{"ip":"146.148.127.18","exported_at":"2026-06-18T18:41:14+00:00","period_days":7,"metrics":{"events7d":58,"distinct_ports":1,"distinct_classifications":10,"max_severity":7,"last_sensor_id":"paris-1","max_waf_score":null,"max_risk_score":49,"attack_stage":"probe","attack_chain_stage":"discovery","threat_family":["scanner"],"recommended_action":"monitor","confidence":0.49,"risk_breakdown":{"waf":8,"classification":42,"behavior":0,"geo":40,"protocol":30,"novelty":15},"mitre_tactics":["TA0007","TA0001"],"mitre_technique":"TA0007","top_mitre_technique":"TA0007","top_mitre_count":52,"executive_one_liner_fr":"Activit\u00e9 suspecte \u00b7 risque 42\/100","campaign_hint_fr":null,"confidence_breakdown":{"waf":8,"classification":42,"behavior":0,"geo":40,"protocol":30,"novelty":15,"risk_score":42},"persona_hostname":"mail.sensor-1.internal","correlation_flags":[],"correlation_flags_labels_fr":[],"confidence_pct":49,"confidence_hint_fr":"Confiance mod\u00e9r\u00e9e \u2014 signal unique","sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["pat-0382"],"tags_summary":["pat-0382"],"attack_vector":"rtsp probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)","protocol_details":{"pop3_auth_fr":"Sonde protocole POP3 (USER\/PASS)","payload_preview":"OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 5636","port":110,"service":"pop3","service_label_fr":"POP3"},"protocol_summary_fr":"Sonde protocole POP3 (USER\/PASS) \u00b7 Payload OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 5636 \u00b7 POP3:110","evidence_snippet":"OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 5636","target_port_label":"110 \u00b7 POP3","emulator_service":"pop3","confidence_reason":"Confiance 49 % \u2014 Motif catalogue confirm\u00e9","classification_reason":"Rafale d\u0027authentification SSH \u00b7 confiance 49%","classification_reason_label_fr":"Rafale d\u0027authentification SSH \u00b7 confiance 49%","confidence_factors_fr":"Confiance 49 % \u2014 Score WAF 8","payload_preview":"OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 5636"},"events":[{"id":9538403,"ip":"146.148.127.18","ts":"2026-06-18 02:46:22.000000","proto":"tcp","src_port":31526,"dst_port":110,"service":"pop3","classification":"port_110_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022bytes_in\u0022: 14, \u0022payload_entropy\u0022: 3.128085278891395, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002290a21a7c7c63b720da188cea6b1e41a0aed5b30f\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022matched_patterns\u0022: [\u0022pat-0414\u0022], \u0022matched_pattern_names\u0022: [\u0022Redis PING RESP\u0022], \u0022pattern_ids\u0022: [\u0022pat-0414\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022pop3_probe\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a43cb6a3b9d261112714d00e36b33106\u0022, \u0022path_pattern_hash\u0022: \u0022dc4164b66ff59a3b1d171afce3368aeb\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022*1\\r\\n$4\\r\\nPING\\r\\n\u0022, \u0022request_sample\u0022: \u0022*1\\r\\n$4\\r\\nPING\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022*1\\r\\n$4\\r\\nPING\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022*1\\r\\n$4\\r\\nPING\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022*1\\r\\n$4\\r\\nPING\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224b91035ab300bb1c257fb87be22dc1836100b139\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022*1\\r\\n$4\\r\\nPING\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022evidence_snippet\u0022: \u0022*1\\r\\n$4\\r\\nPING\u0022, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022*1\\r\\n$4\\r\\nPING\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022*1\\r\\n$4\\r\\nPING\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":3,"bytes_in":14},{"id":9538404,"ip":"146.148.127.18","ts":"2026-06-18 02:46:22.000000","proto":"tcp","src_port":31532,"dst_port":110,"service":"pop3","classification":"mqtt_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 3.281373409411991, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 54.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b136edc38db83ad57b9c90e3e1a9bebf4c8023ca\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 97%\u0022, \u0022confidence\u0022: 0.97, \u0022classification_confidence\u0022: 0.97, \u0022precision_score\u0022: 110, \u0022precision_signals\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022], \u0022matched_patterns\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022MQTT protocol\u0022, \u0022MQTT alt CONNECT\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 97.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022146feb4208f989935534a353df60ec62\u0022, \u0022path_pattern_hash\u0022: \u00224449b927317468afa12a2f935a413459\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022\\u0010\\u0011\\u0000\\u0004MQTT\\u0003\\u0002\\u0000\u003C\\u0000\\u0005AAAAA\u0022, \u0022request_sample\u0022: \u0022\\u0010\\u0011\\u0000\\u0004MQTT\\u0003\\u0002\\u0000\u003C\\u0000\\u0005AAAAA\u0022, \u0022payload_snippet\u0022: \u0022\\u0010\\u0011\\u0000\\u0004MQTT\\u0003\\u0002\\u0000\u003C\\u0000\\u0005AAAAA\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0010\\u0011\\u0000\\u0004MQTT\\u0003\\u0002\\u0000\u003C\\u0000\\u0005AAAAA\u0022, \u0022payload_snippet\u0022: \u0022\\u0010\\u0011\\u0000\\u0004MQTT\\u0003\\u0002\\u0000\u003C\\u0000\\u0005AAAAA\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 97%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228e6f109176798254c40497eddfe2b82130606e1b\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\\u0010\\u0011\\u0000\\u0004MQTT\\u0003\\u0002\\u0000\u003C\\u0000\\u0005AAAAA\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022evidence_snippet\u0022: \u0022MQTT\u003CAAAAA\u0022, \u0022attack_vector\u0022: \u0022mqtt probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 97 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 97%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 97%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 97, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\\u0010\\u0011\\u0000\\u0004MQTT\\u0003\\u0002\\u0000\u003C\\u0000\\u0005AAAAA\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022mqtt probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022MQTT\u003CAAAAA\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 97 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 97 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mqtt_connect\u0022, \u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mqtt_connect\u0022, \u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":19},{"id":9538405,"ip":"146.148.127.18","ts":"2026-06-18 02:46:22.000000","proto":"tcp","src_port":31548,"dst_port":110,"service":"pop3","classification":"port_110_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022bytes_in\u0022: 14, \u0022payload_entropy\u0022: 3.6644977792004623, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002290a21a7c7c63b720da188cea6b1e41a0aed5b30f\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022pop3_probe\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d7cf99dd7541d7bd514fc0d9a1b2d531\u0022, \u0022path_pattern_hash\u0022: \u0022dc4164b66ff59a3b1d171afce3368aeb\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022JDWP-Handshake\u0022, \u0022request_sample\u0022: \u0022JDWP-Handshake\u0022, \u0022payload_snippet\u0022: \u0022JDWP-Handshake\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022JDWP-Handshake\u0022, \u0022payload_snippet\u0022: \u0022JDWP-Handshake\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022fa580366a7cbe6c34adf288a5126d96d893a6f89\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022JDWP-Handshake\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022evidence_snippet\u0022: \u0022JDWP-Handshake\u0022, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022JDWP-Handshake\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022JDWP-Handshake\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":3,"bytes_in":14},{"id":9538406,"ip":"146.148.127.18","ts":"2026-06-18 02:46:22.000000","proto":"tcp","src_port":31550,"dst_port":110,"service":"pop3","classification":"java_rmi_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022bytes_in\u0022: 7, \u0022payload_entropy\u0022: 2.807354922057604, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002290a21a7c7c63b720da188cea6b1e41a0aed5b30f\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0604\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0604\u0022], \u0022matched_patterns\u0022: [\u0022pat-0604\u0022], \u0022matched_pattern_names\u0022: [\u0022Java RMI JRMI\u0022], \u0022pattern_ids\u0022: [\u0022pat-0604\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d8c49a0f759e2102fb8fa8368049d06a\u0022, \u0022path_pattern_hash\u0022: \u00227a566ca86213ccd15a91c0b5a885a24f\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022request_sample\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022payload_snippet\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022payload_snippet\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022enterprise_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002246bef58c2a08881249be93277bf3090a6a7f6ada\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022evidence_snippet\u0022: \u0022JRMIK\u0022, \u0022attack_vector\u0022: \u0022java rmi probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0604\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0604\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022java rmi probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022JRMIK\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":3,"bytes_in":7},{"id":9538407,"ip":"146.148.127.18","ts":"2026-06-18 02:46:22.000000","proto":"tcp","src_port":31556,"dst_port":110,"service":"pop3","classification":"mqtt_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022bytes_in\u0022: 20, \u0022payload_entropy\u0022: 3.1414460711655217, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 54.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b136edc38db83ad57b9c90e3e1a9bebf4c8023ca\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 97%\u0022, \u0022confidence\u0022: 0.97, \u0022classification_confidence\u0022: 0.97, \u0022precision_score\u0022: 110, \u0022precision_signals\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022], \u0022matched_patterns\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022MQTT protocol\u0022, \u0022MQTT alt CONNECT\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 97.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00228cbaa0e25147458ba5f5f0e8603c4f19\u0022, \u0022path_pattern_hash\u0022: \u00224449b927317468afa12a2f935a413459\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022\\u0010\\u0012\\u0000\\u0004MQTT\\u0005\\u0002\\u0000\u003C\\u0000\\u0000\\u0005AAAAA\u0022, \u0022request_sample\u0022: \u0022\\u0010\\u0012\\u0000\\u0004MQTT\\u0005\\u0002\\u0000\u003C\\u0000\\u0000\\u0005AAAAA\u0022, \u0022payload_snippet\u0022: \u0022\\u0010\\u0012\\u0000\\u0004MQTT\\u0005\\u0002\\u0000\u003C\\u0000\\u0000\\u0005AAAAA\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0010\\u0012\\u0000\\u0004MQTT\\u0005\\u0002\\u0000\u003C\\u0000\\u0000\\u0005AAAAA\u0022, \u0022payload_snippet\u0022: \u0022\\u0010\\u0012\\u0000\\u0004MQTT\\u0005\\u0002\\u0000\u003C\\u0000\\u0000\\u0005AAAAA\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 97%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f6ebe6b68ac93c4c76ff0a6ba95c312b62e2bfb2\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\\u0010\\u0012\\u0000\\u0004MQTT\\u0005\\u0002\\u0000\u003C\\u0000\\u0000\\u0005AAAAA\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022evidence_snippet\u0022: \u0022MQTT\u003CAAAAA\u0022, \u0022attack_vector\u0022: \u0022mqtt probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 97 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 97%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 97%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 97, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\\u0010\\u0012\\u0000\\u0004MQTT\\u0005\\u0002\\u0000\u003C\\u0000\\u0000\\u0005AAAAA\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022mqtt probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022MQTT\u003CAAAAA\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 97 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 97 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mqtt_connect\u0022, \u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mqtt_connect\u0022, \u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":20},{"id":9538408,"ip":"146.148.127.18","ts":"2026-06-18 02:46:22.000000","proto":"tcp","src_port":31558,"dst_port":110,"service":"pop3","classification":"port_110_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022bytes_in\u0022: 12, \u0022payload_entropy\u0022: 3.584962500721156, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002290a21a7c7c63b720da188cea6b1e41a0aed5b30f\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022pop3_probe\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b2993d6e4414a846683a71de5eb18653\u0022, \u0022path_pattern_hash\u0022: \u0022dc4164b66ff59a3b1d171afce3368aeb\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022@RSYTCD: 29\\n\u0022, \u0022request_sample\u0022: \u0022@RSYTCD: 29\\n\u0022, \u0022payload_snippet\u0022: \u0022@RSYTCD: 29\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022@RSYTCD: 29\\n\u0022, \u0022payload_snippet\u0022: \u0022@RSYTCD: 29\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002263b0b68cba582f45642d56cbfa05d0c5ae80cf67\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022@RSYTCD: 29\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022evidence_snippet\u0022: \u0022@RSYTCD: 29\u0022, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022@RSYTCD: 29\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022@RSYTCD: 29\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":3,"bytes_in":12},{"id":9538409,"ip":"146.148.127.18","ts":"2026-06-18 02:46:22.000000","proto":"tcp","src_port":31560,"dst_port":110,"service":"pop3","classification":"oracle_tns_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.127911658718781, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 54.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002290a21a7c7c63b720da188cea6b1e41a0aed5b30f\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 47%\u0022, \u0022confidence\u0022: 0.47, \u0022classification_confidence\u0022: 0.47, \u0022precision_score\u0022: 56, \u0022precision_signals\u0022: [\u0022pat-0520\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0520\u0022], \u0022matched_patterns\u0022: [\u0022pat-0520\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022Oracle TNS connect\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0520\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 47.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a4128a3063c2666570c280a6e2b7f6cc\u0022, \u0022path_pattern_hash\u0022: \u0022420e91c120535c16728a9791d446fafc\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0000\ufffd\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\u003C\\u0001,\\u0000\\u0000\ufffd\\u0000\ufffd\\b\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\\u0000:\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123\u0022, \u0022request_sample\u0022: \u0022\\u0000\ufffd\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\u003C\\u0001,\\u0000\\u0000\ufffd\\u0000\ufffd\\b\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\\u0000:\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123-a-a-bc-asdf)(CID=(PROGRAM=sqlplus)(HOST=__jdbc__)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=62.3.50.33)(PORT=110)))\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\ufffd\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\u003C\\u0001,\\u0000\\u0000\ufffd\\u0000\ufffd\\b\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\\u0000:\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\ufffd\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\u003C\\u0001,\\u0000\\u0000\ufffd\\u0000\ufffd\\b\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\\u0000:\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123-a-a-bc-asdf)(CID=(PROGRAM=sqlplus)(HOST=__jdbc__)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=62.3.50.33)(PORT=110)))\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\ufffd\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\u003C\\u0001,\\u0000\\u0000\ufffd\\u0000\ufffd\\b\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\\u0000:\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 47%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a54d5a1c2ee43864b18a645884d3e25fa4459efd\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\\u0000\ufffd\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\u003C\\u0001,\\u0000\\u0000\ufffd\\u0000\ufffd\\b\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\\u0000:\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\u003C,\ufffd\ufffd\ufffd:(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123\u0022, \u0022attack_vector\u0022: \u0022oracle tns probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 47 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 47%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 47%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 47, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0520\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0520\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\\u0000\ufffd\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\u003C\\u0001,\\u0000\\u0000\ufffd\\u0000\ufffd\\b\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\\u0000:\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022oracle tns probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u003C,\ufffd\ufffd\ufffd:(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 47 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 47 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":3,"bytes_in":239},{"id":9538410,"ip":"146.148.127.18","ts":"2026-06-18 02:46:22.000000","proto":"tcp","src_port":31564,"dst_port":110,"service":"pop3","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 4.139167728978457, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 10.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 10.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224dd39330461cf3ca280bcc759d61ab53bea1d9cf\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 10.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002294e606a42613d0ef095b8001a98bf6ed\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000T\\u0000\\u0003\\u0000\\u0000user\\u0000postgres\\u0000database\\u0000postgres\\u0000application_name\\u0000psql\\u0000client_encoding\\u0000UTF8\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000T\\u0000\\u0003\\u0000\\u0000user\\u0000postgres\\u0000database\\u0000postgres\\u0000application_name\\u0000psql\\u0000client_encoding\\u0000UTF8\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000T\\u0000\\u0003\\u0000\\u0000user\\u0000postgres\\u0000database\\u0000postgres\\u0000application_name\\u0000psql\\u0000client_encoding\\u0000UTF8\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000T\\u0000\\u0003\\u0000\\u0000user\\u0000postgres\\u0000database\\u0000postgres\\u0000application_name\\u0000psql\\u0000client_encoding\\u0000UTF8\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000T\\u0000\\u0003\\u0000\\u0000user\\u0000postgres\\u0000database\\u0000postgres\\u0000application_name\\u0000psql\\u0000client_encoding\\u0000UTF8\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002265e11fe15496fe5b89191251935d92a003bc42d7\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000T\\u0000\\u0003\\u0000\\u0000user\\u0000postgres\\u0000database\\u0000postgres\\u0000application_name\\u0000psql\\u0000client_encoding\\u0000UTF8\\u0000\\u0000\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022evidence_snippet\u0022: \u0022Tuserpostgresdatabasepostgresapplication_namepsqlclient_encodingUTF8\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 10.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000T\\u0000\\u0003\\u0000\\u0000user\\u0000postgres\\u0000database\\u0000postgres\\u0000application_name\\u0000psql\\u0000client_encoding\\u0000UTF8\\u0000\\u0000\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022Tuserpostgresdatabasepostgresapplication_namepsqlclient_encodingUTF8\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022, \u0022postgres_startup\u0022, \u0022postgresql_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022, \u0022postgres_startup\u0022, \u0022postgresql_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":84},{"id":9538411,"ip":"146.148.127.18","ts":"2026-06-18 02:46:22.000000","proto":"tcp","src_port":31568,"dst_port":110,"service":"pop3","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022bytes_in\u0022: 51, \u0022payload_entropy\u0022: 4.814103037837824, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002290a21a7c7c63b720da188cea6b1e41a0aed5b30f\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0382\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00228d8a765d6e3ddf69c2473fc6fe207f91\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/example.com RTSP\/1.0\\r\\nCseq: 5636\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/example.com RTSP\/1.0\\r\\nCseq: 5636\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/example.com RTSP\/1.0\\r\\nCseq: 5636\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/example.com RTSP\/1.0\\r\\nCseq: 5636\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/example.com RTSP\/1.0\\r\\nCseq: 5636\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022809e2c0026d7079b475f1c8e1d4e3b835314e1c7\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/example.com RTSP\/1.0\\r\\nCseq: 5636\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/example.com RTSP\/1.0\\r\\nCseq: 5636\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 42\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/example.com RTSP\/1.0\\r\\nCseq: 5636\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/example.com RTSP\/1.0\\r\\nCseq: 5636\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":3,"bytes_in":51},{"id":9538400,"ip":"146.148.127.18","ts":"2026-06-18 02:46:21.000000","proto":"tcp","src_port":31490,"dst_port":110,"service":"pop3","classification":"pop3_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.9235205817738175, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224c2d8e4d9abc622803b6e39b98ef2b0304719c2c\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0532\u0022], \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222a177602bee0d039f41fbd6da5240e04\u0022, \u0022path_pattern_hash\u0022: \u002244d5bece51c65fa33908cf3d76b6745a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(r\ufffd\\u001d\\u0013\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001\ufffd|\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000(r\ufffd\\u001d\\u0013\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001\ufffd|\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000(r\ufffd\\u001d\\u0013\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001\ufffd|\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000(r\ufffd\\u001d\\u0013\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001\ufffd|\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000(r\ufffd\\u001d\\u0013\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001\ufffd|\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226a83a1636a54f9274129009ed123c16cb591d9f5\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(r\ufffd\\u001d\\u0013\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001\ufffd|\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd(r\ufffd\ufffd\ufffd\ufffd|\u0022, \u0022attack_vector\u0022: \u0022pop3 probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0532\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0532\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(r\ufffd\\u001d\\u0013\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001\ufffd|\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022pop3 probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd(r\ufffd\ufffd\ufffd\ufffd|\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 2, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":44},{"id":9538401,"ip":"146.148.127.18","ts":"2026-06-18 02:46:21.000000","proto":"tcp","src_port":31506,"dst_port":110,"service":"pop3","classification":"pop3_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022bytes_in\u0022: 106, \u0022payload_entropy\u0022: 1.562219115128654, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002290a21a7c7c63b720da188cea6b1e41a0aed5b30f\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0532\u0022], \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c410cf23b3d85ec98026baf9f8231d24\u0022, \u0022path_pattern_hash\u0022: \u002244d5bece51c65fa33908cf3d76b6745a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000f\ufffdSMB@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000$\\u0000\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0013333333333333337\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0002\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000f\ufffdSMB@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000$\\u0000\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0013333333333333337\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000f\ufffdSMB@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000$\\u0000\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0013333333333333337\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0002\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000f\ufffdSMB@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000$\\u0000\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0013333333333333337\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000f\ufffdSMB@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000$\\u0000\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0013333333333333337\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0002\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a66710b35c95baa8a3687875225bf263195e65b7\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000f\ufffdSMB@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000$\\u0000\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0013333333333333337\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0002\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022evidence_snippet\u0022: \u0022f\ufffdSMB@$333333333333337\u0022, \u0022attack_vector\u0022: \u0022pop3 probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0532\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0532\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000f\ufffdSMB@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000$\\u0000\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0013333333333333337\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0002\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022pop3 probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022f\ufffdSMB@$333333333333337\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":3,"bytes_in":106},{"id":9538402,"ip":"146.148.127.18","ts":"2026-06-18 02:46:21.000000","proto":"tcp","src_port":31514,"dst_port":110,"service":"pop3","classification":"pop3_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022bytes_in\u0022: 12, \u0022payload_entropy\u0022: 2.125814583693911, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002290a21a7c7c63b720da188cea6b1e41a0aed5b30f\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00227fe3d42af13cfefd76c023ac9ab24596\u0022, \u0022path_pattern_hash\u0022: \u002244d5bece51c65fa33908cf3d76b6745a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\r\ufffd\\u0000\\u0000\\u0000\\u0006\\u0001\\u0002\\u0000\\u0000\\u0000\\u0001\u0022, \u0022request_sample\u0022: \u0022\\r\ufffd\\u0000\\u0000\\u0000\\u0006\\u0001\\u0002\\u0000\\u0000\\u0000\\u0001\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u0006\\u0001\\u0002\\u0000\\u0000\\u0000\\u0001\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\r\ufffd\\u0000\\u0000\\u0000\\u0006\\u0001\\u0002\\u0000\\u0000\\u0000\\u0001\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u0006\\u0001\\u0002\\u0000\\u0000\\u0000\\u0001\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222eca32dc8aac7f24ee5b10f14a66f3c3a8d56086\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u0006\\u0001\\u0002\\u0000\\u0000\\u0000\\u0001\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022pop3 probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u0006\\u0001\\u0002\\u0000\\u0000\\u0000\\u0001\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022pop3 probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":3,"bytes_in":12},{"id":9538397,"ip":"146.148.127.18","ts":"2026-06-18 02:46:18.000000","proto":"tcp","src_port":31460,"dst_port":110,"service":"pop3","classification":"kafka_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022bytes_in\u0022: 71, \u0022payload_entropy\u0022: 4.83906190787142, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002290a21a7c7c63b720da188cea6b1e41a0aed5b30f\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 47%\u0022, \u0022confidence\u0022: 0.47, \u0022classification_confidence\u0022: 0.47, \u0022precision_score\u0022: 56, \u0022precision_signals\u0022: [\u0022pat-0556\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0556\u0022], \u0022matched_patterns\u0022: [\u0022pat-0556\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022Kafka ApiVersions key\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0556\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 47.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d9bcc621186ef441cc445f2b3dbd5f10\u0022, \u0022path_pattern_hash\u0022: \u0022369bfdf011acc5969bcb68a7ffd2ca13\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000C\\u0000\\u0012\\u0000\\u0000\\u001e3\ufffd\\u0000\\u001fconsumer-Offset Explorer 2.2-18\\u0000\\u0012apache-kafka-java\\u00062.4.0\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000C\\u0000\\u0012\\u0000\\u0000\\u001e3\ufffd\\u0000\\u001fconsumer-Offset Explorer 2.2-18\\u0000\\u0012apache-kafka-java\\u00062.4.0\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000C\\u0000\\u0012\\u0000\\u0000\\u001e3\ufffd\\u0000\\u001fconsumer-Offset Explorer 2.2-18\\u0000\\u0012apache-kafka-java\\u00062.4.0\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000C\\u0000\\u0012\\u0000\\u0000\\u001e3\ufffd\\u0000\\u001fconsumer-Offset Explorer 2.2-18\\u0000\\u0012apache-kafka-java\\u00062.4.0\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000C\\u0000\\u0012\\u0000\\u0000\\u001e3\ufffd\\u0000\\u001fconsumer-Offset Explorer 2.2-18\\u0000\\u0012apache-kafka-java\\u00062.4.0\\u0000\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 47%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022enterprise_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022620ed84601441313cce112870e8e7314fa819d11\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000C\\u0000\\u0012\\u0000\\u0000\\u001e3\ufffd\\u0000\\u001fconsumer-Offset Explorer 2.2-18\\u0000\\u0012apache-kafka-java\\u00062.4.0\\u0000\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022evidence_snippet\u0022: \u0022C3\ufffdconsumer-Offset Explorer 2.2-18apache-kafka-java2.4.0\u0022, \u0022attack_vector\u0022: \u0022kafka probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 47 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 47%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 47%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 47, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0556\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0556\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000C\\u0000\\u0012\\u0000\\u0000\\u001e3\ufffd\\u0000\\u001fconsumer-Offset Explorer 2.2-18\\u0000\\u0012apache-kafka-java\\u00062.4.0\\u0000\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022kafka probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022C3\ufffdconsumer-Offset Explorer 2.2-18apache-kafka-java2.4.0\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 47 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 47 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":3,"bytes_in":71},{"id":9538398,"ip":"146.148.127.18","ts":"2026-06-18 02:46:18.000000","proto":"tcp","src_port":31476,"dst_port":110,"service":"pop3","classification":"port_110_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022bytes_in\u0022: 39, \u0022payload_entropy\u0022: 4.001972787964548, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 10.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 10.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224dd39330461cf3ca280bcc759d61ab53bea1d9cf\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 10.0, \u0022risk_score\u0022: 40}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00221fe7a7a984ae33dc67b774d9ff25bded\u0022, \u0022path_pattern_hash\u0022: \u0022dc4164b66ff59a3b1d171afce3368aeb\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000#\\u0000\\u0003\\u0000\\u0000\\u001e3\ufffd\\u0000\\radminclient-5\\u0000\\u0000\\u0000\\u0001\\u0000\\u0006eseeBN\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000#\\u0000\\u0003\\u0000\\u0000\\u001e3\ufffd\\u0000\\radminclient-5\\u0000\\u0000\\u0000\\u0001\\u0000\\u0006eseeBN\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000#\\u0000\\u0003\\u0000\\u0000\\u001e3\ufffd\\u0000\\radminclient-5\\u0000\\u0000\\u0000\\u0001\\u0000\\u0006eseeBN\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000#\\u0000\\u0003\\u0000\\u0000\\u001e3\ufffd\\u0000\\radminclient-5\\u0000\\u0000\\u0000\\u0001\\u0000\\u0006eseeBN\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000#\\u0000\\u0003\\u0000\\u0000\\u001e3\ufffd\\u0000\\radminclient-5\\u0000\\u0000\\u0000\\u0001\\u0000\\u0006eseeBN\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002228d78734ad2795709e075ffaf5cc0c72d2dd1a64\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000#\\u0000\\u0003\\u0000\\u0000\\u001e3\ufffd\\u0000\\radminclient-5\\u0000\\u0000\\u0000\\u0001\\u0000\\u0006eseeBN\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022evidence_snippet\u0022: \u0022#3\ufffd\\radminclient-5eseeBN\u0022, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 10.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000#\\u0000\\u0003\\u0000\\u0000\\u001e3\ufffd\\u0000\\radminclient-5\\u0000\\u0000\\u0000\\u0001\\u0000\\u0006eseeBN\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022#3\ufffd\\radminclient-5eseeBN\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022, \u0022postgres_startup\u0022, \u0022postgresql_probe\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 84}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022, \u0022postgres_startup\u0022, \u0022postgresql_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":39},{"id":9538399,"ip":"146.148.127.18","ts":"2026-06-18 02:46:18.000000","proto":"tcp","src_port":31480,"dst_port":110,"service":"pop3","classification":"port_110_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002290a21a7c7c63b720da188cea6b1e41a0aed5b30f\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022pop3_probe\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u0022dc4164b66ff59a3b1d171afce3368aeb\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226d82a6eb2523f8353402da03eb253964f349b05c\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":3,"bytes_in":0},{"id":9538394,"ip":"146.148.127.18","ts":"2026-06-18 02:46:15.000000","proto":"tcp","src_port":31432,"dst_port":110,"service":"pop3","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022bytes_in\u0022: 88, \u0022payload_entropy\u0022: 4.354527413223707, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022726ed118df54a678eb75d34ceb20ad5e79cd827a\u0022, \u0022event_fingerprint\u0022: \u00229220bac2adc3c594b4910f2407683c9d020ff636\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0519\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0519\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0519\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0519\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00220efe38694fbb4cc2af819186b5e9ae9e\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0012\\u0001\\u0000X\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u001f\\u0000\\u0006\\u0001\\u0000%\\u0000\\u0001\\u0002\\u0000\u0026\\u0000\\u0001\\u0003\\u0000\u0027\\u0000\\u0004\\u0004\\u0000+\\u0000\\u0001\\u0005\\u0000,\\u0000$\ufffd\\u0011\\t\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\\\\\ufffdk\ufffd\\u001f\u066a\u003C\\u0013K\ufffd{\ufffd\\u0003\\\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0012\\u0001\\u0000X\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u001f\\u0000\\u0006\\u0001\\u0000%\\u0000\\u0001\\u0002\\u0000\u0026\\u0000\\u0001\\u0003\\u0000\u0027\\u0000\\u0004\\u0004\\u0000+\\u0000\\u0001\\u0005\\u0000,\\u0000$\ufffd\\u0011\\t\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\\\\\ufffdk\ufffd\\u001f\u066a\u003C\\u0013K\ufffd{\ufffd\\u0003\\\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0012\\u0001\\u0000X\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u001f\\u0000\\u0006\\u0001\\u0000%\\u0000\\u0001\\u0002\\u0000\u0026\\u0000\\u0001\\u0003\\u0000\u0027\\u0000\\u0004\\u0004\\u0000+\\u0000\\u0001\\u0005\\u0000,\\u0000$\ufffd\\u0011\\t\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\\\\\ufffdk\ufffd\\u001f\u066a\u003C\\u0013K\ufffd{\ufffd\\u0003\\\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0012\\u0001\\u0000X\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u001f\\u0000\\u0006\\u0001\\u0000%\\u0000\\u0001\\u0002\\u0000\u0026\\u0000\\u0001\\u0003\\u0000\u0027\\u0000\\u0004\\u0004\\u0000+\\u0000\\u0001\\u0005\\u0000,\\u0000$\ufffd\\u0011\\t\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\\\\\ufffdk\ufffd\\u001f\u066a\u003C\\u0013K\ufffd{\ufffd\\u0003\\\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0012\\u0001\\u0000X\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u001f\\u0000\\u0006\\u0001\\u0000%\\u0000\\u0001\\u0002\\u0000\u0026\\u0000\\u0001\\u0003\\u0000\u0027\\u0000\\u0004\\u0004\\u0000+\\u0000\\u0001\\u0005\\u0000,\\u0000$\ufffd\\u0011\\t\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\\\\\ufffdk\ufffd\\u001f\u066a\u003C\\u0013K\ufffd{\ufffd\\u0003\\\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228961e485cb0c90823478f1c8591dced50c06a619\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\\u0012\\u0001\\u0000X\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u001f\\u0000\\u0006\\u0001\\u0000%\\u0000\\u0001\\u0002\\u0000\u0026\\u0000\\u0001\\u0003\\u0000\u0027\\u0000\\u0004\\u0004\\u0000+\\u0000\\u0001\\u0005\\u0000,\\u0000$\ufffd\\u0011\\t\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\\\\\ufffdk\ufffd\\u001f\u066a\u003C\\u0013K\ufffd{\ufffd\\u0003\\\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022evidence_snippet\u0022: \u0022X%\u0026\u0027+,$\ufffd\\t\ufffd\ufffd\ufffd\\\\\ufffdk\ufffd\u066a\u003CK\ufffd{\ufffd\\\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0519\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0519\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\\u0012\\u0001\\u0000X\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u001f\\u0000\\u0006\\u0001\\u0000%\\u0000\\u0001\\u0002\\u0000\u0026\\u0000\\u0001\\u0003\\u0000\u0027\\u0000\\u0004\\u0004\\u0000+\\u0000\\u0001\\u0005\\u0000,\\u0000$\ufffd\\u0011\\t\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\\\\\ufffdk\ufffd\\u001f\u066a\u003C\\u0013K\ufffd{\ufffd\\u0003\\\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022X%\u0026\u0027+,$\ufffd\\t\ufffd\ufffd\ufffd\\\\\ufffdk\ufffd\u066a\u003CK\ufffd{\ufffd\\\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mssql_tds\u0022, \u0022net_bruteforce_burst\u0022, \u0022net_mssql_tds\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mssql_tds\u0022, \u0022net_bruteforce_burst\u0022, \u0022net_mssql_tds\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":5,"bytes_in":88},{"id":9538395,"ip":"146.148.127.18","ts":"2026-06-18 02:46:15.000000","proto":"tcp","src_port":31444,"dst_port":110,"service":"pop3","classification":"port_110_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022bytes_in\u0022: 60, \u0022payload_entropy\u0022: 4.694309137239126, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002290a21a7c7c63b720da188cea6b1e41a0aed5b30f\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022pop3_probe\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002228417884bd8969fa1f47f0f107257c6f\u0022, \u0022path_pattern_hash\u0022: \u0022dc4164b66ff59a3b1d171afce3368aeb\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u00220:\\u0002\\u00042\ufffd\ufffdg`2\\u0002\\u0001\\u0003\\u0004\\u0017cn=yejuwwgfbmddiskmkihu\ufffd\\u0014yejuwwgfbmddiskmkihu\u0022, \u0022request_sample\u0022: \u00220:\\u0002\\u00042\ufffd\ufffdg`2\\u0002\\u0001\\u0003\\u0004\\u0017cn=yejuwwgfbmddiskmkihu\ufffd\\u0014yejuwwgfbmddiskmkihu\u0022, \u0022payload_snippet\u0022: \u00220:\\u0002\\u00042\ufffd\ufffdg`2\\u0002\\u0001\\u0003\\u0004\\u0017cn=yejuwwgfbmddiskmkihu\ufffd\\u0014yejuwwgfbmddiskmkihu\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u00220:\\u0002\\u00042\ufffd\ufffdg`2\\u0002\\u0001\\u0003\\u0004\\u0017cn=yejuwwgfbmddiskmkihu\ufffd\\u0014yejuwwgfbmddiskmkihu\u0022, \u0022payload_snippet\u0022: \u00220:\\u0002\\u00042\ufffd\ufffdg`2\\u0002\\u0001\\u0003\\u0004\\u0017cn=yejuwwgfbmddiskmkihu\ufffd\\u0014yejuwwgfbmddiskmkihu\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002250002d855b66e189b708851491940bf38abf9210\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u00220:\\u0002\\u00042\ufffd\ufffdg`2\\u0002\\u0001\\u0003\\u0004\\u0017cn=yejuwwgfbmddiskmkihu\ufffd\\u0014yejuwwgfbmddiskmkihu\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022evidence_snippet\u0022: \u00220:2\ufffd\ufffdg`2cn=yejuwwgfbmddiskmkihu\ufffdyejuwwgfbmddiskmkihu\u0022, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u00220:\\u0002\\u00042\ufffd\ufffdg`2\\u0002\\u0001\\u0003\\u0004\\u0017cn=yejuwwgfbmddiskmkihu\ufffd\\u0014yejuwwgfbmddiskmkihu\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u00220:2\ufffd\ufffdg`2cn=yejuwwgfbmddiskmkihu\ufffdyejuwwgfbmddiskmkihu\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":3,"bytes_in":60},{"id":9538393,"ip":"146.148.127.18","ts":"2026-06-18 02:46:12.000000","proto":"tcp","src_port":55962,"dst_port":110,"service":"pop3","classification":"port_110_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002290a21a7c7c63b720da188cea6b1e41a0aed5b30f\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022pop3_probe\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u0022dc4164b66ff59a3b1d171afce3368aeb\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226d82a6eb2523f8353402da03eb253964f349b05c\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":3,"bytes_in":0},{"id":9538388,"ip":"146.148.127.18","ts":"2026-06-18 02:46:09.000000","proto":"tcp","src_port":55944,"dst_port":110,"service":"pop3","classification":"port_110_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.983740670882855, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227ba0cba937b3e4ab417fce5fba4756814d5d31b4\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00220003c8efa0acdc0c6540f4bdb920f6bc\u0022, \u0022path_pattern_hash\u0022: \u0022dc4164b66ff59a3b1d171afce3368aeb\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u000b\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u000b\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u000b\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u000b\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u000b\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022cfe2ae4a0787b638c4d6681b90512950d876f990\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u000b\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u000b\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":3,"bytes_in":19},{"id":9538389,"ip":"146.148.127.18","ts":"2026-06-18 02:46:09.000000","proto":"tcp","src_port":55954,"dst_port":110,"service":"pop3","classification":"port_110_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022bytes_in\u0022: 16, \u0022payload_entropy\u0022: 3.327819531114783, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002290a21a7c7c63b720da188cea6b1e41a0aed5b30f\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022pop3_probe\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ad32b372bf9a8e846b24a957491de4e3\u0022, \u0022path_pattern_hash\u0022: \u0022dc4164b66ff59a3b1d171afce3368aeb\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022Not a command \\r\\n\u0022, \u0022request_sample\u0022: \u0022Not a command \\r\\n\u0022, \u0022payload_snippet\u0022: \u0022Not a command\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022Not a command \\r\\n\u0022, \u0022payload_snippet\u0022: \u0022Not a command\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002277041c0cfd4439dc8cdda7fdbfde2571d0c5f879\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022Not a command\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022evidence_snippet\u0022: \u0022Not a command\u0022, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022Not a command\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022Not a command\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":3,"bytes_in":16},{"id":9538384,"ip":"146.148.127.18","ts":"2026-06-18 02:46:06.000000","proto":"tcp","src_port":55918,"dst_port":110,"service":"pop3","classification":"pop3_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022bytes_in\u0022: 32, \u0022payload_entropy\u0022: 3.4681390622295662, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227ba0cba937b3e4ab417fce5fba4756814d5d31b4\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224de7a7b57daf702dd91e6a9be4efdc81\u0022, \u0022path_pattern_hash\u0022: \u002244d5bece51c65fa33908cf3d76b6745a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0000\\u001e\\u001b\ufffd\\u0001\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0007version\\u0004bind\\u0000\\u0000\\u0010\\u0000\\u0003\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u001e\\u001b\ufffd\\u0001\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0007version\\u0004bind\\u0000\\u0000\\u0010\\u0000\\u0003\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u001e\\u001b\ufffd\\u0001\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0007version\\u0004bind\\u0000\\u0000\\u0010\\u0000\\u0003\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u001e\\u001b\ufffd\\u0001\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0007version\\u0004bind\\u0000\\u0000\\u0010\\u0000\\u0003\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u001e\\u001b\ufffd\\u0001\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0007version\\u0004bind\\u0000\\u0000\\u0010\\u0000\\u0003\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f2604141621614db41d08ebc46d24deeb1a68372\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\\u0000\\u001e\\u001b\ufffd\\u0001\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0007version\\u0004bind\\u0000\\u0000\\u0010\\u0000\\u0003\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffdversionbind\u0022, \u0022attack_vector\u0022: \u0022pop3 probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\\u0000\\u001e\\u001b\ufffd\\u0001\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0007version\\u0004bind\\u0000\\u0000\\u0010\\u0000\\u0003\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022pop3 probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffdversionbind\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":3,"bytes_in":32},{"id":9538387,"ip":"146.148.127.18","ts":"2026-06-18 02:46:06.000000","proto":"tcp","src_port":55930,"dst_port":110,"service":"pop3","classification":"port_110_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227ba0cba937b3e4ab417fce5fba4756814d5d31b4\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022pop3_probe\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u0022dc4164b66ff59a3b1d171afce3368aeb\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022de1b71cb0451c5e1ca4074f0c12ea2268a32e2d6\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":3,"bytes_in":0},{"id":9538382,"ip":"146.148.127.18","ts":"2026-06-18 02:45:59.000000","proto":"tcp","src_port":52880,"dst_port":110,"service":"pop3","classification":"port_110_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002290a21a7c7c63b720da188cea6b1e41a0aed5b30f\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022pop3_probe\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u0022dc4164b66ff59a3b1d171afce3368aeb\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226d82a6eb2523f8353402da03eb253964f349b05c\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":3,"bytes_in":0},{"id":9538373,"ip":"146.148.127.18","ts":"2026-06-18 02:45:53.000000","proto":"tcp","src_port":43680,"dst_port":110,"service":"pop3","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022bytes_in\u0022: 1481, \u0022payload_entropy\u0022: 7.733789781924833, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022449517742a599f946a186910e8d4c234ab9ecde4\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022802f56b3f7a9111aa5ffe9b251cc3fba\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd2\ufffdA\ufffd\ufffd\ufffd\ufffd\ufffd\\u001a;Tbc\u0026\ufffdC\ufffd\ufffdT\\u0007\ufffd\ufffd*[\ufffdY:R\ufffd \ufffdfl\ufffd\ufffdR9`v\ufffdGT\ufffd\ufffd6e\ufffd,R\ufffdQPG\ufffd\ufffdc\\u0019\ufffdW\\u001c\\\\\\u00002\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\ufffd#\ufffd\u0027\\u0000\u003C\ufffd\\u0007\ufffd\\u0011\\u0000\\u0005\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd2\ufffdA\ufffd\ufffd\ufffd\ufffd\ufffd\\u001a;Tbc\u0026\ufffdC\ufffd\ufffdT\\u0007\ufffd\ufffd*[\ufffdY:R\ufffd \ufffdfl\ufffd\ufffdR9`v\ufffdGT\ufffd\ufffd6e\ufffd,R\ufffdQPG\ufffd\ufffdc\\u0019\ufffdW\\u001c\\\\\\u00002\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\ufffd#\ufffd\u0027\\u0000\u003C\ufffd\\u0007\ufffd\\u0011\\u0000\\u0005\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005E\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\f\\u0000\\n\\u0011\ufffd\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0004\ufffd\\u0004\ufffd\\u0011\ufffd\\u0004\ufffd\ufffdv\\u0018:\\u0002\\\\\ufffd\ufffd#\ufffdFG}\ufffd7\ufffd\ufffde\ufffd\ufffds\ufffdV\\tE\u01d9\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd2\ufffdA\ufffd\ufffd\ufffd\ufffd\ufffd\\u001a;Tbc\u0026\ufffdC\ufffd\ufffdT\\u0007\ufffd\ufffd*[\ufffdY:R\ufffd \ufffdfl\ufffd\ufffdR9`v\ufffdGT\ufffd\ufffd6e\ufffd,R\ufffdQPG\ufffd\ufffdc\\u0019\ufffdW\\u001c\\\\\\u00002\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\ufffd#\ufffd\u0027\\u0000\u003C\ufffd\\u0007\ufffd\\u0011\\u0000\\u0005\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228fe7b87937e397c895fa0d474476ceba70d838fc\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd2\ufffdA\ufffd\ufffd\ufffd\ufffd\ufffd\\u001a;Tbc\u0026\ufffdC\ufffd\ufffdT\\u0007\ufffd\ufffd*[\ufffdY:R\ufffd \ufffdfl\ufffd\ufffdR9`v\ufffdGT\ufffd\ufffd6e\ufffd,R\ufffdQPG\ufffd\ufffdc\\u0019\ufffdW\\u001c\\\\\\u00002\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\ufffd#\ufffd\u0027\\u0000\u003C\ufffd\\u0007\ufffd\\u0011\\u0000\\u0005\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\ufffd2\ufffdA\ufffd\ufffd\ufffd\ufffd\ufffd;Tbc\u0026\ufffdC\ufffd\ufffdT\ufffd\ufffd*[\ufffdY:R\ufffd \ufffdfl\ufffd\ufffdR9`v\ufffdGT\ufffd\ufffd6e\ufffd,R\ufffdQPG\ufffd\ufffdc\ufffdW\\\\2\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\n\ufffd#\ufffd\u0027\u003C\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd2\ufffdA\ufffd\ufffd\ufffd\ufffd\ufffd\\u001a;Tbc\u0026\ufffdC\ufffd\ufffdT\\u0007\ufffd\ufffd*[\ufffdY:R\ufffd \ufffdfl\ufffd\ufffdR9`v\ufffdGT\ufffd\ufffd6e\ufffd,R\ufffdQPG\ufffd\ufffdc\\u0019\ufffdW\\u001c\\\\\\u00002\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\ufffd#\ufffd\u0027\\u0000\u003C\ufffd\\u0007\ufffd\\u0011\\u0000\\u0005\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\ufffd2\ufffdA\ufffd\ufffd\ufffd\ufffd\ufffd;Tbc\u0026\ufffdC\ufffd\ufffdT\ufffd\ufffd*[\ufffdY:R\ufffd \ufffdfl\ufffd\ufffdR9`v\ufffdGT\ufffd\ufffd6e\ufffd,R\ufffdQPG\ufffd\ufffdc\ufffdW\\\\2\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\n\ufffd#\ufffd\u0027\u003C\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022, \u0022tls_clienthello\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":1481},{"id":9538374,"ip":"146.148.127.18","ts":"2026-06-18 02:45:53.000000","proto":"tcp","src_port":43682,"dst_port":110,"service":"pop3","classification":"mongodb_wire_protocol","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022bytes_in\u0022: 121, \u0022payload_entropy\u0022: 3.1150230512705406, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 58.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6bf60ca632608bda6c12566a8ed3c30ad95fc71\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022matched_patterns\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022Mongo isMaster legacy\u0022, \u0022Mongo ismaster command\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022mongodb_probe\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022de7aa004722a47b7532d77bd58324675\u0022, \u0022path_pattern_hash\u0022: \u00229060bd55aeb34075959b54fecab264ea\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 38}, \u0022payload_snippet\u0022: \u0022;\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\\u0014\\u0000\\u0000\\u0000\\u0001hello\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd?\\u0000\u003E\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\\u0017\\u0000\\u0000\\u0000\\u0001isMaster\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd?\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022;\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\\u0014\\u0000\\u0000\\u0000\\u0001hello\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd?\\u0000\u003E\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\\u0017\\u0000\\u0000\\u0000\\u0001isMaster\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd?\\u0000\u0022, \u0022payload_snippet\u0022: \u0022;\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\\u0014\\u0000\\u0000\\u0000\\u0001hello\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd?\\u0000\u003E\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\\u0017\\u0000\\u0000\\u0000\\u0001isMaster\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd?\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c4d77aecdbe6d7dae5a7029772683bdb665dd88c\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022;\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\\u0014\\u0000\\u0000\\u0000\\u0001hello\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd?\\u0000\u003E\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\\u0017\\u0000\\u0000\\u0000\\u0001isMaster\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd?\\u0000\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022evidence_snippet\u0022: \u0022;\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdhello\ufffd?\u003E\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdisMaster\ufffd?\u0022, \u0022attack_vector\u0022: \u0022mongodb wire protocol \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022;\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\\u0014\\u0000\\u0000\\u0000\\u0001hello\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd?\\u0000\u003E\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\\u0017\\u0000\\u0000\\u0000\\u0001isMaster\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd?\\u0000\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022mongodb wire protocol \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022;\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdhello\ufffd?\u003E\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdisMaster\ufffd?\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mongodb_hello_probe\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_hello_probe\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":5,"bytes_in":121},{"id":9538375,"ip":"146.148.127.18","ts":"2026-06-18 02:45:53.000000","proto":"tcp","src_port":43686,"dst_port":110,"service":"pop3","classification":"port_110_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022bytes_in\u0022: 188, \u0022payload_entropy\u0022: 5.372025768369732, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 4.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022bfc4ad35009ea1cb25593052c6d41e50b4e98163\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022pop3_probe\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002237fc73add798c6789f65efefc8646e2e\u0022, \u0022path_pattern_hash\u0022: \u0022dc4164b66ff59a3b1d171afce3368aeb\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:110\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:110\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/127.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:110\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:110\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/127.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:110\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229ac512dc6ce1a3a1262256f5eed8243accab7269\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:110\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:110\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck\u0022, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:110\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:110\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":188},{"id":9538376,"ip":"146.148.127.18","ts":"2026-06-18 02:45:53.000000","proto":"tcp","src_port":43694,"dst_port":110,"service":"pop3","classification":"port_110_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022bytes_in\u0022: 64, \u0022payload_entropy\u0022: 5.8125, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220bc29430209a1501e4a4048f59725d53efecdcd6\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022pop3_probe\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d2a715495830ef5fef13a0c71ff46bb5\u0022, \u0022path_pattern_hash\u0022: \u0022dc4164b66ff59a3b1d171afce3368aeb\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022V\u003El$\ufffd2\ufffd8I\\u0001\ufffd\ufffd$\ufffd\ufffd\\u001ct\ufffd-\ufffdg\ufffd\\b\ufffdB\ufffd{\ufffd(\\u000e\ufffdN@}\ufffd\\u0018\ufffdWh\\b7\\u0015\ufffdB1\ufffd\ufffd\ufffd\\u0000\ufffdswHx\ufffd\ufffdcK\ufffd\\u0002\ufffd(\ufffd\ufffd\u0022, \u0022request_sample\u0022: \u0022V\u003El$\ufffd2\ufffd8I\\u0001\ufffd\ufffd$\ufffd\ufffd\\u001ct\ufffd-\ufffdg\ufffd\\b\ufffdB\ufffd{\ufffd(\\u000e\ufffdN@}\ufffd\\u0018\ufffdWh\\b7\\u0015\ufffdB1\ufffd\ufffd\ufffd\\u0000\ufffdswHx\ufffd\ufffdcK\ufffd\\u0002\ufffd(\ufffd\ufffd\u0022, \u0022payload_snippet\u0022: \u0022V\u003El$\ufffd2\ufffd8I\\u0001\ufffd\ufffd$\ufffd\ufffd\\u001ct\ufffd-\ufffdg\ufffd\\b\ufffdB\ufffd{\ufffd(\\u000e\ufffdN@}\ufffd\\u0018\ufffdWh\\b7\\u0015\ufffdB1\ufffd\ufffd\ufffd\\u0000\ufffdswHx\ufffd\ufffdcK\ufffd\\u0002\ufffd(\ufffd\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022V\u003El$\ufffd2\ufffd8I\\u0001\ufffd\ufffd$\ufffd\ufffd\\u001ct\ufffd-\ufffdg\ufffd\\b\ufffdB\ufffd{\ufffd(\\u000e\ufffdN@}\ufffd\\u0018\ufffdWh\\b7\\u0015\ufffdB1\ufffd\ufffd\ufffd\\u0000\ufffdswHx\ufffd\ufffdcK\ufffd\\u0002\ufffd(\ufffd\ufffd\u0022, \u0022payload_snippet\u0022: \u0022V\u003El$\ufffd2\ufffd8I\\u0001\ufffd\ufffd$\ufffd\ufffd\\u001ct\ufffd-\ufffdg\ufffd\\b\ufffdB\ufffd{\ufffd(\\u000e\ufffdN@}\ufffd\\u0018\ufffdWh\\b7\\u0015\ufffdB1\ufffd\ufffd\ufffd\\u0000\ufffdswHx\ufffd\ufffdcK\ufffd\\u0002\ufffd(\ufffd\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f8f3f907a389447b9b8559b80faafb949a9d0900\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022V\u003El$\ufffd2\ufffd8I\\u0001\ufffd\ufffd$\ufffd\ufffd\\u001ct\ufffd-\ufffdg\ufffd\\b\ufffdB\ufffd{\ufffd(\\u000e\ufffdN@}\ufffd\\u0018\ufffdWh\\b7\\u0015\ufffdB1\ufffd\ufffd\ufffd\\u0000\ufffdswHx\ufffd\ufffdcK\ufffd\\u0002\ufffd(\ufffd\ufffd\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022evidence_snippet\u0022: \u0022V\u003El$\ufffd2\ufffd8I\ufffd\ufffd$\ufffd\ufffdt\ufffd-\ufffdg\ufffd\ufffdB\ufffd{\ufffd(\ufffdN@}\ufffd\ufffdWh7\ufffdB1\ufffd\ufffd\ufffd\ufffdswHx\ufffd\ufffdcK\ufffd\ufffd(\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022V\u003El$\ufffd2\ufffd8I\\u0001\ufffd\ufffd$\ufffd\ufffd\\u001ct\ufffd-\ufffdg\ufffd\\b\ufffdB\ufffd{\ufffd(\\u000e\ufffdN@}\ufffd\\u0018\ufffdWh\\b7\\u0015\ufffdB1\ufffd\ufffd\ufffd\\u0000\ufffdswHx\ufffd\ufffdcK\ufffd\\u0002\ufffd(\ufffd\ufffd\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022V\u003El$\ufffd2\ufffd8I\ufffd\ufffd$\ufffd\ufffdt\ufffd-\ufffdg\ufffd\ufffdB\ufffd{\ufffd(\ufffdN@}\ufffd\ufffdWh7\ufffdB1\ufffd\ufffd\ufffd\ufffdswHx\ufffd\ufffdcK\ufffd\ufffd(\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":3,"bytes_in":64},{"id":9538379,"ip":"146.148.127.18","ts":"2026-06-18 02:45:53.000000","proto":"tcp","src_port":43696,"dst_port":110,"service":"pop3","classification":"port_110_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002290a21a7c7c63b720da188cea6b1e41a0aed5b30f\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022pop3_probe\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u0022dc4164b66ff59a3b1d171afce3368aeb\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226d82a6eb2523f8353402da03eb253964f349b05c\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":3,"bytes_in":0},{"id":9538372,"ip":"146.148.127.18","ts":"2026-06-18 02:45:50.000000","proto":"tcp","src_port":43676,"dst_port":110,"service":"pop3","classification":"port_110_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022bytes_in\u0022: 16, \u0022payload_entropy\u0022: 3.327819531114783, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220bc29430209a1501e4a4048f59725d53efecdcd6\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022pop3_probe\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ad32b372bf9a8e846b24a957491de4e3\u0022, \u0022path_pattern_hash\u0022: \u0022dc4164b66ff59a3b1d171afce3368aeb\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022Not a command \\r\\n\u0022, \u0022request_sample\u0022: \u0022Not a command \\r\\n\u0022, \u0022payload_snippet\u0022: \u0022Not a command\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022Not a command \\r\\n\u0022, \u0022payload_snippet\u0022: \u0022Not a command\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002203b20b30460b77c53f5d4f61b55969f14b8872bc\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022Not a command\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022evidence_snippet\u0022: \u0022Not a command\u0022, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022Not a command\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022Not a command\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":3,"bytes_in":16},{"id":9537697,"ip":"146.148.127.18","ts":"2026-06-18 02:32:26.000000","proto":"tcp","src_port":4690,"dst_port":110,"service":"pop3","classification":"port_110_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022bytes_in\u0022: 14, \u0022payload_entropy\u0022: 3.128085278891395, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002290a21a7c7c63b720da188cea6b1e41a0aed5b30f\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022matched_patterns\u0022: [\u0022pat-0414\u0022], \u0022matched_pattern_names\u0022: [\u0022Redis PING RESP\u0022], \u0022pattern_ids\u0022: [\u0022pat-0414\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022pop3_probe\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a43cb6a3b9d261112714d00e36b33106\u0022, \u0022path_pattern_hash\u0022: \u0022dc4164b66ff59a3b1d171afce3368aeb\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022*1\\r\\n$4\\r\\nPING\\r\\n\u0022, \u0022request_sample\u0022: \u0022*1\\r\\n$4\\r\\nPING\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022*1\\r\\n$4\\r\\nPING\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022*1\\r\\n$4\\r\\nPING\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022*1\\r\\n$4\\r\\nPING\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224b91035ab300bb1c257fb87be22dc1836100b139\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022*1\\r\\n$4\\r\\nPING\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022evidence_snippet\u0022: \u0022*1\\r\\n$4\\r\\nPING\u0022, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022*1\\r\\n$4\\r\\nPING\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022*1\\r\\n$4\\r\\nPING\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":3,"bytes_in":14},{"id":9537698,"ip":"146.148.127.18","ts":"2026-06-18 02:32:26.000000","proto":"tcp","src_port":4702,"dst_port":110,"service":"pop3","classification":"mqtt_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 3.281373409411991, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 54.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b136edc38db83ad57b9c90e3e1a9bebf4c8023ca\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 97%\u0022, \u0022confidence\u0022: 0.97, \u0022classification_confidence\u0022: 0.97, \u0022precision_score\u0022: 110, \u0022precision_signals\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022], \u0022matched_patterns\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022MQTT protocol\u0022, \u0022MQTT alt CONNECT\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 97.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022146feb4208f989935534a353df60ec62\u0022, \u0022path_pattern_hash\u0022: \u00224449b927317468afa12a2f935a413459\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022\\u0010\\u0011\\u0000\\u0004MQTT\\u0003\\u0002\\u0000\u003C\\u0000\\u0005AAAAA\u0022, \u0022request_sample\u0022: \u0022\\u0010\\u0011\\u0000\\u0004MQTT\\u0003\\u0002\\u0000\u003C\\u0000\\u0005AAAAA\u0022, \u0022payload_snippet\u0022: \u0022\\u0010\\u0011\\u0000\\u0004MQTT\\u0003\\u0002\\u0000\u003C\\u0000\\u0005AAAAA\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0010\\u0011\\u0000\\u0004MQTT\\u0003\\u0002\\u0000\u003C\\u0000\\u0005AAAAA\u0022, \u0022payload_snippet\u0022: \u0022\\u0010\\u0011\\u0000\\u0004MQTT\\u0003\\u0002\\u0000\u003C\\u0000\\u0005AAAAA\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 97%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228e6f109176798254c40497eddfe2b82130606e1b\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\\u0010\\u0011\\u0000\\u0004MQTT\\u0003\\u0002\\u0000\u003C\\u0000\\u0005AAAAA\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022evidence_snippet\u0022: \u0022MQTT\u003CAAAAA\u0022, \u0022attack_vector\u0022: \u0022mqtt probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 97 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 97%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 97%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 97, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\\u0010\\u0011\\u0000\\u0004MQTT\\u0003\\u0002\\u0000\u003C\\u0000\\u0005AAAAA\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022mqtt probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022MQTT\u003CAAAAA\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 97 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 97 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mqtt_connect\u0022, \u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mqtt_connect\u0022, \u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":19},{"id":9537700,"ip":"146.148.127.18","ts":"2026-06-18 02:32:26.000000","proto":"tcp","src_port":4708,"dst_port":110,"service":"pop3","classification":"port_110_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022bytes_in\u0022: 14, \u0022payload_entropy\u0022: 3.6644977792004623, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002290a21a7c7c63b720da188cea6b1e41a0aed5b30f\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022pop3_probe\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d7cf99dd7541d7bd514fc0d9a1b2d531\u0022, \u0022path_pattern_hash\u0022: \u0022dc4164b66ff59a3b1d171afce3368aeb\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022JDWP-Handshake\u0022, \u0022request_sample\u0022: \u0022JDWP-Handshake\u0022, \u0022payload_snippet\u0022: \u0022JDWP-Handshake\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022JDWP-Handshake\u0022, \u0022payload_snippet\u0022: \u0022JDWP-Handshake\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022fa580366a7cbe6c34adf288a5126d96d893a6f89\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022JDWP-Handshake\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022evidence_snippet\u0022: \u0022JDWP-Handshake\u0022, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022JDWP-Handshake\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022JDWP-Handshake\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":3,"bytes_in":14},{"id":9537701,"ip":"146.148.127.18","ts":"2026-06-18 02:32:26.000000","proto":"tcp","src_port":4722,"dst_port":110,"service":"pop3","classification":"java_rmi_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022bytes_in\u0022: 7, \u0022payload_entropy\u0022: 2.807354922057604, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002290a21a7c7c63b720da188cea6b1e41a0aed5b30f\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0604\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0604\u0022], \u0022matched_patterns\u0022: [\u0022pat-0604\u0022], \u0022matched_pattern_names\u0022: [\u0022Java RMI JRMI\u0022], \u0022pattern_ids\u0022: [\u0022pat-0604\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d8c49a0f759e2102fb8fa8368049d06a\u0022, \u0022path_pattern_hash\u0022: \u00227a566ca86213ccd15a91c0b5a885a24f\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022request_sample\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022payload_snippet\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022payload_snippet\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022enterprise_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002246bef58c2a08881249be93277bf3090a6a7f6ada\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022evidence_snippet\u0022: \u0022JRMIK\u0022, \u0022attack_vector\u0022: \u0022java rmi probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0604\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0604\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022java rmi probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022JRMIK\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":3,"bytes_in":7},{"id":9537702,"ip":"146.148.127.18","ts":"2026-06-18 02:32:26.000000","proto":"tcp","src_port":4732,"dst_port":110,"service":"pop3","classification":"mqtt_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022bytes_in\u0022: 20, \u0022payload_entropy\u0022: 3.1414460711655217, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 54.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b136edc38db83ad57b9c90e3e1a9bebf4c8023ca\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 97%\u0022, \u0022confidence\u0022: 0.97, \u0022classification_confidence\u0022: 0.97, \u0022precision_score\u0022: 110, \u0022precision_signals\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022], \u0022matched_patterns\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022MQTT protocol\u0022, \u0022MQTT alt CONNECT\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 97.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00228cbaa0e25147458ba5f5f0e8603c4f19\u0022, \u0022path_pattern_hash\u0022: \u00224449b927317468afa12a2f935a413459\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022\\u0010\\u0012\\u0000\\u0004MQTT\\u0005\\u0002\\u0000\u003C\\u0000\\u0000\\u0005AAAAA\u0022, \u0022request_sample\u0022: \u0022\\u0010\\u0012\\u0000\\u0004MQTT\\u0005\\u0002\\u0000\u003C\\u0000\\u0000\\u0005AAAAA\u0022, \u0022payload_snippet\u0022: \u0022\\u0010\\u0012\\u0000\\u0004MQTT\\u0005\\u0002\\u0000\u003C\\u0000\\u0000\\u0005AAAAA\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0010\\u0012\\u0000\\u0004MQTT\\u0005\\u0002\\u0000\u003C\\u0000\\u0000\\u0005AAAAA\u0022, \u0022payload_snippet\u0022: \u0022\\u0010\\u0012\\u0000\\u0004MQTT\\u0005\\u0002\\u0000\u003C\\u0000\\u0000\\u0005AAAAA\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 97%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f6ebe6b68ac93c4c76ff0a6ba95c312b62e2bfb2\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\\u0010\\u0012\\u0000\\u0004MQTT\\u0005\\u0002\\u0000\u003C\\u0000\\u0000\\u0005AAAAA\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022evidence_snippet\u0022: \u0022MQTT\u003CAAAAA\u0022, \u0022attack_vector\u0022: \u0022mqtt probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 97 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 97%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 97%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 97, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\\u0010\\u0012\\u0000\\u0004MQTT\\u0005\\u0002\\u0000\u003C\\u0000\\u0000\\u0005AAAAA\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022mqtt probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022MQTT\u003CAAAAA\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 97 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 97 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mqtt_connect\u0022, \u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mqtt_connect\u0022, \u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":20},{"id":9537703,"ip":"146.148.127.18","ts":"2026-06-18 02:32:26.000000","proto":"tcp","src_port":4746,"dst_port":110,"service":"pop3","classification":"port_110_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022bytes_in\u0022: 12, \u0022payload_entropy\u0022: 3.584962500721156, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002290a21a7c7c63b720da188cea6b1e41a0aed5b30f\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022pop3_probe\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b2993d6e4414a846683a71de5eb18653\u0022, \u0022path_pattern_hash\u0022: \u0022dc4164b66ff59a3b1d171afce3368aeb\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022@RSYTCD: 29\\n\u0022, \u0022request_sample\u0022: \u0022@RSYTCD: 29\\n\u0022, \u0022payload_snippet\u0022: \u0022@RSYTCD: 29\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022@RSYTCD: 29\\n\u0022, \u0022payload_snippet\u0022: \u0022@RSYTCD: 29\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002263b0b68cba582f45642d56cbfa05d0c5ae80cf67\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022@RSYTCD: 29\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022evidence_snippet\u0022: \u0022@RSYTCD: 29\u0022, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022@RSYTCD: 29\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022@RSYTCD: 29\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":3,"bytes_in":12},{"id":9537704,"ip":"146.148.127.18","ts":"2026-06-18 02:32:26.000000","proto":"tcp","src_port":4756,"dst_port":110,"service":"pop3","classification":"oracle_tns_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.127911658718781, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 54.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002290a21a7c7c63b720da188cea6b1e41a0aed5b30f\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 47%\u0022, \u0022confidence\u0022: 0.47, \u0022classification_confidence\u0022: 0.47, \u0022precision_score\u0022: 56, \u0022precision_signals\u0022: [\u0022pat-0520\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0520\u0022], \u0022matched_patterns\u0022: [\u0022pat-0520\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022Oracle TNS connect\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0520\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 47.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a4128a3063c2666570c280a6e2b7f6cc\u0022, \u0022path_pattern_hash\u0022: \u0022420e91c120535c16728a9791d446fafc\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0000\ufffd\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\u003C\\u0001,\\u0000\\u0000\ufffd\\u0000\ufffd\\b\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\\u0000:\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123\u0022, \u0022request_sample\u0022: \u0022\\u0000\ufffd\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\u003C\\u0001,\\u0000\\u0000\ufffd\\u0000\ufffd\\b\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\\u0000:\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123-a-a-bc-asdf)(CID=(PROGRAM=sqlplus)(HOST=__jdbc__)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=62.3.50.33)(PORT=110)))\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\ufffd\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\u003C\\u0001,\\u0000\\u0000\ufffd\\u0000\ufffd\\b\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\\u0000:\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\ufffd\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\u003C\\u0001,\\u0000\\u0000\ufffd\\u0000\ufffd\\b\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\\u0000:\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123-a-a-bc-asdf)(CID=(PROGRAM=sqlplus)(HOST=__jdbc__)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=62.3.50.33)(PORT=110)))\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\ufffd\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\u003C\\u0001,\\u0000\\u0000\ufffd\\u0000\ufffd\\b\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\\u0000:\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 47%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a54d5a1c2ee43864b18a645884d3e25fa4459efd\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\\u0000\ufffd\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\u003C\\u0001,\\u0000\\u0000\ufffd\\u0000\ufffd\\b\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\\u0000:\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\u003C,\ufffd\ufffd\ufffd:(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123\u0022, \u0022attack_vector\u0022: \u0022oracle tns probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 47 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 47%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 47%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 47, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0520\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0520\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\\u0000\ufffd\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\u003C\\u0001,\\u0000\\u0000\ufffd\\u0000\ufffd\\b\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\\u0000:\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022oracle tns probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u003C,\ufffd\ufffd\ufffd:(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 47 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 47 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":3,"bytes_in":239},{"id":9537705,"ip":"146.148.127.18","ts":"2026-06-18 02:32:26.000000","proto":"tcp","src_port":4758,"dst_port":110,"service":"pop3","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 4.139167728978457, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 10.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 10.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224dd39330461cf3ca280bcc759d61ab53bea1d9cf\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 10.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002294e606a42613d0ef095b8001a98bf6ed\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000T\\u0000\\u0003\\u0000\\u0000user\\u0000postgres\\u0000database\\u0000postgres\\u0000application_name\\u0000psql\\u0000client_encoding\\u0000UTF8\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000T\\u0000\\u0003\\u0000\\u0000user\\u0000postgres\\u0000database\\u0000postgres\\u0000application_name\\u0000psql\\u0000client_encoding\\u0000UTF8\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000T\\u0000\\u0003\\u0000\\u0000user\\u0000postgres\\u0000database\\u0000postgres\\u0000application_name\\u0000psql\\u0000client_encoding\\u0000UTF8\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000T\\u0000\\u0003\\u0000\\u0000user\\u0000postgres\\u0000database\\u0000postgres\\u0000application_name\\u0000psql\\u0000client_encoding\\u0000UTF8\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000T\\u0000\\u0003\\u0000\\u0000user\\u0000postgres\\u0000database\\u0000postgres\\u0000application_name\\u0000psql\\u0000client_encoding\\u0000UTF8\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002265e11fe15496fe5b89191251935d92a003bc42d7\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000T\\u0000\\u0003\\u0000\\u0000user\\u0000postgres\\u0000database\\u0000postgres\\u0000application_name\\u0000psql\\u0000client_encoding\\u0000UTF8\\u0000\\u0000\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022evidence_snippet\u0022: \u0022Tuserpostgresdatabasepostgresapplication_namepsqlclient_encodingUTF8\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 10.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000T\\u0000\\u0003\\u0000\\u0000user\\u0000postgres\\u0000database\\u0000postgres\\u0000application_name\\u0000psql\\u0000client_encoding\\u0000UTF8\\u0000\\u0000\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022Tuserpostgresdatabasepostgresapplication_namepsqlclient_encodingUTF8\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022, \u0022postgres_startup\u0022, \u0022postgresql_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022, \u0022postgres_startup\u0022, \u0022postgresql_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":84},{"id":9537706,"ip":"146.148.127.18","ts":"2026-06-18 02:32:26.000000","proto":"tcp","src_port":4768,"dst_port":110,"service":"pop3","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022bytes_in\u0022: 51, \u0022payload_entropy\u0022: 4.814103037837824, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002290a21a7c7c63b720da188cea6b1e41a0aed5b30f\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0382\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222d6f6414328116f313debba46c677989\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/example.com RTSP\/1.0\\r\\nCseq: 7380\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/example.com RTSP\/1.0\\r\\nCseq: 7380\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/example.com RTSP\/1.0\\r\\nCseq: 7380\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/example.com RTSP\/1.0\\r\\nCseq: 7380\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/example.com RTSP\/1.0\\r\\nCseq: 7380\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225fa2515023dedb108a422b765885e4dc1f20be71\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/example.com RTSP\/1.0\\r\\nCseq: 7380\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/example.com RTSP\/1.0\\r\\nCseq: 7380\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 42\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/example.com RTSP\/1.0\\r\\nCseq: 7380\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/example.com RTSP\/1.0\\r\\nCseq: 7380\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":3,"bytes_in":51},{"id":9537694,"ip":"146.148.127.18","ts":"2026-06-18 02:32:25.000000","proto":"tcp","src_port":4666,"dst_port":110,"service":"pop3","classification":"pop3_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.9235205817738175, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224c2d8e4d9abc622803b6e39b98ef2b0304719c2c\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0532\u0022], \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222a177602bee0d039f41fbd6da5240e04\u0022, \u0022path_pattern_hash\u0022: \u002244d5bece51c65fa33908cf3d76b6745a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(r\ufffd\\u001d\\u0013\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001\ufffd|\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000(r\ufffd\\u001d\\u0013\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001\ufffd|\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000(r\ufffd\\u001d\\u0013\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001\ufffd|\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000(r\ufffd\\u001d\\u0013\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001\ufffd|\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000(r\ufffd\\u001d\\u0013\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001\ufffd|\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226a83a1636a54f9274129009ed123c16cb591d9f5\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(r\ufffd\\u001d\\u0013\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001\ufffd|\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd(r\ufffd\ufffd\ufffd\ufffd|\u0022, \u0022attack_vector\u0022: \u0022pop3 probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0532\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0532\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(r\ufffd\\u001d\\u0013\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001\ufffd|\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022pop3 probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd(r\ufffd\ufffd\ufffd\ufffd|\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 2, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":44},{"id":9537695,"ip":"146.148.127.18","ts":"2026-06-18 02:32:25.000000","proto":"tcp","src_port":4680,"dst_port":110,"service":"pop3","classification":"pop3_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022bytes_in\u0022: 106, \u0022payload_entropy\u0022: 1.562219115128654, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002290a21a7c7c63b720da188cea6b1e41a0aed5b30f\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0532\u0022], \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c410cf23b3d85ec98026baf9f8231d24\u0022, \u0022path_pattern_hash\u0022: \u002244d5bece51c65fa33908cf3d76b6745a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000f\ufffdSMB@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000$\\u0000\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0013333333333333337\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0002\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000f\ufffdSMB@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000$\\u0000\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0013333333333333337\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000f\ufffdSMB@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000$\\u0000\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0013333333333333337\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0002\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000f\ufffdSMB@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000$\\u0000\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0013333333333333337\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000f\ufffdSMB@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000$\\u0000\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0013333333333333337\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0002\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a66710b35c95baa8a3687875225bf263195e65b7\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000f\ufffdSMB@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000$\\u0000\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0013333333333333337\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0002\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022evidence_snippet\u0022: \u0022f\ufffdSMB@$333333333333337\u0022, \u0022attack_vector\u0022: \u0022pop3 probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0532\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0532\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000f\ufffdSMB@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000$\\u0000\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0013333333333333337\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0002\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022pop3 probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022f\ufffdSMB@$333333333333337\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":3,"bytes_in":106},{"id":9537696,"ip":"146.148.127.18","ts":"2026-06-18 02:32:25.000000","proto":"tcp","src_port":4682,"dst_port":110,"service":"pop3","classification":"pop3_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022bytes_in\u0022: 12, \u0022payload_entropy\u0022: 2.125814583693911, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002290a21a7c7c63b720da188cea6b1e41a0aed5b30f\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222eed46cb2794bfdd839e705847237bda\u0022, \u0022path_pattern_hash\u0022: \u002244d5bece51c65fa33908cf3d76b6745a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022P\ufffd\\u0000\\u0000\\u0000\\u0006\\u0001\\u0002\\u0000\\u0000\\u0000\\u0001\u0022, \u0022request_sample\u0022: \u0022P\ufffd\\u0000\\u0000\\u0000\\u0006\\u0001\\u0002\\u0000\\u0000\\u0000\\u0001\u0022, \u0022payload_snippet\u0022: \u0022P\ufffd\\u0000\\u0000\\u0000\\u0006\\u0001\\u0002\\u0000\\u0000\\u0000\\u0001\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022P\ufffd\\u0000\\u0000\\u0000\\u0006\\u0001\\u0002\\u0000\\u0000\\u0000\\u0001\u0022, \u0022payload_snippet\u0022: \u0022P\ufffd\\u0000\\u0000\\u0000\\u0006\\u0001\\u0002\\u0000\\u0000\\u0000\\u0001\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d1c0828ed8bf9331d70758a033ad725e989de413\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022P\ufffd\\u0000\\u0000\\u0000\\u0006\\u0001\\u0002\\u0000\\u0000\\u0000\\u0001\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022evidence_snippet\u0022: \u0022P\ufffd\u0022, \u0022attack_vector\u0022: \u0022pop3 probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022P\ufffd\\u0000\\u0000\\u0000\\u0006\\u0001\\u0002\\u0000\\u0000\\u0000\\u0001\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022pop3 probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022P\ufffd\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":3,"bytes_in":12},{"id":9537689,"ip":"146.148.127.18","ts":"2026-06-18 02:32:22.000000","proto":"tcp","src_port":23048,"dst_port":110,"service":"pop3","classification":"kafka_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022bytes_in\u0022: 71, \u0022payload_entropy\u0022: 4.83906190787142, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002290a21a7c7c63b720da188cea6b1e41a0aed5b30f\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 47%\u0022, \u0022confidence\u0022: 0.47, \u0022classification_confidence\u0022: 0.47, \u0022precision_score\u0022: 56, \u0022precision_signals\u0022: [\u0022pat-0556\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0556\u0022], \u0022matched_patterns\u0022: [\u0022pat-0556\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022Kafka ApiVersions key\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0556\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 47.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d9bcc621186ef441cc445f2b3dbd5f10\u0022, \u0022path_pattern_hash\u0022: \u0022369bfdf011acc5969bcb68a7ffd2ca13\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000C\\u0000\\u0012\\u0000\\u0000\\u001e3\ufffd\\u0000\\u001fconsumer-Offset Explorer 2.2-18\\u0000\\u0012apache-kafka-java\\u00062.4.0\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000C\\u0000\\u0012\\u0000\\u0000\\u001e3\ufffd\\u0000\\u001fconsumer-Offset Explorer 2.2-18\\u0000\\u0012apache-kafka-java\\u00062.4.0\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000C\\u0000\\u0012\\u0000\\u0000\\u001e3\ufffd\\u0000\\u001fconsumer-Offset Explorer 2.2-18\\u0000\\u0012apache-kafka-java\\u00062.4.0\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000C\\u0000\\u0012\\u0000\\u0000\\u001e3\ufffd\\u0000\\u001fconsumer-Offset Explorer 2.2-18\\u0000\\u0012apache-kafka-java\\u00062.4.0\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000C\\u0000\\u0012\\u0000\\u0000\\u001e3\ufffd\\u0000\\u001fconsumer-Offset Explorer 2.2-18\\u0000\\u0012apache-kafka-java\\u00062.4.0\\u0000\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 47%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022enterprise_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022620ed84601441313cce112870e8e7314fa819d11\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000C\\u0000\\u0012\\u0000\\u0000\\u001e3\ufffd\\u0000\\u001fconsumer-Offset Explorer 2.2-18\\u0000\\u0012apache-kafka-java\\u00062.4.0\\u0000\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022evidence_snippet\u0022: \u0022C3\ufffdconsumer-Offset Explorer 2.2-18apache-kafka-java2.4.0\u0022, \u0022attack_vector\u0022: \u0022kafka probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 47 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 47%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 47%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 47, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0556\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0556\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000C\\u0000\\u0012\\u0000\\u0000\\u001e3\ufffd\\u0000\\u001fconsumer-Offset Explorer 2.2-18\\u0000\\u0012apache-kafka-java\\u00062.4.0\\u0000\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022kafka probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022C3\ufffdconsumer-Offset Explorer 2.2-18apache-kafka-java2.4.0\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 47 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 47 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":3,"bytes_in":71},{"id":9537690,"ip":"146.148.127.18","ts":"2026-06-18 02:32:22.000000","proto":"tcp","src_port":23062,"dst_port":110,"service":"pop3","classification":"port_110_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022bytes_in\u0022: 39, \u0022payload_entropy\u0022: 4.033898749447537, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 10.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 10.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224dd39330461cf3ca280bcc759d61ab53bea1d9cf\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 10.0, \u0022risk_score\u0022: 40}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002219686e67de71b5e7bd515120b6fce979\u0022, \u0022path_pattern_hash\u0022: \u0022dc4164b66ff59a3b1d171afce3368aeb\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000#\\u0000\\u0003\\u0000\\u0000\\u001e3\ufffd\\u0000\\radminclient-5\\u0000\\u0000\\u0000\\u0001\\u0000\\u0006C2dn3x\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000#\\u0000\\u0003\\u0000\\u0000\\u001e3\ufffd\\u0000\\radminclient-5\\u0000\\u0000\\u0000\\u0001\\u0000\\u0006C2dn3x\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000#\\u0000\\u0003\\u0000\\u0000\\u001e3\ufffd\\u0000\\radminclient-5\\u0000\\u0000\\u0000\\u0001\\u0000\\u0006C2dn3x\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000#\\u0000\\u0003\\u0000\\u0000\\u001e3\ufffd\\u0000\\radminclient-5\\u0000\\u0000\\u0000\\u0001\\u0000\\u0006C2dn3x\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000#\\u0000\\u0003\\u0000\\u0000\\u001e3\ufffd\\u0000\\radminclient-5\\u0000\\u0000\\u0000\\u0001\\u0000\\u0006C2dn3x\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d6adf87e2fa51038cf1b619d0b0bc0ddafe9809b\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000#\\u0000\\u0003\\u0000\\u0000\\u001e3\ufffd\\u0000\\radminclient-5\\u0000\\u0000\\u0000\\u0001\\u0000\\u0006C2dn3x\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022evidence_snippet\u0022: \u0022#3\ufffd\\radminclient-5C2dn3x\u0022, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 10.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000#\\u0000\\u0003\\u0000\\u0000\\u001e3\ufffd\\u0000\\radminclient-5\\u0000\\u0000\\u0000\\u0001\\u0000\\u0006C2dn3x\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022#3\ufffd\\radminclient-5C2dn3x\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022, \u0022postgres_startup\u0022, \u0022postgresql_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022, \u0022postgres_startup\u0022, \u0022postgresql_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":39},{"id":9537693,"ip":"146.148.127.18","ts":"2026-06-18 02:32:22.000000","proto":"tcp","src_port":23068,"dst_port":110,"service":"pop3","classification":"port_110_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002290a21a7c7c63b720da188cea6b1e41a0aed5b30f\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022pop3_probe\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u0022dc4164b66ff59a3b1d171afce3368aeb\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226d82a6eb2523f8353402da03eb253964f349b05c\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":3,"bytes_in":0},{"id":9537686,"ip":"146.148.127.18","ts":"2026-06-18 02:32:19.000000","proto":"tcp","src_port":23018,"dst_port":110,"service":"pop3","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022bytes_in\u0022: 88, \u0022payload_entropy\u0022: 4.354527413223707, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022726ed118df54a678eb75d34ceb20ad5e79cd827a\u0022, \u0022event_fingerprint\u0022: \u00229220bac2adc3c594b4910f2407683c9d020ff636\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0519\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0519\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0519\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0519\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00220efe38694fbb4cc2af819186b5e9ae9e\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0012\\u0001\\u0000X\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u001f\\u0000\\u0006\\u0001\\u0000%\\u0000\\u0001\\u0002\\u0000\u0026\\u0000\\u0001\\u0003\\u0000\u0027\\u0000\\u0004\\u0004\\u0000+\\u0000\\u0001\\u0005\\u0000,\\u0000$\ufffd\\u0011\\t\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\\\\\ufffdk\ufffd\\u001f\u066a\u003C\\u0013K\ufffd{\ufffd\\u0003\\\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0012\\u0001\\u0000X\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u001f\\u0000\\u0006\\u0001\\u0000%\\u0000\\u0001\\u0002\\u0000\u0026\\u0000\\u0001\\u0003\\u0000\u0027\\u0000\\u0004\\u0004\\u0000+\\u0000\\u0001\\u0005\\u0000,\\u0000$\ufffd\\u0011\\t\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\\\\\ufffdk\ufffd\\u001f\u066a\u003C\\u0013K\ufffd{\ufffd\\u0003\\\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0012\\u0001\\u0000X\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u001f\\u0000\\u0006\\u0001\\u0000%\\u0000\\u0001\\u0002\\u0000\u0026\\u0000\\u0001\\u0003\\u0000\u0027\\u0000\\u0004\\u0004\\u0000+\\u0000\\u0001\\u0005\\u0000,\\u0000$\ufffd\\u0011\\t\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\\\\\ufffdk\ufffd\\u001f\u066a\u003C\\u0013K\ufffd{\ufffd\\u0003\\\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0012\\u0001\\u0000X\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u001f\\u0000\\u0006\\u0001\\u0000%\\u0000\\u0001\\u0002\\u0000\u0026\\u0000\\u0001\\u0003\\u0000\u0027\\u0000\\u0004\\u0004\\u0000+\\u0000\\u0001\\u0005\\u0000,\\u0000$\ufffd\\u0011\\t\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\\\\\ufffdk\ufffd\\u001f\u066a\u003C\\u0013K\ufffd{\ufffd\\u0003\\\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0012\\u0001\\u0000X\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u001f\\u0000\\u0006\\u0001\\u0000%\\u0000\\u0001\\u0002\\u0000\u0026\\u0000\\u0001\\u0003\\u0000\u0027\\u0000\\u0004\\u0004\\u0000+\\u0000\\u0001\\u0005\\u0000,\\u0000$\ufffd\\u0011\\t\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\\\\\ufffdk\ufffd\\u001f\u066a\u003C\\u0013K\ufffd{\ufffd\\u0003\\\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228961e485cb0c90823478f1c8591dced50c06a619\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\\u0012\\u0001\\u0000X\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u001f\\u0000\\u0006\\u0001\\u0000%\\u0000\\u0001\\u0002\\u0000\u0026\\u0000\\u0001\\u0003\\u0000\u0027\\u0000\\u0004\\u0004\\u0000+\\u0000\\u0001\\u0005\\u0000,\\u0000$\ufffd\\u0011\\t\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\\\\\ufffdk\ufffd\\u001f\u066a\u003C\\u0013K\ufffd{\ufffd\\u0003\\\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022evidence_snippet\u0022: \u0022X%\u0026\u0027+,$\ufffd\\t\ufffd\ufffd\ufffd\\\\\ufffdk\ufffd\u066a\u003CK\ufffd{\ufffd\\\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0519\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0519\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\\u0012\\u0001\\u0000X\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u001f\\u0000\\u0006\\u0001\\u0000%\\u0000\\u0001\\u0002\\u0000\u0026\\u0000\\u0001\\u0003\\u0000\u0027\\u0000\\u0004\\u0004\\u0000+\\u0000\\u0001\\u0005\\u0000,\\u0000$\ufffd\\u0011\\t\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\\\\\ufffdk\ufffd\\u001f\u066a\u003C\\u0013K\ufffd{\ufffd\\u0003\\\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022X%\u0026\u0027+,$\ufffd\\t\ufffd\ufffd\ufffd\\\\\ufffdk\ufffd\u066a\u003CK\ufffd{\ufffd\\\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mssql_tds\u0022, \u0022net_bruteforce_burst\u0022, \u0022net_mssql_tds\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mssql_tds\u0022, \u0022net_bruteforce_burst\u0022, \u0022net_mssql_tds\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":5,"bytes_in":88},{"id":9537687,"ip":"146.148.127.18","ts":"2026-06-18 02:32:19.000000","proto":"tcp","src_port":23034,"dst_port":110,"service":"pop3","classification":"port_110_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022bytes_in\u0022: 60, \u0022payload_entropy\u0022: 4.806890595608518, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002290a21a7c7c63b720da188cea6b1e41a0aed5b30f\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022pop3_probe\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e847516bfa9f9b1d59e6946dab08dd70\u0022, \u0022path_pattern_hash\u0022: \u0022dc4164b66ff59a3b1d171afce3368aeb\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u00220:\\u0002\\u0004r\ufffdI\\u0014`2\\u0002\\u0001\\u0003\\u0004\\u0017cn=ikimtfpxljvbvapqqoxy\ufffd\\u0014ikimtfpxljvbvapqqoxy\u0022, \u0022request_sample\u0022: \u00220:\\u0002\\u0004r\ufffdI\\u0014`2\\u0002\\u0001\\u0003\\u0004\\u0017cn=ikimtfpxljvbvapqqoxy\ufffd\\u0014ikimtfpxljvbvapqqoxy\u0022, \u0022payload_snippet\u0022: \u00220:\\u0002\\u0004r\ufffdI\\u0014`2\\u0002\\u0001\\u0003\\u0004\\u0017cn=ikimtfpxljvbvapqqoxy\ufffd\\u0014ikimtfpxljvbvapqqoxy\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u00220:\\u0002\\u0004r\ufffdI\\u0014`2\\u0002\\u0001\\u0003\\u0004\\u0017cn=ikimtfpxljvbvapqqoxy\ufffd\\u0014ikimtfpxljvbvapqqoxy\u0022, \u0022payload_snippet\u0022: \u00220:\\u0002\\u0004r\ufffdI\\u0014`2\\u0002\\u0001\\u0003\\u0004\\u0017cn=ikimtfpxljvbvapqqoxy\ufffd\\u0014ikimtfpxljvbvapqqoxy\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221e5db9442a1a9c47d0eb899c7b8ac2860089e636\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u00220:\\u0002\\u0004r\ufffdI\\u0014`2\\u0002\\u0001\\u0003\\u0004\\u0017cn=ikimtfpxljvbvapqqoxy\ufffd\\u0014ikimtfpxljvbvapqqoxy\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022evidence_snippet\u0022: \u00220:r\ufffdI`2cn=ikimtfpxljvbvapqqoxy\ufffdikimtfpxljvbvapqqoxy\u0022, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u00220:\\u0002\\u0004r\ufffdI\\u0014`2\\u0002\\u0001\\u0003\\u0004\\u0017cn=ikimtfpxljvbvapqqoxy\ufffd\\u0014ikimtfpxljvbvapqqoxy\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u00220:r\ufffdI`2cn=ikimtfpxljvbvapqqoxy\ufffdikimtfpxljvbvapqqoxy\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":3,"bytes_in":60},{"id":9537685,"ip":"146.148.127.18","ts":"2026-06-18 02:32:16.000000","proto":"tcp","src_port":23004,"dst_port":110,"service":"pop3","classification":"port_110_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002290a21a7c7c63b720da188cea6b1e41a0aed5b30f\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022pop3_probe\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u0022dc4164b66ff59a3b1d171afce3368aeb\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226d82a6eb2523f8353402da03eb253964f349b05c\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":3,"bytes_in":0},{"id":9537677,"ip":"146.148.127.18","ts":"2026-06-18 02:32:13.000000","proto":"tcp","src_port":34564,"dst_port":110,"service":"pop3","classification":"port_110_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.983740670882855, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227ba0cba937b3e4ab417fce5fba4756814d5d31b4\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00220003c8efa0acdc0c6540f4bdb920f6bc\u0022, \u0022path_pattern_hash\u0022: \u0022dc4164b66ff59a3b1d171afce3368aeb\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u000b\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u000b\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u000b\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u000b\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u000b\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022cfe2ae4a0787b638c4d6681b90512950d876f990\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u000b\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u000b\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":3,"bytes_in":19},{"id":9537679,"ip":"146.148.127.18","ts":"2026-06-18 02:32:13.000000","proto":"tcp","src_port":34576,"dst_port":110,"service":"pop3","classification":"port_110_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022bytes_in\u0022: 16, \u0022payload_entropy\u0022: 3.327819531114783, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002290a21a7c7c63b720da188cea6b1e41a0aed5b30f\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022pop3_probe\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ad32b372bf9a8e846b24a957491de4e3\u0022, \u0022path_pattern_hash\u0022: \u0022dc4164b66ff59a3b1d171afce3368aeb\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022Not a command \\r\\n\u0022, \u0022request_sample\u0022: \u0022Not a command \\r\\n\u0022, \u0022payload_snippet\u0022: \u0022Not a command\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022Not a command \\r\\n\u0022, \u0022payload_snippet\u0022: \u0022Not a command\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002277041c0cfd4439dc8cdda7fdbfde2571d0c5f879\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022Not a command\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022evidence_snippet\u0022: \u0022Not a command\u0022, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022Not a command\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022Not a command\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":3,"bytes_in":16},{"id":9537673,"ip":"146.148.127.18","ts":"2026-06-18 02:32:10.000000","proto":"tcp","src_port":34554,"dst_port":110,"service":"pop3","classification":"pop3_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022bytes_in\u0022: 32, \u0022payload_entropy\u0022: 3.4681390622295662, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227ba0cba937b3e4ab417fce5fba4756814d5d31b4\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022fd9da7e902160a46f7f582ddd7810e33\u0022, \u0022path_pattern_hash\u0022: \u002244d5bece51c65fa33908cf3d76b6745a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0000\\u001eT\ufffd\\u0001\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0007version\\u0004bind\\u0000\\u0000\\u0010\\u0000\\u0003\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u001eT\ufffd\\u0001\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0007version\\u0004bind\\u0000\\u0000\\u0010\\u0000\\u0003\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u001eT\ufffd\\u0001\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0007version\\u0004bind\\u0000\\u0000\\u0010\\u0000\\u0003\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u001eT\ufffd\\u0001\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0007version\\u0004bind\\u0000\\u0000\\u0010\\u0000\\u0003\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u001eT\ufffd\\u0001\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0007version\\u0004bind\\u0000\\u0000\\u0010\\u0000\\u0003\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e1156bbf19ccead73ef0078b1b17713fbcf8a376\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\\u0000\\u001eT\ufffd\\u0001\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0007version\\u0004bind\\u0000\\u0000\\u0010\\u0000\\u0003\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022evidence_snippet\u0022: \u0022T\ufffdversionbind\u0022, \u0022attack_vector\u0022: \u0022pop3 probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022payload_preview\u0022: \u0022\\u0000\\u001eT\ufffd\\u0001\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0007version\\u0004bind\\u0000\\u0000\\u0010\\u0000\\u0003\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022pop3 probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022T\ufffdversionbind\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":3,"bytes_in":32}],"total_events":58}