Renseignement sur les menaces

Chine

111.228.50.25

FAI China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch Première vue 15/06/2026 15:03 UTC Dernière vue 15/06/2026 15:35 UTC Risque Moyen

Période analysée : 2026-05-21 → 2026-06-20

Activité suspecte — risque 51/100 (Moyen) — MITRE T1046 — confiance 100 % — via K8S API — multi-protocole (26 protocoles · 5 min)

Campagne multi-ports détectée sur une fenêtre courte

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Moyen · Risque max (7j) Moyen

Synthèse exécutive

Profil de menace

Score de risque 64/100 Moyen

Première observation 15/06/2026 15:03 UTC

Dernière observation 15/06/2026 15:35 UTC

Événements (période) 109

MITRE ATT&CK principal T1046 92 occurrences

Activité suspecte — risque 51/100 (Moyen) — MITRE T1046 — confiance 100 % — via K8S API — multi-protocole (26 protocoles · 5 min)

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « port_scan_syn » (signaux protocolaires) · confiance 100%

Confiance 100 % — Score WAF 8 · Bonus corrélation +19

Comparaison ASN / FAI

ASN 141679 · 111.228.0.0/18 · APNIC — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 109 événements sur la période pour cette IP.

203.83.234.180 Sonde SSH 20/06/2026 08:08 UTC
117.72.212.5 Sonde SSH 19/06/2026 22:39 UTC
117.72.110.172 Sonde SSH 19/06/2026 22:14 UTC
106.63.26.6 SSRF interne 18/06/2026 14:49 UTC
106.63.26.22 Sonde PostgreSQL 18/06/2026 14:49 UTC
106.63.26.139 SSRF interne 18/06/2026 14:20 UTC
106.63.26.157 Sonde PostgreSQL 18/06/2026 14:20 UTC
117.72.13.101 Sonde port 6379/TCP 17/06/2026 14:17 UTC

Événements (filtres)

109

Première observation

15/06/2026 15:03 UTC

Dernière observation

15/06/2026 15:35 UTC

Dernière activité (filtres)

15/06/2026 15:35 UTC

Événements 7j

109

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 40 K8S API TCP 21 NFS TCP 3 RDP TCP 3 REDIS TCP 3 FTP TCP 2 RSYNC TCP 2 CASSANDRA TCP 2 MONGODB TCP 2 SSH TCP 2 DOCKER TCP 2 POSTGRES TCP 2 MQTT TCP 2 HTTPS TCP 2 Telnet TCP 2 DOCKER TLS TCP 2 MQTTS TCP 2 VNC TCP 2 ELASTICSEARCH TCP 2 MSSQL TCP 2

HTTP

K8S API

NFS

RDP

REDIS

FTP

Géolocalisation

Origine réseau déclarée

Chine unknown unknown

FAI / réseau

Opérateur et dernière activité ban

China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch 0 Port 9200 elasticsearch_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Reconnaissance

Chaîne d'attaque

Reconnaissance

Vecteur d'attaque

port scan syn · via K8S API:6443 · (reconnaissance)

Détails protocole

Aperçu payload

GET /docs/api.html HTTP/1.1 Host: 62.3.50.33:6443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit/605.1.1

Port / service

6443 · K8S API

Service émulé

K8S-API

Raison confiance

Confiance 100 % — 6 signal(aux) capteur

Technique MITRE

T1046

Persona capteur

mail.sensor-1.internal

Corrélations comportementales

Campagne multi-ports Multi-protocole corrélé (5 min)

Recommandation

Investiguer

Rôle capteur

Renseignement menaces

Signaux de précision

MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S

Confiance

100% Corrélation +19

Famille de menace

scanner

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

109 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

109 événement(s) — page 2/3

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
15/06/2026 15:34:46 UTC	TCP	8080 · HTTP	http	Scan de ports port scan syn · via HTTP:8080 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / Émulateur HTTP WAF 3 Recommandation Surveiller Tags 950734:sap-sapcontrol-path http_no_ua net_port_scan_fast Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible / Service HTTP Pourquoi cette classification : Tags WAF: sap-sapcontrol-path · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 1 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent — Règles WAF sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 55, "payload_entropy": 4.5038203952248335, "port_category": "registered", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "http", "app_proto": "http", "asn": 141679, "country": "CN", "dst_port": 8080, "risk_waf": 20, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 20, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "1952973b298753bacd8311ca7b61685d03229984", "event_fingerprint": "1a73e52fcb0af206bdd873fdc276f059b19b837a", "classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 20, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f0bf494803669a89021e5acd1315d539", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "90a72e3d9d39d79e8f7cc6c3f7d30f5b4211d0ee", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance)", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%", "classification_reason_label_fr": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 20, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +23 \u00b7 1 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 28, "port_scan_ports_sample": [ 21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 14, "scan_velocity_ports_per_s": 2.93, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 26, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "http_no_ua", "net_port_scan_fast" ] }
15/06/2026 15:34:45 UTC	TCP	27017 · MONGODB	mongodb	Scan de ports port scan syn · via MONGODB:27017 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur MONGODB WAF — Recommandation Surveiller Tags mongodb_emulated mongodb_enum_probe mongodb_hello_probe mongodb_wire_protocol Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 27017 Chemin / cible — Service MONGODB Payload �admin.$cmd��ismaster�?buildInfo�? Pourquoi cette classification : Rafale d'authentification SSH · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 6 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Mongo buildInfo Mongo isMaster legacy Mongo ismaster command Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) �admin.$cmd��ismaster�?buildInfo�? Meta JSON brut { "protocol_emulated": true, "emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00", "emulator_response_len": 62, "bytes_in": 81, "payload_entropy": 3.145504394696991, "port_category": "registered", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "mongodb", "app_proto": "mongodb", "asn": 141679, "country": "CN", "dst_port": 27017, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 10, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 10 }, "risk_score": 42, "tag_count": 6, "anomaly_count": 0, "campaign_key": "67a4842f9d749845f5e1f6bf702c20b486597758", "event_fingerprint": "89c003b1f7f024618bebd2869d70fcbe185c35c2", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0359", "pat-0363", "pat-0364", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "Mongo buildInfo", "Mongo isMaster legacy", "Mongo ismaster command", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0359", "pat-0363", "pat-0364", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 10, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "mongodb", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "5ec31e2904bf04b40da5c05e50ca54b0", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 27017, "service": "mongodb", "service_name": "mongodb", "risk_score": 42 }, "payload_preview": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u001b\u0000\u0000\u0000\u0001ismaster\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000buildInfo\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000", "request_sample": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u001b\u0000\u0000\u0000\u0001ismaster\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000buildInfo\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000", "payload_snippet": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u001b\u0000\u0000\u0000\u0001ismaster\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000buildInfo\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000", "evidence": { "request_sample": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u001b\u0000\u0000\u0000\u0001ismaster\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000buildInfo\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000", "payload_snippet": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u001b\u0000\u0000\u0000\u0001ismaster\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000buildInfo\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2f7f8b89a7191f807348b97e617478e79aeeef40", "protocol_details": { "mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)", "payload_preview": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u001b\u0000\u0000\u0000\u0001ismaster\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000buildInfo\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000", "port": 27017, "service": "mongodb", "service_label_fr": "MONGODB" }, "evidence_snippet": "\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismaster\ufffd?buildInfo\ufffd?", "attack_vector": "port scan syn \u00b7 via MONGODB:27017 \u00b7 (reconnaissance)", "target_port_label": "27017 \u00b7 MONGODB", "emulator_service": "mongodb", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via MONGODB \u2014 multi-protocole (26 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 10, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "mongodb", "service_label_fr": "MONGODB", "dst_port": 27017, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-mongodb", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)", "payload_preview": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u001b\u0000\u0000\u0000\u0001ismaster\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000buildInfo\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000", "port": 27017, "service": "mongodb", "service_label_fr": "MONGODB" }, "attack_vector": "port scan syn \u00b7 via MONGODB:27017 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismaster\ufffd?buildInfo\ufffd?", "target_port_label": "27017 \u00b7 MONGODB", "emulator_service": "mongodb", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "mongodb", "service_banner": "honeypot-mongodb", "service_os": "linux", "dst_port": "27017" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 28, "port_scan_ports_sample": [ 21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 11, "scan_velocity_ports_per_s": 3.19, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 26, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "mongodb_emulated", "mongodb_enum_probe", "mongodb_hello_probe", "mongodb_wire_protocol", "net_bruteforce", "net_port_scan_fast" ] }
15/06/2026 15:34:45 UTC	TCP	3389 · RDP	rdp	Scan de ports port scan syn · via RDP:3389 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur RDP WAF — Recommandation Surveiller Tags net_bruteforce net_port_scan_fast rdp_cookie rdp_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3389 Chemin / cible — Service RDP Payload �4 Pourquoi cette classification : Rafale d'authentification SSH · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) RDP TPKT header Kafka ApiVersions key ET H.323 setup Minecraft varint handshake User-Agent — Règles WAF — Payload (extrait) �4 Meta JSON brut { "protocol_emulated": true, "emulator_response": "030000130ed00000123400021f080000000000", "emulator_response_len": 19, "bytes_in": 19, "payload_entropy": 2.641120933813016, "port_category": "registered", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "rdp", "app_proto": "rdp", "asn": 141679, "country": "CN", "dst_port": 3389, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "3102d5a481adb73ebfeff7ed7c65ca8f5592118a", "event_fingerprint": "e363e414733e6c4de1b1bc87369dc66f1f76c868", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0348", "pat-0556", "pat-0868", "pat-0554" ], "matched_pattern_names": [ "RDP TPKT header", "Kafka ApiVersions key", "ET H.323 setup", "Minecraft varint handshake" ], "pattern_ids": [ "pat-0348", "pat-0556", "pat-0868", "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "rdp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b6204aaa1d040d920bdb6acca924eba1", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 3389, "service": "rdp", "service_name": "rdp", "risk_score": 42 }, "payload_preview": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u00124\u0000\u0002\u000f\b\u0000\u0002\u0000\u0000\u0000", "request_sample": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u00124\u0000\u0002\u000f\b\u0000\u0002\u0000\u0000\u0000", "payload_snippet": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u00124\u0000\u0002\u000f\b\u0000\u0002\u0000\u0000\u0000", "evidence": { "request_sample": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u00124\u0000\u0002\u000f\b\u0000\u0002\u0000\u0000\u0000", "payload_snippet": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u00124\u0000\u0002\u000f\b\u0000\u0002\u0000\u0000\u0000", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4250aff94405429c02ce9b244456950125b160b8", "protocol_details": { "payload_preview": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u00124\u0000\u0002\u000f\b\u0000\u0002\u0000\u0000\u0000", "port": 3389, "service": "rdp", "service_label_fr": "RDP" }, "evidence_snippet": "\ufffd4", "attack_vector": "port scan syn \u00b7 via RDP:3389 \u00b7 (reconnaissance)", "target_port_label": "3389 \u00b7 RDP", "emulator_service": "rdp", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via RDP \u2014 multi-protocole (26 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "rdp", "service_label_fr": "RDP", "dst_port": 3389, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Windows RDP", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u00124\u0000\u0002\u000f\b\u0000\u0002\u0000\u0000\u0000", "port": 3389, "service": "rdp", "service_label_fr": "RDP" }, "attack_vector": "port scan syn \u00b7 via RDP:3389 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd4", "target_port_label": "3389 \u00b7 RDP", "emulator_service": "rdp", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rdp", "service_banner": "Windows RDP", "service_os": "windows", "dst_port": "3389" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 28, "port_scan_ports_sample": [ 21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 12, "scan_velocity_ports_per_s": 3.18, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 26, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "net_bruteforce", "net_port_scan_fast", "rdp_cookie", "rdp_emulated" ], "rdp_auth_burst": true, "rdp_auth_burst_count": 5, "rdp_auth_burst_rate": 0.38, "behavior_alert_count": 1, "behavior_priority": 96 }
15/06/2026 15:34:45 UTC	TCP	3306 · MYSQL	mysql	Scan de ports port scan syn · via MYSQL:3306 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur MYSQL WAF — Recommandation Surveiller Tags mysql_emulated mysql_handshake net_bruteforce_burst net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3306 Chemin / cible — Service MYSQL Pourquoi cette classification : Rafale d'authentification SSH · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "380000000a382e302e33322d4d7953514c0004030201112233445566778899aabbccddeeff006d7973716c5f6e61746976655f70617373776f726400", "emulator_response_len": 60, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "mysql", "app_proto": "mysql", "asn": 141679, "country": "CN", "dst_port": 3306, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "b1020e21b3d9f109d6025c5f30f49cae79775d74", "event_fingerprint": "fc636b2a9fe65cd127101ef17af779a5183b0a0c", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "mysql", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 3306, "service": "mysql", "service_name": "mysql", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ed24b1ab4b75c6a3507bce9a4e30f5538119e65f", "protocol_details": { "mysql_auth_fr": "Handshake MySQL (auth)", "port": 3306, "service": "mysql", "service_label_fr": "MYSQL" }, "attack_vector": "port scan syn \u00b7 via MYSQL:3306 \u00b7 (reconnaissance)", "target_port_label": "3306 \u00b7 MYSQL", "emulator_service": "mysql", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via MYSQL \u2014 multi-protocole (26 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "mysql", "service_label_fr": "MYSQL", "dst_port": 3306, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "8.0.32-MySQL", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "mysql_auth_fr": "Handshake MySQL (auth)", "port": 3306, "service": "mysql", "service_label_fr": "MYSQL" }, "attack_vector": "port scan syn \u00b7 via MYSQL:3306 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "3306 \u00b7 MYSQL", "emulator_service": "mysql", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "mysql", "service_banner": "8.0.32-MySQL", "service_os": "linux", "dst_port": "3306" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 28, "port_scan_ports_sample": [ 21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 19, "scan_velocity_ports_per_s": 5.78, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 26, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "mysql_emulated", "mysql_handshake", "net_bruteforce_burst", "net_port_scan_fast" ] }
15/06/2026 15:34:45 UTC	TCP	22 · SSH	ssh	Scan de ports port scan syn · via SSH:22 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur SSH WAF — Recommandation Surveiller Tags net_bruteforce_burst net_port_scan_fast ssh_banner_grab ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a", "emulator_response_len": 41, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "well_known", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "ssh", "app_proto": "ssh", "asn": 141679, "country": "CN", "dst_port": 22, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "a9b517824c94778e6748155f74784f3a93add744", "event_fingerprint": "b4929bf32779aefad610d20ae581619a267ba9f6", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "87e0ca97b7bdc4227f7650f13d3e74f6532996ff", "protocol_details": { "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "port scan syn \u00b7 via SSH:22 \u00b7 (reconnaissance)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH \u2014 multi-protocole (26 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "port scan syn \u00b7 via SSH:22 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 28, "port_scan_ports_sample": [ 21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 24, "scan_velocity_ports_per_s": 6.36, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 26, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_bruteforce_burst", "net_port_scan_fast", "ssh_banner_grab", "ssh_emulated" ] }
15/06/2026 15:34:45 UTC	TCP	23 · Telnet	telnet	Scan de ports port scan syn · via Telnet:23 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_bruteforce_burst net_port_scan_fast telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Service Telnet Pourquoi cette classification : Rafale d'authentification SSH · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "well_known", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "telnet", "app_proto": "telnet", "asn": 141679, "country": "CN", "dst_port": 23, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "48d8b4c7f2062b33e6f848537fa0c8db6498193d", "event_fingerprint": "b01c5d414ece661f92cba2c282935e85d119d5b1", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "telnet", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f7dbc040b9cb1a53a382d952cdc79ad2227ec11e", "protocol_details": { "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port scan syn \u00b7 via Telnet:23 \u00b7 (reconnaissance)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via Telnet \u2014 multi-protocole (26 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port scan syn \u00b7 via Telnet:23 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 28, "port_scan_ports_sample": [ 21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 25, "scan_velocity_ports_per_s": 6.54, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 26, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_bruteforce_burst", "net_port_scan_fast", "telnet_emulated" ] }
15/06/2026 15:34:45 UTC	TCP	5901 · VNC	vnc	Scan de ports port scan syn · via VNC:5901 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur VNC WAF — Recommandation Surveiller Tags net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 5901 Chemin / cible — Service VNC Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 1 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "vnc", "app_proto": "vnc", "asn": 141679, "country": "CN", "dst_port": 5901, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 1, "anomaly_count": 0, "campaign_key": "1b0a8dfabeea22865ca682ed240153e6e7261766", "event_fingerprint": "1f120765377258e8d734a87494c566260cf9e406", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "vnc", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 5901, "service": "vnc", "service_name": "vnc", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6822bcdc268f5cd61436ff5b2c889cd3431ab479", "protocol_details": { "port": 5901, "service": "vnc", "service_label_fr": "VNC" }, "attack_vector": "port scan syn \u00b7 via VNC:5901 \u00b7 (reconnaissance)", "target_port_label": "5901 \u00b7 VNC", "emulator_service": "vnc", "confidence_reason": "Confiance 100 % \u2014 1 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via VNC \u2014 multi-protocole (26 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "vnc", "service_label_fr": "VNC", "dst_port": 5901, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-vnc", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 5901, "service": "vnc", "service_label_fr": "VNC" }, "attack_vector": "port scan syn \u00b7 via VNC:5901 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "5901 \u00b7 VNC", "emulator_service": "vnc", "confidence_reason": "Confiance 100 % \u2014 1 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "vnc", "service_banner": "honeypot-vnc", "service_os": "linux", "dst_port": "5901" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 28, "port_scan_ports_sample": [ 21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 26, "scan_velocity_ports_per_s": 6.77, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 26, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast" ] }
15/06/2026 15:34:45 UTC	TCP	21 · FTP	ftp	Scan de ports port scan syn · via FTP:21 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Sonde protocole FTP Émulateur FTP WAF — Recommandation Surveiller Tags ftp_emulated net_bruteforce_burst net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 21 Chemin / cible — Service FTP Pourquoi cette classification : Rafale d'authentification SSH · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f7420465450205365727665722072656164792e0d0a", "emulator_response_len": 32, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "well_known", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "ftp", "app_proto": "ftp", "asn": 141679, "country": "CN", "dst_port": 21, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "1c2e3b4d6bfb5ebd3a4fc0cb9495918eababa190", "event_fingerprint": "9031dd2c4b6735507ef78d847b42e7fda3d480dc", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "ftp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 21, "service": "ftp", "service_name": "ftp", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "86741c785ad85d2c2164e0b0d81fa19001b0f3a6", "protocol_details": { "ftp_auth_fr": "Sonde protocole FTP", "port": 21, "service": "ftp", "service_label_fr": "FTP" }, "attack_vector": "port scan syn \u00b7 via FTP:21 \u00b7 (reconnaissance)", "target_port_label": "21 \u00b7 FTP", "emulator_service": "ftp", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via FTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "ftp", "service_label_fr": "FTP", "dst_port": 21, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-ftp", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "ftp_auth_fr": "Sonde protocole FTP", "port": 21, "service": "ftp", "service_label_fr": "FTP" }, "attack_vector": "port scan syn \u00b7 via FTP:21 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "21 \u00b7 FTP", "emulator_service": "ftp", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ftp", "service_banner": "honeypot-ftp", "service_os": "linux", "dst_port": "21" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 28, "port_scan_ports_sample": [ 21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 28, "scan_velocity_ports_per_s": 7.26, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 26, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "ftp_emulated", "net_bruteforce_burst", "net_port_scan_fast" ] }
15/06/2026 15:34:45 UTC	TCP	2375 · DOCKER	docker	Scan de ports port scan syn · via DOCKER:2375 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload http_get_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload GET /version HTTP/1.0 Host: 62.3.50.33 Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Payload (extrait) GET /version HTTP/1.0 Host: 62.3.50.33 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 43, "payload_entropy": 4.454766207938903, "port_category": "registered", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "docker", "app_proto": "docker", "asn": 141679, "country": "CN", "dst_port": 2375, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 40, "risk_novelty": 10, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 10 }, "risk_score": 42, "tag_count": 5, "anomaly_count": 0, "campaign_key": "8c1839cdbd9fa9388eb8b04668a8b57ccf5e28c3", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 10, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "9b1c5e487e7cfaf882da8b2a6931bd4c", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 42 }, "payload_preview": "GET \/version HTTP\/1.0\r\nHost: 62.3.50.33\r\n\r\n", "request_sample": "GET \/version HTTP\/1.0\r\nHost: 62.3.50.33\r\n\r\n", "payload_snippet": "GET \/version HTTP\/1.0\r\nHost: 62.3.50.33", "evidence": { "request_sample": "GET \/version HTTP\/1.0\r\nHost: 62.3.50.33\r\n\r\n", "payload_snippet": "GET \/version HTTP\/1.0\r\nHost: 62.3.50.33", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3a86d6437b4611276c7648b74f945db65fb91cca", "protocol_details": { "payload_preview": "GET \/version HTTP\/1.0\r\nHost: 62.3.50.33", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "GET \/version HTTP\/1.0\r\nHost: 62.3.50.33", "attack_vector": "port scan syn \u00b7 via DOCKER:2375 \u00b7 (reconnaissance)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via DOCKER \u2014 multi-protocole (26 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 10, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "GET \/version HTTP\/1.0\r\nHost: 62.3.50.33", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "port scan syn \u00b7 via DOCKER:2375 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/version HTTP\/1.0\r\nHost: 62.3.50.33", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 28, "port_scan_ports_sample": [ 21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 4, "scan_velocity_ports_per_s": 0.84, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 26, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "http_get_probe", "net_docker_api_probe" ] }
15/06/2026 15:34:45 UTC	TCP	1433 · MSSQL	mssql	Scan de ports port scan syn · via MSSQL:1433 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur MSSQL WAF — Recommandation Surveiller Tags mssql_emulated mssql_payload mssql_probe mssql_tds Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 1433 Chemin / cible — Service MSSQL Payload 4"&� Pourquoi cette classification : Rafale d'authentification SSH · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 6 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) MSSQL TDS prelogin Mumble ping Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) 4"&� Meta JSON brut { "protocol_emulated": true, "emulator_response": "001f00001a00060000000000000000000000000000000000000000000000000000", "emulator_response_len": 33, "bytes_in": 56, "payload_entropy": 2.0032319580345135, "port_category": "registered", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "mssql", "app_proto": "mssql", "asn": 141679, "country": "CN", "dst_port": 1433, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 10, "risk_boost": 0, "risk_granularity": 3.2, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 10 }, "risk_score": 42, "tag_count": 6, "anomaly_count": 0, "campaign_key": "b82edc85ccfccb9933b235c8b96d99fe50ee52d8", "event_fingerprint": "24635733bde8ab881cad2aa5e51b4b5bf5e45e9f", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0519", "pat-0768", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "MSSQL TDS prelogin", "Mumble ping", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0519", "pat-0768", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 10, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "mssql", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "9c795ab9c68996bde49a052760707d45", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 1433, "service": "mssql", "service_name": "mssql", "risk_score": 42 }, "payload_preview": "\u0012\u0001\u00004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\u0001\u0003\u0000\"\u0000\u0004\u0004\u0000&\u0000\u0001\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "request_sample": "\u0012\u0001\u00004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\u0001\u0003\u0000\"\u0000\u0004\u0004\u0000&\u0000\u0001\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "\u0012\u0001\u00004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\u0001\u0003\u0000\"\u0000\u0004\u0004\u0000&\u0000\u0001\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "\u0012\u0001\u00004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\u0001\u0003\u0000\"\u0000\u0004\u0004\u0000&\u0000\u0001\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "\u0012\u0001\u00004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\u0001\u0003\u0000\"\u0000\u0004\u0004\u0000&\u0000\u0001\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "51cddcecf1e50483e144f1d8b685fe36bea3023f", "protocol_details": { "mssql_tds_fr": "Connexion TDS Microsoft SQL Server", "payload_preview": "\u0012\u0001\u00004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\u0001\u0003\u0000\"\u0000\u0004\u0004\u0000&\u0000\u0001\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "port": 1433, "service": "mssql", "service_label_fr": "MSSQL" }, "evidence_snippet": "4\"&\ufffd", "attack_vector": "port scan syn \u00b7 via MSSQL:1433 \u00b7 (reconnaissance)", "target_port_label": "1433 \u00b7 MSSQL", "emulator_service": "mssql", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via MSSQL \u2014 multi-protocole (26 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 10, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "mssql", "service_label_fr": "MSSQL", "dst_port": 1433, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-mssql", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "mssql_tds_fr": "Connexion TDS Microsoft SQL Server", "payload_preview": "\u0012\u0001\u00004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\u0001\u0003\u0000\"\u0000\u0004\u0004\u0000&\u0000\u0001\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "port": 1433, "service": "mssql", "service_label_fr": "MSSQL" }, "attack_vector": "port scan syn \u00b7 via MSSQL:1433 \u00b7 (reconnaissance)", "evidence_snippet": "4\"&\ufffd", "target_port_label": "1433 \u00b7 MSSQL", "emulator_service": "mssql", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "mssql", "service_banner": "honeypot-mssql", "service_os": "linux", "dst_port": "1433" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 28, "port_scan_ports_sample": [ 21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 5, "scan_velocity_ports_per_s": 1.05, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 26, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "mssql_emulated", "mssql_payload", "mssql_probe", "mssql_tds", "net_bruteforce", "net_mssql_tds" ] }
15/06/2026 15:34:45 UTC	TCP	11211 · MEMCACHED	memcached	Scan de ports port scan syn · via MEMCACHED:11211 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur MEMCACHED WAF — Recommandation Surveiller Tags memcached_emulated memcached_payload net_memcached_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 11211 Chemin / cible — Service MEMCACHED Memcached Requête stats Memcached (UDP/TCP) Payload stats Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Memcached stats Memcached stats ET Memcached UDP User-Agent — Règles WAF — Payload (extrait) stats Meta JSON brut { "protocol_emulated": true, "emulator_response": "454e440d0a", "emulator_response_len": 5, "bytes_in": 7, "payload_entropy": 2.2359263506290326, "port_category": "registered", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "memcached", "app_proto": "memcached", "asn": 141679, "country": "CN", "dst_port": 11211, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "66464a82723b1788e29428c6a1128b7840beb1bb", "event_fingerprint": "2fcce8d4fd15e6ca50ec0235eeed2c6616def357", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0374", "pat-0533", "pat-0865" ], "matched_pattern_names": [ "Memcached stats", "Memcached stats", "ET Memcached UDP" ], "pattern_ids": [ "pat-0374", "pat-0533", "pat-0865" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "memcached", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "11e629574907d3a9ced402e26f4a98df", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 11211, "service": "memcached", "service_name": "memcached", "risk_score": 42 }, "payload_preview": "stats\r\n", "request_sample": "stats\r\n", "payload_snippet": "stats", "evidence": { "request_sample": "stats\r\n", "payload_snippet": "stats", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "17158f55ce472e246caf20eb947d39c96ac2d05b", "protocol_details": { "memcached_stats_fr": "Requ\u00eate stats Memcached (UDP\/TCP)", "payload_preview": "stats", "port": 11211, "service": "memcached", "service_label_fr": "MEMCACHED" }, "evidence_snippet": "stats", "attack_vector": "port scan syn \u00b7 via MEMCACHED:11211 \u00b7 (reconnaissance)", "target_port_label": "11211 \u00b7 MEMCACHED", "emulator_service": "memcached", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via MEMCACHED \u2014 multi-protocole (26 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "memcached", "service_label_fr": "MEMCACHED", "dst_port": 11211, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-memcached", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "memcached_stats_fr": "Requ\u00eate stats Memcached (UDP\/TCP)", "payload_preview": "stats", "port": 11211, "service": "memcached", "service_label_fr": "MEMCACHED" }, "attack_vector": "port scan syn \u00b7 via MEMCACHED:11211 \u00b7 (reconnaissance)", "evidence_snippet": "stats", "target_port_label": "11211 \u00b7 MEMCACHED", "emulator_service": "memcached", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "memcached", "service_banner": "honeypot-memcached", "service_os": "linux", "dst_port": "11211" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 28, "port_scan_ports_sample": [ 21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 6, "scan_velocity_ports_per_s": 1.26, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 26, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "memcached_emulated", "memcached_payload", "net_memcached_probe" ] }
15/06/2026 15:34:45 UTC	TCP	6379 · REDIS	redis	Scan de ports port scan syn · via REDIS:6379 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Sonde protocole Redis Émulateur REDIS WAF — Recommandation Surveiller Tags net_bruteforce net_redis_probe redis_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 6379 Chemin / cible — Service REDIS Redis Sonde protocole Redis Payload INFO server Pourquoi cette classification : Rafale d'authentification SSH · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Payload (extrait) INFO server Meta JSON brut { "protocol_emulated": true, "emulator_response": "2d4e4f415554482041757468656e7469636174696f6e2072657175697265642e0d0a", "emulator_response_len": 34, "bytes_in": 13, "payload_entropy": 3.392747410448785, "port_category": "registered", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "redis", "app_proto": "redis", "asn": 141679, "country": "CN", "dst_port": 6379, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "30353f16d4fbea31623bf0a8e38a5b7ede2d180a", "event_fingerprint": "9c536ce82edfb6f83700eeb7934e9ac49a41747b", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "redis", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f476d1064f00dd89417b202b45882197", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 6379, "service": "redis", "service_name": "redis", "risk_score": 42 }, "payload_preview": "INFO server\r\n", "request_sample": "INFO server\r\n", "payload_snippet": "INFO server", "evidence": { "request_sample": "INFO server\r\n", "payload_snippet": "INFO server", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "eb0e6874f3a3d2c5d828f9e1506635e494e6879e", "protocol_details": { "redis_command_fr": "Sonde protocole Redis", "payload_preview": "INFO server", "port": 6379, "service": "redis", "service_label_fr": "REDIS" }, "evidence_snippet": "INFO server", "attack_vector": "port scan syn \u00b7 via REDIS:6379 \u00b7 (reconnaissance)", "target_port_label": "6379 \u00b7 REDIS", "emulator_service": "redis", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via REDIS \u2014 multi-protocole (26 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "redis", "service_label_fr": "REDIS", "dst_port": 6379, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Redis 7.0", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "redis_command_fr": "Sonde protocole Redis", "payload_preview": "INFO server", "port": 6379, "service": "redis", "service_label_fr": "REDIS" }, "attack_vector": "port scan syn \u00b7 via REDIS:6379 \u00b7 (reconnaissance)", "evidence_snippet": "INFO server", "target_port_label": "6379 \u00b7 REDIS", "emulator_service": "redis", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "redis", "service_banner": "Redis 7.0", "service_os": "linux", "dst_port": "6379" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 28, "port_scan_ports_sample": [ 21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 7, "scan_velocity_ports_per_s": 1.46, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 26, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_bruteforce", "net_redis_probe", "redis_emulated" ] }
15/06/2026 15:34:45 UTC	TCP	10250 · HTTP	http	Scan de ports port scan syn · via HTTP:10250 · (reconnaissance) · → /pods	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /pods Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_no_ua net_web_probe Cible HTTP GET /pods TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10250 Chemin / cible /pods Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Kubelet pods Ligne de requête `GET /pods HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) GET /pods HTTP/1.1 Host: 62.3.50.33 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349", "http_target_hash": "59a6926bbb41b1ddf30b6bc032d8a4223f148f92", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 59, "payload_entropy": 4.583843210665387, "port_category": "registered", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "http", "app_proto": "http", "asn": 141679, "country": "CN", "dst_port": 10250, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "35da93185201bdedf8e92e7e69e98c4b4b9072c8", "event_fingerprint": "afd16ac0ae7757b5352f24da737d895e5ae88687", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0653" ], "matched_pattern_names": [ "Kubelet pods" ], "pattern_ids": [ "pat-0653" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b95676fe3044d38e0c626d1f59a65b77", "path_pattern_hash": "1444c195f4233af8530aa1bd4b4e2207" }, "target_context": { "dst_port": 10250, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/pods HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/pods", "request_line": "GET \/pods HTTP\/1.1", "request_sample": "GET \/pods HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/pods HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "evidence": { "method": "GET", "path": "\/pods", "request_line": "GET \/pods HTTP\/1.1", "request_sample": "GET \/pods HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/pods HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0f14911a2b4f661a24b9bed9080b30d0710b5289", "protocol_details": { "http_method": "GET", "http_path": "\/pods", "request_line": "GET \/pods HTTP\/1.1", "port": 10250, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/pods HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "attack_vector": "port scan syn \u00b7 via HTTP:10250 \u00b7 (reconnaissance) \u00b7 \u2192 \/pods", "target_port_label": "10250 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10250, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Kubernetes kubelet", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/pods", "request_line": "GET \/pods HTTP\/1.1", "port": 10250, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:10250 \u00b7 (reconnaissance) \u00b7 \u2192 \/pods", "evidence_snippet": "GET \/pods HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "target_port_label": "10250 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "kubelet", "service_banner": "Kubernetes kubelet", "service_os": "linux", "dst_port": "10250" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 28, "port_scan_ports_sample": [ 21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 8, "scan_velocity_ports_per_s": 1.67, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 26, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "http_no_ua", "net_web_probe" ] }
