Détails IP 135.13.10.66

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Rafale d'authentification SSH · confiance 55%

Confiance 55 % — Score WAF 8

Comparaison ASN / FAI

ASN 8075 · 135.13.0.0/16 · RIPENCC — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 8 événements sur la période pour cette IP.

20.168.121.239 Sonde WinRM 17/06/2026 14:34 UTC
20.163.2.150 weblogic probe 17/06/2026 14:28 UTC
20.163.27.102 Sonde PPTP 17/06/2026 14:17 UTC
20.168.121.142 Sonde WebSphere 17/06/2026 14:15 UTC
20.14.78.26 Sonde port 17/06/2026 14:07 UTC
20.186.232.151 Sonde SSH 17/06/2026 14:06 UTC
20.168.7.149 Sonde port 17/06/2026 14:00 UTC
172.202.104.157 Scan vulnérabilités 17/06/2026 13:55 UTC

IPs apparentées

Même FAI Microsoft Corporation — corrélation indicative.

20.168.121.239 Sonde WinRM
20.163.2.150 weblogic probe
20.163.27.102 Sonde PPTP
20.168.121.142 Sonde WebSphere
20.14.78.26 Sonde port

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

De

À

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Chronologie des événements

8 événement(s) — page 1/1

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
16/06/2026 21:38:03 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_bruteforce net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Pourquoi cette classification : Rafale d'authentification SSH · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "well_known", "org": "Microsoft Corporation", "service": "telnet", "app_proto": "telnet", "asn": 8075, "country": "IN", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "e205615af9152424239a8554f9f94d6c4887fc62", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "IN", "asn": 8075, "org": "Microsoft Corporation", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "73dbc7a12ad50c22c3d4c0a934f788478682a118", "protocol_details": { "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_bruteforce", "net_telnet_probe", "telnet_emulated" ] }
16/06/2026 21:37:58 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_bruteforce net_telnet_probe telnet_emulated telnet_iac Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Rafale d'authentification SSH · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "Microsoft Corporation", "service": "telnet", "app_proto": "telnet", "asn": 8075, "country": "IN", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "a770e85d8d2f3eca157e5560efe197efd4bbb247", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "IN", "asn": 8075, "org": "Microsoft Corporation", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "89e4476e72d028514b73ab007a01eb5e", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ddf6f50d9a9e8fed0a97736b39701377d680a3d7", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_bruteforce", "net_telnet_probe", "telnet_emulated", "telnet_iac" ] }
16/06/2026 21:37:52 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated telnet_iac Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "Microsoft Corporation", "service": "telnet", "app_proto": "telnet", "asn": 8075, "country": "IN", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "c37e630fe780f22cd3f98b9d97769064efa8829a", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "IN", "asn": 8075, "org": "Microsoft Corporation", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "89e4476e72d028514b73ab007a01eb5e", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ea3bb5bb01832390f17604ed201d0411a8476859", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated", "telnet_iac" ] }
16/06/2026 21:37:45 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated telnet_iac Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "Microsoft Corporation", "service": "telnet", "app_proto": "telnet", "asn": 8075, "country": "IN", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "c37e630fe780f22cd3f98b9d97769064efa8829a", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "IN", "asn": 8075, "org": "Microsoft Corporation", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "89e4476e72d028514b73ab007a01eb5e", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ea3bb5bb01832390f17604ed201d0411a8476859", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated", "telnet_iac" ] }
16/06/2026 21:37:38 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated telnet_iac Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "Microsoft Corporation", "service": "telnet", "app_proto": "telnet", "asn": 8075, "country": "IN", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "c37e630fe780f22cd3f98b9d97769064efa8829a", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "IN", "asn": 8075, "org": "Microsoft Corporation", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "89e4476e72d028514b73ab007a01eb5e", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ea3bb5bb01832390f17604ed201d0411a8476859", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated", "telnet_iac" ] }
16/06/2026 21:37:29 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "well_known", "org": "Microsoft Corporation", "service": "telnet", "app_proto": "telnet", "asn": 8075, "country": "IN", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "IN", "asn": 8075, "org": "Microsoft Corporation", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "375a927bb9bbd2eb33edd9b4264c0c0b9afc3f8d", "protocol_details": { "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ] }
16/06/2026 21:37:25 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated telnet_iac Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "Microsoft Corporation", "service": "telnet", "app_proto": "telnet", "asn": 8075, "country": "IN", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "c37e630fe780f22cd3f98b9d97769064efa8829a", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "IN", "asn": 8075, "org": "Microsoft Corporation", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "89e4476e72d028514b73ab007a01eb5e", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ea3bb5bb01832390f17604ed201d0411a8476859", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated", "telnet_iac" ] }
16/06/2026 21:04:01 UTC	TCP	2323	—	port attack port attack · port 2323 · (tentative d'exploit)	Élevée	Faible · 31
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2323 Chemin / cible — Pourquoi cette classification : Type « port_attack » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 31 Confiance : Confiance faible (0 %) — classification prudente Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Meta JSON brut { "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Microsoft Corporation", "service": null, "app_proto": null, "asn": 8075, "country": "IN", "dst_port": 2323, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0 }, "risk_score": 31, "tag_count": 0, "anomaly_count": 0, "campaign_key": "0a9b74886e486ba4acbe70b57f1ae28f3c04d198", "event_fingerprint": "8363142c9798ea7690238f7a7bcb010f142371b5", "classification_reason": "Type \u00ab port_attack \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 31 }, "named_classification_skipped": false, "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "IN", "asn": 8075, "org": "Microsoft Corporation", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "71648f0e2dfe7e5534c63b00dedfee48" }, "target_context": { "dst_port": 2323, "risk_score": 31 }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "16f1e15cef20bc4f4d42cda3c3588d71240f603d", "protocol_details": { "port": 2323 }, "attack_vector": "port attack \u00b7 port 2323 \u00b7 (tentative d'exploit)", "target_port_label": "2323", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_attack \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab port_attack \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 31\/100 (Faible) \u2014 MITRE TA0001", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 31 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 31, "risk_label": "Faible", "service_name": null, "service_label_fr": null, "dst_port": 2323, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "port": 2323 }, "attack_vector": "port attack \u00b7 port 2323 \u00b7 (tentative d'exploit)", "evidence_snippet": null, "target_port_label": "2323", "emulator_service": null, "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "2323" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "behavior_alert_count": 1, "behavior_priority": 72 }

Réputation

Sécurité avancée

Offensive / Recon

Sécurité

DNS

Réseau

E-mail

IP

Utilitaires

135.13.10.66

Profil de menace

Pourquoi listée

Comparaison ASN / FAI

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence