Détails IP 134.209.235.211

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « http_smuggling_probe » (signaux protocolaires) · confiance 95%

Confiance 95 % — Score WAF 8

Comparaison ASN / FAI

ASN 14061 · 134.209.224.0/20 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 20 événements sur la période pour cette IP.

143.198.238.87 Sonde port 20/06/2026 23:10 UTC
164.92.82.91 Sonde port 20/06/2026 23:10 UTC
164.92.114.247 Sonde port 20/06/2026 23:09 UTC
143.198.150.150 rocketmq probe 20/06/2026 23:09 UTC
147.182.202.179 Sonde port 20/06/2026 23:08 UTC
64.225.74.178 Sonde port 20/06/2026 23:07 UTC
147.182.247.10 Sonde port 20/06/2026 23:07 UTC
137.184.13.100 Sonde port 20/06/2026 23:04 UTC

IPs apparentées

Même FAI DigitalOcean, LLC — corrélation indicative.

143.198.238.87 Sonde port
164.92.82.91 Sonde port
164.92.114.247 Sonde port
143.198.150.150 rocketmq probe
147.182.202.179 Sonde port

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

SAP ICM TCP 17 IMAP TCP 3

SAP ICM

17

IMAP

3

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

De

À

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Chronologie des événements

20 événement(s) — page 1/1

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
18/06/2026 21:08:31 UTC	TCP	8000 · SAP ICM	sap-icm	Sonde RTSP rtsp probe · via SAP ICM:8000 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-ICM WAF — Recommandation Surveiller Tags net_sap_web_probe sap_icm_emulated sap_icm_payload Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8000 Chemin / cible — Service SAP ICM Payload OPTIONS / RTSP/1.0 Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) RTSP protocol HTTP OPTIONS method User-Agent — Règles WAF — Payload (extrait) OPTIONS / RTSP/1.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c", "emulator_response_len": 141, "bytes_in": 22, "payload_entropy": 3.73215889136457, "port_category": "registered", "org": "DigitalOcean, LLC", "service": "sap-icm", "app_proto": "sap-icm", "asn": 14061, "country": "DE", "dst_port": 8000, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.4, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 0 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "04ada829cf80285c4a0f515b998f0122f0ce49cc", "event_fingerprint": "40ac2e001fc92fc4c26729171b1b914e26c42c6a", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0382" ], "kb_rule_ids": [ "pat-0382" ], "matched_patterns": [ "pat-0382", "pat-0420" ], "matched_pattern_names": [ "RTSP protocol", "HTTP OPTIONS method" ], "pattern_ids": [ "pat-0382", "pat-0420" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 0, "risk_score": 45 }, "named_classification_skipped": false, "service_name": "sap-icm", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "DE", "asn": 14061, "org": "DigitalOcean, LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b9373ea592d67ff8b93af91f8352abc2", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 8000, "service": "sap-icm", "service_name": "sap-icm", "risk_score": 45 }, "payload_preview": "OPTIONS \/ RTSP\/1.0\r\n\r\n", "request_sample": "OPTIONS \/ RTSP\/1.0\r\n\r\n", "payload_snippet": "OPTIONS \/ RTSP\/1.0", "evidence": { "request_sample": "OPTIONS \/ RTSP\/1.0\r\n\r\n", "payload_snippet": "OPTIONS \/ RTSP\/1.0", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "01163a2ec31937b2b404099eaf2a861275dc0b44", "protocol_details": { "payload_preview": "OPTIONS \/ RTSP\/1.0", "port": 8000, "service": "sap-icm", "service_label_fr": "SAP ICM" }, "evidence_snippet": "OPTIONS \/ RTSP\/1.0", "attack_vector": "rtsp probe \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)", "target_port_label": "8000 \u00b7 SAP ICM", "emulator_service": "sap-icm", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 0, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "sap-icm", "service_label_fr": "SAP ICM", "dst_port": 8000, "protocol_emulated": true, "tags_summary": [ "pat-0382" ], "tags_summary_labels_fr": [ "pat-0382" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-icm", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "OPTIONS \/ RTSP\/1.0", "port": 8000, "service": "sap-icm", "service_label_fr": "SAP ICM" }, "attack_vector": "rtsp probe \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)", "evidence_snippet": "OPTIONS \/ RTSP\/1.0", "target_port_label": "8000 \u00b7 SAP ICM", "emulator_service": "sap-icm", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_icm", "service_banner": "honeypot-sap-icm", "service_os": "linux", "dst_port": "8000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_web_probe", "sap_icm_emulated", "sap_icm_payload" ], "asn_dc_heuristic": true }
18/06/2026 21:08:31 UTC	TCP	8000 · SAP ICM	sap-icm	Sonde SAP ICM HTTP Sonde SAP ICM / WebDynpro · via SAP ICM:8000 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-ICM WAF — Recommandation Surveiller Tags mongodb_probe net_sap_web_probe sap_icm_emulated sap_icm_payload Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8000 Chemin / cible — Service SAP ICM Payload �(r��\| Pourquoi cette classification : Type « sap_web_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0532 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �(r��\| Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c", "emulator_response_len": 141, "bytes_in": 44, "payload_entropy": 1.9235205817738175, "port_category": "registered", "org": "DigitalOcean, LLC", "service": "sap-icm", "app_proto": "sap-icm", "asn": 14061, "country": "DE", "dst_port": 8000, "risk_waf": 8, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.7, "risk_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 0 }, "risk_score": 45, "tag_count": 4, "anomaly_count": 0, "campaign_key": "cee2e7090a924520ef170e9475b0890d66b33fac", "event_fingerprint": "40ac2e001fc92fc4c26729171b1b914e26c42c6a", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0532" ], "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 0, "risk_score": 45 }, "service_name": "sap-icm", "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "DE", "asn": 14061, "org": "DigitalOcean, LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "2a177602bee0d039f41fbd6da5240e04", "path_pattern_hash": "2dea5f3383fd8694e14eaf8b920fd9fc" }, "target_context": { "dst_port": 8000, "service": "sap-icm", "service_name": "sap-icm", "risk_score": 45 }, "payload_preview": "\ufffd\u0000\u0000(r\ufffd\u001d\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0001\ufffd\|\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "request_sample": "\ufffd\u0000\u0000(r\ufffd\u001d\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0001\ufffd\|\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "\ufffd\u0000\u0000(r\ufffd\u001d\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0001\ufffd\|\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "\ufffd\u0000\u0000(r\ufffd\u001d\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0001\ufffd\|\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "\ufffd\u0000\u0000(r\ufffd\u001d\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0001\ufffd\|\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "684c6b011ab20596b4f899f89f460db5d523b90e", "protocol_details": { "payload_preview": "\ufffd\u0000\u0000(r\ufffd\u001d\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0001\ufffd\|\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "port": 8000, "service": "sap-icm", "service_label_fr": "SAP ICM" }, "evidence_snippet": "\ufffd(r\ufffd\ufffd\ufffd\ufffd\|", "attack_vector": "Sonde SAP ICM \/ WebDynpro \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)", "target_port_label": "8000 \u00b7 SAP ICM", "emulator_service": "sap-icm", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 0, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "sap-icm", "service_label_fr": "SAP ICM", "dst_port": 8000, "protocol_emulated": true, "tags_summary": [ "pat-0532" ], "tags_summary_labels_fr": [ "pat-0532" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-icm", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\ufffd\u0000\u0000(r\ufffd\u001d\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0001\ufffd\|\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "port": 8000, "service": "sap-icm", "service_label_fr": "SAP ICM" }, "attack_vector": "Sonde SAP ICM \/ WebDynpro \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd(r\ufffd\ufffd\ufffd\ufffd\|", "target_port_label": "8000 \u00b7 SAP ICM", "emulator_service": "sap-icm", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_icm", "service_banner": "honeypot-sap-icm", "service_os": "linux", "dst_port": "8000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "mongodb_probe", "net_sap_web_probe", "sap_icm_emulated", "sap_icm_payload" ], "asn_dc_heuristic": true }
18/06/2026 21:08:31 UTC	TCP	8000 · SAP ICM	sap-icm	Sonde SAP ICM HTTP Sonde SAP ICM / WebDynpro · via SAP ICM:8000 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-ICM WAF — Recommandation Surveiller Tags net_sap_web_probe sap_icm_emulated sap_icm_payload Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8000 Chemin / cible — Service SAP ICM Payload versionbind Pourquoi cette classification : Type « sap_web_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0771 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) versionbind Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c", "emulator_response_len": 141, "bytes_in": 32, "payload_entropy": 3.309196364505181, "port_category": "registered", "org": "DigitalOcean, LLC", "service": "sap-icm", "app_proto": "sap-icm", "asn": 14061, "country": "DE", "dst_port": 8000, "risk_waf": 8, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.4, "risk_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 0 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "04ada829cf80285c4a0f515b998f0122f0ce49cc", "event_fingerprint": "40ac2e001fc92fc4c26729171b1b914e26c42c6a", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0771" ], "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 0, "risk_score": 45 }, "service_name": "sap-icm", "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "DE", "asn": 14061, "org": "DigitalOcean, LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f373b5f5cafd9af5e2c2fd8ac069ea6c", "path_pattern_hash": "2dea5f3383fd8694e14eaf8b920fd9fc" }, "target_context": { "dst_port": 8000, "service": "sap-icm", "service_name": "sap-icm", "risk_score": 45 }, "payload_preview": "\u0000\u001e\u0000\u0006\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0007version\u0004bind\u0000\u0000\u0010\u0000\u0003", "request_sample": "\u0000\u001e\u0000\u0006\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0007version\u0004bind\u0000\u0000\u0010\u0000\u0003", "payload_snippet": "\u0000\u001e\u0000\u0006\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0007version\u0004bind\u0000\u0000\u0010\u0000\u0003", "evidence": { "request_sample": "\u0000\u001e\u0000\u0006\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0007version\u0004bind\u0000\u0000\u0010\u0000\u0003", "payload_snippet": "\u0000\u001e\u0000\u0006\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0007version\u0004bind\u0000\u0000\u0010\u0000\u0003", "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a8fc11ccb517f28aedfe1ee77209a08d538f8dae", "protocol_details": { "payload_preview": "\u0000\u001e\u0000\u0006\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0007version\u0004bind\u0000\u0000\u0010\u0000\u0003", "port": 8000, "service": "sap-icm", "service_label_fr": "SAP ICM" }, "evidence_snippet": "versionbind", "attack_vector": "Sonde SAP ICM \/ WebDynpro \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)", "target_port_label": "8000 \u00b7 SAP ICM", "emulator_service": "sap-icm", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 0, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "sap-icm", "service_label_fr": "SAP ICM", "dst_port": 8000, "protocol_emulated": true, "tags_summary": [ "pat-0771" ], "tags_summary_labels_fr": [ "pat-0771" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-icm", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0000\u001e\u0000\u0006\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0007version\u0004bind\u0000\u0000\u0010\u0000\u0003", "port": 8000, "service": "sap-icm", "service_label_fr": "SAP ICM" }, "attack_vector": "Sonde SAP ICM \/ WebDynpro \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)", "evidence_snippet": "versionbind", "target_port_label": "8000 \u00b7 SAP ICM", "emulator_service": "sap-icm", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_icm", "service_banner": "honeypot-sap-icm", "service_os": "linux", "dst_port": "8000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_web_probe", "sap_icm_emulated", "sap_icm_payload" ], "asn_dc_heuristic": true }
18/06/2026 21:08:31 UTC	TCP	8000 · SAP ICM	sap-icm	Sonde OPC-UA opcua probe · via SAP ICM:8000 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-ICM WAF — Recommandation Surveiller Tags net_sap_web_probe sap_icm_emulated sap_icm_payload Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8000 Chemin / cible — Service SAP ICM Payload HELP Pourquoi cette classification : Type « opcua_probe » (signaux protocolaires) · confiance 47% Confiance classification 47% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 47 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0626 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) OPC UA HEL User-Agent — Règles WAF — Payload (extrait) HELP Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c", "emulator_response_len": 141, "bytes_in": 6, "payload_entropy": 2.584962500721156, "port_category": "registered", "org": "DigitalOcean, LLC", "service": "sap-icm", "app_proto": "sap-icm", "asn": 14061, "country": "DE", "dst_port": 8000, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.4, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 0 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "04ada829cf80285c4a0f515b998f0122f0ce49cc", "event_fingerprint": "40ac2e001fc92fc4c26729171b1b914e26c42c6a", "classification_reason": "Type \u00ab opcua_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%", "confidence": 0.47, "classification_confidence": 0.47, "precision_score": 56, "precision_signals": [ "pat-0626" ], "kb_rule_ids": [ "pat-0626" ], "matched_patterns": [ "pat-0626" ], "matched_pattern_names": [ "OPC UA HEL" ], "pattern_ids": [ "pat-0626" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 0, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "sap-icm", "risk_confidence_factor": 47, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "DE", "asn": 14061, "org": "DigitalOcean, LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "fb323af48498fcb3974ce6b1881c8797", "path_pattern_hash": "9665a326f7d8f70f1661dab78807b951" }, "target_context": { "dst_port": 8000, "service": "sap-icm", "service_name": "sap-icm", "risk_score": 35 }, "payload_preview": "HELP\r\n", "request_sample": "HELP\r\n", "payload_snippet": "HELP", "evidence": { "request_sample": "HELP\r\n", "payload_snippet": "HELP", "classification_reason": "Type \u00ab opcua_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a2b6edda4bdf1d11238d10164f3d123000dbd35e", "protocol_details": { "payload_preview": "HELP", "port": 8000, "service": "sap-icm", "service_label_fr": "SAP ICM" }, "evidence_snippet": "HELP", "attack_vector": "opcua probe \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)", "target_port_label": "8000 \u00b7 SAP ICM", "emulator_service": "sap-icm", "confidence_reason": "Confiance 47 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab opcua_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%", "classification_reason_label_fr": "Type \u00ab opcua_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 47, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 0, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "sap-icm", "service_label_fr": "SAP ICM", "dst_port": 8000, "protocol_emulated": true, "tags_summary": [ "pat-0626" ], "tags_summary_labels_fr": [ "pat-0626" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-icm", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "HELP", "port": 8000, "service": "sap-icm", "service_label_fr": "SAP ICM" }, "attack_vector": "opcua probe \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)", "evidence_snippet": "HELP", "target_port_label": "8000 \u00b7 SAP ICM", "emulator_service": "sap-icm", "confidence_reason": "Confiance 47 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 47 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_icm", "service_banner": "honeypot-sap-icm", "service_os": "linux", "dst_port": "8000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_web_probe", "sap_icm_emulated", "sap_icm_payload" ], "asn_dc_heuristic": true }
18/06/2026 21:08:31 UTC	TCP	8000 · SAP ICM	sap-icm	Sonde port 8000/TCP port 8000 tcp · via SAP ICM:8000 · (sonde / probe)	Élevée	Moyen · 41
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-ICM WAF — Recommandation Surveiller Tags net_sap_web_probe sap_icm_emulated sap_icm_payload tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8000 Chemin / cible — Preuve honeypot — Sonde port 8000/TCP Connexion détectée sur le port 8000 (TCP) du capteur simulé. Service SAP ICM Payload SO?G��,��`~��{�Ֆ�w��<=�o�n( fedcba` Pourquoi cette classification : Type « port_8000_tcp » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 41 Confiance : Confiance 49 % — Motif catalogue confirmé · Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Signaux pat-0348 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) RDP TPKT header ET H.323 setup Minecraft varint handshake User-Agent — Règles WAF — Payload (extrait) SO?G��,��`~��{�Ֆ�w��<=�o�n( fedcba` Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c", "emulator_response_len": 141, "bytes_in": 88, "payload_entropy": 4.71356415999113, "port_category": "registered", "org": "DigitalOcean, LLC", "service": "sap-icm", "app_proto": "sap-icm", "asn": 14061, "country": "DE", "dst_port": 8000, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 38, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.7, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 15 }, "risk_score": 41, "tag_count": 4, "anomaly_count": 0, "campaign_key": "99bbaeb8ebb34740707ed444a26235ebf7259fae", "event_fingerprint": "40ac2e001fc92fc4c26729171b1b914e26c42c6a", "classification_reason": "Type \u00ab port_8000_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0348" ], "kb_rule_ids": [ "pat-0348" ], "matched_patterns": [ "pat-0348", "pat-0868", "pat-0554" ], "matched_pattern_names": [ "RDP TPKT header", "ET H.323 setup", "Minecraft varint handshake" ], "pattern_ids": [ "pat-0348", "pat-0868", "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 15, "risk_score": 41 }, "named_classification_skipped": true, "named_candidate": "rdp_probe", "service_name": "sap-icm", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "DE", "asn": 14061, "org": "DigitalOcean, LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "80ab07029d5f302cd55bfd003a3a37f1", "path_pattern_hash": "97eef1c1cc84f4beda2cd4940c4c8e79" }, "target_context": { "dst_port": 8000, "service": "sap-icm", "service_name": "sap-icm", "risk_score": 41 }, "payload_preview": "\u0016\u0003\u0000\u0000S\u0001\u0000\u0000O\u0003\u0000?G\ufffd\ufffd\ufffd,\ufffd\ufffd`~\ufffd\u0000\ufffd\ufffd{\ufffd\u0556\ufffdw\ufffd\ufffd\ufffd\ufffd<=\ufffdo\ufffd\u0010n\u0000\u0000(\u0000\u0016\u0000\u0013\u0000\n\u0000f\u0000\u0005\u0000\u0004\u0000e\u0000d\u0000c\u0000b\u0000a\u0000`\u0000\u0015\u0000\u0012\u0000\t\u0000\u0014\u0000\u0011\u0000\b\u0000\u0006\u0000\u0003\u0001\u0000", "request_sample": "\u0016\u0003\u0000\u0000S\u0001\u0000\u0000O\u0003\u0000?G\ufffd\ufffd\ufffd,\ufffd\ufffd`~\ufffd\u0000\ufffd\ufffd{\ufffd\u0556\ufffdw\ufffd\ufffd\ufffd\ufffd<=\ufffdo\ufffd\u0010n\u0000\u0000(\u0000\u0016\u0000\u0013\u0000\n\u0000f\u0000\u0005\u0000\u0004\u0000e\u0000d\u0000c\u0000b\u0000a\u0000`\u0000\u0015\u0000\u0012\u0000\t\u0000\u0014\u0000\u0011\u0000\b\u0000\u0006\u0000\u0003\u0001\u0000", "payload_snippet": "\u0016\u0003\u0000\u0000S\u0001\u0000\u0000O\u0003\u0000?G\ufffd\ufffd\ufffd,\ufffd\ufffd`~\ufffd\u0000\ufffd\ufffd{\ufffd\u0556\ufffdw\ufffd\ufffd\ufffd\ufffd<=\ufffdo\ufffd\u0010n\u0000\u0000(\u0000\u0016\u0000\u0013\u0000\n\u0000f\u0000\u0005\u0000\u0004\u0000e\u0000d\u0000c\u0000b\u0000a\u0000`\u0000\u0015\u0000\u0012\u0000\t\u0000\u0014\u0000\u0011\u0000\b\u0000\u0006\u0000\u0003\u0001\u0000", "evidence": { "request_sample": "\u0016\u0003\u0000\u0000S\u0001\u0000\u0000O\u0003\u0000?G\ufffd\ufffd\ufffd,\ufffd\ufffd`~\ufffd\u0000\ufffd\ufffd{\ufffd\u0556\ufffdw\ufffd\ufffd\ufffd\ufffd<=\ufffdo\ufffd\u0010n\u0000\u0000(\u0000\u0016\u0000\u0013\u0000\n\u0000f\u0000\u0005\u0000\u0004\u0000e\u0000d\u0000c\u0000b\u0000a\u0000`\u0000\u0015\u0000\u0012\u0000\t\u0000\u0014\u0000\u0011\u0000\b\u0000\u0006\u0000\u0003\u0001\u0000", "payload_snippet": "\u0016\u0003\u0000\u0000S\u0001\u0000\u0000O\u0003\u0000?G\ufffd\ufffd\ufffd,\ufffd\ufffd`~\ufffd\u0000\ufffd\ufffd{\ufffd\u0556\ufffdw\ufffd\ufffd\ufffd\ufffd<=\ufffdo\ufffd\u0010n\u0000\u0000(\u0000\u0016\u0000\u0013\u0000\n\u0000f\u0000\u0005\u0000\u0004\u0000e\u0000d\u0000c\u0000b\u0000a\u0000`\u0000\u0015\u0000\u0012\u0000\t\u0000\u0014\u0000\u0011\u0000\b\u0000\u0006\u0000\u0003\u0001\u0000", "classification_reason": "Type \u00ab port_8000_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "106b0d1c41b7a564e91d698689e41222c8927356", "protocol_details": { "payload_preview": "\u0016\u0003\u0000\u0000S\u0001\u0000\u0000O\u0003\u0000?G\ufffd\ufffd\ufffd,\ufffd\ufffd`~\ufffd\u0000\ufffd\ufffd{\ufffd\u0556\ufffdw\ufffd\ufffd\ufffd\ufffd<=\ufffdo\ufffd\u0010n\u0000\u0000(\u0000\u0016\u0000\u0013\u0000\n\u0000f\u0000\u0005\u0000\u0004\u0000e\u0000d\u0000c\u0000b\u0000a\u0000`\u0000\u0015\u0000\u0012\u0000\t\u0000\u0014\u0000\u0011\u0000\b\u0000\u0006\u0000\u0003\u0001\u0000", "port": 8000, "service": "sap-icm", "service_label_fr": "SAP ICM" }, "evidence_snippet": "SO?G\ufffd\ufffd\ufffd,\ufffd\ufffd`~\ufffd\ufffd\ufffd{\ufffd\u0556\ufffdw\ufffd\ufffd\ufffd\ufffd<=\ufffdo\ufffdn(\nfedcba`", "attack_vector": "port 8000 tcp \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)", "target_port_label": "8000 \u00b7 SAP ICM", "emulator_service": "sap-icm", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_8000_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab port_8000_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 41\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 15, "risk_score": 41 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 41, "risk_label": "Moyen", "service_name": "sap-icm", "service_label_fr": "SAP ICM", "dst_port": 8000, "protocol_emulated": true, "tags_summary": [ "pat-0348" ], "tags_summary_labels_fr": [ "pat-0348" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-icm", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0000\u0000S\u0001\u0000\u0000O\u0003\u0000?G\ufffd\ufffd\ufffd,\ufffd\ufffd`~\ufffd\u0000\ufffd\ufffd{\ufffd\u0556\ufffdw\ufffd\ufffd\ufffd\ufffd<=\ufffdo\ufffd\u0010n\u0000\u0000(\u0000\u0016\u0000\u0013\u0000\n\u0000f\u0000\u0005\u0000\u0004\u0000e\u0000d\u0000c\u0000b\u0000a\u0000`\u0000\u0015\u0000\u0012\u0000\t\u0000\u0014\u0000\u0011\u0000\b\u0000\u0006\u0000\u0003\u0001\u0000", "port": 8000, "service": "sap-icm", "service_label_fr": "SAP ICM" }, "attack_vector": "port 8000 tcp \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)", "evidence_snippet": "SO?G\ufffd\ufffd\ufffd,\ufffd\ufffd`~\ufffd\ufffd\ufffd{\ufffd\u0556\ufffdw\ufffd\ufffd\ufffd\ufffd<=\ufffdo\ufffdn(\nfedcba`", "target_port_label": "8000 \u00b7 SAP ICM", "emulator_service": "sap-icm", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_icm", "service_banner": "honeypot-sap-icm", "service_os": "linux", "dst_port": "8000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_web_probe", "sap_icm_emulated", "sap_icm_payload", "tls_clienthello" ], "asn_dc_heuristic": true }
18/06/2026 21:08:31 UTC	TCP	8000 · SAP ICM	sap-icm	Sonde port 8000/TCP port 8000 tcp · via SAP ICM:8000 · (sonde / probe)	Élevée	Moyen · 41
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 16ee84a07b55074c Émulateur SAP-ICM WAF — Recommandation Surveiller Tags net_sap_web_probe sap_icm_emulated sap_icm_payload tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8000 Chemin / cible — Preuve honeypot — Sonde port 8000/TCP Connexion détectée sur le port 8000 (TCP) du capteur simulé. Service SAP ICM Payload ieU��random1random2random3random4 / 9�0 ,* Pourquoi cette classification : Type « port_8000_tcp » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 41 Confiance : Confiance 49 % — Motif catalogue confirmé · Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Signaux pat-0348 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) RDP TPKT header ET H.323 setup Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ieU��random1random2random3random4/ 9�0 ,* Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c", "emulator_response_len": 141, "bytes_in": 110, "payload_entropy": 4.269606220838881, "port_category": "registered", "org": "DigitalOcean, LLC", "service": "sap-icm", "app_proto": "sap-icm", "asn": 14061, "country": "DE", "dst_port": 8000, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.7, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 0 }, "risk_score": 41, "tag_count": 4, "anomaly_count": 0, "campaign_key": "99bbaeb8ebb34740707ed444a26235ebf7259fae", "event_fingerprint": "40ac2e001fc92fc4c26729171b1b914e26c42c6a", "classification_reason": "Type \u00ab port_8000_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0348" ], "kb_rule_ids": [ "pat-0348" ], "matched_patterns": [ "pat-0348", "pat-0868", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "RDP TPKT header", "ET H.323 setup", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0348", "pat-0868", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 0, "risk_score": 41 }, "named_classification_skipped": true, "named_candidate": "rdp_probe", "service_name": "sap-icm", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "DE", "asn": 14061, "org": "DigitalOcean, LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4ad5dce8143f2bcf1242885cff6e93f8", "path_pattern_hash": "97eef1c1cc84f4beda2cd4940c4c8e79", "ja3": "16ee84a07b55074cb2751329bf1c8811", "ja4": "011b865e5f91ae5e1836c88110724dcb", "tls_version": "0x0303", "tls_cipher_count": 6, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "16ee84a07b55074cb2751329bf1c8811", "tls_ja3": "771,47-10-19-57-4-255,13,,", "tls_ja4_hash": "011b865e5f91ae5e1836c88110724dcb", "tls_ja4": "t13d0106_3fdba35f04dc_d03502c43d74", "tls_version": "0x0303", "tls_cipher_count": 6, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8000, "service": "sap-icm", "service_name": "sap-icm", "risk_score": 41 }, "payload_snippet": "\u0016\u0003\u0000\u0000i\u0001\u0000\u0000e\u0003\u0003U\u001c\ufffd\ufffdrandom1random2random3random4\u0000\u0000\f\u0000\/\u0000\n\u0000\u0013\u00009\u0000\u0004\u0000\ufffd\u0001\u0000\u00000\u0000\r\u0000,\u0000\u0000\u0001\u0000\u0003\u0000\u0002\u0006\u0001\u0006\u0003\u0006\u0002\u0002\u0001\u0002\u0003\u0002\u0002\u0003\u0001\u0003\u0003\u0003\u0002\u0004\u0001\u0004\u0003\u0004\u0002\u0001\u0001\u0001\u0003\u0001\u0002\u0005\u0001\u0005\u0003\u0005\u0002", "evidence": { "request_sample": "\u0016\u0003\u0000\u0000i\u0001\u0000\u0000e\u0003\u0003U\u001c\ufffd\ufffdrandom1random2random3random4\u0000\u0000\f\u0000\/\u0000\n\u0000\u0013\u00009\u0000\u0004\u0000\ufffd\u0001\u0000\u00000\u0000\r\u0000,\u0000\u0000\u0001\u0000\u0003\u0000\u0002\u0006\u0001\u0006\u0003\u0006\u0002\u0002\u0001\u0002\u0003\u0002\u0002\u0003\u0001\u0003\u0003\u0003\u0002\u0004\u0001\u0004\u0003\u0004\u0002\u0001\u0001\u0001\u0003\u0001\u0002\u0005\u0001\u0005\u0003\u0005\u0002", "payload_snippet": "\u0016\u0003\u0000\u0000i\u0001\u0000\u0000e\u0003\u0003U\u001c\ufffd\ufffdrandom1random2random3random4\u0000\u0000\f\u0000\/\u0000\n\u0000\u0013\u00009\u0000\u0004\u0000\ufffd\u0001\u0000\u00000\u0000\r\u0000,\u0000\u0000\u0001\u0000\u0003\u0000\u0002\u0006\u0001\u0006\u0003\u0006\u0002\u0002\u0001\u0002\u0003\u0002\u0002\u0003\u0001\u0003\u0003\u0003\u0002\u0004\u0001\u0004\u0003\u0004\u0002\u0001\u0001\u0001\u0003\u0001\u0002\u0005\u0001\u0005\u0003\u0005\u0002", "classification_reason": "Type \u00ab port_8000_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f30f00d80a423717ce07b13d1e349c5f62524e48", "protocol_details": { "payload_preview": "\u0016\u0003\u0000\u0000i\u0001\u0000\u0000e\u0003\u0003U\u001c\ufffd\ufffdrandom1random2random3random4\u0000\u0000\f\u0000\/\u0000\n\u0000\u0013\u00009\u0000\u0004\u0000\ufffd\u0001\u0000\u00000\u0000\r\u0000,\u0000\u0000\u0001\u0000\u0003\u0000\u0002\u0006\u0001\u0006\u0003\u0006\u0002\u0002\u0001\u0002\u0003\u0002\u0002\u0003\u0001\u0003\u0003\u0003\u0002\u0004\u0001\u0004\u0003\u0004\u0002\u0001\u0001\u0001\u0003\u0001\u0002\u0005\u0001\u0005\u0003\u0005\u0002", "tls_ja3": "16ee84a07b55074cb2751329bf1c8811", "tls_ja4": "011b865e5f91ae5e1836c88110724dcb", "port": 8000, "service": "sap-icm", "service_label_fr": "SAP ICM" }, "evidence_snippet": "ieU\ufffd\ufffdrandom1random2random3random4\/\n9\ufffd0\r,", "attack_vector": "port 8000 tcp \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)", "target_port_label": "8000 \u00b7 SAP ICM", "emulator_service": "sap-icm", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_8000_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab port_8000_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 41\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 0, "risk_score": 41 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 41, "risk_label": "Moyen", "service_name": "sap-icm", "service_label_fr": "SAP ICM", "dst_port": 8000, "protocol_emulated": true, "tags_summary": [ "pat-0348" ], "tags_summary_labels_fr": [ "pat-0348" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-icm", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0000\u0000i\u0001\u0000\u0000e\u0003\u0003U\u001c\ufffd\ufffdrandom1random2random3random4\u0000\u0000\f\u0000\/\u0000\n\u0000\u0013\u00009\u0000\u0004\u0000\ufffd\u0001\u0000\u00000\u0000\r\u0000,\u0000\u0000\u0001\u0000\u0003\u0000\u0002\u0006\u0001\u0006\u0003\u0006\u0002\u0002\u0001\u0002\u0003\u0002\u0002\u0003\u0001\u0003\u0003\u0003\u0002\u0004\u0001\u0004\u0003\u0004\u0002\u0001\u0001\u0001\u0003\u0001\u0002\u0005\u0001\u0005\u0003\u0005\u0002", "tls_ja3": "16ee84a07b55074cb2751329bf1c8811", "tls_ja4": "011b865e5f91ae5e1836c88110724dcb", "port": 8000, "service": "sap-icm", "service_label_fr": "SAP ICM" }, "attack_vector": "port 8000 tcp \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)", "evidence_snippet": "ieU\ufffd\ufffdrandom1random2random3random4\/\n9\ufffd0\r,*", "target_port_label": "8000 \u00b7 SAP ICM", "emulator_service": "sap-icm", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_icm", "service_banner": "honeypot-sap-icm", "service_os": "linux", "dst_port": "8000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_web_probe", "sap_icm_emulated", "sap_icm_payload", "tls_clienthello" ], "asn_dc_heuristic": true }
18/06/2026 21:08:31 UTC	TCP	8000 · SAP ICM	sap-icm	Sonde SAP ICM HTTP Sonde SAP ICM / WebDynpro · via SAP ICM:8000 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-ICM WAF — Recommandation Surveiller Tags net_sap_web_probe sap_icm_emulated sap_icm_payload Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8000 Chemin / cible — Service SAP ICM Payload qj�n0�k�� ^0\�P��NM�0��0 krbtgtNM�19700101000000Z��٨0 Pourquoi cette classification : Type « sap_web_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) qj�n0�k�� ^0\�P��NM�0��0krbtgtNM�19700101000000Z��٨0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c", "emulator_response_len": 141, "bytes_in": 117, "payload_entropy": 5.017384795565958, "port_category": "registered", "org": "DigitalOcean, LLC", "service": "sap-icm", "app_proto": "sap-icm", "asn": 14061, "country": "DE", "dst_port": 8000, "risk_waf": 8, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 38, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.4, "risk_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 15 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "04ada829cf80285c4a0f515b998f0122f0ce49cc", "event_fingerprint": "40ac2e001fc92fc4c26729171b1b914e26c42c6a", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 15, "risk_score": 45 }, "service_name": "sap-icm", "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "DE", "asn": 14061, "org": "DigitalOcean, LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "cadb0423aaf435668f733a341f057883", "path_pattern_hash": "2dea5f3383fd8694e14eaf8b920fd9fc" }, "target_context": { "dst_port": 8000, "service": "sap-icm", "service_name": "sap-icm", "risk_score": 45 }, "payload_preview": "\u0000\u0000\u0000qj\ufffdn0\ufffdk\ufffd\u0003\u0002\u0001\u0005\ufffd\u0003\u0002\u0001\n\ufffd\ufffd^0\\\ufffd\u0007\u0003\u0005\u0000P\ufffd\u0000\u0010\ufffd\u0004\u001b\u0002NM\ufffd\u00170\u0015\ufffd\u0003\u0002\u0001\u0000\ufffd\u000e0\f\u001b\u0006krbtgt\u001b\u0002NM\ufffd\u0011\u0018\u000f19700101000000Z\ufffd\u0006\u0002\u0004\u001f\u001e\ufffd\u0668\u00170\u0015\u0002\u0001\u0012\u0002\u0001\u0011\u0002\u0001\u0010\u0002\u0001\u0017\u0002\u0001\u0001\u0002\u0001\u0003\u0002\u0001\u0002", "request_sample": "\u0000\u0000\u0000qj\ufffdn0\ufffdk\ufffd\u0003\u0002\u0001\u0005\ufffd\u0003\u0002\u0001\n\ufffd\ufffd^0\\\ufffd\u0007\u0003\u0005\u0000P\ufffd\u0000\u0010\ufffd\u0004\u001b\u0002NM\ufffd\u00170\u0015\ufffd\u0003\u0002\u0001\u0000\ufffd\u000e0\f\u001b\u0006krbtgt\u001b\u0002NM\ufffd\u0011\u0018\u000f19700101000000Z\ufffd\u0006\u0002\u0004\u001f\u001e\ufffd\u0668\u00170\u0015\u0002\u0001\u0012\u0002\u0001\u0011\u0002\u0001\u0010\u0002\u0001\u0017\u0002\u0001\u0001\u0002\u0001\u0003\u0002\u0001\u0002", "payload_snippet": "\u0000\u0000\u0000qj\ufffdn0\ufffdk\ufffd\u0003\u0002\u0001\u0005\ufffd\u0003\u0002\u0001\n\ufffd\ufffd^0\\\ufffd\u0007\u0003\u0005\u0000P\ufffd\u0000\u0010\ufffd\u0004\u001b\u0002NM\ufffd\u00170\u0015\ufffd\u0003\u0002\u0001\u0000\ufffd\u000e0\f\u001b\u0006krbtgt\u001b\u0002NM\ufffd\u0011\u0018\u000f19700101000000Z\ufffd\u0006\u0002\u0004\u001f\u001e\ufffd\u0668\u00170\u0015\u0002\u0001\u0012\u0002\u0001\u0011\u0002\u0001\u0010\u0002\u0001\u0017\u0002\u0001\u0001\u0002\u0001\u0003\u0002\u0001\u0002", "evidence": { "request_sample": "\u0000\u0000\u0000qj\ufffdn0\ufffdk\ufffd\u0003\u0002\u0001\u0005\ufffd\u0003\u0002\u0001\n\ufffd\ufffd^0\\\ufffd\u0007\u0003\u0005\u0000P\ufffd\u0000\u0010\ufffd\u0004\u001b\u0002NM\ufffd\u00170\u0015\ufffd\u0003\u0002\u0001\u0000\ufffd\u000e0\f\u001b\u0006krbtgt\u001b\u0002NM\ufffd\u0011\u0018\u000f19700101000000Z\ufffd\u0006\u0002\u0004\u001f\u001e\ufffd\u0668\u00170\u0015\u0002\u0001\u0012\u0002\u0001\u0011\u0002\u0001\u0010\u0002\u0001\u0017\u0002\u0001\u0001\u0002\u0001\u0003\u0002\u0001\u0002", "payload_snippet": "\u0000\u0000\u0000qj\ufffdn0\ufffdk\ufffd\u0003\u0002\u0001\u0005\ufffd\u0003\u0002\u0001\n\ufffd\ufffd^0\\\ufffd\u0007\u0003\u0005\u0000P\ufffd\u0000\u0010\ufffd\u0004\u001b\u0002NM\ufffd\u00170\u0015\ufffd\u0003\u0002\u0001\u0000\ufffd\u000e0\f\u001b\u0006krbtgt\u001b\u0002NM\ufffd\u0011\u0018\u000f19700101000000Z\ufffd\u0006\u0002\u0004\u001f\u001e\ufffd\u0668\u00170\u0015\u0002\u0001\u0012\u0002\u0001\u0011\u0002\u0001\u0010\u0002\u0001\u0017\u0002\u0001\u0001\u0002\u0001\u0003\u0002\u0001\u0002", "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a4614e02e3e769b9cc3e4d9dfd41743f5413efd0", "protocol_details": { "payload_preview": "\u0000\u0000\u0000qj\ufffdn0\ufffdk\ufffd\u0003\u0002\u0001\u0005\ufffd\u0003\u0002\u0001\n\ufffd\ufffd^0\\\ufffd\u0007\u0003\u0005\u0000P\ufffd\u0000\u0010\ufffd\u0004\u001b\u0002NM\ufffd\u00170\u0015\ufffd\u0003\u0002\u0001\u0000\ufffd\u000e0\f\u001b\u0006krbtgt\u001b\u0002NM\ufffd\u0011\u0018\u000f19700101000000Z\ufffd\u0006\u0002\u0004\u001f\u001e\ufffd\u0668\u00170\u0015\u0002\u0001\u0012\u0002\u0001\u0011\u0002\u0001\u0010\u0002\u0001\u0017\u0002\u0001\u0001\u0002\u0001\u0003\u0002\u0001\u0002", "port": 8000, "service": "sap-icm", "service_label_fr": "SAP ICM" }, "evidence_snippet": "qj\ufffdn0\ufffdk\ufffd\ufffd\n\ufffd\ufffd^0\\\ufffdP\ufffd\ufffdNM\ufffd0\ufffd\ufffd0krbtgtNM\ufffd19700101000000Z\ufffd\ufffd\u06680", "attack_vector": "Sonde SAP ICM \/ WebDynpro \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)", "target_port_label": "8000 \u00b7 SAP ICM", "emulator_service": "sap-icm", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 15, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "sap-icm", "service_label_fr": "SAP ICM", "dst_port": 8000, "protocol_emulated": true, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-icm", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0000\u0000\u0000qj\ufffdn0\ufffdk\ufffd\u0003\u0002\u0001\u0005\ufffd\u0003\u0002\u0001\n\ufffd\ufffd^0\\\ufffd\u0007\u0003\u0005\u0000P\ufffd\u0000\u0010\ufffd\u0004\u001b\u0002NM\ufffd\u00170\u0015\ufffd\u0003\u0002\u0001\u0000\ufffd\u000e0\f\u001b\u0006krbtgt\u001b\u0002NM\ufffd\u0011\u0018\u000f19700101000000Z\ufffd\u0006\u0002\u0004\u001f\u001e\ufffd\u0668\u00170\u0015\u0002\u0001\u0012\u0002\u0001\u0011\u0002\u0001\u0010\u0002\u0001\u0017\u0002\u0001\u0001\u0002\u0001\u0003\u0002\u0001\u0002", "port": 8000, "service": "sap-icm", "service_label_fr": "SAP ICM" }, "attack_vector": "Sonde SAP ICM \/ WebDynpro \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)", "evidence_snippet": "qj\ufffdn0\ufffdk\ufffd\ufffd\n\ufffd\ufffd^0\\\ufffdP\ufffd\ufffdNM\ufffd0\ufffd\ufffd0krbtgtNM\ufffd19700101000000Z\ufffd\ufffd\u06680", "target_port_label": "8000 \u00b7 SAP ICM", "emulator_service": "sap-icm", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_icm", "service_banner": "honeypot-sap-icm", "service_os": "linux", "dst_port": "8000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_web_probe", "sap_icm_emulated", "sap_icm_payload" ], "asn_dc_heuristic": true }
18/06/2026 21:08:31 UTC	TCP	8000 · SAP ICM	sap-icm	Sonde SAP ICM HTTP Sonde SAP ICM / WebDynpro · via SAP ICM:8000 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-ICM WAF — Recommandation Surveiller Tags net_sap_web_probe sap_icm_emulated sap_icm_payload Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8000 Chemin / cible — Service SAP ICM Payload ��SMBr@@�PC NETWORK PROGRAM 1.0MICROSOFT NETWORKS 1.03MICROSOFT NETWORKS 3.0LANMAN1.0LM1. Pourquoi cette classification : Type « sap_web_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0771 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��SMBr@@�PC NETWORK PROGRAM 1.0MICROSOFT NETWORKS 1.03MICROSOFT NETWORKS 3.0LANMAN1.0LM1. Requête brute (extrait) ��SMBr@@�PC NETWORK PROGRAM 1.0MICROSOFT NETWORKS 1.03MICROSOFT NETWORKS 3.0LANMAN1.0LM1.2X002SambaNT LANMAN 1.0NT LM 0.12 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c", "emulator_response_len": 141, "bytes_in": 168, "payload_entropy": 4.517824025292926, "port_category": "registered", "org": "DigitalOcean, LLC", "service": "sap-icm", "app_proto": "sap-icm", "asn": 14061, "country": "DE", "dst_port": 8000, "risk_waf": 8, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 38, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.4, "risk_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 15 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "04ada829cf80285c4a0f515b998f0122f0ce49cc", "event_fingerprint": "40ac2e001fc92fc4c26729171b1b914e26c42c6a", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0771" ], "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 15, "risk_score": 45 }, "service_name": "sap-icm", "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "DE", "asn": 14061, "org": "DigitalOcean, LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c8b954e7bc1bc076c8d1bd64820e67f", "path_pattern_hash": "2dea5f3383fd8694e14eaf8b920fd9fc" }, "target_context": { "dst_port": 8000, "service": "sap-icm", "service_name": "sap-icm", "risk_score": 45 }, "payload_preview": "\u0000\u0000\u0000\ufffd\ufffdSMBr\u0000\u0000\u0000\u0000\b\u0001@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0006\u0000\u0000\u0001\u0000\u0000\ufffd\u0000\u0002PC NETWORK PROGRAM 1.0\u0000\u0002MICROSOFT NETWORKS 1.03\u0000\u0002MICROSOFT NETWORKS 3.0\u0000\u0002LANMAN1.0\u0000\u0002LM1.", "request_sample": "\u0000\u0000\u0000\ufffd\ufffdSMBr\u0000\u0000\u0000\u0000\b\u0001@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0006\u0000\u0000\u0001\u0000\u0000\ufffd\u0000\u0002PC NETWORK PROGRAM 1.0\u0000\u0002MICROSOFT NETWORKS 1.03\u0000\u0002MICROSOFT NETWORKS 3.0\u0000\u0002LANMAN1.0\u0000\u0002LM1.2X002\u0000\u0002Samba\u0000\u0002NT LANMAN 1.0\u0000\u0002NT LM 0.12\u0000", "payload_snippet": "\u0000\u0000\u0000\ufffd\ufffdSMBr\u0000\u0000\u0000\u0000\b\u0001@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0006\u0000\u0000\u0001\u0000\u0000\ufffd\u0000\u0002PC NETWORK PROGRAM 1.0\u0000\u0002MICROSOFT NETWORKS 1.03\u0000\u0002MICROSOFT NETWORKS 3.0\u0000\u0002LANMAN1.0\u0000\u0002LM1.", "evidence": { "request_sample": "\u0000\u0000\u0000\ufffd\ufffdSMBr\u0000\u0000\u0000\u0000\b\u0001@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0006\u0000\u0000\u0001\u0000\u0000\ufffd\u0000\u0002PC NETWORK PROGRAM 1.0\u0000\u0002MICROSOFT NETWORKS 1.03\u0000\u0002MICROSOFT NETWORKS 3.0\u0000\u0002LANMAN1.0\u0000\u0002LM1.2X002\u0000\u0002Samba\u0000\u0002NT LANMAN 1.0\u0000\u0002NT LM 0.12\u0000", "payload_snippet": "\u0000\u0000\u0000\ufffd\ufffdSMBr\u0000\u0000\u0000\u0000\b\u0001@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0006\u0000\u0000\u0001\u0000\u0000\ufffd\u0000\u0002PC NETWORK PROGRAM 1.0\u0000\u0002MICROSOFT NETWORKS 1.03\u0000\u0002MICROSOFT NETWORKS 3.0\u0000\u0002LANMAN1.0\u0000\u0002LM1.", "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fa9334541d020518a4e247271684bcc3f7ac9c35", "protocol_details": { "payload_preview": "\u0000\u0000\u0000\ufffd\ufffdSMBr\u0000\u0000\u0000\u0000\b\u0001@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0006\u0000\u0000\u0001\u0000\u0000\ufffd\u0000\u0002PC NETWORK PROGRAM 1.0\u0000\u0002MICROSOFT NETWORKS 1.03\u0000\u0002MICROSOFT NETWORKS 3.0\u0000\u0002LANMAN1.0\u0000\u0002LM1.", "port": 8000, "service": "sap-icm", "service_label_fr": "SAP ICM" }, "evidence_snippet": "\ufffd\ufffdSMBr@@\ufffdPC NETWORK PROGRAM 1.0MICROSOFT NETWORKS 1.03MICROSOFT NETWORKS 3.0LANMAN1.0LM1.", "attack_vector": "Sonde SAP ICM \/ WebDynpro \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)", "target_port_label": "8000 \u00b7 SAP ICM", "emulator_service": "sap-icm", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 15, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "sap-icm", "service_label_fr": "SAP ICM", "dst_port": 8000, "protocol_emulated": true, "tags_summary": [ "pat-0771" ], "tags_summary_labels_fr": [ "pat-0771" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-icm", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0000\u0000\u0000\ufffd\ufffdSMBr\u0000\u0000\u0000\u0000\b\u0001@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0006\u0000\u0000\u0001\u0000\u0000\ufffd\u0000\u0002PC NETWORK PROGRAM 1.0\u0000\u0002MICROSOFT NETWORKS 1.03\u0000\u0002MICROSOFT NETWORKS 3.0\u0000\u0002LANMAN1.0\u0000\u0002LM1.", "port": 8000, "service": "sap-icm", "service_label_fr": "SAP ICM" }, "attack_vector": "Sonde SAP ICM \/ WebDynpro \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdSMBr@@\ufffdPC NETWORK PROGRAM 1.0MICROSOFT NETWORKS 1.03MICROSOFT NETWORKS 3.0LANMAN1.0LM1.", "target_port_label": "8000 \u00b7 SAP ICM", "emulator_service": "sap-icm", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_icm", "service_banner": "honeypot-sap-icm", "service_os": "linux", "dst_port": "8000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_web_probe", "sap_icm_emulated", "sap_icm_payload" ], "asn_dc_heuristic": true }
18/06/2026 21:08:31 UTC	TCP	8000 · SAP ICM	sap-icm	Sonde HTTP smuggling http smuggling probe · via SAP ICM:8000 · (tentative d'exploit)	Élevée	Moyen · 52
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur SAP-ICM WAF — Recommandation Investiguer Tags net_sap_web_probe sap_icm_emulated sap_icm_payload Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8000 Chemin / cible — Service SAP ICM Payload OPTIONS sip:nm SIP/2.0 Via: SIP/2.0/TCP nm;branch=foo From: <sip:nm@nm>;tag=root To: <sip:nm2@nm2> Call-ID: 50000 CSeq: 42 Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 52 Confiance : Confiance 95 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL SIP protocol HTTP OPTIONS method SIP OPTIONS User-Agent — Règles WAF — Payload (extrait) OPTIONS sip:nm SIP/2.0 Via: SIP/2.0/TCP nm;branch=foo From: <sip:nm@nm>;tag=root To: <sip:nm2@nm2> Call-ID: 50000 CSeq: 42 Requête brute (extrait) OPTIONS sip:nm SIP/2.0 Via: SIP/2.0/TCP nm;branch=foo From: <sip:nm@nm>;tag=root To: <sip:nm2@nm2> Call-ID: 50000 CSeq: 42 OPTIONS Max-Forwards: 70 Content-Length: 0 Contact: <sip:nm@nm> Accept: application/sdp Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c", "emulator_response_len": 141, "bytes_in": 223, "payload_entropy": 5.197167462839961, "port_category": "registered", "org": "DigitalOcean, LLC", "service": "sap-icm", "app_proto": "sap-icm", "asn": 14061, "country": "DE", "dst_port": 8000, "risk_waf": 8, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 38, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.4, "risk_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 15 }, "risk_score": 52, "tag_count": 3, "anomaly_count": 0, "campaign_key": "04ada829cf80285c4a0f515b998f0122f0ce49cc", "event_fingerprint": "40ac2e001fc92fc4c26729171b1b914e26c42c6a", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842", "pat-0384", "pat-0420", "pat-0535" ], "matched_pattern_names": [ "CRS 921130 duplicate CL", "SIP protocol", "HTTP OPTIONS method", "SIP OPTIONS" ], "pattern_ids": [ "pat-0842", "pat-0384", "pat-0420", "pat-0535" ], "confidence_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 15, "risk_score": 52 }, "named_classification_skipped": false, "service_name": "sap-icm", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "DE", "asn": 14061, "org": "DigitalOcean, LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "0712a7f81d9d033f2caa8a8a90bbc4a8", "path_pattern_hash": "06b55a159b5d265fc8976ebb0a005f8a" }, "target_context": { "dst_port": 8000, "service": "sap-icm", "service_name": "sap-icm", "risk_score": 52 }, "payload_preview": "OPTIONS sip:nm SIP\/2.0\r\nVia: SIP\/2.0\/TCP nm;branch=foo\r\nFrom: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\nCSeq: 42 ", "request_sample": "OPTIONS sip:nm SIP\/2.0\r\nVia: SIP\/2.0\/TCP nm;branch=foo\r\nFrom: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\nCSeq: 42 OPTIONS\r\nMax-Forwards: 70\r\nContent-Length: 0\r\nContact: <sip:nm@nm>\r\nAccept: application\/sdp\r\n\r\n", "payload_snippet": "OPTIONS sip:nm SIP\/2.0\r\nVia: SIP\/2.0\/TCP nm;branch=foo\r\nFrom: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\nCSeq: 42", "evidence": { "request_sample": "OPTIONS sip:nm SIP\/2.0\r\nVia: SIP\/2.0\/TCP nm;branch=foo\r\nFrom: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\nCSeq: 42 OPTIONS\r\nMax-Forwards: 70\r\nContent-Length: 0\r\nContact: <sip:nm@nm>\r\nAccept: application\/sdp\r\n\r\n", "payload_snippet": "OPTIONS sip:nm SIP\/2.0\r\nVia: SIP\/2.0\/TCP nm;branch=foo\r\nFrom: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\nCSeq: 42", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "109de99257564e6607329f36276a3bda1e6cb9e8", "protocol_details": { "payload_preview": "OPTIONS sip:nm SIP\/2.0\r\nVia: SIP\/2.0\/TCP nm;branch=foo\r\nFrom: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\nCSeq: 42", "port": 8000, "service": "sap-icm", "service_label_fr": "SAP ICM" }, "evidence_snippet": "OPTIONS sip:nm SIP\/2.0\r\nVia: SIP\/2.0\/TCP nm;branch=foo\r\nFrom: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\nCSeq: 42", "attack_vector": "http smuggling probe \u00b7 via SAP ICM:8000 \u00b7 (tentative d'exploit)", "target_port_label": "8000 \u00b7 SAP ICM", "emulator_service": "sap-icm", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via SAP ICM", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 15, "risk_score": 52 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 52, "risk_label": "Moyen", "service_name": "sap-icm", "service_label_fr": "SAP ICM", "dst_port": 8000, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-icm", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "OPTIONS sip:nm SIP\/2.0\r\nVia: SIP\/2.0\/TCP nm;branch=foo\r\nFrom: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\nCSeq: 42", "port": 8000, "service": "sap-icm", "service_label_fr": "SAP ICM" }, "attack_vector": "http smuggling probe \u00b7 via SAP ICM:8000 \u00b7 (tentative d'exploit)", "evidence_snippet": "OPTIONS sip:nm SIP\/2.0\r\nVia: SIP\/2.0\/TCP nm;branch=foo\r\nFrom: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\nCSeq: 42", "target_port_label": "8000 \u00b7 SAP ICM", "emulator_service": "sap-icm", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_icm", "service_banner": "honeypot-sap-icm", "service_os": "linux", "dst_port": "8000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "net_sap_web_probe", "sap_icm_emulated", "sap_icm_payload" ], "asn_dc_heuristic": true }
18/06/2026 21:08:30 UTC	TCP	8000 · SAP ICM	sap-icm	Sonde SAP ICM HTTP Sonde SAP ICM / WebDynpro · via SAP ICM:8000 · (sonde / probe)	Élevée	Faible · 34
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-ICM WAF — Recommandation Surveiller Tags net_sap_web_probe sap_icm_emulated sap_icm_payload Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8000 Chemin / cible — Service SAP ICM Pourquoi cette classification : Type « sap_web_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 34 Confiance : Confiance 0 % — 3 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c", "emulator_response_len": 141, "bytes_in": 4, "payload_entropy": 1, "port_category": "registered", "org": "DigitalOcean, LLC", "service": "sap-icm", "app_proto": "sap-icm", "asn": 14061, "country": "DE", "dst_port": 8000, "risk_waf": 8, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.4, "risk_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 0 }, "risk_score": 34, "tag_count": 3, "anomaly_count": 0, "campaign_key": "04ada829cf80285c4a0f515b998f0122f0ce49cc", "event_fingerprint": "40ac2e001fc92fc4c26729171b1b914e26c42c6a", "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 0, "risk_score": 34 }, "named_classification_skipped": false, "service_name": "sap-icm", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "DE", "asn": 14061, "org": "DigitalOcean, LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "dba5166ad9db9ba648c1032ebbd34dcd", "path_pattern_hash": "2dea5f3383fd8694e14eaf8b920fd9fc" }, "target_context": { "dst_port": 8000, "service": "sap-icm", "service_name": "sap-icm", "risk_score": 34 }, "payload_preview": "\r\n\r\n", "request_sample": "\r\n\r\n", "evidence": { "request_sample": "\r\n\r\n", "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fbe37c4edc280647f81334285648dbe8e5e7eff5", "protocol_details": { "port": 8000, "service": "sap-icm", "service_label_fr": "SAP ICM" }, "attack_vector": "Sonde SAP ICM \/ WebDynpro \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)", "target_port_label": "8000 \u00b7 SAP ICM", "emulator_service": "sap-icm", "confidence_reason": "Confiance 0 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 34\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 0, "risk_score": 34 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 34, "risk_label": "Faible", "service_name": "sap-icm", "service_label_fr": "SAP ICM", "dst_port": 8000, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-icm", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "port": 8000, "service": "sap-icm", "service_label_fr": "SAP ICM" }, "attack_vector": "Sonde SAP ICM \/ WebDynpro \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "8000 \u00b7 SAP ICM", "emulator_service": "sap-icm", "confidence_reason": "Confiance 0 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_icm", "service_banner": "honeypot-sap-icm", "service_os": "linux", "dst_port": "8000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_web_probe", "sap_icm_emulated", "sap_icm_payload" ], "asn_dc_heuristic": true }
18/06/2026 21:08:30 UTC	TCP	8000 · SAP ICM	sap-icm	Sonde SAP ICM HTTP Sonde SAP ICM / WebDynpro · via SAP ICM:8000 · (sonde / probe)	Élevée	Faible · 34
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-ICM WAF — Recommandation Surveiller Tags http_get_probe net_sap_web_probe sap_icm_emulated sap_icm_payload Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8000 Chemin / cible — Service SAP ICM Payload GET / HTTP/1.0 Pourquoi cette classification : Type « sap_web_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 34 Confiance : Confiance 0 % — 4 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c", "emulator_response_len": 141, "bytes_in": 18, "payload_entropy": 3.461320140211008, "port_category": "registered", "org": "DigitalOcean, LLC", "service": "sap-icm", "app_proto": "sap-icm", "asn": 14061, "country": "DE", "dst_port": 8000, "risk_waf": 8, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 48, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.7, "risk_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 48, "novelty": 0 }, "risk_score": 34, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5dd8b425ee22c6c2bdbfb7ac7e7032daa914f354", "event_fingerprint": "40ac2e001fc92fc4c26729171b1b914e26c42c6a", "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 48, "novelty": 0, "risk_score": 34 }, "named_classification_skipped": false, "service_name": "sap-icm", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "DE", "asn": 14061, "org": "DigitalOcean, LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "6ec63b40bcbc26b71deda762dfd844f0", "path_pattern_hash": "2dea5f3383fd8694e14eaf8b920fd9fc" }, "target_context": { "dst_port": 8000, "service": "sap-icm", "service_name": "sap-icm", "risk_score": 34 }, "payload_preview": "GET \/ HTTP\/1.0\r\n\r\n", "request_sample": "GET \/ HTTP\/1.0\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.0", "evidence": { "request_sample": "GET \/ HTTP\/1.0\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.0", "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ea979d640744a5f527eb4ae6b7e6903de0749551", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.0", "port": 8000, "service": "sap-icm", "service_label_fr": "SAP ICM" }, "evidence_snippet": "GET \/ HTTP\/1.0", "attack_vector": "Sonde SAP ICM \/ WebDynpro \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)", "target_port_label": "8000 \u00b7 SAP ICM", "emulator_service": "sap-icm", "confidence_reason": "Confiance 0 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 34\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 48, "novelty": 0, "risk_score": 34 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 34, "risk_label": "Faible", "service_name": "sap-icm", "service_label_fr": "SAP ICM", "dst_port": 8000, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-icm", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/ HTTP\/1.0", "port": 8000, "service": "sap-icm", "service_label_fr": "SAP ICM" }, "attack_vector": "Sonde SAP ICM \/ WebDynpro \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.0", "target_port_label": "8000 \u00b7 SAP ICM", "emulator_service": "sap-icm", "confidence_reason": "Confiance 0 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_icm", "service_banner": "honeypot-sap-icm", "service_os": "linux", "dst_port": "8000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe", "net_sap_web_probe", "sap_icm_emulated", "sap_icm_payload" ], "asn_dc_heuristic": true }
18/06/2026 21:08:30 UTC	TCP	8000 · SAP ICM	sap-icm	Sonde SAP ICM HTTP Sonde SAP ICM / WebDynpro · via SAP ICM:8000 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-ICM WAF — Recommandation Surveiller Tags net_sap_web_probe sap_icm_emulated sap_icm_payload Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8000 Chemin / cible — Service SAP ICM Payload l Pourquoi cette classification : Type « sap_web_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0768 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) l Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c", "emulator_response_len": 141, "bytes_in": 12, "payload_entropy": 0.8166890883150209, "port_category": "registered", "org": "DigitalOcean, LLC", "service": "sap-icm", "app_proto": "sap-icm", "asn": 14061, "country": "DE", "dst_port": 8000, "risk_waf": 8, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.4, "risk_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 0 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "04ada829cf80285c4a0f515b998f0122f0ce49cc", "event_fingerprint": "40ac2e001fc92fc4c26729171b1b914e26c42c6a", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0768" ], "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 0, "risk_score": 45 }, "service_name": "sap-icm", "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "DE", "asn": 14061, "org": "DigitalOcean, LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ad33d13d6bc3bd05c9957f130811a989", "path_pattern_hash": "2dea5f3383fd8694e14eaf8b920fd9fc" }, "target_context": { "dst_port": 8000, "service": "sap-icm", "service_name": "sap-icm", "risk_score": 45 }, "payload_preview": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "request_sample": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f6218010d0d7fdb9898fe7dbf41ce381ca6acd85", "protocol_details": { "payload_preview": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "port": 8000, "service": "sap-icm", "service_label_fr": "SAP ICM" }, "evidence_snippet": "l", "attack_vector": "Sonde SAP ICM \/ WebDynpro \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)", "target_port_label": "8000 \u00b7 SAP ICM", "emulator_service": "sap-icm", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 0, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "sap-icm", "service_label_fr": "SAP ICM", "dst_port": 8000, "protocol_emulated": true, "tags_summary": [ "pat-0768" ], "tags_summary_labels_fr": [ "pat-0768" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-icm", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "port": 8000, "service": "sap-icm", "service_label_fr": "SAP ICM" }, "attack_vector": "Sonde SAP ICM \/ WebDynpro \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)", "evidence_snippet": "l", "target_port_label": "8000 \u00b7 SAP ICM", "emulator_service": "sap-icm", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_icm", "service_banner": "honeypot-sap-icm", "service_os": "linux", "dst_port": "8000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_web_probe", "sap_icm_emulated", "sap_icm_payload" ], "asn_dc_heuristic": true }
18/06/2026 21:08:30 UTC	TCP	8000 · SAP ICM	sap-icm	Sonde SAP ICM HTTP Sonde SAP ICM / WebDynpro · via SAP ICM:8000 · (sonde / probe)	Élevée	Faible · 34
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-ICM WAF — Recommandation Surveiller Tags http_get_probe net_sap_web_probe sap_icm_emulated sap_icm_payload Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8000 Chemin / cible — Service SAP ICM Payload GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0 Pourquoi cette classification : Type « sap_web_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 34 Confiance : Confiance 0 % — 4 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c", "emulator_response_len": 141, "bytes_in": 53, "payload_entropy": 4.704058897836964, "port_category": "registered", "org": "DigitalOcean, LLC", "service": "sap-icm", "app_proto": "sap-icm", "asn": 14061, "country": "DE", "dst_port": 8000, "risk_waf": 8, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 48, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.7, "risk_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 48, "novelty": 15 }, "risk_score": 34, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5dd8b425ee22c6c2bdbfb7ac7e7032daa914f354", "event_fingerprint": "40ac2e001fc92fc4c26729171b1b914e26c42c6a", "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 48, "novelty": 15, "risk_score": 34 }, "named_classification_skipped": false, "service_name": "sap-icm", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "DE", "asn": 14061, "org": "DigitalOcean, LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "08bd34a37b11f5c307f84418e0c2a579", "path_pattern_hash": "2dea5f3383fd8694e14eaf8b920fd9fc" }, "target_context": { "dst_port": 8000, "service": "sap-icm", "service_name": "sap-icm", "risk_score": 34 }, "payload_preview": "GET \/nice%20ports%2C\/Tri%6Eity.txt%2ebak HTTP\/1.0\r\n\r\n", "request_sample": "GET \/nice%20ports%2C\/Tri%6Eity.txt%2ebak HTTP\/1.0\r\n\r\n", "payload_snippet": "GET \/nice%20ports%2C\/Tri%6Eity.txt%2ebak HTTP\/1.0", "evidence": { "request_sample": "GET \/nice%20ports%2C\/Tri%6Eity.txt%2ebak HTTP\/1.0\r\n\r\n", "payload_snippet": "GET \/nice%20ports%2C\/Tri%6Eity.txt%2ebak HTTP\/1.0", "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3e894ac97b9d4c88557191205920099c3bfbb4fb", "protocol_details": { "payload_preview": "GET \/nice%20ports%2C\/Tri%6Eity.txt%2ebak HTTP\/1.0", "port": 8000, "service": "sap-icm", "service_label_fr": "SAP ICM" }, "evidence_snippet": "GET \/nice%20ports%2C\/Tri%6Eity.txt%2ebak HTTP\/1.0", "attack_vector": "Sonde SAP ICM \/ WebDynpro \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)", "target_port_label": "8000 \u00b7 SAP ICM", "emulator_service": "sap-icm", "confidence_reason": "Confiance 0 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 34\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 48, "novelty": 15, "risk_score": 34 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 34, "risk_label": "Faible", "service_name": "sap-icm", "service_label_fr": "SAP ICM", "dst_port": 8000, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-icm", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/nice%20ports%2C\/Tri%6Eity.txt%2ebak HTTP\/1.0", "port": 8000, "service": "sap-icm", "service_label_fr": "SAP ICM" }, "attack_vector": "Sonde SAP ICM \/ WebDynpro \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/nice%20ports%2C\/Tri%6Eity.txt%2ebak HTTP\/1.0", "target_port_label": "8000 \u00b7 SAP ICM", "emulator_service": "sap-icm", "confidence_reason": "Confiance 0 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_icm", "service_banner": "honeypot-sap-icm", "service_os": "linux", "dst_port": "8000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe", "net_sap_web_probe", "sap_icm_emulated", "sap_icm_payload" ], "asn_dc_heuristic": true }
18/06/2026 21:08:30 UTC	TCP	8000 · SAP ICM	sap-icm	Sonde SAP ICM HTTP Sonde SAP ICM / WebDynpro · via SAP ICM:8000 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-ICM WAF — Recommandation Surveiller Tags net_sap_web_probe sap_icm_emulated sap_icm_payload Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8000 Chemin / cible — Service SAP ICM Payload � google.comPGET / HTTP/1.0 Pourquoi cette classification : Type « sap_web_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0567 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) � google.comPGET / HTTP/1.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c", "emulator_response_len": 141, "bytes_in": 41, "payload_entropy": 4.503416638553355, "port_category": "registered", "org": "DigitalOcean, LLC", "service": "sap-icm", "app_proto": "sap-icm", "asn": 14061, "country": "DE", "dst_port": 8000, "risk_waf": 8, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 38, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.4, "risk_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 15 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "04ada829cf80285c4a0f515b998f0122f0ce49cc", "event_fingerprint": "40ac2e001fc92fc4c26729171b1b914e26c42c6a", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0567" ], "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 15, "risk_score": 45 }, "service_name": "sap-icm", "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "DE", "asn": 14061, "org": "DigitalOcean, LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d345b721f5d98a2b04db9dadef49f152", "path_pattern_hash": "2dea5f3383fd8694e14eaf8b920fd9fc" }, "target_context": { "dst_port": 8000, "service": "sap-icm", "service_name": "sap-icm", "risk_score": 45 }, "payload_preview": "\u0005\u0004\u0000\u0001\u0002\ufffd\u0005\u0001\u0000\u0003\ngoogle.com\u0000PGET \/ HTTP\/1.0\r\n\r\n", "request_sample": "\u0005\u0004\u0000\u0001\u0002\ufffd\u0005\u0001\u0000\u0003\ngoogle.com\u0000PGET \/ HTTP\/1.0\r\n\r\n", "payload_snippet": "\u0005\u0004\u0000\u0001\u0002\ufffd\u0005\u0001\u0000\u0003\ngoogle.com\u0000PGET \/ HTTP\/1.0", "evidence": { "request_sample": "\u0005\u0004\u0000\u0001\u0002\ufffd\u0005\u0001\u0000\u0003\ngoogle.com\u0000PGET \/ HTTP\/1.0\r\n\r\n", "payload_snippet": "\u0005\u0004\u0000\u0001\u0002\ufffd\u0005\u0001\u0000\u0003\ngoogle.com\u0000PGET \/ HTTP\/1.0", "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "068ebbaec624413b204174f6475b99ef92f92eee", "protocol_details": { "payload_preview": "\u0005\u0004\u0000\u0001\u0002\ufffd\u0005\u0001\u0000\u0003\ngoogle.com\u0000PGET \/ HTTP\/1.0", "port": 8000, "service": "sap-icm", "service_label_fr": "SAP ICM" }, "evidence_snippet": "\ufffd\ngoogle.comPGET \/ HTTP\/1.0", "attack_vector": "Sonde SAP ICM \/ WebDynpro \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)", "target_port_label": "8000 \u00b7 SAP ICM", "emulator_service": "sap-icm", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 15, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "sap-icm", "service_label_fr": "SAP ICM", "dst_port": 8000, "protocol_emulated": true, "tags_summary": [ "pat-0567" ], "tags_summary_labels_fr": [ "pat-0567" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-icm", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0005\u0004\u0000\u0001\u0002\ufffd\u0005\u0001\u0000\u0003\ngoogle.com\u0000PGET \/ HTTP\/1.0", "port": 8000, "service": "sap-icm", "service_label_fr": "SAP ICM" }, "attack_vector": "Sonde SAP ICM \/ WebDynpro \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ngoogle.comPGET \/ HTTP\/1.0", "target_port_label": "8000 \u00b7 SAP ICM", "emulator_service": "sap-icm", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_icm", "service_banner": "honeypot-sap-icm", "service_os": "linux", "dst_port": "8000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_web_probe", "sap_icm_emulated", "sap_icm_payload" ], "asn_dc_heuristic": true }
18/06/2026 21:08:30 UTC	TCP	8000 · SAP ICM	sap-icm	Sonde SAP ICM HTTP Sonde SAP ICM / WebDynpro · via SAP ICM:8000 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-ICM WAF — Recommandation Surveiller Tags net_sap_web_probe sap_icm_emulated sap_icm_payload socks4_greeting Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8000 Chemin / cible — Service SAP ICM Payload root Pourquoi cette classification : Type « sap_web_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) root Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c", "emulator_response_len": 141, "bytes_in": 13, "payload_entropy": 2.7773627950641693, "port_category": "registered", "org": "DigitalOcean, LLC", "service": "sap-icm", "app_proto": "sap-icm", "asn": 14061, "country": "DE", "dst_port": 8000, "risk_waf": 8, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.7, "risk_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 0 }, "risk_score": 45, "tag_count": 4, "anomaly_count": 0, "campaign_key": "cff6a4747fcb525bc1a51c1020210f5d3a8f4ca3", "event_fingerprint": "40ac2e001fc92fc4c26729171b1b914e26c42c6a", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 0, "risk_score": 45 }, "service_name": "sap-icm", "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "DE", "asn": 14061, "org": "DigitalOcean, LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "2167ce4c1a0201b2283cc57c40a74bac", "path_pattern_hash": "2dea5f3383fd8694e14eaf8b920fd9fc" }, "target_context": { "dst_port": 8000, "service": "sap-icm", "service_name": "sap-icm", "risk_score": 45 }, "payload_preview": "\u0004\u0001\u0000\u0016\u0000\u0000\u0001root\u0000", "request_sample": "\u0004\u0001\u0000\u0016\u0000\u0000\u0001root\u0000", "payload_snippet": "\u0004\u0001\u0000\u0016\u0000\u0000\u0001root\u0000", "evidence": { "request_sample": "\u0004\u0001\u0000\u0016\u0000\u0000\u0001root\u0000", "payload_snippet": "\u0004\u0001\u0000\u0016\u0000\u0000\u0001root\u0000", "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f639d1f74be47bbef3b37adc71ea7584e018fb05", "protocol_details": { "payload_preview": "\u0004\u0001\u0000\u0016\u0000\u0000\u0001root\u0000", "port": 8000, "service": "sap-icm", "service_label_fr": "SAP ICM" }, "evidence_snippet": "root", "attack_vector": "Sonde SAP ICM \/ WebDynpro \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)", "target_port_label": "8000 \u00b7 SAP ICM", "emulator_service": "sap-icm", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 0, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "sap-icm", "service_label_fr": "SAP ICM", "dst_port": 8000, "protocol_emulated": true, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-icm", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0004\u0001\u0000\u0016\u0000\u0000\u0001root\u0000", "port": 8000, "service": "sap-icm", "service_label_fr": "SAP ICM" }, "attack_vector": "Sonde SAP ICM \/ WebDynpro \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)", "evidence_snippet": "root", "target_port_label": "8000 \u00b7 SAP ICM", "emulator_service": "sap-icm", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_icm", "service_banner": "honeypot-sap-icm", "service_os": "linux", "dst_port": "8000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_web_probe", "sap_icm_emulated", "sap_icm_payload", "socks4_greeting" ], "asn_dc_heuristic": true }
18/06/2026 21:08:30 UTC	TCP	8000 · SAP ICM	sap-icm	Sonde HTTP Sonde HTTP · via SAP ICM:8000 · (sonde / probe)	Élevée	Moyen · 41
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-ICM WAF — Recommandation Surveiller Tags net_sap_web_probe sap_icm_emulated sap_icm_payload Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8000 Chemin / cible — Service SAP ICM Payload OPTIONS / HTTP/1.0 Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 41 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0420 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) HTTP OPTIONS method User-Agent — Règles WAF — Payload (extrait) OPTIONS / HTTP/1.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c", "emulator_response_len": 141, "bytes_in": 22, "payload_entropy": 3.697845823084412, "port_category": "registered", "org": "DigitalOcean, LLC", "service": "sap-icm", "app_proto": "sap-icm", "asn": 14061, "country": "DE", "dst_port": 8000, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 0 }, "risk_score": 41, "tag_count": 3, "anomaly_count": 0, "campaign_key": "04ada829cf80285c4a0f515b998f0122f0ce49cc", "event_fingerprint": "40ac2e001fc92fc4c26729171b1b914e26c42c6a", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0420" ], "kb_rule_ids": [ "pat-0420" ], "matched_patterns": [ "pat-0420" ], "matched_pattern_names": [ "HTTP OPTIONS method" ], "pattern_ids": [ "pat-0420" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 0, "risk_score": 41 }, "named_classification_skipped": false, "service_name": "sap-icm", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "DE", "asn": 14061, "org": "DigitalOcean, LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "76336738f875e41be8e6c44e3126e069", "path_pattern_hash": "4154520a4208b3f021f35a6cc1dd98ae" }, "target_context": { "dst_port": 8000, "service": "sap-icm", "service_name": "sap-icm", "risk_score": 41 }, "payload_preview": "OPTIONS \/ HTTP\/1.0\r\n\r\n", "request_sample": "OPTIONS \/ HTTP\/1.0\r\n\r\n", "payload_snippet": "OPTIONS \/ HTTP\/1.0", "evidence": { "request_sample": "OPTIONS \/ HTTP\/1.0\r\n\r\n", "payload_snippet": "OPTIONS \/ HTTP\/1.0", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c684d50abbdf03db9f0e819b77a22eda379e9c33", "protocol_details": { "payload_preview": "OPTIONS \/ HTTP\/1.0", "port": 8000, "service": "sap-icm", "service_label_fr": "SAP ICM" }, "evidence_snippet": "OPTIONS \/ HTTP\/1.0", "attack_vector": "Sonde HTTP \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)", "target_port_label": "8000 \u00b7 SAP ICM", "emulator_service": "sap-icm", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 41\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 0, "risk_score": 41 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 41, "risk_label": "Moyen", "service_name": "sap-icm", "service_label_fr": "SAP ICM", "dst_port": 8000, "protocol_emulated": true, "tags_summary": [ "pat-0420" ], "tags_summary_labels_fr": [ "pat-0420" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-icm", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "OPTIONS \/ HTTP\/1.0", "port": 8000, "service": "sap-icm", "service_label_fr": "SAP ICM" }, "attack_vector": "Sonde HTTP \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)", "evidence_snippet": "OPTIONS \/ HTTP\/1.0", "target_port_label": "8000 \u00b7 SAP ICM", "emulator_service": "sap-icm", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_icm", "service_banner": "honeypot-sap-icm", "service_os": "linux", "dst_port": "8000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_web_probe", "sap_icm_emulated", "sap_icm_payload" ], "asn_dc_heuristic": true }
18/06/2026 21:08:26 UTC	TCP	8000 · SAP ICM	sap-icm	Sonde SAP ICM HTTP Sonde SAP ICM / WebDynpro · via SAP ICM:8000 · (sonde / probe)	Élevée	Faible · 34
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-ICM WAF — Recommandation Surveiller Tags net_sap_web_probe sap_icm_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8000 Chemin / cible — Service SAP ICM Pourquoi cette classification : Type « sap_web_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 34 Confiance : Confiance 0 % — 2 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c", "emulator_response_len": 141, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "DigitalOcean, LLC", "service": "sap-icm", "app_proto": "sap-icm", "asn": 14061, "country": "DE", "dst_port": 8000, "risk_waf": 8, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1, "risk_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 0 }, "risk_score": 34, "tag_count": 2, "anomaly_count": 0, "campaign_key": "169688a7c75139fb8054867175c5f04b25d76e63", "event_fingerprint": "40ac2e001fc92fc4c26729171b1b914e26c42c6a", "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 0, "risk_score": 34 }, "named_classification_skipped": false, "service_name": "sap-icm", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "DE", "asn": 14061, "org": "DigitalOcean, LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "2dea5f3383fd8694e14eaf8b920fd9fc" }, "target_context": { "dst_port": 8000, "service": "sap-icm", "service_name": "sap-icm", "risk_score": 34 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ca654241b810f28ce6ae2b3a92f257f03a362f31", "protocol_details": { "port": 8000, "service": "sap-icm", "service_label_fr": "SAP ICM" }, "attack_vector": "Sonde SAP ICM \/ WebDynpro \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)", "target_port_label": "8000 \u00b7 SAP ICM", "emulator_service": "sap-icm", "confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 34\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 0, "risk_score": 34 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 34, "risk_label": "Faible", "service_name": "sap-icm", "service_label_fr": "SAP ICM", "dst_port": 8000, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-icm", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "port": 8000, "service": "sap-icm", "service_label_fr": "SAP ICM" }, "attack_vector": "Sonde SAP ICM \/ WebDynpro \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "8000 \u00b7 SAP ICM", "emulator_service": "sap-icm", "confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_icm", "service_banner": "honeypot-sap-icm", "service_os": "linux", "dst_port": "8000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_web_probe", "sap_icm_emulated" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 84 }
18/06/2026 17:19:09 UTC	TCP	143 · IMAP	imap	Sonde port 143/TCP port 143 tcp · via IMAP:143 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur IMAP WAF — Recommandation Surveiller Tags imap_emulated net_pop3_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 143 Chemin / cible — Preuve honeypot — Sonde port 143/TCP Connexion détectée sur le port 143 (TCP) du capteur simulé. Service IMAP Pourquoi cette classification : Type « port_143_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "2a204f4b20494d41503420686f6e6579706f742072656164790d0a", "emulator_response_len": 27, "bytes_in": 4, "payload_entropy": 1, "port_category": "well_known", "org": "DigitalOcean, LLC", "service": "imap", "app_proto": "imap", "asn": 14061, "country": "DE", "dst_port": 143, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0 }, "risk_score": 38, "tag_count": 2, "anomaly_count": 0, "campaign_key": "5dbb86240b20f1f0274445eb39af610c11d0b46e", "event_fingerprint": "2aee505ca8261046f5734d427b2e1084c257e862", "classification_reason": "Type \u00ab port_143_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "pop3_probe", "service_name": "imap", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "DE", "asn": 14061, "org": "DigitalOcean, LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "dba5166ad9db9ba648c1032ebbd34dcd", "path_pattern_hash": "a16ceff6d669b3e29397887a084460a7" }, "target_context": { "dst_port": 143, "service": "imap", "service_name": "imap", "risk_score": 38 }, "payload_preview": "\r\n\r\n", "request_sample": "\r\n\r\n", "evidence": { "request_sample": "\r\n\r\n", "classification_reason": "Type \u00ab port_143_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0d375072656087a7a7fcb3096c3ab066e785fca3", "protocol_details": { "imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)", "port": 143, "service": "imap", "service_label_fr": "IMAP" }, "attack_vector": "port 143 tcp \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)", "target_port_label": "143 \u00b7 IMAP", "emulator_service": "imap", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_143_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_143_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "imap", "service_label_fr": "IMAP", "dst_port": 143, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-imap", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)", "port": 143, "service": "imap", "service_label_fr": "IMAP" }, "attack_vector": "port 143 tcp \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "143 \u00b7 IMAP", "emulator_service": "imap", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "imap", "service_banner": "honeypot-imap", "service_os": "linux", "dst_port": "143" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "imap_emulated", "net_pop3_probe" ], "asn_dc_heuristic": true }
18/06/2026 17:19:08 UTC	TCP	143 · IMAP	imap	Sonde port 143/TCP port 143 tcp · via IMAP:143 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur IMAP WAF — Recommandation Surveiller Tags http_get_probe imap_emulated net_pop3_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 143 Chemin / cible — Preuve honeypot — Sonde port 143/TCP Connexion détectée sur le port 143 (TCP) du capteur simulé. Service IMAP Payload GET / HTTP/1.0 Pourquoi cette classification : Type « port_143_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "2a204f4b20494d41503420686f6e6579706f742072656164790d0a", "emulator_response_len": 27, "bytes_in": 18, "payload_entropy": 3.461320140211008, "port_category": "well_known", "org": "DigitalOcean, LLC", "service": "imap", "app_proto": "imap", "asn": 14061, "country": "DE", "dst_port": 143, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.1, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 0 }, "risk_score": 38, "tag_count": 3, "anomaly_count": 0, "campaign_key": "86f5a1ee6ab351de325af9d69055e8dae0803165", "event_fingerprint": "2aee505ca8261046f5734d427b2e1084c257e862", "classification_reason": "Type \u00ab port_143_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 0, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "pop3_probe", "service_name": "imap", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "DE", "asn": 14061, "org": "DigitalOcean, LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "6ec63b40bcbc26b71deda762dfd844f0", "path_pattern_hash": "a16ceff6d669b3e29397887a084460a7" }, "target_context": { "dst_port": 143, "service": "imap", "service_name": "imap", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.0\r\n\r\n", "request_sample": "GET \/ HTTP\/1.0\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.0", "evidence": { "request_sample": "GET \/ HTTP\/1.0\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.0", "classification_reason": "Type \u00ab port_143_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bef688a7e85133150bca4f90e880a6e767c90189", "protocol_details": { "imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)", "payload_preview": "GET \/ HTTP\/1.0", "port": 143, "service": "imap", "service_label_fr": "IMAP" }, "evidence_snippet": "GET \/ HTTP\/1.0", "attack_vector": "port 143 tcp \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)", "target_port_label": "143 \u00b7 IMAP", "emulator_service": "imap", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_143_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_143_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 0, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "imap", "service_label_fr": "IMAP", "dst_port": 143, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-imap", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)", "payload_preview": "GET \/ HTTP\/1.0", "port": 143, "service": "imap", "service_label_fr": "IMAP" }, "attack_vector": "port 143 tcp \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.0", "target_port_label": "143 \u00b7 IMAP", "emulator_service": "imap", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "imap", "service_banner": "honeypot-imap", "service_os": "linux", "dst_port": "143" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe", "imap_emulated", "net_pop3_probe" ], "asn_dc_heuristic": true }
18/06/2026 17:19:04 UTC	TCP	143 · IMAP	imap	Sonde port 143/TCP port 143 tcp · via IMAP:143 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur IMAP WAF — Recommandation Surveiller Tags imap_emulated net_pop3_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 143 Chemin / cible — Preuve honeypot — Sonde port 143/TCP Connexion détectée sur le port 143 (TCP) du capteur simulé. Service IMAP Pourquoi cette classification : Type « port_143_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "2a204f4b20494d41503420686f6e6579706f742072656164790d0a", "emulator_response_len": 27, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "well_known", "org": "DigitalOcean, LLC", "service": "imap", "app_proto": "imap", "asn": 14061, "country": "DE", "dst_port": 143, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0 }, "risk_score": 38, "tag_count": 2, "anomaly_count": 0, "campaign_key": "5dbb86240b20f1f0274445eb39af610c11d0b46e", "event_fingerprint": "2aee505ca8261046f5734d427b2e1084c257e862", "classification_reason": "Type \u00ab port_143_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "pop3_probe", "service_name": "imap", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "DE", "asn": 14061, "org": "DigitalOcean, LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "a16ceff6d669b3e29397887a084460a7" }, "target_context": { "dst_port": 143, "service": "imap", "service_name": "imap", "risk_score": 38 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "da35f1a884bb164b5c2101de8bd642a51fba2296", "protocol_details": { "imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)", "port": 143, "service": "imap", "service_label_fr": "IMAP" }, "attack_vector": "port 143 tcp \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)", "target_port_label": "143 \u00b7 IMAP", "emulator_service": "imap", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_143_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_143_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "imap", "service_label_fr": "IMAP", "dst_port": 143, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-imap", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)", "port": 143, "service": "imap", "service_label_fr": "IMAP" }, "attack_vector": "port 143 tcp \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "143 \u00b7 IMAP", "emulator_service": "imap", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "imap", "service_banner": "honeypot-imap", "service_os": "linux", "dst_port": "143" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "imap_emulated", "net_pop3_probe" ], "asn_dc_heuristic": true }

134.209.235.211

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence