{"ip":"130.12.180.153","exported_at":"2026-07-18T02:33:22+00:00","period_days":1,"metrics":{"events7d":73,"distinct_ports":73,"distinct_classifications":73,"max_severity":6,"last_sensor_id":"paris-1","max_waf_score":null,"max_risk_score":48,"attack_stage":"probe","attack_chain_stage":"discovery","threat_family":["unknown"],"recommended_action":"monitor","confidence":0.49,"risk_breakdown":{"waf":8,"classification":38,"behavior":0,"geo":0,"protocol":0,"novelty":0},"mitre_tactics":["TA0007","TA0001"],"mitre_technique":"TA0007","top_mitre_technique":"TA0007","top_mitre_count":73,"executive_one_liner_fr":"Activit\u00e9 suspecte \u00b7 risque 35\/100","campaign_hint_fr":null,"confidence_breakdown":{"waf":8,"classification":38,"behavior":0,"geo":0,"protocol":0,"novelty":0,"risk_score":35},"persona_hostname":"mail.sensor-1.internal","correlation_flags":[],"correlation_flags_labels_fr":[],"confidence_pct":49,"confidence_hint_fr":"Confiance mod\u00e9r\u00e9e \u2014 signal unique","sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["pat-0348"],"tags_summary":["pat-0348"],"attack_vector":"port 3027 tcp \u00b7 port 3027 \u00b7 (sonde \/ probe)","protocol_details":{"payload_preview":"\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000","port":3027},"protocol_summary_fr":"Payload \u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003","evidence_snippet":"\ufffd","target_port_label":"3027","emulator_service":null,"confidence_reason":"Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes","classification_reason":"Type \u00ab port_3027_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%","classification_reason_label_fr":"Type \u00ab port_3027_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%","confidence_factors_fr":"Confiance 49 % \u2014 Score WAF 8","payload_preview":"\ufffd"},"events":[{"id":12711971,"ip":"130.12.180.153","ts":"2026-07-18 02:23:10.000000","proto":"tcp","src_port":57874,"dst_port":3027,"service":null,"classification":"port_3027_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3027, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022507a55b52a1ae419cb96d02fe9523bd08e333b63\u0022, \u0022event_fingerprint\u0022: \u002250bfb1348a24dcf85e577253427a307b100b5ab2\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3027_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u0022e05954ac8f3d8c5d14fe6fa2f9f94b57\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3027, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3027_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e1921b5d36e22d388898f1a20a63ac8ef3c0d859\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3027}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3027 tcp \u00b7 port 3027 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223027\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3027_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3027_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3027, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3027}, \u0022attack_vector\u0022: \u0022port 3027 tcp \u00b7 port 3027 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223027\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223027\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12710983,"ip":"130.12.180.153","ts":"2026-07-18 02:07:38.000000","proto":"tcp","src_port":54731,"dst_port":3091,"service":null,"classification":"port_3091_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3091, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a266c82219d40a72dd72c8d13cb51c27238476de\u0022, \u0022event_fingerprint\u0022: \u0022b3f0b6feb23e52f80aeb2e349ffc8094a675746d\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3091_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u00226516bf7eeb05bfbebef5e3a3ddae21b3\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3091, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3091_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ec901754eb310f3a4f44a23881ba2609a9dd4398\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3091}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3091 tcp \u00b7 port 3091 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223091\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3091_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3091_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3091, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3091}, \u0022attack_vector\u0022: \u0022port 3091 tcp \u00b7 port 3091 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223091\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223091\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12707166,"ip":"130.12.180.153","ts":"2026-07-18 01:12:59.000000","proto":"tcp","src_port":62863,"dst_port":3065,"service":null,"classification":"port_3065_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3065, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002298e55a0a09003d42a5ccad74a61f7c8fe70a9d99\u0022, \u0022event_fingerprint\u0022: \u002273ab30ed8a16d46fcd49a0dd0cb1df1e92ee7ea6\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3065_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.57, \u0022classification_confidence\u0022: 0.57, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u0022f0816a86539c8cfc6090ce005d2de629\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3065, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3065_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224c5d070b82a35d6793eb48b145859d358dab3ccb\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3065}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3065 tcp \u00b7 port 3065 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223065\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3065_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3065_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 57, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3065, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3065}, \u0022attack_vector\u0022: \u0022port 3065 tcp \u00b7 port 3065 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223065\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223065\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022port:3005\u0022, \u0022port:3065\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12707070,"ip":"130.12.180.153","ts":"2026-07-18 01:12:17.000000","proto":"tcp","src_port":62459,"dst_port":3005,"service":null,"classification":"port_3005_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3005, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ce50fefe174c2345fa5d9fa9cff7e9df521ee4f6\u0022, \u0022event_fingerprint\u0022: \u0022eb9a8bca52e05aee8faa343a31a8940b297251a9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3005_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u00223b0c2a2f5d8547628ce243bddd5623b9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3005, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3005_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0e1d836940865d32fc457676c66c33ab386dc54\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3005}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3005 tcp \u00b7 port 3005 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223005\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3005_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3005_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3005, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3005}, \u0022attack_vector\u0022: \u0022port 3005 tcp \u00b7 port 3005 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223005\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223005\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12705452,"ip":"130.12.180.153","ts":"2026-07-18 00:44:03.000000","proto":"tcp","src_port":55155,"dst_port":3043,"service":null,"classification":"port_3043_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3043, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a399aab207a1e5398682cab21f048d64296d77fd\u0022, \u0022event_fingerprint\u0022: \u0022c7d3d5565f5dc6906c1fddab8709c7049abb1ed0\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3043_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u00228eb223978e33b3b721282a768298b860\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3043, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3043_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221b57af6186b282fad787d7c2a2719f754e9a662d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3043}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3043 tcp \u00b7 port 3043 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223043\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3043_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3043_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3043, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3043}, \u0022attack_vector\u0022: \u0022port 3043 tcp \u00b7 port 3043 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223043\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223043\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12703978,"ip":"130.12.180.153","ts":"2026-07-18 00:19:48.000000","proto":"tcp","src_port":64515,"dst_port":3096,"service":null,"classification":"port_3096_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3096, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00226b59ed27e8f3967b2b155e0b7b666be03804316e\u0022, \u0022event_fingerprint\u0022: \u002287dbe43c4034062c8f76ae03591c7d7b460a1be9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3096_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u00223b234e8726e9b9e9f724e0fd9229dc5d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3096, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3096_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227133a1b678cd1ca47e69f3f6f025721e4cfdff7f\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3096}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3096 tcp \u00b7 port 3096 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223096\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3096_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3096_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3096, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3096}, \u0022attack_vector\u0022: \u0022port 3096 tcp \u00b7 port 3096 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223096\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223096\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12701007,"ip":"130.12.180.153","ts":"2026-07-17 23:31:39.000000","proto":"tcp","src_port":58068,"dst_port":3056,"service":null,"classification":"port_3056_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3056, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00226a5341a7f5b85a6dc96e20ec76dae1117b9f95f7\u0022, \u0022event_fingerprint\u0022: \u0022584c94cceb7595030bff7136f16e8c84bda0d4f4\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3056_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u0022c70b8c869050364ed6cc7849f8d2fdbf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3056, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3056_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225b2c1e83f3d3bd38dfc13d12c361dbea9567188b\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3056}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3056 tcp \u00b7 port 3056 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223056\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3056_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3056_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3056, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3056}, \u0022attack_vector\u0022: \u0022port 3056 tcp \u00b7 port 3056 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223056\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223056\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12700602,"ip":"130.12.180.153","ts":"2026-07-17 23:26:02.000000","proto":"tcp","src_port":59172,"dst_port":3021,"service":null,"classification":"port_3021_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3021, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ebab52e6ea5c5583eb7cde2b9044c4348297677d\u0022, \u0022event_fingerprint\u0022: \u0022c5adca35af239f54c85783460ce45fbac95c9394\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3021_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.57, \u0022classification_confidence\u0022: 0.57, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u0022703fde516b73d3d4bd06999f225d9348\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3021, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3021_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002280b6f6e2f0b9c925a1f0d736f0684a674655f6c1\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3021}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3021 tcp \u00b7 port 3021 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223021\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3021_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3021_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 57, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3021, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3021}, \u0022attack_vector\u0022: \u0022port 3021 tcp \u00b7 port 3021 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223021\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223021\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022port:3021\u0022, \u0022port:3062\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12700596,"ip":"130.12.180.153","ts":"2026-07-17 23:25:55.000000","proto":"tcp","src_port":64856,"dst_port":3062,"service":null,"classification":"port_3062_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3062, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220786192cb8e4dce1604c0d4c094f3da37e62dc29\u0022, \u0022event_fingerprint\u0022: \u00225d81e7015c06d742fbf64c78b6a6c92fe445f72c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3062_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u0022e59e99803a3f4eb5e86bf6dcc8823d44\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3062, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3062_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c6223a4121ecbd8c9ff30cfc83b8b4461c4a8803\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3062}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3062 tcp \u00b7 port 3062 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223062\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3062_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3062_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3062, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3062}, \u0022attack_vector\u0022: \u0022port 3062 tcp \u00b7 port 3062 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223062\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223062\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12698360,"ip":"130.12.180.153","ts":"2026-07-17 22:49:20.000000","proto":"tcp","src_port":57384,"dst_port":3067,"service":null,"classification":"port_3067_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3067, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002299ff7ada6a4b64af873ff1eb671a2e3b2f60bfa3\u0022, \u0022event_fingerprint\u0022: \u0022f7f1af3cf362760dcdc61954f335098b7c3ab799\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3067_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.57, \u0022classification_confidence\u0022: 0.57, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u002281912a849fb9e1a06997c5bfd634ebf7\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3067, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3067_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220bc12b99f0057e32f34a231fe796e58ef119115e\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3067}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3067 tcp \u00b7 port 3067 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223067\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3067_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3067_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 57, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3067, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3067}, \u0022attack_vector\u0022: \u0022port 3067 tcp \u00b7 port 3067 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223067\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223067\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022port:3064\u0022, \u0022port:3067\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12698190,"ip":"130.12.180.153","ts":"2026-07-17 22:46:13.000000","proto":"tcp","src_port":62958,"dst_port":3064,"service":null,"classification":"port_3064_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3064, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220955596a3b06d0631e58d3a98a858a0eb6c2af02\u0022, \u0022event_fingerprint\u0022: \u00223c321d0b532264ec6aa7d130bd0653745cf110e1\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3064_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u00228fa83fbca06ab54cd3ffd0177cb8f29e\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3064, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3064_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222fd64361694f14f7aff4fd7a7d6d14be728d2b55\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3064}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3064 tcp \u00b7 port 3064 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223064\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3064_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3064_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3064, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3064}, \u0022attack_vector\u0022: \u0022port 3064 tcp \u00b7 port 3064 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223064\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223064\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12696819,"ip":"130.12.180.153","ts":"2026-07-17 22:20:24.000000","proto":"tcp","src_port":55479,"dst_port":3059,"service":null,"classification":"port_3059_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3059, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e27be9cc873897fb3602f4067d429c5fa7d53c8b\u0022, \u0022event_fingerprint\u0022: \u0022dd5fa22053f635e9b2b92692443ed2c7668456f3\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3059_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.57, \u0022classification_confidence\u0022: 0.57, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u0022ada04a9e1228f201d2618d2e545fd529\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3059, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3059_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022600451d672ba25f871c353ced9bf09f9a53b87fc\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3059}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3059 tcp \u00b7 port 3059 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223059\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3059_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3059_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 57, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3059, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3059}, \u0022attack_vector\u0022: \u0022port 3059 tcp \u00b7 port 3059 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223059\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223059\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022port:3031\u0022, \u0022port:3059\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12696572,"ip":"130.12.180.153","ts":"2026-07-17 22:17:48.000000","proto":"tcp","src_port":56241,"dst_port":3031,"service":null,"classification":"port_3031_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3031, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207d90f4341ea3fe2f9146e6d0d6342e14d542bf9\u0022, \u0022event_fingerprint\u0022: \u0022291d3fe9f0b9b2cc92fd483456d160208a3e8e64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3031_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.57, \u0022classification_confidence\u0022: 0.57, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u00220d5c0da6798b68aaf7e9ab5e8c7a7284\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3031, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3031_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002279fe60e964a7b9cec4007705a859d38956d92119\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3031}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3031 tcp \u00b7 port 3031 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223031\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3031_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3031_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 57, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3031, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3031}, \u0022attack_vector\u0022: \u0022port 3031 tcp \u00b7 port 3031 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223031\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223031\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022port:3031\u0022, \u0022port:3076\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12696390,"ip":"130.12.180.153","ts":"2026-07-17 22:14:59.000000","proto":"tcp","src_port":62052,"dst_port":3076,"service":null,"classification":"port_3076_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3076, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f33117ecb9feb271dd3cb4f0cbc5cc79437daf09\u0022, \u0022event_fingerprint\u0022: \u00228b61d5f8ee4a9190baf5ae2c8467f76e33ef2270\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3076_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u0022a982c2bd83833c5e6de2cd4caec2c50c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3076, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3076_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002255bd98eb52648f3d8bd0d698d041063bb13dd5c6\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3076}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3076 tcp \u00b7 port 3076 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223076\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3076_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3076_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3076, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3076}, \u0022attack_vector\u0022: \u0022port 3076 tcp \u00b7 port 3076 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223076\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223076\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12694591,"ip":"130.12.180.153","ts":"2026-07-17 21:50:57.000000","proto":"tcp","src_port":53634,"dst_port":3012,"service":null,"classification":"port_3012_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3012, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ccfe4ff6d704fc2cf2649db0d3d5a2ca4cdd1874\u0022, \u0022event_fingerprint\u0022: \u0022e775f98cebae39b767c47e0125ebe9dd399ee39e\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3012_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.57, \u0022classification_confidence\u0022: 0.57, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u0022433f025f8927eea5ab369904544b2058\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3012, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3012_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220f605891b8f48eb1a92ece6f60cde419ad79cad4\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3012}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3012 tcp \u00b7 port 3012 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223012\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3012_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3012_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 57, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3012, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3012}, \u0022attack_vector\u0022: \u0022port 3012 tcp \u00b7 port 3012 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223012\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223012\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022port:3012\u0022, \u0022port:3088\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12694368,"ip":"130.12.180.153","ts":"2026-07-17 21:47:08.000000","proto":"tcp","src_port":54580,"dst_port":3088,"service":null,"classification":"port_3088_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3088, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002249e99cd8913e07055c0dc4a204f0ae68e395b8aa\u0022, \u0022event_fingerprint\u0022: \u0022801c9a0cb545b1320cae09fe8826da86e6113808\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3088_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u0022235942d0f37d34a982e338c10064552c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3088, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3088_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224e94fcb31902caf0de95bef7dc970334bbf16c0f\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3088}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3088 tcp \u00b7 port 3088 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223088\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3088_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3088_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3088, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3088}, \u0022attack_vector\u0022: \u0022port 3088 tcp \u00b7 port 3088 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223088\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223088\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12693844,"ip":"130.12.180.153","ts":"2026-07-17 21:37:49.000000","proto":"tcp","src_port":60688,"dst_port":3082,"service":null,"classification":"port_3082_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3082, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002265250ae1bbd8a8d3d002338f8cdf611df697ca64\u0022, \u0022event_fingerprint\u0022: \u0022d27584e4e545f485a8cf99e4c7292232884055da\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3082_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.57, \u0022classification_confidence\u0022: 0.57, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u002284fb163943414a64a646f15b53701bcb\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3082, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3082_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220edac4eccf9324ca759b6524541b5015ee03e5b4\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3082}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3082 tcp \u00b7 port 3082 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223082\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3082_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3082_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 57, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3082, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3082}, \u0022attack_vector\u0022: \u0022port 3082 tcp \u00b7 port 3082 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223082\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223082\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022port:3082\u0022, \u0022port:3089\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12693640,"ip":"130.12.180.153","ts":"2026-07-17 21:36:55.000000","proto":"tcp","src_port":53095,"dst_port":3089,"service":null,"classification":"port_3089_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3089, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d73430f31e8ecd37cb2803be1197ed5f250d2762\u0022, \u0022event_fingerprint\u0022: \u00222563074063d40481dc5e53cb7fe74b7812ca7884\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3089_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u00226cb979b4c01f8c9bf15561f0dc7730c8\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3089, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3089_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221b066b3a940420534d05a2e2659a3ea664132fd5\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3089}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3089 tcp \u00b7 port 3089 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223089\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3089_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3089_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3089, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3089}, \u0022attack_vector\u0022: \u0022port 3089 tcp \u00b7 port 3089 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223089\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223089\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12691344,"ip":"130.12.180.153","ts":"2026-07-17 21:00:59.000000","proto":"tcp","src_port":62481,"dst_port":3000,"service":"node-http","classification":"port_3000_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120343034204e6f7420466f756e640d0a582d506f77657265642d42793a20457870726573730d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2031320d0a0d0a43616e6e6f7420474554202f\u0022, \u0022emulator_response_len\u0022: 106, \u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: \u0022node-http\u0022, \u0022app_proto\u0022: \u0022node-http\u0022, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227c356cd3f41196ebc417361b0f54b35bbef962c4\u0022, \u0022event_fingerprint\u0022: \u002234fd482cd7628741af06d058b16059cafd546c90\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3000_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.57, \u0022classification_confidence\u0022: 0.57, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 40, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022service_name\u0022: \u0022node-http\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u0022de50f9f577f16d6306784e912d28b67c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3000, \u0022service\u0022: \u0022node-http\u0022, \u0022service_name\u0022: \u0022node-http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3000_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022aff2f233e95dd8b30f13c7289f75118930528c78\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3000, \u0022service\u0022: \u0022node-http\u0022, \u0022service_label_fr\u0022: \u0022NODE HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3000 tcp \u00b7 via NODE HTTP:3000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223000 \u00b7 NODE HTTP\u0022, \u0022emulator_service\u0022: \u0022node-http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3000_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3000_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 57, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 40, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022node-http\u0022, \u0022service_label_fr\u0022: \u0022NODE HTTP\u0022, \u0022dst_port\u0022: 3000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-node-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3000, \u0022service\u0022: \u0022node-http\u0022, \u0022service_label_fr\u0022: \u0022NODE HTTP\u0022}, \u0022attack_vector\u0022: \u0022port 3000 tcp \u00b7 via NODE HTTP:3000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223000 \u00b7 NODE HTTP\u0022, \u0022emulator_service\u0022: \u0022node-http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022node_http\u0022, \u0022service_banner\u0022: \u0022honeypot-node-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022node-http\u0022, \u0022port:3044\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_web_probe\u0022, \u0022node_http_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_web_probe\u0022, \u0022node_http_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":19},{"id":12690997,"ip":"130.12.180.153","ts":"2026-07-17 20:56:23.000000","proto":"tcp","src_port":59996,"dst_port":3044,"service":null,"classification":"port_3044_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3044, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224a31ecba54886730ea74db0b939eabcb145b1d4f\u0022, \u0022event_fingerprint\u0022: \u00221a833c7cc580c4aeb3842dc21aa399b7299521dc\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3044_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u00224e33f866ee10fadbef93259404e7365e\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3044, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3044_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ffaaa8e7143bc0778279d77f3c3d87425557204a\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3044}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3044 tcp \u00b7 port 3044 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223044\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3044_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3044_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3044, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3044}, \u0022attack_vector\u0022: \u0022port 3044 tcp \u00b7 port 3044 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223044\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223044\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12687858,"ip":"130.12.180.153","ts":"2026-07-17 20:09:09.000000","proto":"tcp","src_port":49153,"dst_port":3009,"service":null,"classification":"port_3009_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3009, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00222088ad7c72dd2c62dde88a8b7a41c99b373618b7\u0022, \u0022event_fingerprint\u0022: \u00225ff3af03d081d56ae0621998d2238847c9299305\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3009_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.57, \u0022classification_confidence\u0022: 0.57, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u00222a5d94030beed2e41dfa2912328fc7de\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3009, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3009_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002209e4f0193fd7bfadf18e311ca0d68ad1b2abc125\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3009}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3009 tcp \u00b7 port 3009 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223009\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3009_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3009_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 57, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3009, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3009}, \u0022attack_vector\u0022: \u0022port 3009 tcp \u00b7 port 3009 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223009\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223009\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022port:3003\u0022, \u0022port:3009\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12687631,"ip":"130.12.180.153","ts":"2026-07-17 20:07:34.000000","proto":"tcp","src_port":57597,"dst_port":3003,"service":null,"classification":"port_3003_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3003, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022dab6a81d38d27aadb06aad499fffc47e4d746855\u0022, \u0022event_fingerprint\u0022: \u00229a841e79870f59f81b076dcf4286aa06b40fbadf\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3003_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u002272fd36f9bb0ed871ef1c3d5bfdd1a6f9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3003, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3003_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225d7fa9c43a37b31b05a43101599c656d38f38ff9\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3003}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3003 tcp \u00b7 port 3003 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223003\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3003_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3003_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3003, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3003}, \u0022attack_vector\u0022: \u0022port 3003 tcp \u00b7 port 3003 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223003\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223003\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12684283,"ip":"130.12.180.153","ts":"2026-07-17 19:16:23.000000","proto":"tcp","src_port":49427,"dst_port":3057,"service":null,"classification":"port_3057_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3057, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022257de47417c122e65a8f2f0e0ab5402c1121099e\u0022, \u0022event_fingerprint\u0022: \u0022f0cd1c9c9bac04562e2d68ba76ba45664b44d717\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3057_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u0022beb46d42d8a39801ad812cc3256e6fa0\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3057, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3057_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229b7b18654f738661e086fc41824d5b9ff60e5d89\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3057}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3057 tcp \u00b7 port 3057 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223057\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3057_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3057_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3057, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3057}, \u0022attack_vector\u0022: \u0022port 3057 tcp \u00b7 port 3057 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223057\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223057\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12683445,"ip":"130.12.180.153","ts":"2026-07-17 19:06:21.000000","proto":"tcp","src_port":62860,"dst_port":3053,"service":null,"classification":"port_3053_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3053, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d0622fc9466ca05680e5e0e59dfe714515a2c8ad\u0022, \u0022event_fingerprint\u0022: \u0022d70d7dad8f2616a5eaa750aa4b356deb131adb16\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3053_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u002270175a907b090ac6169787425afa104c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3053, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3053_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002287d3aeb8a5bc3fa77248d5628fc2b9ce46e40104\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3053}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3053 tcp \u00b7 port 3053 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223053\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3053_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3053_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3053, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3053}, \u0022attack_vector\u0022: \u0022port 3053 tcp \u00b7 port 3053 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223053\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223053\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12682843,"ip":"130.12.180.153","ts":"2026-07-17 18:55:55.000000","proto":"tcp","src_port":52294,"dst_port":3051,"service":null,"classification":"port_3051_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3051, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ff77b52ec068218708b6eb9c523ecb3dbc0a9434\u0022, \u0022event_fingerprint\u0022: \u00220443ec350d4fd5b547a165f3e12898b923ccbc23\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3051_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u002255af075328e938ab36b0c79fe318bf58\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3051, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3051_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a1b8d640cdcabf1d07a5a04a6de12b0182726639\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3051}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3051 tcp \u00b7 port 3051 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223051\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3051_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3051_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3051, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3051}, \u0022attack_vector\u0022: \u0022port 3051 tcp \u00b7 port 3051 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223051\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223051\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12682126,"ip":"130.12.180.153","ts":"2026-07-17 18:44:31.000000","proto":"tcp","src_port":61756,"dst_port":3054,"service":null,"classification":"port_3054_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3054, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002283eeb7fc6342b9d9b34fa847d52c09b0a300084a\u0022, \u0022event_fingerprint\u0022: \u00227dece8dda034d58ff5cbc4d994757efbb13fd0f8\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3054_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.57, \u0022classification_confidence\u0022: 0.57, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u0022fe479951cefb8ee319407eca0f76b89e\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3054, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3054_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002255c29ba2c7c9ccbced0a4c5604c188aa5bb4641b\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3054}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3054 tcp \u00b7 port 3054 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223054\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3054_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3054_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 57, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3054, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3054}, \u0022attack_vector\u0022: \u0022port 3054 tcp \u00b7 port 3054 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223054\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223054\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022port:3054\u0022, \u0022port:3063\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12682107,"ip":"130.12.180.153","ts":"2026-07-17 18:44:05.000000","proto":"tcp","src_port":53604,"dst_port":3063,"service":null,"classification":"port_3063_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3063, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d3bff1591286ff17601833bc59dcd7a5b7298b75\u0022, \u0022event_fingerprint\u0022: \u0022e447cc77e2f8225a7c35227011c0ba18abbe3654\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3063_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u0022dbd9d10bb5fadb95971d1901235dcb56\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3063, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3063_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223ca37da093a0c80e0b6e6018499464513230a6e4\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3063}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3063 tcp \u00b7 port 3063 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223063\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3063_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3063_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3063, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3063}, \u0022attack_vector\u0022: \u0022port 3063 tcp \u00b7 port 3063 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223063\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223063\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12681498,"ip":"130.12.180.153","ts":"2026-07-17 18:34:19.000000","proto":"tcp","src_port":49748,"dst_port":3047,"service":null,"classification":"port_3047_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3047, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220e967bd9ca1c5b2697070e70e0eae5d60bcc63ee\u0022, \u0022event_fingerprint\u0022: \u00225f451a3e9255b3834b8381061e7eec813434fbeb\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3047_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.57, \u0022classification_confidence\u0022: 0.57, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u0022e0bbe1993d045a0ea8214ac042267341\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3047, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3047_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228b29110cac1c25efbeee50c19251185b5b5afd22\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3047}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3047 tcp \u00b7 port 3047 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223047\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3047_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3047_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 57, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3047, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3047}, \u0022attack_vector\u0022: \u0022port 3047 tcp \u00b7 port 3047 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223047\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223047\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022port:3047\u0022, \u0022port:3060\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12681470,"ip":"130.12.180.153","ts":"2026-07-17 18:33:40.000000","proto":"tcp","src_port":58210,"dst_port":3060,"service":null,"classification":"port_3060_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224951a879a2b292e8125785ac3d57507056a3b5f1\u0022, \u0022event_fingerprint\u0022: \u002237bb408ed56198eba9d961415fe1e52c9bf99d43\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3060_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u002246c9a2af46639ce8307cacb51973ad9a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3060, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3060_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022cc3b57f149acad3926175024d074f9a62d9d534c\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3060}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3060 tcp \u00b7 port 3060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223060\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3060_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3060_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3060, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3060}, \u0022attack_vector\u0022: \u0022port 3060 tcp \u00b7 port 3060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223060\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12678321,"ip":"130.12.180.153","ts":"2026-07-17 17:43:47.000000","proto":"tcp","src_port":52264,"dst_port":3041,"service":null,"classification":"port_3041_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3041, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d4674e32393a8a077a34b97556010cf5782b0426\u0022, \u0022event_fingerprint\u0022: \u0022ddf70161787ab7f2f381fea03314ac2b1e68c7df\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3041_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u002259deff647f506917c590902bb9799498\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3041, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3041_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022dcbf93ff18c0a2e262cd312d26bbed6b6517754b\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3041}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3041 tcp \u00b7 port 3041 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223041\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3041_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3041_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3041, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3041}, \u0022attack_vector\u0022: \u0022port 3041 tcp \u00b7 port 3041 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223041\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223041\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12674679,"ip":"130.12.180.153","ts":"2026-07-17 16:54:34.000000","proto":"tcp","src_port":52235,"dst_port":3099,"service":null,"classification":"port_3099_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3099, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00225452ceeece641067355a16d18562bd852bd902c5\u0022, \u0022event_fingerprint\u0022: \u0022a0974280b851f16fcc9b4c17e68df25ef0e11651\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3099_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u0022cf64644ca6e0073d606522f368f2477d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3099, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3099_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022bc8db98507971f7942ec60c06b8b540e7c03b9a7\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3099}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3099 tcp \u00b7 port 3099 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223099\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3099_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3099_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3099, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3099}, \u0022attack_vector\u0022: \u0022port 3099 tcp \u00b7 port 3099 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223099\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223099\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12672080,"ip":"130.12.180.153","ts":"2026-07-17 16:15:50.000000","proto":"tcp","src_port":56265,"dst_port":3032,"service":null,"classification":"port_3032_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3032, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002222c9a3eabc2f26ba0ff64b5bf67a997ad9d1efbd\u0022, \u0022event_fingerprint\u0022: \u0022ec3f427ee7ea890166f6191d8c438953eb1946e9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3032_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u0022802d2988a3350171d11305cef7b46bd4\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3032, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3032_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d08da763eff805533b6bc6d9d11a86d15098fa56\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3032}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3032 tcp \u00b7 port 3032 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223032\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3032_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3032_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3032, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3032}, \u0022attack_vector\u0022: \u0022port 3032 tcp \u00b7 port 3032 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223032\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223032\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12671777,"ip":"130.12.180.153","ts":"2026-07-17 16:10:31.000000","proto":"tcp","src_port":64244,"dst_port":3090,"service":null,"classification":"port_3090_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3090, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00223e474b01bcfe702f987d284aa318aca40907b78f\u0022, \u0022event_fingerprint\u0022: \u0022a9383d6b159bf51fe654e43b90cb78001df5b3ee\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3090_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.57, \u0022classification_confidence\u0022: 0.57, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u0022158a2d4538233381d8fcdef6d59c9d1a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3090, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3090_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022007ba92e883be80fa4fdb09aad331fd53687f64d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3090}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3090 tcp \u00b7 port 3090 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223090\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3090_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3090_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 57, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3090, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3090}, \u0022attack_vector\u0022: \u0022port 3090 tcp \u00b7 port 3090 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223090\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223090\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022port:3006\u0022, \u0022port:3090\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12671527,"ip":"130.12.180.153","ts":"2026-07-17 16:06:02.000000","proto":"tcp","src_port":64662,"dst_port":3006,"service":null,"classification":"port_3006_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3006, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00222e8cd947e26c0b7b64b6429d3576e12bedd260c5\u0022, \u0022event_fingerprint\u0022: \u0022edd93c236eddb9133f31d1737cd8c58e97b8c490\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3006_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u002248a890c1107cfbde6343d7ef187b6202\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3006, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3006_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022151a56f6e15aa395b91b9b621e549bf1e2c45279\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3006}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3006 tcp \u00b7 port 3006 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223006\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3006_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3006_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3006, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3006}, \u0022attack_vector\u0022: \u0022port 3006 tcp \u00b7 port 3006 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223006\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223006\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12669668,"ip":"130.12.180.153","ts":"2026-07-17 15:31:25.000000","proto":"tcp","src_port":51623,"dst_port":3093,"service":null,"classification":"port_3093_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3093, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b609812781606ba43dd80810d09b70e0500ba5db\u0022, \u0022event_fingerprint\u0022: \u0022a429fb137921023112f431850d791c2bff294971\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3093_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.57, \u0022classification_confidence\u0022: 0.57, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u00228b5b902d95e02f1127f7c9db839e1795\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3093, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3093_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e80a87e054a504de48ddef8d96daccd8a6d47289\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3093}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3093 tcp \u00b7 port 3093 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223093\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3093_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3093_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 57, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3093, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3093}, \u0022attack_vector\u0022: \u0022port 3093 tcp \u00b7 port 3093 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223093\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223093\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022port:3048\u0022, \u0022port:3093\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12669616,"ip":"130.12.180.153","ts":"2026-07-17 15:30:22.000000","proto":"tcp","src_port":63087,"dst_port":3048,"service":null,"classification":"port_3048_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3048, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a365831f4c8802647b8a9ee8e9537e6479310f9c\u0022, \u0022event_fingerprint\u0022: \u00227dfe900645d9dc31d1179f2cec153defa54ce8f8\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3048_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u0022213221d48015888cba6a98288794035f\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3048, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3048_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022bf3f27fc2b0edd9d7a715c40549daf26287ed7fa\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3048}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3048 tcp \u00b7 port 3048 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223048\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3048_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3048_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3048, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3048}, \u0022attack_vector\u0022: \u0022port 3048 tcp \u00b7 port 3048 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223048\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223048\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12668958,"ip":"130.12.180.153","ts":"2026-07-17 15:21:32.000000","proto":"tcp","src_port":58083,"dst_port":3029,"service":null,"classification":"port_3029_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3029, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002291703cb0ff7873369d246cd8ae0b01e141330193\u0022, \u0022event_fingerprint\u0022: \u002232da74fd9ae8701c047f12238d4ee3789cd580b2\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3029_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u0022a171e6853904db4df090557ecdc14b2b\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3029, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3029_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221f924cc652ea9e1de9d498b44e5564a454c8d531\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3029}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3029 tcp \u00b7 port 3029 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223029\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3029_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3029_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3029, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3029}, \u0022attack_vector\u0022: \u0022port 3029 tcp \u00b7 port 3029 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223029\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223029\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12663488,"ip":"130.12.180.153","ts":"2026-07-17 13:57:48.000000","proto":"tcp","src_port":53719,"dst_port":3023,"service":null,"classification":"port_3023_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3023, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022cc5cdda1ad0521008d614a04562bd62d03d935a8\u0022, \u0022event_fingerprint\u0022: \u002262f699a82a7a9df51053e35fd4b63f2a7a92e4bb\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3023_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u002210242e20120557ee094fba484c37a639\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3023, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3023_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022145b4ee55d8ae2ffb6fc994b0b6e73ff8370a3c4\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3023}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3023 tcp \u00b7 port 3023 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223023\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3023_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3023_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3023, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3023}, \u0022attack_vector\u0022: \u0022port 3023 tcp \u00b7 port 3023 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223023\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223023\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12658084,"ip":"130.12.180.153","ts":"2026-07-17 12:38:38.000000","proto":"tcp","src_port":57132,"dst_port":3087,"service":null,"classification":"port_3087_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3087, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b39f0aca759f400841d78a4d3125af698ff4dd8d\u0022, \u0022event_fingerprint\u0022: \u00228c19c99b5d01bd7671eb14baff726677e95565b6\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3087_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u002249f772b9fd365039c833d0b8a4e5af00\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3087, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3087_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022aa267c15fafe97b97ab720d79af30fd477a1ab09\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3087}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3087 tcp \u00b7 port 3087 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223087\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3087_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3087_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3087, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3087}, \u0022attack_vector\u0022: \u0022port 3087 tcp \u00b7 port 3087 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223087\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223087\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12656586,"ip":"130.12.180.153","ts":"2026-07-17 11:53:54.000000","proto":"tcp","src_port":60421,"dst_port":3026,"service":null,"classification":"port_3026_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3026, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022690b34e376b512752b8aeba10110c6e2cd981039\u0022, \u0022event_fingerprint\u0022: \u002261d125b1cc3439dc3ad9c543802826fd05f4064c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3026_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.57, \u0022classification_confidence\u0022: 0.57, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u0022ba54a350c36747a2ffff1091e3d9ee17\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3026, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3026_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a14724bf676bccb9f6996759d6151ce6e9d96146\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3026}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3026 tcp \u00b7 port 3026 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223026\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3026_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3026_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 57, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3026, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3026}, \u0022attack_vector\u0022: \u0022port 3026 tcp \u00b7 port 3026 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223026\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223026\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022port:3026\u0022, \u0022port:3084\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12656556,"ip":"130.12.180.153","ts":"2026-07-17 11:53:02.000000","proto":"tcp","src_port":58452,"dst_port":3084,"service":null,"classification":"port_3084_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3084, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224a8b9f6a616ded354f7fdafcde9c98bd89879e8d\u0022, \u0022event_fingerprint\u0022: \u0022362bd8a16c62446b665dca923c17e7009fbae7ab\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3084_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u0022f1873b8024a6036979f80fbec07f798b\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3084, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3084_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221bff140e0c8e123582fa1d5125dff93437887ec0\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3084}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3084 tcp \u00b7 port 3084 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223084\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3084_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3084_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3084, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3084}, \u0022attack_vector\u0022: \u0022port 3084 tcp \u00b7 port 3084 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223084\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223084\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12655571,"ip":"130.12.180.153","ts":"2026-07-17 11:23:03.000000","proto":"tcp","src_port":63280,"dst_port":3028,"service":null,"classification":"port_3028_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3028, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022be63a711e1f3f8f5d2a989ad33dea796167d78d1\u0022, \u0022event_fingerprint\u0022: \u0022b050ec31b3b2b391ee289c3dd54f12d72e6ebf71\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3028_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u0022377977dbc802c98d96209ddcaf2089ee\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3028, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3028_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022202eeb3838462cae9975ad9d92e110e1d9d8e936\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3028}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3028 tcp \u00b7 port 3028 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223028\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3028_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3028_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3028, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3028}, \u0022attack_vector\u0022: \u0022port 3028 tcp \u00b7 port 3028 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223028\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223028\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12654529,"ip":"130.12.180.153","ts":"2026-07-17 10:59:52.000000","proto":"tcp","src_port":57695,"dst_port":3020,"service":null,"classification":"port_3020_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3020, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022cb7170d5dd4039210e32bf0e88f4f824e92c7b6b\u0022, \u0022event_fingerprint\u0022: \u00224f5701d8744dd254a057267269961ea32fcc24da\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3020_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u00227137eb3c71590fb8c4644c5d4ff543fd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3020, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3020_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022eb289044cbaeb2171d96eeca762173565d47142e\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3020}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3020 tcp \u00b7 port 3020 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223020\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3020_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3020_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3020, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3020}, \u0022attack_vector\u0022: \u0022port 3020 tcp \u00b7 port 3020 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223020\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223020\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12653688,"ip":"130.12.180.153","ts":"2026-07-17 10:40:58.000000","proto":"tcp","src_port":57168,"dst_port":3014,"service":null,"classification":"port_3014_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3014, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002297958a90a8f75103df785795c4295e096f83eae1\u0022, \u0022event_fingerprint\u0022: \u0022d6feb5ed8bdb3d324bf819cf5b3f82477f8622bd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3014_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u0022e713212ec73d2b5aaa6c8962c77ccd8a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3014, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3014_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002277b932279ff896f1c711f68b5b73084ed21b8da9\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3014}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3014 tcp \u00b7 port 3014 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223014\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3014_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3014_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3014, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3014}, \u0022attack_vector\u0022: \u0022port 3014 tcp \u00b7 port 3014 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223014\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223014\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12653089,"ip":"130.12.180.153","ts":"2026-07-17 10:29:03.000000","proto":"tcp","src_port":64721,"dst_port":3025,"service":null,"classification":"port_3025_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3025, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002245b555ef440acbefe97046211fbd2dfcf52caf32\u0022, \u0022event_fingerprint\u0022: \u0022821068b59e5cc9c76284de143b47707acb34491b\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3025_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u0022a5d0eb74aaa67125b2ac41206bda887d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3025, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3025_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002262dc9418afd693dd6f6c9aecbde632bd01f1f453\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3025}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3025 tcp \u00b7 port 3025 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223025\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3025_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3025_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3025, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3025}, \u0022attack_vector\u0022: \u0022port 3025 tcp \u00b7 port 3025 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223025\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223025\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12651951,"ip":"130.12.180.153","ts":"2026-07-17 10:05:09.000000","proto":"tcp","src_port":60457,"dst_port":3011,"service":null,"classification":"port_3011_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3011, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ac5a9a02eae842307c8b1508eb40ef77662df714\u0022, \u0022event_fingerprint\u0022: \u002233b392ac4d26dda73e50796b54385c451dcfb2b4\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3011_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u002289c35c09cc92d271795ab4542ae70bed\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3011, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3011_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022eb2ad0be7728043c4c4faf83943f5314868a659c\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3011}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3011 tcp \u00b7 port 3011 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223011\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3011_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3011_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3011, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3011}, \u0022attack_vector\u0022: \u0022port 3011 tcp \u00b7 port 3011 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223011\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223011\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12650416,"ip":"130.12.180.153","ts":"2026-07-17 09:33:09.000000","proto":"tcp","src_port":59655,"dst_port":3073,"service":null,"classification":"port_3073_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3073, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00228e6d098cb884b7905ee300a6644e4772b542c11b\u0022, \u0022event_fingerprint\u0022: \u00225b176c9e6a6073aef323cc12b27e7f27f12f4e5c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3073_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.57, \u0022classification_confidence\u0022: 0.57, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u00229e24319d21747054e403560fc1f6d607\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3073, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3073_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022904de42df980174421e49d7caec335c8ee562eb6\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3073}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3073 tcp \u00b7 port 3073 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223073\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3073_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3073_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 57, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3073, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3073}, \u0022attack_vector\u0022: \u0022port 3073 tcp \u00b7 port 3073 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223073\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223073\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022port:3037\u0022, \u0022port:3073\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12650308,"ip":"130.12.180.153","ts":"2026-07-17 09:30:31.000000","proto":"tcp","src_port":64380,"dst_port":3037,"service":null,"classification":"port_3037_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3037, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d575f82077ec5ff505d970f23e3870292a4d440a\u0022, \u0022event_fingerprint\u0022: \u0022f0bd00bd121290e4529a589345d2d6033e053ae2\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3037_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u00222c2f1171e6151bac19200afa3979465a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3037, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3037_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022aae3df8f1937a08f2fc89b3cf1ed6f167544b357\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3037}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3037 tcp \u00b7 port 3037 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223037\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3037_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3037_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3037, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3037}, \u0022attack_vector\u0022: \u0022port 3037 tcp \u00b7 port 3037 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223037\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223037\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12649622,"ip":"130.12.180.153","ts":"2026-07-17 09:13:02.000000","proto":"tcp","src_port":49162,"dst_port":3070,"service":null,"classification":"port_3070_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3070, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00222767abd2f7d2c329b2bae5f8720945cc9df11d5f\u0022, \u0022event_fingerprint\u0022: \u0022fb8496754a8218b94d7cd88a673d4a92e6a40fa3\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3070_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u0022d5437e095dda428927953413c04f3ce9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3070, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3070_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e818f65ae46bb359221a0f1cf1c3594e5ccde897\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3070}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3070 tcp \u00b7 port 3070 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223070\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3070_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3070_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3070, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3070}, \u0022attack_vector\u0022: \u0022port 3070 tcp \u00b7 port 3070 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223070\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223070\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12645107,"ip":"130.12.180.153","ts":"2026-07-17 07:24:54.000000","proto":"tcp","src_port":63229,"dst_port":3016,"service":null,"classification":"port_3016_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 202412, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3016, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002263588e70691eec8164bfa48b177bb38c247928c7\u0022, \u0022event_fingerprint\u0022: \u00220e403b069f20d90f5eeb8cd3286afbb799a83b5e\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3016_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202412, \u0022org\u0022: \u0022Omegatech LTD\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u0022882ce16ce5be92a9ac56c137296fe13f\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3016, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3016_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226ab32d396f6e4550419807886b56afa0c39d6f38\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3016}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3016 tcp \u00b7 port 3016 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223016\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3016_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3016_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3016, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3016}, \u0022attack_vector\u0022: \u0022port 3016 tcp \u00b7 port 3016 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223016\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223016\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19}],"total_events":66}