\u0022: 5672, \u0022service\u0022: \u0022amqp\u0022, \u0022service_label_fr\u0022: \u0022AMQP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via AMQP:5672 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022AMQP\u0022, \u0022target_port_label\u0022: \u00225672 \u00b7 AMQP\u0022, \u0022emulator_service\u0022: \u0022amqp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: 
\u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022amqp\u0022, \u0022service_banner\u0022: \u0022honeypot-amqp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225672\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 21, \u0022scan_velocity_ports_per_s\u0022: 6.21, \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, 
\u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 23, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022amqp_emulated\u0022, \u0022amqp_handshake\u0022, \u0022net_port_scan_fast\u0022, \u0022rabbitmq_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022amqp_emulated\u0022, \u0022amqp_handshake\u0022, \u0022net_port_scan_fast\u0022, \u0022rabbitmq_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":8},{"id":9231146,"ip":"111.228.50.25","ts":"2026-06-15 15:34:48.000000","proto":"tcp","src_port":52028,"dst_port":9042,"service":"cassandra","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022840000000200000002\u0022, \u0022emulator_response_len\u0022: 9, \u0022bytes_in\u0022: 9, \u0022payload_entropy\u0022: 0.9864267287308424, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022cassandra\u0022, \u0022app_proto\u0022: \u0022cassandra\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 9042, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 2, 
\u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221003280d273727fcc08ab3d788c35acf5b6d718b\u0022, \u0022event_fingerprint\u0022: \u002226d8e48a1f6752aca7f9494557834abf00d18b90\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 318, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0768\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022Mumble ping\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0768\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 23}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022cassandra\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00225639e6990322230c72f701566cf7ac4b\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: 
{\u0022dst_port\u0022: 9042, \u0022service\u0022: \u0022cassandra\u0022, \u0022service_name\u0022: \u0022cassandra\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022\\u0004\\u0000\\u0000\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0004\\u0000\\u0000\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0000\\u0000\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0004\\u0000\\u0000\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0000\\u0000\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225f2880a370b7bd09eb820101cdd3f1e0b5d401c0\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0000\\u0000\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 9042, \u0022service\u0022: \u0022cassandra\u0022, \u0022service_label_fr\u0022: \u0022CASSANDRA\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via CASSANDRA:9042 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00229042 \u00b7 CASSANDRA\u0022, \u0022emulator_service\u0022: \u0022cassandra\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab 
port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via CASSANDRA \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 23}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022cassandra\u0022, \u0022service_label_fr\u0022: \u0022CASSANDRA\u0022, \u0022dst_port\u0022: 9042, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-cassandra\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], 
\u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +23\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0000\\u0000\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 9042, \u0022service\u0022: \u0022cassandra\u0022, \u0022service_label_fr\u0022: \u0022CASSANDRA\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via CASSANDRA:9042 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00229042 \u00b7 CASSANDRA\u0022, \u0022emulator_service\u0022: \u0022cassandra\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, 
\u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022cassandra\u0022, \u0022service_banner\u0022: \u0022honeypot-cassandra\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229042\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 22, \u0022scan_velocity_ports_per_s\u0022: 6.1, \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 23, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, 
\u0022tags_list\u0022: [\u0022cassandra_emulated\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022cassandra_emulated\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":9},{"id":9231147,"ip":"111.228.50.25","ts":"2026-06-15 15:34:48.000000","proto":"tcp","src_port":47768,"dst_port":8888,"service":"http","classification":"port_scan_syn","waf_score":3,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00220991dad1e85d945fa26d249d6238901b89cb8349\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 55, \u0022payload_entropy\u0022: 4.5038203952248335, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 8888, \u0022risk_waf\u0022: 20.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, 
\u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002205c58c5f19ad288de9a49d67ac759a6d356e63bd\u0022, \u0022event_fingerprint\u0022: \u002280f2aa9a52b555c26e5706a111edbf5b4c7d378f\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 318, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0599\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP alt 8888 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0599\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 23}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: 
{\u0022payload_hash\u0022: \u0022f0bf494803669a89021e5acd1315d539\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8888, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33\\r\\nConnection: close\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33\\r\\nConnection: close\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c0e2e654b48ad25a812ff07195dc9c3e3d2b3b94\u0022, 
\u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 8888, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33\\r\\nConnection: close\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8888 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00228888 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 1 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 23}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8888, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, 
\u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +23\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 8888, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8888 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33\\r\\nConnection: close\u0022, \u0022target_port_label\u0022: \u00228888 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 1 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +23 \u00b7 1 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, 
\u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228888\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 23, \u0022scan_velocity_ports_per_s\u0022: 6.37, 
\u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 23, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022http_no_ua\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33","http_user_agent":null,"http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022http_no_ua\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":55},{"id":9231153,"ip":"111.228.50.25","ts":"2026-06-15 15:34:48.000000","proto":"tcp","src_port":33734,"dst_port":9000,"service":"http","classification":"port_scan_syn","waf_score":3,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: 
\u00220991dad1e85d945fa26d249d6238901b89cb8349\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 55, \u0022payload_entropy\u0022: 4.5038203952248335, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 9000, \u0022risk_waf\u0022: 20.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002279c9e98c4c27e0b950e18ec690d012ad5320bb54\u0022, \u0022event_fingerprint\u0022: \u002223dd8620e82dd7d29b08cc2b43d4905facc7c62e\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 318, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 
20.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 23}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f0bf494803669a89021e5acd1315d539\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33\\r\\nConnection: close\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33\\r\\nConnection: 
close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33\\r\\nConnection: close\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225b9ff06348a58871af057ab6650740f350ee036a\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 9000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33\\r\\nConnection: close\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:9000 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00229000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 1 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 64.0, 
\u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 23}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +23\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 9000, \u0022service\u0022: \u0022http\u0022, 
\u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:9000 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33\\r\\nConnection: close\u0022, \u0022target_port_label\u0022: \u00229000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 1 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +23 \u00b7 1 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: 
\u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 27, \u0022scan_velocity_ports_per_s\u0022: 7.01, \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 23, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022http_no_ua\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33","http_user_agent":null,"http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022http_no_ua\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":55},{"id":9231129,"ip":"111.228.50.25","ts":"2026-06-15 
15:34:47.000000","proto":"tcp","src_port":57214,"dst_port":8443,"service":"https","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 517, \u0022payload_entropy\u0022: 3.912838995408163, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 8443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002282e7005f91727a126e0d4c319fff2fcb94ce35d5\u0022, \u0022event_fingerprint\u0022: \u0022ebbf50493a5cd01037444d3e811aea60318e67dd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 318, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, 
\u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0554\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022Minecraft varint handshake\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0554\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 23}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002204c9bfccc2e564d09abaf49c5c902120\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 42}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\\u0019Q\\u0000\u0027\\u0011\u0027\ufffd\ufffd\ufffd\\u0005\\f\u003C8\\u000b\ufffd\ufffd\u0027b\\u001a7o\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdOz\u04f4 \ufffd%\ufffdqH\ufffdu\ufffd\\u000b\ufffd!\ufffd\ufffd\ufffdt!\ufffdX\ufffd, 
o\ufffdR\ufffd92\ufffd\u003E\ufffd\ufffd\\u0000\u003E\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\\u0000\ufffd\ufffd$\ufffd(\\u0000k\ufffd#\ufffd\u0027\\u0000g\ufffd\\n\ufffd\\u0014\\u00009\ufffd\\t\ufffd\\u0013\\u00003\\u0000\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\\u0019Q\\u0000\u0027\\u0011\u0027\ufffd\ufffd\ufffd\\u0005\\f\u003C8\\u000b\ufffd\ufffd\u0027b\\u001a7o\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdOz\u04f4 \ufffd%\ufffdqH\ufffdu\ufffd\\u000b\ufffd!\ufffd\ufffd\ufffdt!\ufffdX\ufffd, o\ufffdR\ufffd92\ufffd\u003E\ufffd\ufffd\\u0000\u003E\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\\u0000\ufffd\ufffd$\ufffd(\\u0000k\ufffd#\ufffd\u0027\\u0000g\ufffd\\n\ufffd\\u0014\\u00009\ufffd\\t\ufffd\\u0013\\u00003\\u0000\ufffd\\u0000\ufffd\\u0000=\\u0000\u003C\\u00005\\u0000\/\\u0000\ufffd\\u0001\\u0000\\u0001u\\u0000\\u000b\\u0000\\u0004\\u0003\\u0000\\u0001\\u0002\\u0000\\n\\u0000\\u0016\\u0000\\u0014\\u0000\\u001d\\u0000\\u0017\\u0000\\u001e\\u0000\\u0019\\u0000\\u0018\\u0001\\u0000\\u0001\\u0001\\u0001\\u0002\\u0001\\u0003\\u0001\\u0004\\u0000#\\u0000\\u0000\\u0000\\u0016\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\r\\u0000*\\u0000(\\u0004\\u0003\\u0005\\u0003\\u0006\\u0003\\b\\u0007\\b\\b\\b\\t\\b\\n\\b\\u000b\\b\\u0004\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0003\\u0003\\u0003\\u0001\\u0003\\u0002\\u0004\\u0002\\u0005\\u0002\\u0006\\u0002\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u0000-\\u0000\\u0002\\u0001\\u0001\\u00003\\u0000\u0026\\u0000\u0022, \u0022payload_snippet\u0022: 
\u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\\u0019Q\\u0000\u0027\\u0011\u0027\ufffd\ufffd\ufffd\\u0005\\f\u003C8\\u000b\ufffd\ufffd\u0027b\\u001a7o\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdOz\u04f4 \ufffd%\ufffdqH\ufffdu\ufffd\\u000b\ufffd!\ufffd\ufffd\ufffdt!\ufffdX\ufffd, o\ufffdR\ufffd92\ufffd\u003E\ufffd\ufffd\\u0000\u003E\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\\u0000\ufffd\ufffd$\ufffd(\\u0000k\ufffd#\ufffd\u0027\\u0000g\ufffd\\n\ufffd\\u0014\\u00009\ufffd\\t\ufffd\\u0013\\u00003\\u0000\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002257a2cbade2edc4fe27751f080c46b238009d4497\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\\u0019Q\\u0000\u0027\\u0011\u0027\ufffd\ufffd\ufffd\\u0005\\f\u003C8\\u000b\ufffd\ufffd\u0027b\\u001a7o\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdOz\u04f4 \ufffd%\ufffdqH\ufffdu\ufffd\\u000b\ufffd!\ufffd\ufffd\ufffdt!\ufffdX\ufffd, o\ufffdR\ufffd92\ufffd\u003E\ufffd\ufffd\\u0000\u003E\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\\u0000\ufffd\ufffd$\ufffd(\\u0000k\ufffd#\ufffd\u0027\\u0000g\ufffd\\n\ufffd\\u0014\\u00009\ufffd\\t\ufffd\\u0013\\u00003\\u0000\ufffd\u0022, \u0022port\u0022: 8443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: 
\u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdQ\u0027\u0027\ufffd\ufffd\ufffd\u003C8\ufffd\ufffd\u0027b7o\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdOz\u04f4 \ufffd%\ufffdqH\ufffdu\ufffd\ufffd!\ufffd\ufffd\ufffdt!\ufffdX\ufffd, o\ufffdR\ufffd92\ufffd\u003E\ufffd\ufffd\u003E\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd\u0027g\ufffd\\n\ufffd9\ufffd\\t\ufffd3\ufffd\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTPS:8443 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00228443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTPS \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 23}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 8443, 
\u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +23\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\\u0019Q\\u0000\u0027\\u0011\u0027\ufffd\ufffd\ufffd\\u0005\\f\u003C8\\u000b\ufffd\ufffd\u0027b\\u001a7o\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdOz\u04f4 \ufffd%\ufffdqH\ufffdu\ufffd\\u000b\ufffd!\ufffd\ufffd\ufffdt!\ufffdX\ufffd, o\ufffdR\ufffd92\ufffd\u003E\ufffd\ufffd\\u0000\u003E\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\\u0000\ufffd\ufffd$\ufffd(\\u0000k\ufffd#\ufffd\u0027\\u0000g\ufffd\\n\ufffd\\u0014\\u00009\ufffd\\t\ufffd\\u0013\\u00003\\u0000\ufffd\u0022, \u0022port\u0022: 8443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022port scan syn 
\u00b7 via HTTPS:8443 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdQ\u0027\u0027\ufffd\ufffd\ufffd\u003C8\ufffd\ufffd\u0027b7o\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdOz\u04f4 \ufffd%\ufffdqH\ufffdu\ufffd\ufffd!\ufffd\ufffd\ufffdt!\ufffdX\ufffd, o\ufffdR\ufffd92\ufffd\u003E\ufffd\ufffd\u003E\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd\u0027g\ufffd\\n\ufffd9\ufffd\\t\ufffd3\ufffd\u0022, \u0022target_port_label\u0022: \u00228443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, 
\u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 15, \u0022scan_velocity_ports_per_s\u0022: 6.44, \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 23, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022net_port_scan_fast\u0022, \u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022net_port_scan_fast\u0022, 
\u0022tls_clienthello\u0022]","anomalies":"[]","severity":7,"bytes_in":517},{"id":9231132,"ip":"111.228.50.25","ts":"2026-06-15 15:34:47.000000","proto":"tcp","src_port":38910,"dst_port":5000,"service":"http","classification":"port_scan_syn","waf_score":3,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c\u0022, \u0022emulator_response_len\u0022: 158, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00220991dad1e85d945fa26d249d6238901b89cb8349\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 55, \u0022payload_entropy\u0022: 4.5038203952248335, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 5000, \u0022risk_waf\u0022: 20.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, 
\u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227f211ab7369950d2beac430b060fd944d20c9248\u0022, \u0022event_fingerprint\u0022: \u002289f048096fc4888db8855d6a58ccce9e39debd7f\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 318, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 23}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f0bf494803669a89021e5acd1315d539\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 42}, 
\u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33\\r\\nConnection: close\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33\\r\\nConnection: close\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222f5dda584b1c9f07fd2a887d9f39b417a199d26b\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 5000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ 
HTTP\/1.1\\r\\nHost: 62.3.50.33\\r\\nConnection: close\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:5000 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00225000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 1 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 23}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 5000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: 
\u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +23\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 5000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:5000 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33\\r\\nConnection: close\u0022, \u0022target_port_label\u0022: \u00225000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 1 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +23 \u00b7 1 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, 
{\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 16, \u0022scan_velocity_ports_per_s\u0022: 6.2, \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, 
\u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 23, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022http_no_ua\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33","http_user_agent":null,"http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022http_no_ua\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":55},{"id":9231136,"ip":"111.228.50.25","ts":"2026-06-15 15:34:47.000000","proto":"tcp","src_port":52906,"dst_port":1883,"service":"mqtt","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002220020000\u0022, \u0022emulator_response_len\u0022: 4, \u0022bytes_in\u0022: 29, \u0022payload_entropy\u0022: 4.004364184708143, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022mqtt\u0022, \u0022app_proto\u0022: \u0022mqtt\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 1883, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 10.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, 
\u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 10.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ee45ca4c40aab54ce18a5f5a6bb214132d12fdb3\u0022, \u0022event_fingerprint\u0022: \u0022fee8f8e86b21ce5d7cca835e505fd9e20340232a\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 318, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022MQTT protocol\u0022, \u0022MQTT alt CONNECT\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 10.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 23}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022mqtt\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, 
\u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022af78af0e1a719a0f3346087d92f8a951\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1883, \u0022service\u0022: \u0022mqtt\u0022, \u0022service_name\u0022: \u0022mqtt\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022\\u0010\\u001a\\u0000\\u0004MQTT\\u0004\\u0002\\u0000\u003C\\u0000\\u0010hermes-scanner\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0010\\u001a\\u0000\\u0004MQTT\\u0004\\u0002\\u0000\u003C\\u0000\\u0010hermes-scanner\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0010\\u001a\\u0000\\u0004MQTT\\u0004\\u0002\\u0000\u003C\\u0000\\u0010hermes-scanner\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0010\\u001a\\u0000\\u0004MQTT\\u0004\\u0002\\u0000\u003C\\u0000\\u0010hermes-scanner\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0010\\u001a\\u0000\\u0004MQTT\\u0004\\u0002\\u0000\u003C\\u0000\\u0010hermes-scanner\\u0000\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a266c89f757c0b890624e25353d34b32155e0685\u0022, \u0022protocol_details\u0022: {\u0022mqtt_connect_fr\u0022: \u0022Connexion MQTT (CONNECT)\u0022, \u0022payload_preview\u0022: \u0022\\u0010\\u001a\\u0000\\u0004MQTT\\u0004\\u0002\\u0000\u003C\\u0000\\u0010hermes-scanner\\u0000\u0022, \u0022port\u0022: 1883, \u0022service\u0022: \u0022mqtt\u0022, 
\u0022service_label_fr\u0022: \u0022MQTT\u0022}, \u0022evidence_snippet\u0022: \u0022MQTT\u003Chermes-scanner\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via MQTT:1883 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00221883 \u00b7 MQTT\u0022, \u0022emulator_service\u0022: \u0022mqtt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via MQTT \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 10.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 23}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022mqtt\u0022, \u0022service_label_fr\u0022: \u0022MQTT\u0022, \u0022dst_port\u0022: 1883, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], 
\u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022MQTT 3.1.1\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +23\u0022, \u0022protocol_details\u0022: {\u0022mqtt_connect_fr\u0022: \u0022Connexion MQTT (CONNECT)\u0022, \u0022payload_preview\u0022: \u0022\\u0010\\u001a\\u0000\\u0004MQTT\\u0004\\u0002\\u0000\u003C\\u0000\\u0010hermes-scanner\\u0000\u0022, \u0022port\u0022: 1883, \u0022service\u0022: \u0022mqtt\u0022, \u0022service_label_fr\u0022: \u0022MQTT\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via MQTT:1883 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022MQTT\u003Chermes-scanner\u0022, \u0022target_port_label\u0022: \u00221883 \u00b7 MQTT\u0022, \u0022emulator_service\u0022: \u0022mqtt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, 
\u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022mqtt\u0022, \u0022service_banner\u0022: \u0022MQTT 3.1.1\u0022, \u0022service_os\u0022: \u0022iot\u0022, \u0022dst_port\u0022: \u00221883\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 17, \u0022scan_velocity_ports_per_s\u0022: 6.04, \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, 
\u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 23, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mqtt_connect\u0022, \u0022mqtt_emulated\u0022, \u0022mqtt_payload\u0022, \u0022net_bruteforce\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mqtt_connect\u0022, \u0022mqtt_emulated\u0022, \u0022mqtt_payload\u0022, \u0022net_bruteforce\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":29},{"id":9231139,"ip":"111.228.50.25","ts":"2026-06-15 15:34:47.000000","proto":"tcp","src_port":51968,"dst_port":8883,"service":"mqtts","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 517, \u0022payload_entropy\u0022: 3.965125725015207, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022mqtts\u0022, \u0022app_proto\u0022: \u0022mqtts\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 8883, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, 
\u0022risk_granularity\u0022: 4.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c4033ab61ec9697334b22f595c6efd6935f96f2c\u0022, \u0022event_fingerprint\u0022: \u002225dd54199c1aabd249dd54e6daebc9ce369e03f7\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 318, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0554\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022Minecraft varint handshake\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0554\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 23}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022mqtts\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom 
Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222ea84618f8cbfed119bb390debeb5ef4\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8883, \u0022service\u0022: \u0022mqtts\u0022, \u0022service_name\u0022: \u0022mqtts\u0022, \u0022risk_score\u0022: 42}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u00032\ufffd\ufffd+\ufffd\\u0010y]\ufffd LT?^@\\b\ufffd\ufffd\ufffd\u07da(\\t5\ufffd6\ufffd\ufffd\\u001f\ufffd\ufffdT n\ufffd\\u0013\ufffd\ufffd\ufffd@\ufffd\ufffd\ufffdmV\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdD\ufffdW\ufffd\ufffd\ufffd\\u001a\\r\ufffd\ufffdC\ufffd}\ufffd\\u0000\u003E\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\\u0000\ufffd\ufffd$\ufffd(\\u0000k\ufffd#\ufffd\u0027\\u0000g\ufffd\\n\ufffd\\u0014\\u00009\ufffd\\t\ufffd\\u0013\\u00003\\u0000\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u00032\ufffd\ufffd+\ufffd\\u0010y]\ufffd LT?^@\\b\ufffd\ufffd\ufffd\u07da(\\t5\ufffd6\ufffd\ufffd\\u001f\ufffd\ufffdT 
n\ufffd\\u0013\ufffd\ufffd\ufffd@\ufffd\ufffd\ufffdmV\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdD\ufffdW\ufffd\ufffd\ufffd\\u001a\\r\ufffd\ufffdC\ufffd}\ufffd\\u0000\u003E\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\\u0000\ufffd\ufffd$\ufffd(\\u0000k\ufffd#\ufffd\u0027\\u0000g\ufffd\\n\ufffd\\u0014\\u00009\ufffd\\t\ufffd\\u0013\\u00003\\u0000\ufffd\\u0000\ufffd\\u0000=\\u0000\u003C\\u00005\\u0000\/\\u0000\ufffd\\u0001\\u0000\\u0001u\\u0000\\u000b\\u0000\\u0004\\u0003\\u0000\\u0001\\u0002\\u0000\\n\\u0000\\u0016\\u0000\\u0014\\u0000\\u001d\\u0000\\u0017\\u0000\\u001e\\u0000\\u0019\\u0000\\u0018\\u0001\\u0000\\u0001\\u0001\\u0001\\u0002\\u0001\\u0003\\u0001\\u0004\\u0000#\\u0000\\u0000\\u0000\\u0016\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\r\\u0000*\\u0000(\\u0004\\u0003\\u0005\\u0003\\u0006\\u0003\\b\\u0007\\b\\b\\b\\t\\b\\n\\b\\u000b\\b\\u0004\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0003\\u0003\\u0003\\u0001\\u0003\\u0002\\u0004\\u0002\\u0005\\u0002\\u0006\\u0002\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u0000-\\u0000\\u0002\\u0001\\u0001\\u00003\\u0000\u0026\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u00032\ufffd\ufffd+\ufffd\\u0010y]\ufffd LT?^@\\b\ufffd\ufffd\ufffd\u07da(\\t5\ufffd6\ufffd\ufffd\\u001f\ufffd\ufffdT n\ufffd\\u0013\ufffd\ufffd\ufffd@\ufffd\ufffd\ufffdmV\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdD\ufffdW\ufffd\ufffd\ufffd\\u001a\\r\ufffd\ufffdC\ufffd}\ufffd\\u0000\u003E\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\\u0000\ufffd\ufffd$\ufffd(\\u0000k\ufffd#\ufffd\u0027\\u0000g\ufffd\\n\ufffd\\u0014\\u00009\ufffd\\t\ufffd\\u0013\\u00003\\u0000\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, 
\u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022882c352666d29985fbfa138369a72e0c90994470\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u00032\ufffd\ufffd+\ufffd\\u0010y]\ufffd LT?^@\\b\ufffd\ufffd\ufffd\u07da(\\t5\ufffd6\ufffd\ufffd\\u001f\ufffd\ufffdT n\ufffd\\u0013\ufffd\ufffd\ufffd@\ufffd\ufffd\ufffdmV\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdD\ufffdW\ufffd\ufffd\ufffd\\u001a\\r\ufffd\ufffdC\ufffd}\ufffd\\u0000\u003E\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\\u0000\ufffd\ufffd$\ufffd(\\u0000k\ufffd#\ufffd\u0027\\u0000g\ufffd\\n\ufffd\\u0014\\u00009\ufffd\\t\ufffd\\u0013\\u00003\\u0000\ufffd\u0022, \u0022port\u0022: 8883, \u0022service\u0022: \u0022mqtts\u0022, \u0022service_label_fr\u0022: \u0022MQTTS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd2\ufffd\ufffd+\ufffdy]\ufffd LT?^@\ufffd\ufffd\ufffd\u07da(\\t5\ufffd6\ufffd\ufffd\ufffd\ufffdT n\ufffd\ufffd\ufffd\ufffd@\ufffd\ufffd\ufffdmV\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdD\ufffdW\ufffd\ufffd\ufffd\\r\ufffd\ufffdC\ufffd}\ufffd\u003E\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd\u0027g\ufffd\\n\ufffd9\ufffd\\t\ufffd3\ufffd\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via MQTTS:8883 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00228883 \u00b7 MQTTS\u0022, \u0022emulator_service\u0022: \u0022mqtts\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, 
\u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via MQTTS \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 23}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022mqtts\u0022, \u0022service_label_fr\u0022: \u0022MQTTS\u0022, \u0022dst_port\u0022: 8883, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-mqtts\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], 
\u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +23\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u00032\ufffd\ufffd+\ufffd\\u0010y]\ufffd LT?^@\\b\ufffd\ufffd\ufffd\u07da(\\t5\ufffd6\ufffd\ufffd\\u001f\ufffd\ufffdT n\ufffd\\u0013\ufffd\ufffd\ufffd@\ufffd\ufffd\ufffdmV\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdD\ufffdW\ufffd\ufffd\ufffd\\u001a\\r\ufffd\ufffdC\ufffd}\ufffd\\u0000\u003E\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\\u0000\ufffd\ufffd$\ufffd(\\u0000k\ufffd#\ufffd\u0027\\u0000g\ufffd\\n\ufffd\\u0014\\u00009\ufffd\\t\ufffd\\u0013\\u00003\\u0000\ufffd\u0022, \u0022port\u0022: 8883, \u0022service\u0022: \u0022mqtts\u0022, \u0022service_label_fr\u0022: \u0022MQTTS\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via MQTTS:8883 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd2\ufffd\ufffd+\ufffdy]\ufffd LT?^@\ufffd\ufffd\ufffd\u07da(\\t5\ufffd6\ufffd\ufffd\ufffd\ufffdT n\ufffd\ufffd\ufffd\ufffd@\ufffd\ufffd\ufffdmV\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdD\ufffdW\ufffd\ufffd\ufffd\\r\ufffd\ufffdC\ufffd}\ufffd\u003E\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd\u0027g\ufffd\\n\ufffd9\ufffd\\t\ufffd3\ufffd\u0022, \u0022target_port_label\u0022: \u00228883 \u00b7 MQTTS\u0022, \u0022emulator_service\u0022: \u0022mqtts\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23\u0022, 
\u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022mqtts\u0022, \u0022service_banner\u0022: \u0022honeypot-mqtts\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228883\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], 
\u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 18, \u0022scan_velocity_ports_per_s\u0022: 5.88, \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 23, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mqtts_emulated\u0022, \u0022mqtts_payload\u0022, \u0022net_port_scan_fast\u0022, \u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mqtts_emulated\u0022, \u0022mqtts_payload\u0022, \u0022net_port_scan_fast\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":7,"bytes_in":517},{"id":9231112,"ip":"111.228.50.25","ts":"2026-06-15 15:34:46.000000","proto":"tcp","src_port":50862,"dst_port":2049,"service":"nfs","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022800000290000000000000000\u0022, \u0022emulator_response_len\u0022: 12, \u0022bytes_in\u0022: 40, \u0022payload_entropy\u0022: 1.1103029464166383, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, 
\u0022service\u0022: \u0022nfs\u0022, \u0022app_proto\u0022: \u0022nfs\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 2049, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 10.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 10.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022579396ac80141cc356e24764f2908b0158e9edc6\u0022, \u0022event_fingerprint\u0022: \u0022406f1fb049fa29b057884fc3ea6c98702c6088ca\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 318, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022Mumble ping\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], 
\u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 10.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 23}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022nfs\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ddea4e3d761e9c205132ef111fbc9454\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2049, \u0022service\u0022: \u0022nfs\u0022, \u0022service_name\u0022: \u0022nfs\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000(\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000(\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: 
\u0022\\u0000\\u0000\\u0000(\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000(\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000(\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d43dffafa2bbf9b57cdb25e5dad2160e3ede6754\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000(\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 2049, \u0022service\u0022: \u0022nfs\u0022, \u0022service_label_fr\u0022: 
\u0022NFS\u0022}, \u0022evidence_snippet\u0022: \u0022(\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via NFS:2049 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00222049 \u00b7 NFS\u0022, \u0022emulator_service\u0022: \u0022nfs\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via NFS \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 10.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 23}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022nfs\u0022, \u0022service_label_fr\u0022: \u0022NFS\u0022, \u0022dst_port\u0022: 2049, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: 
\u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-nfs\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +23\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000(\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 2049, \u0022service\u0022: \u0022nfs\u0022, \u0022service_label_fr\u0022: \u0022NFS\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via NFS:2049 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022(\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00222049 \u00b7 NFS\u0022, \u0022emulator_service\u0022: \u0022nfs\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: 
\u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022nfs\u0022, \u0022service_banner\u0022: \u0022honeypot-nfs\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00222049\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 12, \u0022scan_velocity_ports_per_s\u0022: 2.99, \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, 
\u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 23, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_port_scan_fast\u0022, \u0022nfs_emulated\u0022, \u0022nfs_mount\u0022, \u0022nfs_payload\u0022, \u0022nfs_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_port_scan_fast\u0022, \u0022nfs_emulated\u0022, \u0022nfs_mount\u0022, \u0022nfs_payload\u0022, \u0022nfs_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":40},{"id":9231121,"ip":"111.228.50.25","ts":"2026-06-15 15:34:46.000000","proto":"tcp","src_port":55110,"dst_port":6443,"service":"k8s-api","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75\u0022, \u0022emulator_response_len\u0022: 165, \u0022bytes_in\u0022: 55, \u0022payload_entropy\u0022: 4.5038203952248335, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022k8s-api\u0022, 
\u0022app_proto\u0022: \u0022k8s-api\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 6443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e257991cb5200ff10524b3c9f7213057ba0d3047\u0022, \u0022event_fingerprint\u0022: \u00221eeecffdeefbfbad05a3604bc614efa2174b97bf\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 318, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 23}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, 
\u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f0bf494803669a89021e5acd1315d539\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33\\r\\nConnection: close\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33\\r\\nConnection: close\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228ed30e11df9aecf5c7c267f21c7cae8dba574315\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33\\r\\nConnection: close\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ 
HTTP\/1.1\\r\\nHost: 62.3.50.33\\r\\nConnection: close\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 23}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022, \u0022dst_port\u0022: 6443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], 
\u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +23\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33\\r\\nConnection: close\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33\\r\\nConnection: close\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, 
\u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022k8s_api\u0022, \u0022service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 13, \u0022scan_velocity_ports_per_s\u0022: 2.85, \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, 
\u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 23, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":55},{"id":9231122,"ip":"111.228.50.25","ts":"2026-06-15 15:34:46.000000","proto":"tcp","src_port":56438,"dst_port":6379,"service":"redis","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b504f4e470d0a\u0022, \u0022emulator_response_len\u0022: 7, \u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 3.6163485660751635, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022service\u0022: \u0022redis\u0022, \u0022app_proto\u0022: \u0022redis\u0022, \u0022asn\u0022: 141679, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 6379, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, 
\u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d3afe11e681d11798c2acbad3a9ecf85e35db28c\u0022, \u0022event_fingerprint\u0022: \u0022ad893b67498ef5007c1d8733f7eb11e5e6fc39df\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 318, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 23}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022redis\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 141679, \u0022org\u0022: \u0022China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002267a876fb8d199d3484763c3ff81a5c27\u0022, \u0022path_pattern_hash\u0022: 
\u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6379, \u0022service\u0022: \u0022redis\u0022, \u0022service_name\u0022: \u0022redis\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022PING\\r\\nINFO server\\r\\n\u0022, \u0022request_sample\u0022: \u0022PING\\r\\nINFO server\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022PING\\r\\nINFO server\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022PING\\r\\nINFO server\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022PING\\r\\nINFO server\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002251e9067759ee6cb1eaa94e57829e7fba8f8c7cfb\u0022, \u0022protocol_details\u0022: {\u0022redis_command_fr\u0022: \u0022Sonde protocole Redis\u0022, \u0022payload_preview\u0022: \u0022PING\\r\\nINFO server\u0022, \u0022port\u0022: 6379, \u0022service\u0022: \u0022redis\u0022, \u0022service_label_fr\u0022: \u0022REDIS\u0022}, \u0022evidence_snippet\u0022: \u0022PING\\r\\nINFO server\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via REDIS:6379 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00226379 \u00b7 REDIS\u0022, \u0022emulator_service\u0022: \u0022redis\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, 
\u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via REDIS \u2014 multi-protocole (26 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 23}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022redis\u0022, \u0022service_label_fr\u0022: \u0022REDIS\u0022, \u0022dst_port\u0022: 6379, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022Redis 7.0\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 
min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +23\u0022, \u0022protocol_details\u0022: {\u0022redis_command_fr\u0022: \u0022Sonde protocole Redis\u0022, \u0022payload_preview\u0022: \u0022PING\\r\\nINFO server\u0022, \u0022port\u0022: 6379, \u0022service\u0022: \u0022redis\u0022, \u0022service_label_fr\u0022: \u0022REDIS\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via REDIS:6379 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022PING\\r\\nINFO server\u0022, \u0022target_port_label\u0022: \u00226379 \u00b7 REDIS\u0022, \u0022emulator_service\u0022: \u0022redis\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: 
\u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022redis\u0022, \u0022service_banner\u0022: \u0022Redis 7.0\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226379\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 28, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 13, \u0022scan_velocity_ports_per_s\u0022: 2.85, \u0022multi_category_scan\u0022: true, \u0022scan_category_diversity\u0022: [\u0022cloud\u0022, \u0022iot\u0022, \u0022web\u0022], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 26, \u0022multi_protocol_sample\u0022: [\u0022amqp\u0022, \u0022cassandra\u0022, \u0022docker\u0022, \u0022docker-tls\u0022, \u0022elasticsearch\u0022, \u0022flask-http\u0022, \u0022ftp\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_category_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 23, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_port_scan_fast\u0022, 
\u0022redis_emulated\u0022, \u0022redis_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_port_scan_fast\u0022, \u0022redis_emulated\u0022, \u0022redis_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":19}],"total_events":109}