15/06/2026 15:34:45 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan de ports port scan syn · via ELASTICSEARCH:9200 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / Requête Elasticsearch : / Émulateur ELASTICSEARCH WAF 3 Recommandation Surveiller Tags 950734:sap-sapcontrol-path http_no_ua net_elasticsearch_probe Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible / Service ELASTICSEARCH Pourquoi cette classification : Tags WAF: sap-sapcontrol-path · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 1 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent — Règles WAF sap-sapcontrol-path Payload (extrait) GET / HTTP/1.0 Host: 62.3.50.33 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 1, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 36, "payload_entropy": 4.120635070586275, "port_category": "registered", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 141679, "country": "CN", "dst_port": 9200, "risk_waf": 20, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 50, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 20, "classification": 64, "behavior": 0, "geo": 0, "protocol": 50, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "95e5a5bd0dfa3f57edfa45640d852970309324d2", "event_fingerprint": "51cd5383980c299a7513ab00aa13577eca9d42fc", "classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 20, "classification": 64, "behavior": 0, "geo": 0, "protocol": 50, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "elasticsearch", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "061cf18e2bcd7614e9e52a476e472246", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 42 }, "payload_preview": "GET \/ HTTP\/1.0\r\nHost: 62.3.50.33\r\n\r\n", "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.0\r\nHost: 62.3.50.33\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.0\r\nHost: 62.3.50.33", "evidence": { "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.0\r\nHost: 62.3.50.33\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.0\r\nHost: 62.3.50.33", "classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ac6748796e4d2cdb6951523b37012b3f99a351ec", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/ HTTP\/1.0\r\nHost: 62.3.50.33", "attack_vector": "port scan syn \u00b7 via ELASTICSEARCH:9200 \u00b7 (reconnaissance)", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%", "classification_reason_label_fr": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via ELASTICSEARCH \u2014 multi-protocole (26 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 20, "classification": 64, "behavior": 0, "geo": 0, "protocol": 50, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "port scan syn \u00b7 via ELASTICSEARCH:9200 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.0\r\nHost: 62.3.50.33", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +23 \u00b7 1 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 28, "port_scan_ports_sample": [ 21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 9, "scan_velocity_ports_per_s": 1.85, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 26, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "http_no_ua", "net_elasticsearch_probe" ] }
15/06/2026 15:34:45 UTC	TCP	2376 · DOCKER TLS	docker-tls	Scan de ports port scan syn · via DOCKER TLS:2376 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur DOCKER-TLS WAF — Recommandation Surveiller Tags docker_api_probe docker_tls_emulated docker_tls_payload net_docker_tls_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2376 Chemin / cible — Service DOCKER TLS Payload ��XS�g}�% 6�7!"X��W�'�8_WJ� '�5�,�U�>D�Ê�� /��~MM� BJ��1>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Minecraft varint handshake SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��XS�g}�% 6�7!"X��W�'�8_WJ� '�5�,�U�>D�Ê�� /��~MM� BJ��1>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Requête brute (extrait) ��XS�g}�% 6�7!"X��W�'�8_WJ� '�5�,�U�>D�Ê�� /��~MM� BJ��1>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3��=<5/�u # ( +-3& Meta JSON brut { "protocol_emulated": true, "emulator_response": "15030300020228", "emulator_response_len": 7, "bytes_in": 517, "payload_entropy": 3.9413084606009825, "port_category": "registered", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "docker-tls", "app_proto": "docker-tls", "asn": 141679, "country": "CN", "dst_port": 2376, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 10, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 10 }, "risk_score": 42, "tag_count": 5, "anomaly_count": 0, "campaign_key": "8b17215afa683664673e4e271716fbb0ba8f91d8", "event_fingerprint": "0e1c691ada97ecfe1cd84524e4db6b819b7ed10b", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0554", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "Minecraft varint handshake", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0554", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 10, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "docker-tls", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "1d2669be5de01fac7070b55e44283fe2", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 2376, "service": "docker-tls", "service_name": "docker-tls", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\u0006XS\ufffdg\u0010}\ufffd% 6\ufffd7!\"X\ufffd\ufffdW\ufffd\u0018'\ufffd8_\u0015WJ\ufffd '\ufffd5\ufffd,\u001a\u0003\ufffdU\ufffd>D\ufffd\u00ca\ufffd\ufffd\t\ufffd\/\ufffd\ufffd~MM\ufffd BJ\ufffd\ufffd1\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "evidence": { "request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\u0006XS\ufffdg\u0010}\ufffd% 6\ufffd7!\"X\ufffd\ufffdW\ufffd\u0018'\ufffd8_\u0015WJ\ufffd '\ufffd5\ufffd,\u001a\u0003\ufffdU\ufffd>D\ufffd\u00ca\ufffd\ufffd\t\ufffd\/\ufffd\ufffd~MM\ufffd BJ\ufffd\ufffd1\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0001u\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000#\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u0000\r\u0000\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0003\u0001\u0003\u0002\u0004\u0002\u0005\u0002\u0006\u0002\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u0000-\u0000\u0002\u0001\u0001\u00003\u0000&\u0000", "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\u0006XS\ufffdg\u0010}\ufffd% 6\ufffd7!\"X\ufffd\ufffdW\ufffd\u0018'\ufffd8_\u0015WJ\ufffd '\ufffd5\ufffd,\u001a\u0003\ufffdU\ufffd>D\ufffd\u00ca\ufffd\ufffd\t\ufffd\/\ufffd\ufffd~MM\ufffd BJ\ufffd\ufffd1\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ee6b2e35d9d8a49ffc41d5fd993dc8b23b37ea7a", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\u0006XS\ufffdg\u0010}\ufffd% 6\ufffd7!\"X\ufffd\ufffdW\ufffd\u0018'\ufffd8_\u0015WJ\ufffd '\ufffd5\ufffd,\u001a\u0003\ufffdU\ufffd>D\ufffd\u00ca\ufffd\ufffd\t\ufffd\/\ufffd\ufffd~MM\ufffd BJ\ufffd\ufffd1\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "port": 2376, "service": "docker-tls", "service_label_fr": "DOCKER TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffdXS\ufffdg}\ufffd% 6\ufffd7!\"X\ufffd\ufffdW\ufffd'\ufffd8_WJ\ufffd '\ufffd5\ufffd,\ufffdU\ufffd>D\ufffd\u00ca\ufffd\ufffd\t\ufffd\/\ufffd\ufffd~MM\ufffd BJ\ufffd\ufffd1>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "attack_vector": "port scan syn \u00b7 via DOCKER TLS:2376 \u00b7 (reconnaissance)", "target_port_label": "2376 \u00b7 DOCKER TLS", "emulator_service": "docker-tls", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via DOCKER TLS \u2014 multi-protocole (26 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 10, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "docker-tls", "service_label_fr": "DOCKER TLS", "dst_port": 2376, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-docker-tls", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\u0006XS\ufffdg\u0010}\ufffd% 6\ufffd7!\"X\ufffd\ufffdW\ufffd\u0018'\ufffd8_\u0015WJ\ufffd '\ufffd5\ufffd,\u001a\u0003\ufffdU\ufffd>D\ufffd\u00ca\ufffd\ufffd\t\ufffd\/\ufffd\ufffd~MM\ufffd BJ\ufffd\ufffd1\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "port": 2376, "service": "docker-tls", "service_label_fr": "DOCKER TLS" }, "attack_vector": "port scan syn \u00b7 via DOCKER TLS:2376 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffd\ufffdXS\ufffdg}\ufffd% 6\ufffd7!\"X\ufffd\ufffdW\ufffd'\ufffd8_WJ\ufffd '\ufffd5\ufffd,\ufffdU\ufffd>D\ufffd\u00ca\ufffd\ufffd\t\ufffd\/\ufffd\ufffd~MM\ufffd BJ\ufffd\ufffd1>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "target_port_label": "2376 \u00b7 DOCKER TLS", "emulator_service": "docker-tls", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker_tls", "service_banner": "honeypot-docker-tls", "service_os": "linux", "dst_port": "2376" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 28, "port_scan_ports_sample": [ 21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 10, "scan_velocity_ports_per_s": 2.06, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 26, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_tls_emulated", "docker_tls_payload", "net_docker_tls_probe", "tls_clienthello" ] }
15/06/2026 15:34:45 UTC	TCP	5432 · POSTGRES	postgres	Scan de ports port scan syn · via POSTGRES:5432 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Handshake PostgreSQL (startup) Émulateur POSTGRES WAF — Recommandation Surveiller Tags net_bruteforce net_port_scan_fast postgres_emulated postgres_startup Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 5432 Chemin / cible — Service POSTGRES Payload userscanner Pourquoi cette classification : Rafale d'authentification SSH · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) RDP TPKT header ET H.323 setup Minecraft varint handshake User-Agent — Règles WAF — Payload (extrait) userscanner Meta JSON brut { "protocol_emulated": true, "emulator_response": "0000001252000000057573657200706f73746772657300", "emulator_response_len": 23, "bytes_in": 22, "payload_entropy": 2.799007754410897, "port_category": "registered", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "postgres", "app_proto": "postgres", "asn": 141679, "country": "CN", "dst_port": 5432, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 10, "risk_boost": 0, "risk_granularity": 2.9, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 10 }, "risk_score": 42, "tag_count": 5, "anomaly_count": 0, "campaign_key": "372f8e5262b87aa6a591343072589144c83d9049", "event_fingerprint": "5302d14dbea4b63204d1ed61b172d5e31032aca7", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0348", "pat-0868", "pat-0554" ], "matched_pattern_names": [ "RDP TPKT header", "ET H.323 setup", "Minecraft varint handshake" ], "pattern_ids": [ "pat-0348", "pat-0868", "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 10, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "postgres", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f7fc6a8deed7656fb98612c21bea0e33", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 5432, "service": "postgres", "service_name": "postgres", "risk_score": 42 }, "payload_preview": "\u0000\u0000\u0000 \u0000\u0003\u0000\u0000user\u0000scanner\u0000\u0000", "request_sample": "\u0000\u0000\u0000 \u0000\u0003\u0000\u0000user\u0000scanner\u0000\u0000", "payload_snippet": "\u0000\u0000\u0000 \u0000\u0003\u0000\u0000user\u0000scanner\u0000\u0000", "evidence": { "request_sample": "\u0000\u0000\u0000 \u0000\u0003\u0000\u0000user\u0000scanner\u0000\u0000", "payload_snippet": "\u0000\u0000\u0000 \u0000\u0003\u0000\u0000user\u0000scanner\u0000\u0000", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "dee93e4206208ad924ff3345ba8cc92e24ad1515", "protocol_details": { "postgres_startup_fr": "Handshake PostgreSQL (startup)", "payload_preview": "\u0000\u0000\u0000 \u0000\u0003\u0000\u0000user\u0000scanner\u0000\u0000", "port": 5432, "service": "postgres", "service_label_fr": "POSTGRES" }, "evidence_snippet": "userscanner", "attack_vector": "port scan syn \u00b7 via POSTGRES:5432 \u00b7 (reconnaissance)", "target_port_label": "5432 \u00b7 POSTGRES", "emulator_service": "postgres", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via POSTGRES \u2014 multi-protocole (26 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 10, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "postgres", "service_label_fr": "POSTGRES", "dst_port": 5432, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "PostgreSQL 15.4", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "postgres_startup_fr": "Handshake PostgreSQL (startup)", "payload_preview": "\u0000\u0000\u0000 \u0000\u0003\u0000\u0000user\u0000scanner\u0000\u0000", "port": 5432, "service": "postgres", "service_label_fr": "POSTGRES" }, "attack_vector": "port scan syn \u00b7 via POSTGRES:5432 \u00b7 (reconnaissance)", "evidence_snippet": "userscanner", "target_port_label": "5432 \u00b7 POSTGRES", "emulator_service": "postgres", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "postgres", "service_banner": "PostgreSQL 15.4", "service_os": "linux", "dst_port": "5432" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 28, "port_scan_ports_sample": [ 21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 11, "scan_velocity_ports_per_s": 2.2, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 26, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "net_bruteforce", "net_port_scan_fast", "postgres_emulated", "postgres_startup", "postgresql_probe" ] }
15/06/2026 15:34:43 UTC	TCP	873 · RSYNC	rsync	Scan de ports port scan syn · via RSYNC:873 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur RSYNC WAF — Recommandation Surveiller Tags net_port_scan_fast rsync_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 873 Chemin / cible — Service RSYNC Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "405253594e43443a2033312e3020686f6e6579706f74207273796e630a405253594e43443a2033312e3020686f6e6579706f74206d6f64756c65730a", "emulator_response_len": 60, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "well_known", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "rsync", "app_proto": "rsync", "asn": 141679, "country": "CN", "dst_port": 873, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.5, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "2b9924e4ee70903ed67db5f76eb0892ba7020d7c", "event_fingerprint": "946b05c81089bfc0460f7ef64cf5c3f3734227ed", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "rsync", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 873, "service": "rsync", "service_name": "rsync", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ce662a52958afa5105b86420b22ca8699c87383b", "protocol_details": { "port": 873, "service": "rsync", "service_label_fr": "RSYNC" }, "attack_vector": "port scan syn \u00b7 via RSYNC:873 \u00b7 (reconnaissance)", "target_port_label": "873 \u00b7 RSYNC", "emulator_service": "rsync", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via RSYNC \u2014 multi-protocole (26 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "rsync", "service_label_fr": "RSYNC", "dst_port": 873, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rsync", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 873, "service": "rsync", "service_label_fr": "RSYNC" }, "attack_vector": "port scan syn \u00b7 via RSYNC:873 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "873 \u00b7 RSYNC", "emulator_service": "rsync", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rsync", "service_banner": "honeypot-rsync", "service_os": "linux", "dst_port": "873" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 28, "port_scan_ports_sample": [ 21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 3, "scan_velocity_ports_per_s": 0.67, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 26, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "rsync_emulated" ] }
15/06/2026 15:34:40 UTC	TCP	2049 · NFS	nfs	Scan de ports port scan syn · via NFS:2049 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur NFS WAF — Recommandation Surveiller Tags net_port_scan_fast nfs_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2049 Chemin / cible — Service NFS Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "nfs", "app_proto": "nfs", "asn": 141679, "country": "CN", "dst_port": 2049, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.2, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "68b58f0f15ed4b19e30cd09adde9e2c2b4037b27", "event_fingerprint": "406f1fb049fa29b057884fc3ea6c98702c6088ca", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "nfs", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 2049, "service": "nfs", "service_name": "nfs", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "96e932f0b6d1ab2456ebe4d4ed0aac5585862d74", "protocol_details": { "port": 2049, "service": "nfs", "service_label_fr": "NFS" }, "attack_vector": "port scan syn \u00b7 via NFS:2049 \u00b7 (reconnaissance)", "target_port_label": "2049 \u00b7 NFS", "emulator_service": "nfs", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via NFS \u2014 multi-protocole (26 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "nfs", "service_label_fr": "NFS", "dst_port": 2049, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-nfs", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 2049, "service": "nfs", "service_label_fr": "NFS" }, "attack_vector": "port scan syn \u00b7 via NFS:2049 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "2049 \u00b7 NFS", "emulator_service": "nfs", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "nfs", "service_banner": "honeypot-nfs", "service_os": "linux", "dst_port": "2049" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 28, "port_scan_ports_sample": [ 21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 3, "scan_velocity_ports_per_s": 0.65, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 26, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "nfs_emulated" ] }
15/06/2026 15:34:38 UTC	TCP	3389 · RDP	rdp	Scan de ports port scan syn · via RDP:3389 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur RDP WAF — Recommandation Surveiller Tags net_bruteforce_burst net_port_scan_fast rdp_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3389 Chemin / cible — Service RDP Pourquoi cette classification : Rafale d'authentification SSH · confiance 100% Confiance classification 100% Corrélation +19 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "rdp", "app_proto": "rdp", "asn": 141679, "country": "CN", "dst_port": 3389, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.6, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "10f513de6771c2bb9e1eb75b90ad6f8a88fda359", "event_fingerprint": "e363e414733e6c4de1b1bc87369dc66f1f76c868", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 19 }, "named_classification_skipped": false, "service_name": "rdp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 3389, "service": "rdp", "service_name": "rdp", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "28cdae5ecef4b3abc2066dd4ab37f8343d24b3dc", "protocol_details": { "port": 3389, "service": "rdp", "service_label_fr": "RDP" }, "attack_vector": "port scan syn \u00b7 via RDP:3389 \u00b7 (reconnaissance)", "target_port_label": "3389 \u00b7 RDP", "emulator_service": "rdp", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via RDP \u2014 multi-protocole (26 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 19 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "rdp", "service_label_fr": "RDP", "dst_port": 3389, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Windows RDP", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +19", "protocol_details": { "port": 3389, "service": "rdp", "service_label_fr": "RDP" }, "attack_vector": "port scan syn \u00b7 via RDP:3389 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "3389 \u00b7 RDP", "emulator_service": "rdp", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +19", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rdp", "service_banner": "Windows RDP", "service_os": "windows", "dst_port": "3389" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 28, "port_scan_ports_sample": [ 21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379 ], "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 26, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 19, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_bruteforce_burst", "net_port_scan_fast", "rdp_emulated" ] }
15/06/2026 15:34:34 UTC	TCP	8888 · HTTP	http	Scan de ports port scan syn · via HTTP:8888 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur HTTP WAF — Recommandation Surveiller Tags http_alt_dev_port http_alt_port net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8888 Chemin / cible — Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) HTTP alt 8888 probe User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "http", "app_proto": "http", "asn": 141679, "country": "CN", "dst_port": 8888, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "892aec0465da3cfaf267dca07b46901a8e105eb0", "event_fingerprint": "f92f3292c2e4220234c2782b1e39bdbad68f1d01", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0599" ], "matched_pattern_names": [ "HTTP alt 8888 probe" ], "pattern_ids": [ "pat-0599" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 8888, "service": "http", "service_name": "http", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c10e94820bcf1ef5fb4f709c89921265c377741e", "protocol_details": { "port": 8888, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:8888 \u00b7 (reconnaissance)", "target_port_label": "8888 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8888, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 8888, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:8888 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "8888 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8888" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 27, "port_scan_ports_sample": [ 21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 27, "scan_velocity_ports_per_s": 5.59, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 26, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_dev_port", "http_alt_port", "net_port_scan_fast" ] }
15/06/2026 15:34:34 UTC	TCP	9000 · HTTP	http	Scan de ports port scan syn · via HTTP:9000 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur HTTP WAF — Recommandation Surveiller Tags http_alt_dev_port http_alt_port net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9000 Chemin / cible — Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "http", "app_proto": "http", "asn": 141679, "country": "CN", "dst_port": 9000, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.6, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "97dde639ecc91a3a733f93274a66d67cb7adda85", "event_fingerprint": "c191fd7753de9ec898a5acf873c182d0ba49940e", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9000, "service": "http", "service_name": "http", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b250643fdba12cdb34d85c042e5c1ab87d2f2399", "protocol_details": { "port": 9000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:9000 \u00b7 (reconnaissance)", "target_port_label": "9000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 9000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:9000 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "9000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 28, "port_scan_ports_sample": [ 21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 28, "scan_velocity_ports_per_s": 5.71, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 26, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_dev_port", "http_alt_port", "net_port_scan_fast" ] }
15/06/2026 15:34:33 UTC	TCP	5901 · VNC	vnc	Scan de ports port scan syn · via VNC:5901 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur VNC WAF — Recommandation Surveiller Tags net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 5901 Chemin / cible — Service VNC Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 1 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "vnc", "app_proto": "vnc", "asn": 141679, "country": "CN", "dst_port": 5901, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 1, "anomaly_count": 0, "campaign_key": "1b0a8dfabeea22865ca682ed240153e6e7261766", "event_fingerprint": "1f120765377258e8d734a87494c566260cf9e406", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "vnc", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 5901, "service": "vnc", "service_name": "vnc", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6822bcdc268f5cd61436ff5b2c889cd3431ab479", "protocol_details": { "port": 5901, "service": "vnc", "service_label_fr": "VNC" }, "attack_vector": "port scan syn \u00b7 via VNC:5901 \u00b7 (reconnaissance)", "target_port_label": "5901 \u00b7 VNC", "emulator_service": "vnc", "confidence_reason": "Confiance 100 % \u2014 1 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via VNC \u2014 multi-protocole (15 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "vnc", "service_label_fr": "VNC", "dst_port": 5901, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-vnc", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "port": 5901, "service": "vnc", "service_label_fr": "VNC" }, "attack_vector": "port scan syn \u00b7 via VNC:5901 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "5901 \u00b7 VNC", "emulator_service": "vnc", "confidence_reason": "Confiance 100 % \u2014 1 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "vnc", "service_banner": "honeypot-vnc", "service_os": "linux", "dst_port": "5901" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 15, "port_scan_ports_sample": [ 22, 23, 1433, 2375, 2376, 3306, 3389, 5432, 5901, 6379, 6443, 9200, 10250, 11211, 27017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 15, "scan_velocity_ports_per_s": 4.29, "multi_protocol_correlation": true, "multi_protocol_count": 15, "multi_protocol_sample": [ "docker", "docker-tls", "elasticsearch", "k8s-api", "kubelet", "memcached", "mongodb", "mssql" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast" ] }
15/06/2026 15:34:33 UTC	TCP	21 · FTP	ftp	Scan de ports port scan syn · via FTP:21 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Sonde protocole FTP Émulateur FTP WAF — Recommandation Surveiller Tags ftp_emulated net_bruteforce_burst net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 21 Chemin / cible — Service FTP Pourquoi cette classification : Rafale d'authentification SSH · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f7420465450205365727665722072656164792e0d0a", "emulator_response_len": 32, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "well_known", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "ftp", "app_proto": "ftp", "asn": 141679, "country": "CN", "dst_port": 21, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "1c2e3b4d6bfb5ebd3a4fc0cb9495918eababa190", "event_fingerprint": "9031dd2c4b6735507ef78d847b42e7fda3d480dc", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "ftp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 21, "service": "ftp", "service_name": "ftp", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "86741c785ad85d2c2164e0b0d81fa19001b0f3a6", "protocol_details": { "ftp_auth_fr": "Sonde protocole FTP", "port": 21, "service": "ftp", "service_label_fr": "FTP" }, "attack_vector": "port scan syn \u00b7 via FTP:21 \u00b7 (reconnaissance)", "target_port_label": "21 \u00b7 FTP", "emulator_service": "ftp", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via FTP \u2014 multi-protocole (16 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "ftp", "service_label_fr": "FTP", "dst_port": 21, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-ftp", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "ftp_auth_fr": "Sonde protocole FTP", "port": 21, "service": "ftp", "service_label_fr": "FTP" }, "attack_vector": "port scan syn \u00b7 via FTP:21 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "21 \u00b7 FTP", "emulator_service": "ftp", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ftp", "service_banner": "honeypot-ftp", "service_os": "linux", "dst_port": "21" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 16, "port_scan_ports_sample": [ 21, 22, 23, 1433, 2375, 2376, 3306, 3389, 5432, 5901, 6379, 6443, 9200, 10250, 11211, 27017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 16, "scan_velocity_ports_per_s": 4.51, "multi_protocol_correlation": true, "multi_protocol_count": 16, "multi_protocol_sample": [ "docker", "docker-tls", "elasticsearch", "ftp", "k8s-api", "kubelet", "memcached", "mongodb" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "ftp_emulated", "net_bruteforce_burst", "net_port_scan_fast" ] }
15/06/2026 15:34:33 UTC	TCP	2049 · NFS	nfs	Scan de ports port scan syn · via NFS:2049 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur NFS WAF — Recommandation Surveiller Tags net_port_scan_fast nfs_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2049 Chemin / cible — Service NFS Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "nfs", "app_proto": "nfs", "asn": 141679, "country": "CN", "dst_port": 2049, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.2, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "68b58f0f15ed4b19e30cd09adde9e2c2b4037b27", "event_fingerprint": "406f1fb049fa29b057884fc3ea6c98702c6088ca", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "nfs", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 2049, "service": "nfs", "service_name": "nfs", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "96e932f0b6d1ab2456ebe4d4ed0aac5585862d74", "protocol_details": { "port": 2049, "service": "nfs", "service_label_fr": "NFS" }, "attack_vector": "port scan syn \u00b7 via NFS:2049 \u00b7 (reconnaissance)", "target_port_label": "2049 \u00b7 NFS", "emulator_service": "nfs", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via NFS \u2014 multi-protocole (17 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "nfs", "service_label_fr": "NFS", "dst_port": 2049, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-nfs", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "port": 2049, "service": "nfs", "service_label_fr": "NFS" }, "attack_vector": "port scan syn \u00b7 via NFS:2049 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "2049 \u00b7 NFS", "emulator_service": "nfs", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "nfs", "service_banner": "honeypot-nfs", "service_os": "linux", "dst_port": "2049" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 17, "port_scan_ports_sample": [ 21, 22, 23, 1433, 2049, 2375, 2376, 3306, 3389, 5432, 5901, 6379, 6443, 9200, 10250, 11211 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 17, "scan_velocity_ports_per_s": 4.7, "multi_protocol_correlation": true, "multi_protocol_count": 17, "multi_protocol_sample": [ "docker", "docker-tls", "elasticsearch", "ftp", "k8s-api", "kubelet", "memcached", "mongodb" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "nfs_emulated" ] }
15/06/2026 15:34:33 UTC	TCP	873 · RSYNC	rsync	Scan de ports port scan syn · via RSYNC:873 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur RSYNC WAF — Recommandation Surveiller Tags net_port_scan_fast rsync_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 873 Chemin / cible — Service RSYNC Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "405253594e43443a2033312e3020686f6e6579706f74207273796e630a405253594e43443a2033312e3020686f6e6579706f74206d6f64756c65730a", "emulator_response_len": 60, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "well_known", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "rsync", "app_proto": "rsync", "asn": 141679, "country": "CN", "dst_port": 873, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.5, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "2b9924e4ee70903ed67db5f76eb0892ba7020d7c", "event_fingerprint": "946b05c81089bfc0460f7ef64cf5c3f3734227ed", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "rsync", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 873, "service": "rsync", "service_name": "rsync", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ce662a52958afa5105b86420b22ca8699c87383b", "protocol_details": { "port": 873, "service": "rsync", "service_label_fr": "RSYNC" }, "attack_vector": "port scan syn \u00b7 via RSYNC:873 \u00b7 (reconnaissance)", "target_port_label": "873 \u00b7 RSYNC", "emulator_service": "rsync", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via RSYNC \u2014 multi-protocole (18 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "rsync", "service_label_fr": "RSYNC", "dst_port": 873, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rsync", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "port": 873, "service": "rsync", "service_label_fr": "RSYNC" }, "attack_vector": "port scan syn \u00b7 via RSYNC:873 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "873 \u00b7 RSYNC", "emulator_service": "rsync", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rsync", "service_banner": "honeypot-rsync", "service_os": "linux", "dst_port": "873" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 18, "port_scan_ports_sample": [ 21, 22, 23, 873, 1433, 2049, 2375, 2376, 3306, 3389, 5432, 5901, 6379, 6443, 9200, 10250 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 18, "scan_velocity_ports_per_s": 4.96, "multi_protocol_correlation": true, "multi_protocol_count": 18, "multi_protocol_sample": [ "docker", "docker-tls", "elasticsearch", "ftp", "k8s-api", "kubelet", "memcached", "mongodb" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "rsync_emulated" ] }
15/06/2026 15:34:33 UTC	TCP	8443 · HTTPS	https	Scan de ports port scan syn · via HTTPS:8443 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur HTTPS WAF — Recommandation Surveiller Tags http_alt_port net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Service HTTPS Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "https", "app_proto": "https", "asn": 141679, "country": "CN", "dst_port": 8443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "9acc5b3bdfe39add3f9ff589870febf3438dd603", "event_fingerprint": "ebbf50493a5cd01037444d3e811aea60318e67dd", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 8443, "service": "https", "service_name": "https", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "954d96693181dbb5c58d837e52a06eb22c8ec96f", "protocol_details": { "port": 8443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "port scan syn \u00b7 via HTTPS:8443 \u00b7 (reconnaissance)", "target_port_label": "8443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTPS \u2014 multi-protocole (19 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 8443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 8443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "port scan syn \u00b7 via HTTPS:8443 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "8443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "8443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 19, "port_scan_ports_sample": [ 21, 22, 23, 873, 1433, 2049, 2375, 2376, 3306, 3389, 5432, 5901, 6379, 6443, 8443, 9200 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 19, "scan_velocity_ports_per_s": 5.13, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 19, "multi_protocol_sample": [ "docker", "docker-tls", "elasticsearch", "ftp", "https", "k8s-api", "kubelet", "memcached" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "net_port_scan_fast" ] }
15/06/2026 15:34:33 UTC	TCP	8080 · HTTP	http	Scan de ports port scan syn · via HTTP:8080 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur HTTP WAF — Recommandation Surveiller Tags http_alt_8080 http_alt_port net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8080 Chemin / cible — Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "http", "app_proto": "http", "asn": 141679, "country": "CN", "dst_port": 8080, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "73cca68174ce68adee0e170c4736a1ebd671319e", "event_fingerprint": "e55982b22f31a81784591017cacbf3c0409fb764", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "757ce3e985319ee1cbf62e60479f8d1977447225", "protocol_details": { "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance)", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (20 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 20, "port_scan_ports_sample": [ 21, 22, 23, 873, 1433, 2049, 2375, 2376, 3306, 3389, 5432, 5901, 6379, 6443, 8080, 8443 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 20, "scan_velocity_ports_per_s": 5.39, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 20, "multi_protocol_sample": [ "docker", "docker-tls", "elasticsearch", "ftp", "http", "https", "k8s-api", "kubelet" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_8080", "http_alt_port", "net_port_scan_fast" ], "behavior_alert_count": 1, "behavior_priority": 84 }
15/06/2026 15:34:33 UTC	TCP	5000 · FLASK HTTP	flask-http	Scan de ports port scan syn · via FLASK HTTP:5000 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur FLASK-HTTP WAF — Recommandation Surveiller Tags flask_http_emulated net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 5000 Chemin / cible — Service FLASK HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "flask-http", "app_proto": "flask-http", "asn": 141679, "country": "CN", "dst_port": 5000, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "5260fec0ed25eb6d8e481670ebcec24514cb5c60", "event_fingerprint": "8d0a84b1f7d0da0d7e3e8cefee8d1ec30015078c", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "flask-http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 5000, "service": "flask-http", "service_name": "flask-http", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e3ac75289e64ebe63aaa69d0a2660d0d430458a0", "protocol_details": { "port": 5000, "service": "flask-http", "service_label_fr": "FLASK HTTP" }, "attack_vector": "port scan syn \u00b7 via FLASK HTTP:5000 \u00b7 (reconnaissance)", "target_port_label": "5000 \u00b7 FLASK HTTP", "emulator_service": "flask-http", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via FLASK HTTP \u2014 multi-protocole (21 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "flask-http", "service_label_fr": "FLASK HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-flask-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 5000, "service": "flask-http", "service_label_fr": "FLASK HTTP" }, "attack_vector": "port scan syn \u00b7 via FLASK HTTP:5000 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "5000 \u00b7 FLASK HTTP", "emulator_service": "flask-http", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "flask_http", "service_banner": "honeypot-flask-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 21, "port_scan_ports_sample": [ 21, 22, 23, 873, 1433, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5901, 6379, 6443, 8080 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 21, "scan_velocity_ports_per_s": 5.46, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 21, "multi_protocol_sample": [ "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http", "https", "k8s-api" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "flask_http_emulated", "net_port_scan_fast" ] }
15/06/2026 15:34:33 UTC	TCP	1883 · MQTT	mqtt	Scan de ports port scan syn · via MQTT:1883 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Connexion MQTT (CONNECT) Émulateur MQTT WAF — Recommandation Surveiller Tags mqtt_emulated net_bruteforce_burst net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 1883 Chemin / cible — Service MQTT MQTT Connexion MQTT (CONNECT) Pourquoi cette classification : Rafale d'authentification SSH · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "mqtt", "app_proto": "mqtt", "asn": 141679, "country": "CN", "dst_port": 1883, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "3dcecb1b8ce8d8b7b1debf4bd2c8687d4917e183", "event_fingerprint": "fee8f8e86b21ce5d7cca835e505fd9e20340232a", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "mqtt", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 1883, "service": "mqtt", "service_name": "mqtt", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b0074c76c40c881153affd1ba1c9a66d45f33d6a", "protocol_details": { "mqtt_connect_fr": "Connexion MQTT (CONNECT)", "port": 1883, "service": "mqtt", "service_label_fr": "MQTT" }, "attack_vector": "port scan syn \u00b7 via MQTT:1883 \u00b7 (reconnaissance)", "target_port_label": "1883 \u00b7 MQTT", "emulator_service": "mqtt", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via MQTT \u2014 multi-protocole (22 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "mqtt", "service_label_fr": "MQTT", "dst_port": 1883, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "MQTT 3.1.1", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "mqtt_connect_fr": "Connexion MQTT (CONNECT)", "port": 1883, "service": "mqtt", "service_label_fr": "MQTT" }, "attack_vector": "port scan syn \u00b7 via MQTT:1883 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "1883 \u00b7 MQTT", "emulator_service": "mqtt", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "mqtt", "service_banner": "MQTT 3.1.1", "service_os": "iot", "dst_port": "1883" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 22, "port_scan_ports_sample": [ 21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5901, 6379, 6443 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 22, "scan_velocity_ports_per_s": 5.66, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 22, "multi_protocol_sample": [ "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http", "https", "k8s-api" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "mqtt_emulated", "net_bruteforce_burst", "net_port_scan_fast" ] }
15/06/2026 15:34:33 UTC	TCP	8883 · MQTTS	mqtts	Scan de ports port scan syn · via MQTTS:8883 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur MQTTS WAF — Recommandation Surveiller Tags mqtts_emulated net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8883 Chemin / cible — Service MQTTS Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "mqtts", "app_proto": "mqtts", "asn": 141679, "country": "CN", "dst_port": 8883, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "b18162c88c48e6748f5d3cd9e0b8d07abc9e1476", "event_fingerprint": "25dd54199c1aabd249dd54e6daebc9ce369e03f7", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "mqtts", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 8883, "service": "mqtts", "service_name": "mqtts", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e8daafd10fd2124d6bbbb5772418bf282039d3e3", "protocol_details": { "port": 8883, "service": "mqtts", "service_label_fr": "MQTTS" }, "attack_vector": "port scan syn \u00b7 via MQTTS:8883 \u00b7 (reconnaissance)", "target_port_label": "8883 \u00b7 MQTTS", "emulator_service": "mqtts", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via MQTTS \u2014 multi-protocole (23 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "mqtts", "service_label_fr": "MQTTS", "dst_port": 8883, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-mqtts", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 8883, "service": "mqtts", "service_label_fr": "MQTTS" }, "attack_vector": "port scan syn \u00b7 via MQTTS:8883 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "8883 \u00b7 MQTTS", "emulator_service": "mqtts", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "mqtts", "service_banner": "honeypot-mqtts", "service_os": "linux", "dst_port": "8883" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 23, "port_scan_ports_sample": [ 21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5901, 6379, 6443 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 23, "scan_velocity_ports_per_s": 5.75, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 23, "multi_protocol_sample": [ "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http", "https", "k8s-api" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "mqtts_emulated", "net_port_scan_fast" ] }
15/06/2026 15:34:33 UTC	TCP	5672 · AMQP	amqp	Scan de ports port scan syn · via AMQP:5672 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur AMQP WAF — Recommandation Surveiller Tags amqp_emulated net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 5672 Chemin / cible — Service AMQP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "414d515000000901010000000000000e000a000b000000000000000000", "emulator_response_len": 29, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "amqp", "app_proto": "amqp", "asn": 141679, "country": "CN", "dst_port": 5672, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5.5, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "f838fa1738be90bb5cded0c7bcda986f4e2b9f2f", "event_fingerprint": "72ebc770e2cb1f40c3f18b5b4bc5c4fa513f5b29", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "amqp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 5672, "service": "amqp", "service_name": "amqp", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fbac36b491a1db41f6c336a7c16dcfcc2f20fc5e", "protocol_details": { "port": 5672, "service": "amqp", "service_label_fr": "AMQP" }, "attack_vector": "port scan syn \u00b7 via AMQP:5672 \u00b7 (reconnaissance)", "target_port_label": "5672 \u00b7 AMQP", "emulator_service": "amqp", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via AMQP \u2014 multi-protocole (24 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "amqp", "service_label_fr": "AMQP", "dst_port": 5672, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-amqp", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 5672, "service": "amqp", "service_label_fr": "AMQP" }, "attack_vector": "port scan syn \u00b7 via AMQP:5672 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "5672 \u00b7 AMQP", "emulator_service": "amqp", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "amqp", "service_banner": "honeypot-amqp", "service_os": "linux", "dst_port": "5672" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 24, "port_scan_ports_sample": [ 21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 24, "scan_velocity_ports_per_s": 5.98, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 24, "multi_protocol_sample": [ "amqp", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http", "https" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "amqp_emulated", "net_port_scan_fast" ] }
15/06/2026 15:34:33 UTC	TCP	15672 · RabbitMQ Management	rabbitmq-mgmt	Scan de ports port scan syn · via RabbitMQ Management:15672 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur RABBITMQ-MGMT WAF — Recommandation Surveiller Tags net_port_scan_fast rabbitmq_mgmt_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 15672 Chemin / cible — Service RabbitMQ Management Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "rabbitmq-mgmt", "app_proto": "rabbitmq-mgmt", "asn": 141679, "country": "CN", "dst_port": 15672, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "7b41aa778f3b277891f8aa814f03d8b8fef7f251", "event_fingerprint": "457ef3ebe5a41038a591a4d492268aaeb6480900", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "rabbitmq-mgmt", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 15672, "service": "rabbitmq-mgmt", "service_name": "rabbitmq-mgmt", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "19f03db33f2d47b724ba2245656928e4e00e753c", "protocol_details": { "port": 15672, "service": "rabbitmq-mgmt", "service_label_fr": "RabbitMQ Management" }, "attack_vector": "port scan syn \u00b7 via RabbitMQ Management:15672 \u00b7 (reconnaissance)", "target_port_label": "15672 \u00b7 RabbitMQ Management", "emulator_service": "rabbitmq-mgmt", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via RabbitMQ Management \u2014 multi-protocole (25 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "rabbitmq-mgmt", "service_label_fr": "RabbitMQ Management", "dst_port": 15672, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rabbitmq-mgmt", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 15672, "service": "rabbitmq-mgmt", "service_label_fr": "RabbitMQ Management" }, "attack_vector": "port scan syn \u00b7 via RabbitMQ Management:15672 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "15672 \u00b7 RabbitMQ Management", "emulator_service": "rabbitmq-mgmt", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rabbitmq_mgmt", "service_banner": "honeypot-rabbitmq-mgmt", "service_os": "linux", "dst_port": "15672" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 25, "port_scan_ports_sample": [ 21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 25, "scan_velocity_ports_per_s": 6.08, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 25, "multi_protocol_sample": [ "amqp", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http", "https" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "rabbitmq_mgmt_emulated" ] }
15/06/2026 15:34:33 UTC	TCP	9042 · CASSANDRA	cassandra	Scan de ports port scan syn · via CASSANDRA:9042 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur CASSANDRA WAF — Recommandation Surveiller Tags cassandra_emulated net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9042 Chemin / cible — Service CASSANDRA Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "840000000200000002", "emulator_response_len": 9, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "cassandra", "app_proto": "cassandra", "asn": 141679, "country": "CN", "dst_port": 9042, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "1003280d273727fcc08ab3d788c35acf5b6d718b", "event_fingerprint": "26d8e48a1f6752aca7f9494557834abf00d18b90", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "cassandra", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9042, "service": "cassandra", "service_name": "cassandra", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "34e68eb852d7e20f3be478cf4609668da0b4a0e3", "protocol_details": { "port": 9042, "service": "cassandra", "service_label_fr": "CASSANDRA" }, "attack_vector": "port scan syn \u00b7 via CASSANDRA:9042 \u00b7 (reconnaissance)", "target_port_label": "9042 \u00b7 CASSANDRA", "emulator_service": "cassandra", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via CASSANDRA \u2014 multi-protocole (26 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "cassandra", "service_label_fr": "CASSANDRA", "dst_port": 9042, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-cassandra", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 9042, "service": "cassandra", "service_label_fr": "CASSANDRA" }, "attack_vector": "port scan syn \u00b7 via CASSANDRA:9042 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "9042 \u00b7 CASSANDRA", "emulator_service": "cassandra", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "cassandra", "service_banner": "honeypot-cassandra", "service_os": "linux", "dst_port": "9042" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 26, "port_scan_ports_sample": [ 21, 22, 23, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5901, 6379 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 26, "scan_velocity_ports_per_s": 6.24, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 26, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "cassandra_emulated", "net_port_scan_fast" ] }
15/06/2026 15:34:32 UTC	TCP	3306 · MYSQL	mysql	Scan de ports port scan syn · via MYSQL:3306 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur MYSQL WAF — Recommandation Surveiller Tags mysql_emulated mysql_handshake net_mysql_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3306 Chemin / cible — Service MYSQL Pourquoi cette classification : Poignée de main MySQL · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "380000000a382e302e33322d4d7953514c0004030201112233445566778899aabbccddeeff006d7973716c5f6e61746976655f70617373776f726400", "emulator_response_len": 60, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "mysql", "app_proto": "mysql", "asn": 141679, "country": "CN", "dst_port": 3306, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "bef1cad8d681313ebc2fad5890e78941ae733f15", "event_fingerprint": "7e64d2ea7efbfd080eb620b69c685e7503a67a61", "classification_reason": "Poign\u00e9e de main MySQL \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "mysql", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 3306, "service": "mysql", "service_name": "mysql", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4585d42d001ee203391bb3040a1d5ecd75e8f6ba", "protocol_details": { "mysql_auth_fr": "Handshake MySQL (auth)", "port": 3306, "service": "mysql", "service_label_fr": "MYSQL" }, "attack_vector": "port scan syn \u00b7 via MYSQL:3306 \u00b7 (reconnaissance)", "target_port_label": "3306 \u00b7 MYSQL", "emulator_service": "mysql", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Poign\u00e9e de main MySQL \u00b7 confiance 100%", "classification_reason_label_fr": "Poign\u00e9e de main MySQL \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via MYSQL \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "mysql", "service_label_fr": "MYSQL", "dst_port": 3306, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "8.0.32-MySQL", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "mysql_auth_fr": "Handshake MySQL (auth)", "port": 3306, "service": "mysql", "service_label_fr": "MYSQL" }, "attack_vector": "port scan syn \u00b7 via MYSQL:3306 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "3306 \u00b7 MYSQL", "emulator_service": "mysql", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "mysql", "service_banner": "8.0.32-MySQL", "service_os": "linux", "dst_port": "3306" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 8, "port_scan_ports_sample": [ 1433, 2375, 3306, 6379, 9200, 10250, 11211, 27017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 8, "scan_velocity_ports_per_s": 2.43, "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "docker", "elasticsearch", "kubelet", "memcached", "mongodb", "mssql", "mysql", "redis" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "mysql_emulated", "mysql_handshake", "net_mysql_probe" ] }
15/06/2026 15:34:32 UTC	TCP	5432 · POSTGRES	postgres	Scan de ports port scan syn · via POSTGRES:5432 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Handshake PostgreSQL (startup) Émulateur POSTGRES WAF — Recommandation Surveiller Tags net_postgresql_probe postgres_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 5432 Chemin / cible — Service POSTGRES Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "postgres", "app_proto": "postgres", "asn": 141679, "country": "CN", "dst_port": 5432, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "272205ffb91c9631a06988b863bb09a8579d4d67", "event_fingerprint": "4ccb9ae5aa8fe2eee37acc0e9b054ffd0269442f", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "postgres", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 5432, "service": "postgres", "service_name": "postgres", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8595a29246f46661d8df7e7b105c632b170680fe", "protocol_details": { "postgres_startup_fr": "Handshake PostgreSQL (startup)", "port": 5432, "service": "postgres", "service_label_fr": "POSTGRES" }, "attack_vector": "port scan syn \u00b7 via POSTGRES:5432 \u00b7 (reconnaissance)", "target_port_label": "5432 \u00b7 POSTGRES", "emulator_service": "postgres", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via POSTGRES \u2014 multi-protocole (9 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "postgres", "service_label_fr": "POSTGRES", "dst_port": 5432, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "PostgreSQL 15.4", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "postgres_startup_fr": "Handshake PostgreSQL (startup)", "port": 5432, "service": "postgres", "service_label_fr": "POSTGRES" }, "attack_vector": "port scan syn \u00b7 via POSTGRES:5432 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "5432 \u00b7 POSTGRES", "emulator_service": "postgres", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "postgres", "service_banner": "PostgreSQL 15.4", "service_os": "linux", "dst_port": "5432" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 9, "port_scan_ports_sample": [ 1433, 2375, 3306, 5432, 6379, 9200, 10250, 11211, 27017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 9, "scan_velocity_ports_per_s": 2.73, "multi_protocol_correlation": true, "multi_protocol_count": 9, "multi_protocol_sample": [ "docker", "elasticsearch", "kubelet", "memcached", "mongodb", "mssql", "mysql", "postgres" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_postgresql_probe", "postgres_emulated" ] }
15/06/2026 15:34:32 UTC	TCP	6443 · K8S API	k8s-api	Scan de ports port scan syn · via K8S API:6443 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur K8S-API WAF — Recommandation Surveiller Tags k8s_api_emulated net_kubernetes_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 6443 Chemin / cible — Service K8S API Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75", "emulator_response_len": 165, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "k8s-api", "app_proto": "k8s-api", "asn": 141679, "country": "CN", "dst_port": 6443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "8100e0ba2951eda4f623efc9a065b92ccaae19c9", "event_fingerprint": "5535c85e0f6854b807e5b9ef895f87dbea310cc1", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "k8s-api", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 6443, "service": "k8s-api", "service_name": "k8s-api", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7831a0932ab5639dd4f44654ff2355fc8cb2f0aa", "protocol_details": { "port": 6443, "service": "k8s-api", "service_label_fr": "K8S API" }, "attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)", "target_port_label": "6443 \u00b7 K8S API", "emulator_service": "k8s-api", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (10 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "k8s-api", "service_label_fr": "K8S API", "dst_port": 6443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-k8s-api", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "port": 6443, "service": "k8s-api", "service_label_fr": "K8S API" }, "attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "6443 \u00b7 K8S API", "emulator_service": "k8s-api", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "k8s_api", "service_banner": "honeypot-k8s-api", "service_os": "linux", "dst_port": "6443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 10, "port_scan_ports_sample": [ 1433, 2375, 3306, 5432, 6379, 6443, 9200, 10250, 11211, 27017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 10, "scan_velocity_ports_per_s": 3, "multi_protocol_correlation": true, "multi_protocol_count": 10, "multi_protocol_sample": [ "docker", "elasticsearch", "k8s-api", "kubelet", "memcached", "mongodb", "mssql", "mysql" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "k8s_api_emulated", "net_kubernetes_probe" ] }
15/06/2026 15:34:32 UTC	TCP	2376 · DOCKER TLS	docker-tls	Scan de ports port scan syn · via DOCKER TLS:2376 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur DOCKER-TLS WAF — Recommandation Surveiller Tags docker_tls_emulated net_docker_tls_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2376 Chemin / cible — Service DOCKER TLS Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "15030300020228", "emulator_response_len": 7, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "docker-tls", "app_proto": "docker-tls", "asn": 141679, "country": "CN", "dst_port": 2376, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "f21ba41294d0290ba258c221013f4610a4db2a27", "event_fingerprint": "0e1c691ada97ecfe1cd84524e4db6b819b7ed10b", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "docker-tls", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 2376, "service": "docker-tls", "service_name": "docker-tls", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f1da067582b1aac5d6c01c21e0739934c4729b99", "protocol_details": { "port": 2376, "service": "docker-tls", "service_label_fr": "DOCKER TLS" }, "attack_vector": "port scan syn \u00b7 via DOCKER TLS:2376 \u00b7 (reconnaissance)", "target_port_label": "2376 \u00b7 DOCKER TLS", "emulator_service": "docker-tls", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via DOCKER TLS \u2014 multi-protocole (11 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "docker-tls", "service_label_fr": "DOCKER TLS", "dst_port": 2376, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-docker-tls", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "port": 2376, "service": "docker-tls", "service_label_fr": "DOCKER TLS" }, "attack_vector": "port scan syn \u00b7 via DOCKER TLS:2376 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "2376 \u00b7 DOCKER TLS", "emulator_service": "docker-tls", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker_tls", "service_banner": "honeypot-docker-tls", "service_os": "linux", "dst_port": "2376" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 11, "port_scan_ports_sample": [ 1433, 2375, 2376, 3306, 5432, 6379, 6443, 9200, 10250, 11211, 27017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 11, "scan_velocity_ports_per_s": 3.26, "multi_protocol_correlation": true, "multi_protocol_count": 11, "multi_protocol_sample": [ "docker", "docker-tls", "elasticsearch", "k8s-api", "kubelet", "memcached", "mongodb", "mssql" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "docker_tls_emulated", "net_docker_tls_probe" ] }
15/06/2026 15:34:32 UTC	TCP	23 · Telnet	telnet	Scan de ports port scan syn · via Telnet:23 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_bruteforce_burst net_port_scan_fast telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Service Telnet Pourquoi cette classification : Rafale d'authentification SSH · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "well_known", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "telnet", "app_proto": "telnet", "asn": 141679, "country": "CN", "dst_port": 23, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "48d8b4c7f2062b33e6f848537fa0c8db6498193d", "event_fingerprint": "b01c5d414ece661f92cba2c282935e85d119d5b1", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "telnet", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f7dbc040b9cb1a53a382d952cdc79ad2227ec11e", "protocol_details": { "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port scan syn \u00b7 via Telnet:23 \u00b7 (reconnaissance)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via Telnet \u2014 multi-protocole (12 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port scan syn \u00b7 via Telnet:23 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 12, "port_scan_ports_sample": [ 23, 1433, 2375, 2376, 3306, 5432, 6379, 6443, 9200, 10250, 11211, 27017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 12, "scan_velocity_ports_per_s": 3.52, "multi_protocol_correlation": true, "multi_protocol_count": 12, "multi_protocol_sample": [ "docker", "docker-tls", "elasticsearch", "k8s-api", "kubelet", "memcached", "mongodb", "mssql" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_bruteforce_burst", "net_port_scan_fast", "telnet_emulated" ] }
15/06/2026 15:34:32 UTC	TCP	22 · SSH	ssh	Scan de ports port scan syn · via SSH:22 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur SSH WAF — Recommandation Surveiller Tags net_bruteforce_burst net_port_scan_fast ssh_banner_grab ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a", "emulator_response_len": 32, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "well_known", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "ssh", "app_proto": "ssh", "asn": 141679, "country": "CN", "dst_port": 22, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "a9b517824c94778e6748155f74784f3a93add744", "event_fingerprint": "b4929bf32779aefad610d20ae581619a267ba9f6", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "87e0ca97b7bdc4227f7650f13d3e74f6532996ff", "protocol_details": { "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "port scan syn \u00b7 via SSH:22 \u00b7 (reconnaissance)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH \u2014 multi-protocole (13 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "port scan syn \u00b7 via SSH:22 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 13, "port_scan_ports_sample": [ 22, 23, 1433, 2375, 2376, 3306, 5432, 6379, 6443, 9200, 10250, 11211, 27017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 13, "scan_velocity_ports_per_s": 3.8, "multi_protocol_correlation": true, "multi_protocol_count": 13, "multi_protocol_sample": [ "docker", "docker-tls", "elasticsearch", "k8s-api", "kubelet", "memcached", "mongodb", "mssql" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_bruteforce_burst", "net_port_scan_fast", "ssh_banner_grab", "ssh_emulated" ] }
15/06/2026 15:34:32 UTC	TCP	3389 · RDP	rdp	Scan de ports port scan syn · via RDP:3389 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur RDP WAF — Recommandation Surveiller Tags net_port_scan_fast rdp_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3389 Chemin / cible — Service RDP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "rdp", "app_proto": "rdp", "asn": 141679, "country": "CN", "dst_port": 3389, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.3, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "3e883454a29ace2a688535dc2bc3e66adc65508d", "event_fingerprint": "e363e414733e6c4de1b1bc87369dc66f1f76c868", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "rdp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 3389, "service": "rdp", "service_name": "rdp", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6afe41ca5be6597013e0c45ff6276a5b8c62e579", "protocol_details": { "port": 3389, "service": "rdp", "service_label_fr": "RDP" }, "attack_vector": "port scan syn \u00b7 via RDP:3389 \u00b7 (reconnaissance)", "target_port_label": "3389 \u00b7 RDP", "emulator_service": "rdp", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via RDP \u2014 multi-protocole (14 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "rdp", "service_label_fr": "RDP", "dst_port": 3389, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Windows RDP", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "port": 3389, "service": "rdp", "service_label_fr": "RDP" }, "attack_vector": "port scan syn \u00b7 via RDP:3389 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "3389 \u00b7 RDP", "emulator_service": "rdp", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rdp", "service_banner": "Windows RDP", "service_os": "windows", "dst_port": "3389" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 14, "port_scan_ports_sample": [ 22, 23, 1433, 2375, 2376, 3306, 3389, 5432, 6379, 6443, 9200, 10250, 11211, 27017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 14, "scan_velocity_ports_per_s": 4.09, "multi_protocol_correlation": true, "multi_protocol_count": 14, "multi_protocol_sample": [ "docker", "docker-tls", "elasticsearch", "k8s-api", "kubelet", "memcached", "mongodb", "mssql" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "rdp_emulated" ] }
15/06/2026 15:34:30 UTC	TCP	6379 · REDIS	redis	Scan de ports port scan syn · via REDIS:6379 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Sonde protocole Redis Émulateur REDIS WAF — Recommandation Surveiller Tags net_redis_probe redis_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 6379 Chemin / cible — Service REDIS Redis Sonde protocole Redis Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "2b504f4e470d0a", "emulator_response_len": 7, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "redis", "app_proto": "redis", "asn": 141679, "country": "CN", "dst_port": 6379, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "b10303bd0e441f9f60f46376cbc4ca72292b5068", "event_fingerprint": "9c536ce82edfb6f83700eeb7934e9ac49a41747b", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "redis", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 6379, "service": "redis", "service_name": "redis", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "df7f465e8c98fe1d3ce6a12856769904de0f753d", "protocol_details": { "redis_command_fr": "Sonde protocole Redis", "port": 6379, "service": "redis", "service_label_fr": "REDIS" }, "attack_vector": "port scan syn \u00b7 via REDIS:6379 \u00b7 (reconnaissance)", "target_port_label": "6379 \u00b7 REDIS", "emulator_service": "redis", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via REDIS \u2014 multi-protocole (6 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "redis", "service_label_fr": "REDIS", "dst_port": 6379, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Redis 7.0", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "redis_command_fr": "Sonde protocole Redis", "port": 6379, "service": "redis", "service_label_fr": "REDIS" }, "attack_vector": "port scan syn \u00b7 via REDIS:6379 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "6379 \u00b7 REDIS", "emulator_service": "redis", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "redis", "service_banner": "Redis 7.0", "service_os": "linux", "dst_port": "6379" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 6, "port_scan_ports_sample": [ 1433, 6379, 9200, 10250, 11211, 27017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 6, "scan_velocity_ports_per_s": 5.45, "multi_protocol_correlation": true, "multi_protocol_count": 6, "multi_protocol_sample": [ "elasticsearch", "kubelet", "memcached", "mongodb", "mssql", "redis" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_redis_probe", "redis_emulated" ] }
15/06/2026 15:34:30 UTC	TCP	2375 · DOCKER	docker	Scan de ports port scan syn · via DOCKER:2375 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_emulated net_docker_api_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "docker", "app_proto": "docker", "asn": 141679, "country": "CN", "dst_port": 2375, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "7fac8b9fb4e847c8c2abe3f25f6668d2413acad8", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "adb30dbbdc8b17793c3fbff47b2d1e3b4b172daf", "protocol_details": { "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "port scan syn \u00b7 via DOCKER:2375 \u00b7 (reconnaissance)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via DOCKER \u2014 multi-protocole (7 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "port scan syn \u00b7 via DOCKER:2375 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 1433, 2375, 6379, 9200, 10250, 11211, 27017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 7, "scan_velocity_ports_per_s": 6.07, "multi_protocol_correlation": true, "multi_protocol_count": 7, "multi_protocol_sample": [ "docker", "elasticsearch", "kubelet", "memcached", "mongodb", "mssql", "redis" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "docker_emulated", "net_docker_api_probe" ] }
15/06/2026 15:34:29 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Sonde Elasticsearch elasticsearch probe · via ELASTICSEARCH:9200 · (sonde / probe)	Élevée	Faible · 22
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Sonde Elasticsearch (REST) Émulateur ELASTICSEARCH WAF — Recommandation Surveiller Tags elasticsearch_emulated net_elasticsearch_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9200 Chemin / cible — Service ELASTICSEARCH Pourquoi cette classification : Type « elasticsearch_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 22 Confiance : Confiance 0 % — 2 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 141679, "country": "CN", "dst_port": 9200, "risk_waf": 8, "risk_classification": 58, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 22, "tag_count": 2, "anomaly_count": 0, "campaign_key": "6dfec99b98d53481ee9b4cf1a1a54e12b0341ca9", "event_fingerprint": "64ce65412bf1b81fa23464b76dd480979155e3d0", "classification_reason": "Type \u00ab elasticsearch_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 22 }, "named_classification_skipped": false, "service_name": "elasticsearch", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "9dbf5366f59d9174076d704198d3d3fd" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 22 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "191a0c390e0c8bb3045189c33e41a4f22e6ddf86", "protocol_details": { "elasticsearch_probe_fr": "Sonde Elasticsearch (REST)", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "elasticsearch probe \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe)", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab elasticsearch_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab elasticsearch_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 22 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 22, "risk_label": "Faible", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "elasticsearch_probe_fr": "Sonde Elasticsearch (REST)", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "elasticsearch probe \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "elasticsearch_emulated", "net_elasticsearch_probe" ] }
15/06/2026 15:34:29 UTC	TCP	27017 · MONGODB	mongodb	Sonde port 27017/TCP port 27017 tcp · via MONGODB:27017 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole Émulateur MONGODB WAF — Recommandation Surveiller Tags mongodb_emulated net_mongodb_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 27017 Chemin / cible — Preuve honeypot — Sonde port 27017/TCP Connexion détectée sur le port 27017 (TCP) du capteur simulé. Service MONGODB Pourquoi cette classification : Type « port_27017_tcp » (signaux protocolaires) · confiance 55% Confiance classification 63% Corrélation +8 Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00", "emulator_response_len": 62, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "mongodb", "app_proto": "mongodb", "asn": 141679, "country": "CN", "dst_port": 27017, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.3, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "529d9b2894453058f3efabc7b1a0f869e5afeac0", "event_fingerprint": "af0bf670397a78dc9d7687bcdee19adac845dc50", "classification_reason": "Type \u00ab port_27017_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.63, "classification_confidence": 0.63, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 8 }, "named_classification_skipped": true, "named_candidate": "mongodb_probe", "service_name": "mongodb", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "2c43cfd3f83ceab071449b3f56a1f3e4" }, "target_context": { "dst_port": 27017, "service": "mongodb", "service_name": "mongodb", "risk_score": 42 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f1efaa49849ce2ec2df7b154399040d0350a0a17", "protocol_details": { "mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)", "port": 27017, "service": "mongodb", "service_label_fr": "MONGODB" }, "attack_vector": "port 27017 tcp \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)", "target_port_label": "27017 \u00b7 MONGODB", "emulator_service": "mongodb", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_27017_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_27017_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 63, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "mongodb", "service_label_fr": "MONGODB", "dst_port": 27017, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-mongodb", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)", "port": 27017, "service": "mongodb", "service_label_fr": "MONGODB" }, "attack_vector": "port 27017 tcp \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "27017 \u00b7 MONGODB", "emulator_service": "mongodb", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 63 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "mongodb", "service_banner": "honeypot-mongodb", "service_os": "linux", "dst_port": "27017" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "elasticsearch", "mongodb" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "mongodb_emulated", "net_mongodb_probe" ] }
15/06/2026 15:34:29 UTC	TCP	11211 · MEMCACHED	memcached	Scan de ports port scan syn · via MEMCACHED:11211 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur MEMCACHED WAF — Recommandation Surveiller Tags memcached_emulated net_memcached_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 11211 Chemin / cible — Service MEMCACHED Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +12 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "56455253494f4e20312e362e360d0a", "emulator_response_len": 15, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "memcached", "app_proto": "memcached", "asn": 141679, "country": "CN", "dst_port": 11211, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "07d250de1613ce6c48278b47e5c33290f8ed10e2", "event_fingerprint": "2fcce8d4fd15e6ca50ec0235eeed2c6616def357", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 12 }, "named_classification_skipped": false, "service_name": "memcached", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 11211, "service": "memcached", "service_name": "memcached", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7538f2613c5189cfbd4ede7c7ddc179e0095168a", "protocol_details": { "port": 11211, "service": "memcached", "service_label_fr": "MEMCACHED" }, "attack_vector": "port scan syn \u00b7 via MEMCACHED:11211 \u00b7 (reconnaissance)", "target_port_label": "11211 \u00b7 MEMCACHED", "emulator_service": "memcached", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via MEMCACHED \u2014 multi-protocole (3 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 12 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "memcached", "service_label_fr": "MEMCACHED", "dst_port": 11211, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-memcached", "correlation_flags": [ "scan_rapide", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +12", "protocol_details": { "port": 11211, "service": "memcached", "service_label_fr": "MEMCACHED" }, "attack_vector": "port scan syn \u00b7 via MEMCACHED:11211 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "11211 \u00b7 MEMCACHED", "emulator_service": "memcached", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +12", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "memcached", "service_banner": "honeypot-memcached", "service_os": "linux", "dst_port": "11211" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "rapid_port_scan": true, "rapid_scan_distinct_ports": 3, "scan_velocity_ports_per_s": 25.56, "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "elasticsearch", "memcached", "mongodb" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 12, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "memcached_emulated", "net_memcached_probe" ] }
15/06/2026 15:34:29 UTC	TCP	10250 · KUBELET	kubelet	Scan de ports port scan syn · via KUBELET:10250 · (reconnaissance)	Faible	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur KUBELET WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 10250 Chemin / cible — Service KUBELET Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 42 Confiance : Confiance élevée (100 %) — signaux convergents Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "kubelet", "app_proto": "kubelet", "asn": 141679, "country": "CN", "dst_port": 10250, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.2, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 42, "tag_count": 0, "anomaly_count": 0, "campaign_key": "6bd2b33f09a596c7caa65dbc72f849332a530856", "event_fingerprint": "a9c2cb9a599dbd42a424fa05e19f5cb77c52c216", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "kubelet", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 10250, "service": "kubelet", "service_name": "kubelet", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "769a4adb1eb6605b66ac8b172cd2fceaa368b28a", "protocol_details": { "port": 10250, "service": "kubelet", "service_label_fr": "KUBELET" }, "attack_vector": "port scan syn \u00b7 via KUBELET:10250 \u00b7 (reconnaissance)", "target_port_label": "10250 \u00b7 KUBELET", "emulator_service": "kubelet", "confidence_reason": "Confiance \u00e9lev\u00e9e (100 %) \u2014 signaux convergents", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via KUBELET \u2014 multi-protocole (4 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "kubelet", "service_label_fr": "KUBELET", "dst_port": 10250, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Kubernetes kubelet", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "port": 10250, "service": "kubelet", "service_label_fr": "KUBELET" }, "attack_vector": "port scan syn \u00b7 via KUBELET:10250 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "10250 \u00b7 KUBELET", "emulator_service": "kubelet", "confidence_reason": "Confiance \u00e9lev\u00e9e (100 %) \u2014 signaux convergents", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "kubelet", "service_banner": "Kubernetes kubelet", "service_os": "linux", "dst_port": "10250" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 4, "port_scan_ports_sample": [ 9200, 10250, 11211, 27017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 4, "scan_velocity_ports_per_s": 30.39, "multi_protocol_correlation": true, "multi_protocol_count": 4, "multi_protocol_sample": [ "elasticsearch", "kubelet", "memcached", "mongodb" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor" }
15/06/2026 15:34:29 UTC	TCP	1433 · MSSQL	mssql	Scan de ports port scan syn · via MSSQL:1433 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur MSSQL WAF — Recommandation Surveiller Tags mssql_emulated net_mssql_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 1433 Chemin / cible — Service MSSQL Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "001f00001a00060000000000000000000000000000000000000000000000000000", "emulator_response_len": 33, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "mssql", "app_proto": "mssql", "asn": 141679, "country": "CN", "dst_port": 1433, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "1a5b2fa475f95e8d817d64405cb3644e25f7ec32", "event_fingerprint": "6e104f6072c052d0dd22893d2f1fa140642f7c7c", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "mssql", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 1433, "service": "mssql", "service_name": "mssql", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4c32706d3e1b9c910f489c47b99a564e2479aaf2", "protocol_details": { "mssql_tds_fr": "Connexion TDS Microsoft SQL Server", "port": 1433, "service": "mssql", "service_label_fr": "MSSQL" }, "attack_vector": "port scan syn \u00b7 via MSSQL:1433 \u00b7 (reconnaissance)", "target_port_label": "1433 \u00b7 MSSQL", "emulator_service": "mssql", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via MSSQL \u2014 multi-protocole (5 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "mssql", "service_label_fr": "MSSQL", "dst_port": 1433, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-mssql", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "mssql_tds_fr": "Connexion TDS Microsoft SQL Server", "port": 1433, "service": "mssql", "service_label_fr": "MSSQL" }, "attack_vector": "port scan syn \u00b7 via MSSQL:1433 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "1433 \u00b7 MSSQL", "emulator_service": "mssql", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "mssql", "service_banner": "honeypot-mssql", "service_os": "linux", "dst_port": "1433" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 5, "port_scan_ports_sample": [ 1433, 9200, 10250, 11211, 27017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 5, "scan_velocity_ports_per_s": 34.91, "multi_protocol_correlation": true, "multi_protocol_count": 5, "multi_protocol_sample": [ "elasticsearch", "kubelet", "memcached", "mongodb", "mssql" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "mssql_emulated", "net_mssql_probe" ] }
15/06/2026 15:03:45 UTC	TCP	8080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8080 · (tentative d'exploit) · → /.git/config	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1083 TA0001 TA0002 Protocole GET /.git/config UA python-requests/2.32.3 Émulateur HTTP WAF 17 Recommandation Investiguer Tags 950468:nosqli-3 950513:leak-0 scanner-ua anomaly:scanner-ua Cible HTTP GET /.git/config TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /.git/config Service HTTP Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « nosqli-3 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Moyen · 56 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive pat-0198 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.git/config Ligne de requête `GET /.git/config HTTP/1.1` User-Agent python-requests/2.32.3 Règles WAF nosqli-3 leak-0 scanner-ua Payload (extrait) GET /.git/config HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: python-requests/2.32.3 Accept-Encoding: identity Connection: clo Requête brute (extrait) GET /.git/config HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: python-requests/2.32.3 Accept-Encoding: identity Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "git\/config", "http_ua_hash": "ae09ca118a34f21eadeb922152bc0d66d5b1783f", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "e2f253eab0d0cf5422d24d22ae2a4954398768df", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 134, "payload_entropy": 4.933559598007272, "port_category": "registered", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "http", "app_proto": "http", "asn": 141679, "country": "CN", "dst_port": 8080, "risk_waf": 76, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 76, "classification": 74, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30 }, "risk_score": 56, "tag_count": 10, "anomaly_count": 1, "campaign_key": "c7cb10339889808149c7d415d538bce4afc902c8", "event_fingerprint": "df5851a413a7a9b921ef143a6764b6ce2d04b977", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0198", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0198", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0198" ], "matched_pattern_names": [ "Probe \/.git\/config" ], "pattern_ids": [ "pat-0198" ], "confidence_breakdown": { "waf": 76, "classification": 74, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30, "risk_score": 56 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "bcea973b42c25e2780c70435dae7b4a0", "payload_hash": "56d2422094c5e652023731cdc34c8aba", "path_pattern_hash": "3ec26e4f0817b37785cd5e68fed88892" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: python-requests\/2.32.3\r\nAccept-Encoding: identity\r\nConnection: clo", "method": "GET", "path": "\/.git\/config", "user_agent": "python-requests\/2.32.3", "waf_tags": [ "950468:nosqli-3", "950513:leak-0", "scanner-ua" ], "waf_rule_names": [ "nosqli-3", "leak-0", "scanner-ua" ], "request_line": "GET \/.git\/config HTTP\/1.1", "request_sample": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: python-requests\/2.32.3\r\nAccept-Encoding: identity\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: python-requests\/2.32.3\r\nAccept-Encoding: identity\r\nConnection: clo", "evidence": { "method": "GET", "path": "\/.git\/config", "user_agent": "python-requests\/2.32.3", "waf_tags": [ "950468:nosqli-3", "950513:leak-0", "scanner-ua" ], "waf_rule_names": [ "nosqli-3", "leak-0", "scanner-ua" ], "request_line": "GET \/.git\/config HTTP\/1.1", "request_sample": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: python-requests\/2.32.3\r\nAccept-Encoding: identity\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: python-requests\/2.32.3\r\nAccept-Encoding: identity\r\nConnection: clo", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1fd7e409241d2bd43f7e133f0691e42c7433b88e", "protocol_details": { "http_method": "GET", "http_path": "\/.git\/config", "request_line": "GET \/.git\/config HTTP\/1.1", "http_user_agent": "python-requests\/2.32.3", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: python-requests\/2.32.3\r\nAccept-Encoding: identity\r\nConnection: clo", "attack_vector": "config file probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.git\/config", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 76, "classification": 74, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30, "risk_score": 56 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0198", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0198", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/.git\/config", "request_line": "GET \/.git\/config HTTP\/1.1", "http_user_agent": "python-requests\/2.32.3", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.git\/config", "evidence_snippet": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: python-requests\/2.32.3\r\nAccept-Encoding: identity\r\nConnection: clo", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 76 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950468:nosqli-3", "950513:leak-0", "anomaly:scanner-ua", "http_backup_file_scan", "http_git_exposure", "http_probe_git", "http_sensitive_path", "http_ua_suspicious", "net_web_probe", "scanner-ua" ] }
15/06/2026 15:03:44 UTC	TCP	8080 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:8080 · (tentative d'exploit) · → /v2/api-docs	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /v2/api-docs UA Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefo… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /v2/api-docs TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /v2/api-docs Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 59 Confiance : Confiance 50 % — 4 tag(s) WAF Protocole émulé 1 Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /v2/api-docs HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /v2/api-docs HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/1 Requête brute (extrait) GET /v2/api-docs HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0 Accept-Encoding: identity Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a203130390d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b226f70656e617069223a22332e30", "emulator_response_len": 222, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "880d0c120dbf4497314046742f2cb6dbd4be704d", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "3588cfa6854e65ff6880d19479c4f2f9c06bb918", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 182, "payload_entropy": 5.247312739758525, "port_category": "registered", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "http", "app_proto": "http", "asn": 141679, "country": "CN", "dst_port": 8080, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 59, "tag_count": 7, "anomaly_count": 0, "campaign_key": "02c5ab7d03954ee498850df3a38eed0410a6dd43", "event_fingerprint": "99f257cdb6e3aee904577702f653f5e91c541cf1", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence": 0.5, "classification_confidence": 0.5, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "a59685e43b0ef4fb9f3e6765d2231094", "payload_hash": "54b9ce1ccc5eed56843b9235a313844c", "path_pattern_hash": "c004c8540b15c732182a274aa2a835d6" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 59 }, "payload_preview": "GET \/v2\/api-docs HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/1", "method": "GET", "path": "\/v2\/api-docs", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/v2\/api-docs HTTP\/1.1", "request_sample": "GET \/v2\/api-docs HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\r\nAccept-Encoding: identity\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/v2\/api-docs HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/1", "evidence": { "method": "GET", "path": "\/v2\/api-docs", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/v2\/api-docs HTTP\/1.1", "request_sample": "GET \/v2\/api-docs HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\r\nAccept-Encoding: identity\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/v2\/api-docs HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/1", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2f8a3803476ea4a6b9ac4995194f1469c1a00de7", "protocol_details": { "http_method": "GET", "http_path": "\/v2\/api-docs", "request_line": "GET \/v2\/api-docs HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/v2\/api-docs HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/1", "attack_vector": "lfi path traversal \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v2\/api-docs", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 50 % \u2014 via HTTP", "confidence_pct": 50, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/v2\/api-docs", "request_line": "GET \/v2\/api-docs HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v2\/api-docs", "evidence_snippet": "GET \/v2\/api-docs HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/1", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_v2_api_docs", "http_swagger_probe", "net_web_probe" ] }
15/06/2026 15:03:44 UTC	TCP	8080 · HTTP	http	graphql abuse graphql abuse · via HTTP:8080 · (sonde / probe) · → /graphql	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /graphql UA Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefo… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 http_probe_graphql net_web_probe Cible HTTP GET /graphql TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /graphql Service HTTP Pourquoi cette classification : Type « graphql_abuse » (signaux protocolaires) · confiance 59% Confiance classification 59% Risque capteur Moyen · 45 Confiance : Confiance 59 % — Motif catalogue confirmé · 2 tag(s) WAF Protocole émulé 1 Signaux pat-0674 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) GraphQL endpoint Probe /graphql Ligne de requête `GET /graphql HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /graphql HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0 Requête brute (extrait) GET /graphql HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0 Accept-Encoding: identity Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "880d0c120dbf4497314046742f2cb6dbd4be704d", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "370387a28101c54732aba985d8fe5d432377a671", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 178, "payload_entropy": 5.288269353085474, "port_category": "registered", "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "service": "http", "app_proto": "http", "asn": 141679, "country": "CN", "dst_port": 8080, "risk_waf": 60, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 60, "classification": 50, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 45, "tag_count": 4, "anomaly_count": 0, "campaign_key": "8b0dadde0ef5a775e043441b15b356c05f2131cc", "event_fingerprint": "899cb9122897d76acc31ff3730ec7fd29bf03da5", "classification_reason": "Type \u00ab graphql_abuse \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "pat-0674" ], "kb_rule_ids": [ "pat-0674" ], "matched_patterns": [ "pat-0674", "pat-0258" ], "matched_pattern_names": [ "GraphQL endpoint", "Probe \/graphql" ], "pattern_ids": [ "pat-0674", "pat-0258" ], "confidence_breakdown": { "waf": 60, "classification": 50, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 45 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 141679, "org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "a59685e43b0ef4fb9f3e6765d2231094", "payload_hash": "758dc1ff3197f1e5786d2d1efefeafff", "path_pattern_hash": "e6862b57c5407b8605e57256a264e59d" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 45 }, "payload_preview": "GET \/graphql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0", "method": "GET", "path": "\/graphql", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/graphql HTTP\/1.1", "request_sample": "GET \/graphql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\r\nAccept-Encoding: identity\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/graphql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0", "evidence": { "method": "GET", "path": "\/graphql", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/graphql HTTP\/1.1", "request_sample": "GET \/graphql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\r\nAccept-Encoding: identity\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/graphql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0", "classification_reason": "Type \u00ab graphql_abuse \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d347c9fcde0387d854887197634e329e6383c1d4", "protocol_details": { "http_method": "GET", "http_path": "\/graphql", "request_line": "GET \/graphql HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/graphql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0", "attack_vector": "graphql abuse \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/graphql", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab graphql_abuse \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab graphql_abuse \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 59, "confidence_breakdown": { "waf": 60, "classification": 50, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "pat-0674" ], "tags_summary_labels_fr": [ "pat-0674" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/graphql", "request_line": "GET \/graphql HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "graphql abuse \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/graphql", "evidence_snippet": "GET \/graphql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_probe_graphql", "net_web_probe" ] }

111.228.50.25

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence