19/06/2026 01:15:55 UTC
TCP
8000 · SAP ICM
Sonde SAP ICM HTTP
Sonde SAP ICM / WebDynpro · via SAP ICM:8000 · (sonde / probe)
Élevée
Moyen · 45
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
SAP-ICM
WAF
—
Recommandation
Surveiller
Tags
http_get_probe
mongodb_hello_probe
net_sap_web_probe
sap_icm_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8000
Chemin / cible
—
Service
SAP ICM
Payload
GET / HTTP/1.1 Host: 62.3.50.33:8000 User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs-
Pourquoi cette classification : Type « sap_web_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Moyen
· 45
Confiance : Confiance 50 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0460
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8000
User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs-
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8000 User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c",
"emulator_response_len": 141,
"bytes_in": 218,
"payload_entropy": 5.094935618782794,
"port_category": "registered",
"org": "Google LLC",
"service": "sap-icm",
"app_proto": "sap-icm",
"asn": 396982,
"country": "US",
"dst_port": 8000,
"risk_waf": 8,
"risk_classification": 54,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 48,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 2.1,
"risk_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 48,
"novelty": 25
},
"risk_score": 45,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "222f5e40fde6206fafd6655b5db2271bda3a064a",
"event_fingerprint": "40ac2e001fc92fc4c26729171b1b914e26c42c6a",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0460"
],
"classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 48,
"novelty": 25,
"risk_score": 45
},
"service_name": "sap-icm",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "4ba6068961c4d6c9a74ce40214779d75",
"path_pattern_hash": "2dea5f3383fd8694e14eaf8b920fd9fc"
},
"target_context": {
"dst_port": 8000,
"service": "sap-icm",
"service_name": "sap-icm",
"risk_score": 45
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8000\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8000\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8000\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8000\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8000\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-",
"classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"sap_probe"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d4f1473139c03f0f696dcf81a26c7c5841b44853",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8000\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-",
"port": 8000,
"service": "sap-icm",
"service_label_fr": "SAP ICM"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8000\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-",
"attack_vector": "Sonde SAP ICM \/ WebDynpro \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)",
"target_port_label": "8000 \u00b7 SAP ICM",
"emulator_service": "sap-icm",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 48,
"novelty": 25,
"risk_score": 45
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "sap-icm",
"service_label_fr": "SAP ICM",
"dst_port": 8000,
"protocol_emulated": true,
"tags_summary": [
"pat-0460"
],
"tags_summary_labels_fr": [
"pat-0460"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-sap-icm",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8000\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-",
"port": 8000,
"service": "sap-icm",
"service_label_fr": "SAP ICM"
},
"attack_vector": "Sonde SAP ICM \/ WebDynpro \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8000\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-",
"target_port_label": "8000 \u00b7 SAP ICM",
"emulator_service": "sap-icm",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "sap_icm",
"service_banner": "honeypot-sap-icm",
"service_os": "linux",
"dst_port": "8000"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"http_get_probe",
"mongodb_hello_probe",
"net_sap_web_probe",
"sap_icm_emulated",
"sap_icm_payload"
],
"asn_dc_heuristic": true
}
18/06/2026 19:34:30 UTC
TCP
2525 · SMTP ALT
Sonde MongoDB
mongodb probe · via SMTP ALT:2525 · (sonde / probe)
Élevée
Moyen · 45
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
SMTP-ALT
WAF
—
Recommandation
Surveiller
Tags
http_get_probe
mongodb_hello_probe
net_mongodb_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
2525
Chemin / cible
—
Service
SMTP ALT
Payload
GET / HTTP/1.1 Host: 62.3.50.33:2525 User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs-
Pourquoi cette classification : Type « mongodb_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Moyen
· 45
Confiance : Confiance 50 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0460
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:2525
User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs-
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:2525 User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "323230206d61696c2e6578616d706c652e636f6d2045534d545020506f737466697820285562756e7475290d0a",
"emulator_response_len": 45,
"bytes_in": 218,
"payload_entropy": 5.08801004536845,
"port_category": "registered",
"org": "Google LLC",
"service": "smtp-alt",
"app_proto": "smtp-alt",
"asn": 396982,
"country": "US",
"dst_port": 2525,
"risk_waf": 8,
"risk_classification": 55,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 40,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.3,
"risk_breakdown": {
"waf": 8,
"classification": 55,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 15
},
"risk_score": 45,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "e8e7c944ccf75dc93ffe2b1fdeff398eae4aeafe",
"event_fingerprint": "65a6ea2314380fd134ba607e79e5ea4e3cb076b3",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0460"
],
"classification_reason": "Type \u00ab mongodb_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 55,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 15,
"risk_score": 45
},
"service_name": "smtp-alt",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "8d8651e037c0cc1a6667f0cbde4b5ef3",
"path_pattern_hash": "64fbc3aee24db4a0fc1ea9e5fbb0e29c"
},
"target_context": {
"dst_port": 2525,
"service": "smtp-alt",
"service_name": "smtp-alt",
"risk_score": 45
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2525\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2525\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2525\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2525\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2525\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-",
"classification_reason": "Type \u00ab mongodb_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "0966d891454d3690f915614908e02ffc69933937",
"protocol_details": {
"smtp_auth_fr": "Sonde protocole SMTP",
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2525\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-",
"port": 2525,
"service": "smtp-alt",
"service_label_fr": "SMTP ALT"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2525\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-",
"attack_vector": "mongodb probe \u00b7 via SMTP ALT:2525 \u00b7 (sonde \/ probe)",
"target_port_label": "2525 \u00b7 SMTP ALT",
"emulator_service": "smtp-alt",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab mongodb_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab mongodb_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 55,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 15,
"risk_score": 45
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "smtp-alt",
"service_label_fr": "SMTP ALT",
"dst_port": 2525,
"protocol_emulated": true,
"tags_summary": [
"pat-0460"
],
"tags_summary_labels_fr": [
"pat-0460"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-smtp-alt",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"smtp_auth_fr": "Sonde protocole SMTP",
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2525\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-",
"port": 2525,
"service": "smtp-alt",
"service_label_fr": "SMTP ALT"
},
"attack_vector": "mongodb probe \u00b7 via SMTP ALT:2525 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2525\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-",
"target_port_label": "2525 \u00b7 SMTP ALT",
"emulator_service": "smtp-alt",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "smtp_alt",
"service_banner": "honeypot-smtp-alt",
"service_os": "linux",
"dst_port": "2525"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"http_get_probe",
"mongodb_hello_probe",
"net_mongodb_probe"
],
"asn_dc_heuristic": true
}
18/06/2026 15:13:11 UTC
TCP
3306 · MYSQL
Sonde MySQL
mysql probe · via MYSQL:3306 · (sonde / probe)
Élevée
Moyen · 48
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1110
TA0007
TA0001
Protocole
Émulateur
MYSQL
WAF
—
Recommandation
Surveiller
Tags
mysql_emulated
mysql_handshake
net_mysql_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
3306
Chemin / cible
—
Pourquoi cette classification : Poignée de main MySQL · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — 3 signal(aux) capteur
Protocole émulé
1 Signaux
Db Mysql Auth
Upstream
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "380000000a382e302e33322d4d7953514c0004030201112233445566778899aabbccddeeff006d7973716c5f6e61746976655f70617373776f726400",
"emulator_response_len": 60,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "Google LLC",
"service": "mysql",
"app_proto": "mysql",
"asn": 396982,
"country": "US",
"dst_port": 3306,
"risk_waf": 8,
"risk_classification": 54,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.2,
"risk_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 48,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "bef1cad8d681313ebc2fad5890e78941ae733f15",
"event_fingerprint": "7e64d2ea7efbfd080eb620b69c685e7503a67a61",
"classification_reason": "Poign\u00e9e de main MySQL \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 87,
"precision_signals": [
"INT-DB-mysql-auth",
"INT-upstream"
],
"kb_rule_ids": [
"INT-DB-mysql-auth",
"INT-upstream"
],
"confidence_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"named_classification_skipped": false,
"service_name": "mysql",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "f92b97805e8111d6d69ad0f096b65c87"
},
"target_context": {
"dst_port": 3306,
"service": "mysql",
"service_name": "mysql",
"risk_score": 48
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1110"
],
"mitre": "T1110",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "51c4f619223cf8f2e8fe95a8f161b5010a39cc38",
"protocol_details": {
"mysql_auth_fr": "Handshake MySQL (auth)",
"port": 3306,
"service": "mysql",
"service_label_fr": "MYSQL"
},
"attack_vector": "mysql probe \u00b7 via MYSQL:3306 \u00b7 (sonde \/ probe)",
"target_port_label": "3306 \u00b7 MYSQL",
"emulator_service": "mysql",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Poign\u00e9e de main MySQL \u00b7 confiance 95%",
"classification_reason_label_fr": "Poign\u00e9e de main MySQL \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "mysql",
"service_label_fr": "MYSQL",
"dst_port": 3306,
"protocol_emulated": true,
"tags_summary": [
"INT-DB-mysql-auth",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Db Mysql Auth",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1110",
"mitre_technique": "T1110",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "8.0.32-MySQL",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mysql_auth_fr": "Handshake MySQL (auth)",
"port": 3306,
"service": "mysql",
"service_label_fr": "MYSQL"
},
"attack_vector": "mysql probe \u00b7 via MYSQL:3306 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "3306 \u00b7 MYSQL",
"emulator_service": "mysql",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mysql",
"service_banner": "8.0.32-MySQL",
"service_os": "linux",
"dst_port": "3306"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"mysql_emulated",
"mysql_handshake",
"net_mysql_probe"
],
"asn_dc_heuristic": true
}
16/06/2026 18:59:37 UTC
TCP
139 · SMB
Sonde port 139/TCP
port 139 tcp · via SMB:139 · (sonde / probe)
Élevée
Moyen · 42
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
SMB
WAF
—
Recommandation
Surveiller
Tags
net_smb_probe
smb_emulated
smb_negotiate
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
139
Chemin / cible
—
Preuve honeypot — Sonde port 139/TCP
Connexion détectée sur le port 139 (TCP) du capteur simulé.
Service
SMB
Payload
�����SMB@�������������������������������������������1234567890123456$�����������1234567890123456h�����������������������������,�
Pourquoi cette classification : Type « port_139_tcp » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Moyen
· 42
Confiance : Confiance 49 % — Motif catalogue confirmé · Classification nommée non retenue — preuves insuffisantes
Protocole émulé
1 Signaux
pat-0348
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
RDP TPKT header
Sybase TDS login
ET H.323 setup
NFS RPC mount
Mumble ping
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��SMB@�������������������������������������������1234567890123456$�����������1234567890123456h�����������������������������,
Requête brute (extrait)
��SMB@�������������������������������������������1234567890123456$�����������1234567890123456h�����������������������������,������������� ��������������������
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "00000048",
"emulator_response_len": 4,
"bytes_in": 176,
"payload_entropy": 2.3495313504805617,
"port_category": "well_known",
"org": "Google LLC",
"service": "smb",
"app_proto": "smb",
"asn": 396982,
"country": "US",
"dst_port": 139,
"risk_waf": 8,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 3.4,
"risk_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 42,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "568c1e362fa22aa3b71f895c46b0f5eaf32d68a3",
"event_fingerprint": "ac6f19094f4476f2d5f4af354de6040603cc1eb7",
"classification_reason": "Type \u00ab port_139_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0348"
],
"kb_rule_ids": [
"pat-0348"
],
"matched_patterns": [
"pat-0348",
"pat-0607",
"pat-0868",
"pat-0532",
"pat-0768",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"RDP TPKT header",
"Sybase TDS login",
"ET H.323 setup",
"NFS RPC mount",
"Mumble ping",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0348",
"pat-0607",
"pat-0868",
"pat-0532",
"pat-0768",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 42
},
"named_classification_skipped": true,
"named_candidate": "rdp_probe",
"service_name": "smb",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "ac70ccc77bd07ff099f4a7bad8ac3311",
"path_pattern_hash": "c28c33b24c7c0c9eb2f5d7bb82e1cfc1"
},
"target_context": {
"dst_port": 139,
"service": "smb",
"service_name": "smb",
"risk_score": 42
},
"payload_snippet": "\u0000\u0000\u0000\ufffd\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00001234567890123456$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u00001234567890123456h\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0011\u0003\u0000\u0000\u0002\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0002\u0000\u0001\u0000\u0000\u0000\u0001\u0000,\u0000",
"evidence": {
"request_sample": "\u0000\u0000\u0000\ufffd\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00001234567890123456$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u00001234567890123456h\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0011\u0003\u0000\u0000\u0002\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0002\u0000\u0001\u0000\u0000\u0000\u0001\u0000,\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0002\u0000\u0001\u0000\u0001\u0000 \u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"payload_snippet": "\u0000\u0000\u0000\ufffd\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00001234567890123456$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u00001234567890123456h\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0011\u0003\u0000\u0000\u0002\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0002\u0000\u0001\u0000\u0000\u0000\u0001\u0000,\u0000",
"classification_reason": "Type \u00ab port_139_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "16f5da24cb87c03447997c9426ccdcc8a93d6a02",
"protocol_details": {
"payload_preview": "\u0000\u0000\u0000\ufffd\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00001234567890123456$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u00001234567890123456h\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0011\u0003\u0000\u0000\u0002\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0002\u0000\u0001\u0000\u0000\u0000\u0001\u0000,\u0000",
"port": 139,
"service": "smb",
"service_label_fr": "SMB"
},
"evidence_snippet": "\ufffd\ufffdSMB@1234567890123456$1234567890123456h,",
"attack_vector": "port 139 tcp \u00b7 via SMB:139 \u00b7 (sonde \/ probe)",
"target_port_label": "139 \u00b7 SMB",
"emulator_service": "smb",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_139_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab port_139_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 42
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "smb",
"service_label_fr": "SMB",
"dst_port": 139,
"protocol_emulated": true,
"tags_summary": [
"pat-0348"
],
"tags_summary_labels_fr": [
"pat-0348"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-smb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0000\u0000\u0000\ufffd\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00001234567890123456$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u00001234567890123456h\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0011\u0003\u0000\u0000\u0002\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0002\u0000\u0001\u0000\u0000\u0000\u0001\u0000,\u0000",
"port": 139,
"service": "smb",
"service_label_fr": "SMB"
},
"attack_vector": "port 139 tcp \u00b7 via SMB:139 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdSMB@1234567890123456$1234567890123456h,",
"target_port_label": "139 \u00b7 SMB",
"emulator_service": "smb",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "smb",
"service_banner": "honeypot-smb",
"service_os": "linux",
"dst_port": "139"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_smb_probe",
"smb_emulated",
"smb_negotiate"
],
"asn_dc_heuristic": true
}
16/06/2026 18:59:37 UTC
TCP
139 · SMB
Sonde SMB
smb probe · via SMB:139 · (sonde / probe)
Élevée
Faible · 21
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
SMB
WAF
—
Recommandation
Surveiller
Tags
net_smb_probe
smb_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
139
Chemin / cible
—
Pourquoi cette classification : Type « smb_probe » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 21
Confiance : Confiance 0 % — 2 signal(aux) capteur
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "well_known",
"org": "Google LLC",
"service": "smb",
"app_proto": "smb",
"asn": 396982,
"country": "US",
"dst_port": 139,
"risk_waf": 8,
"risk_classification": 56,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 3.1,
"risk_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 21,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "3953f1b3149bc01b700c2aadb2669056e2e94dea",
"event_fingerprint": "ac6f19094f4476f2d5f4af354de6040603cc1eb7",
"classification_reason": "Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 21
},
"named_classification_skipped": false,
"service_name": "smb",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "b6c073dc229e6284b4cae7886c46d504"
},
"target_context": {
"dst_port": 139,
"service": "smb",
"service_name": "smb",
"risk_score": 21
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "56afc68ddb732aedcb4c436a0ff973c6b1ae80fb",
"protocol_details": {
"port": 139,
"service": "smb",
"service_label_fr": "SMB"
},
"attack_vector": "smb probe \u00b7 via SMB:139 \u00b7 (sonde \/ probe)",
"target_port_label": "139 \u00b7 SMB",
"emulator_service": "smb",
"confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 21
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 21,
"risk_label": "Faible",
"service_name": "smb",
"service_label_fr": "SMB",
"dst_port": 139,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-smb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"port": 139,
"service": "smb",
"service_label_fr": "SMB"
},
"attack_vector": "smb probe \u00b7 via SMB:139 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "139 \u00b7 SMB",
"emulator_service": "smb",
"confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "smb",
"service_banner": "honeypot-smb",
"service_os": "linux",
"dst_port": "139"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"net_smb_probe",
"smb_emulated"
],
"asn_dc_heuristic": true
}
16/06/2026 18:59:36 UTC
TCP
139 · SMB
Sonde SMB
smb probe · via SMB:139 · (sonde / probe)
Élevée
Faible · 32
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
SMB
WAF
—
Recommandation
Surveiller
Tags
net_smb_probe
smb_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
139
Chemin / cible
—
Service
SMB
Payload
���1�SMBr�����Eh���������������}��������NT LM 0.12���
Pourquoi cette classification : Type « smb_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 32
Confiance : Confiance 50 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0771
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
1�SMBr�����Eh���������������}��������NT LM 0.12��
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "00000048",
"emulator_response_len": 4,
"bytes_in": 53,
"payload_entropy": 3.037242382532767,
"port_category": "well_known",
"org": "Google LLC",
"service": "smb",
"app_proto": "smb",
"asn": 396982,
"country": "US",
"dst_port": 139,
"risk_waf": 8,
"risk_classification": 56,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 3.1,
"risk_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 32,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "3953f1b3149bc01b700c2aadb2669056e2e94dea",
"event_fingerprint": "ac6f19094f4476f2d5f4af354de6040603cc1eb7",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0771"
],
"classification_reason": "Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 32
},
"service_name": "smb",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "f6e3339c8f446c4744156a63cec7085a",
"path_pattern_hash": "b6c073dc229e6284b4cae7886c46d504"
},
"target_context": {
"dst_port": 139,
"service": "smb",
"service_name": "smb",
"risk_score": 32
},
"payload_preview": "\u0000\u0000\u00001\ufffdSMBr\u0000\u0000\u0000\u0000\u0018Eh\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd}\u0000\u0000\u0001\u0000\u0000\u000e\u0000\u0002NT LM 0.12\u0000\u0002\u0000",
"request_sample": "\u0000\u0000\u00001\ufffdSMBr\u0000\u0000\u0000\u0000\u0018Eh\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd}\u0000\u0000\u0001\u0000\u0000\u000e\u0000\u0002NT LM 0.12\u0000\u0002\u0000",
"payload_snippet": "\u0000\u0000\u00001\ufffdSMBr\u0000\u0000\u0000\u0000\u0018Eh\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd}\u0000\u0000\u0001\u0000\u0000\u000e\u0000\u0002NT LM 0.12\u0000\u0002\u0000",
"evidence": {
"request_sample": "\u0000\u0000\u00001\ufffdSMBr\u0000\u0000\u0000\u0000\u0018Eh\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd}\u0000\u0000\u0001\u0000\u0000\u000e\u0000\u0002NT LM 0.12\u0000\u0002\u0000",
"payload_snippet": "\u0000\u0000\u00001\ufffdSMBr\u0000\u0000\u0000\u0000\u0018Eh\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd}\u0000\u0000\u0001\u0000\u0000\u000e\u0000\u0002NT LM 0.12\u0000\u0002\u0000",
"classification_reason": "Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "16861df5cf87319acc744a826f7ee0845639dbec",
"protocol_details": {
"payload_preview": "\u0000\u0000\u00001\ufffdSMBr\u0000\u0000\u0000\u0000\u0018Eh\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd}\u0000\u0000\u0001\u0000\u0000\u000e\u0000\u0002NT LM 0.12\u0000\u0002\u0000",
"port": 139,
"service": "smb",
"service_label_fr": "SMB"
},
"evidence_snippet": "1\ufffdSMBrEh\ufffd}NT LM 0.12",
"attack_vector": "smb probe \u00b7 via SMB:139 \u00b7 (sonde \/ probe)",
"target_port_label": "139 \u00b7 SMB",
"emulator_service": "smb",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 32\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 32
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 32,
"risk_label": "Faible",
"service_name": "smb",
"service_label_fr": "SMB",
"dst_port": 139,
"protocol_emulated": true,
"tags_summary": [
"pat-0771"
],
"tags_summary_labels_fr": [
"pat-0771"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-smb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0000\u0000\u00001\ufffdSMBr\u0000\u0000\u0000\u0000\u0018Eh\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd}\u0000\u0000\u0001\u0000\u0000\u000e\u0000\u0002NT LM 0.12\u0000\u0002\u0000",
"port": 139,
"service": "smb",
"service_label_fr": "SMB"
},
"attack_vector": "smb probe \u00b7 via SMB:139 \u00b7 (sonde \/ probe)",
"evidence_snippet": "1\ufffdSMBrEh\ufffd}NT LM 0.12",
"target_port_label": "139 \u00b7 SMB",
"emulator_service": "smb",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "smb",
"service_banner": "honeypot-smb",
"service_os": "linux",
"dst_port": "139"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"net_smb_probe",
"smb_emulated"
],
"asn_dc_heuristic": true
}
15/06/2026 02:33:55 UTC
TCP
5985 · WINRM
Sonde WinRM
winrm probe · via WINRM:5985 · (sonde / probe)
Élevée
Faible · 38
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
WINRM
WAF
—
Recommandation
Surveiller
Tags
mongodb_auth
net_winrm_probe
winrm_emulated
winrm_payload
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
5985
Chemin / cible
—
Service
WINRM
Payload
POST /wsman HTTP/1.1 Content-Type: application/soap+xml;charset=UTF-8 Content-Length: 198 Host: 62.3.50.33:5985 WSMANIDENTIF
Pourquoi cette classification : Type « winrm_probe » (signaux protocolaires) · confiance 95%
Confiance classification
95%
Risque capteur
Faible
· 38
Confiance : Confiance 95 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0526
Upstream
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
CRS 921130 duplicate CL
CRS 941130
LFI Double-dot bypass
WinRM WS-Man
User-Agent
—
Règles WAF
—
Payload (extrait)
POST /wsman HTTP/1.1
Content-Type: application/soap+xml;charset=UTF-8
Content-Length: 198
Host: 62.3.50.33:5985
WSMANIDENTIF
Requête brute (extrait)
POST /wsman HTTP/1.1 Content-Type: application/soap+xml;charset=UTF-8 Content-Length: 198 Host: 62.3.50.33:5985 WSMANIDENTIFY: unauthenticated <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:wsmid="http://schemas.dmtf.org/wbem/ws
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e312034303120556e617574686f72697a65640d0a5757572d41757468656e7469636174653a204e65676f74696174650d0a436f6e74656e742d4c656e6774683a20300d0a0d0a",
"emulator_response_len": 77,
"bytes_in": 348,
"payload_entropy": 5.375488925768778,
"port_category": "registered",
"org": "Google LLC",
"service": "winrm",
"app_proto": "winrm",
"asn": 396982,
"country": "US",
"dst_port": 5985,
"risk_waf": 8,
"risk_classification": 62,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 2.1,
"risk_breakdown": {
"waf": 8,
"classification": 62,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "db84ed8a6e7eebc2b9cb5e88fa3710531a62b15c",
"event_fingerprint": "69c3741eda286def0bdd9c17863648ff58bc3b2f",
"classification_reason": "Type \u00ab winrm_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 85,
"precision_signals": [
"pat-0526",
"INT-upstream"
],
"kb_rule_ids": [
"pat-0526",
"INT-upstream"
],
"matched_patterns": [
"pat-0842",
"pat-0284",
"pat-0103",
"pat-0526"
],
"matched_pattern_names": [
"CRS 921130 duplicate CL",
"CRS 941130",
"LFI Double-dot bypass",
"WinRM WS-Man"
],
"pattern_ids": [
"pat-0842",
"pat-0284",
"pat-0103",
"pat-0526"
],
"confidence_breakdown": {
"waf": 8,
"classification": 62,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"service_name": "winrm",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "3c6fc626390ea9cbe4696acf462ab72c",
"path_pattern_hash": "a98d2328dfdc853a4ac94ea7611b67e5"
},
"target_context": {
"dst_port": 5985,
"service": "winrm",
"service_name": "winrm",
"risk_score": 38
},
"payload_preview": "POST \/wsman HTTP\/1.1\r\nContent-Type: application\/soap+xml;charset=UTF-8\r\nContent-Length: 198\r\nHost: 62.3.50.33:5985\r\nWSMANIDENTIF",
"request_sample": "POST \/wsman HTTP\/1.1\r\nContent-Type: application\/soap+xml;charset=UTF-8\r\nContent-Length: 198\r\nHost: 62.3.50.33:5985\r\nWSMANIDENTIFY: unauthenticated\r\n\r\n<s:Envelope xmlns:s=\"http:\/\/www.w3.org\/2003\/05\/soap-envelope\" xmlns:wsmid=\"http:\/\/schemas.dmtf.org\/wbem\/ws",
"payload_snippet": "POST \/wsman HTTP\/1.1\r\nContent-Type: application\/soap+xml;charset=UTF-8\r\nContent-Length: 198\r\nHost: 62.3.50.33:5985\r\nWSMANIDENTIF",
"evidence": {
"request_sample": "POST \/wsman HTTP\/1.1\r\nContent-Type: application\/soap+xml;charset=UTF-8\r\nContent-Length: 198\r\nHost: 62.3.50.33:5985\r\nWSMANIDENTIFY: unauthenticated\r\n\r\n<s:Envelope xmlns:s=\"http:\/\/www.w3.org\/2003\/05\/soap-envelope\" xmlns:wsmid=\"http:\/\/schemas.dmtf.org\/wbem\/ws",
"payload_snippet": "POST \/wsman HTTP\/1.1\r\nContent-Type: application\/soap+xml;charset=UTF-8\r\nContent-Length: 198\r\nHost: 62.3.50.33:5985\r\nWSMANIDENTIF",
"classification_reason": "Type \u00ab winrm_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "81ccc284be918583bb516c36d510c3b36a2a6335",
"protocol_details": {
"payload_preview": "POST \/wsman HTTP\/1.1\r\nContent-Type: application\/soap+xml;charset=UTF-8\r\nContent-Length: 198\r\nHost: 62.3.50.33:5985\r\nWSMANIDENTIF",
"port": 5985,
"service": "winrm",
"service_label_fr": "WINRM"
},
"evidence_snippet": "POST \/wsman HTTP\/1.1\r\nContent-Type: application\/soap+xml;charset=UTF-8\r\nContent-Length: 198\r\nHost: 62.3.50.33:5985\r\nWSMANIDENTIF",
"attack_vector": "winrm probe \u00b7 via WINRM:5985 \u00b7 (sonde \/ probe)",
"target_port_label": "5985 \u00b7 WINRM",
"emulator_service": "winrm",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab winrm_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"classification_reason_label_fr": "Type \u00ab winrm_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 62,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "winrm",
"service_label_fr": "WINRM",
"dst_port": 5985,
"protocol_emulated": true,
"tags_summary": [
"pat-0526",
"INT-upstream"
],
"tags_summary_labels_fr": [
"pat-0526",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-winrm",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "POST \/wsman HTTP\/1.1\r\nContent-Type: application\/soap+xml;charset=UTF-8\r\nContent-Length: 198\r\nHost: 62.3.50.33:5985\r\nWSMANIDENTIF",
"port": 5985,
"service": "winrm",
"service_label_fr": "WINRM"
},
"attack_vector": "winrm probe \u00b7 via WINRM:5985 \u00b7 (sonde \/ probe)",
"evidence_snippet": "POST \/wsman HTTP\/1.1\r\nContent-Type: application\/soap+xml;charset=UTF-8\r\nContent-Length: 198\r\nHost: 62.3.50.33:5985\r\nWSMANIDENTIF",
"target_port_label": "5985 \u00b7 WINRM",
"emulator_service": "winrm",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "winrm",
"service_banner": "honeypot-winrm",
"service_os": "linux",
"dst_port": "5985"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_auth",
"net_winrm_probe",
"winrm_emulated",
"winrm_payload",
"winrm_probe"
],
"asn_dc_heuristic": true
}
08/06/2026 01:29:47 UTC
TCP
82 · HTTP
Scanner web
web scanner · via HTTP:82 · (sonde / probe)
Élevée
Moyen · 47
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1595
TA0007
TA0001
Protocole
GET / UA Hello from Palo Alto Networks, find out more about our scans in…
Émulateur
HTTP
WAF
23
Recommandation
Surveiller
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
82
Chemin / cible
/
Pourquoi cette classification : User-Agent scanner commercial déclaré · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 47
Confiance : Confiance 100 % — 4 tag(s) WAF
Signaux
Scanner Palo Alto
Upstream
Waf Score
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
LFI Double-dot bypass
UA Palo Alto Networks
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
lfi-14
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:82
User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs-co
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": "b00c56701bd04898edc8a488547d32d613363649",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 216,
"payload_entropy": 5.084664271113836,
"port_category": "well_known",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 82,
"risk_waf": 57.5,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5,
"risk_breakdown": {
"waf": 57.5,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 47,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "97692b908c9355cad520af68c1eafa955657ddc7",
"event_fingerprint": "d4e47aa681382d5bd046800841e7d1bacd808362",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 147,
"precision_signals": [
"INT-scanner-palo-alto",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"INT-scanner-palo-alto",
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0103",
"pat-0460"
],
"matched_pattern_names": [
"LFI Double-dot bypass",
"UA Palo Alto Networks"
],
"pattern_ids": [
"pat-0103",
"pat-0460"
],
"confidence_breakdown": {
"waf": 57.5,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 47
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "ce3935d92be5f9290d282e51ab604b41",
"payload_hash": "d21c352cba4fecb9031b059a4c535472",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 82,
"service": "http",
"service_name": "http",
"risk_score": 47
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-co",
"method": "GET",
"path": "\/",
"user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity",
"waf_tags": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-co",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity",
"waf_tags": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-co",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1595"
],
"mitre": "T1595",
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "0fcb2901fb15f994f39820fc0b0604961f3888a0",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpa\u2026",
"port": 82,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-co",
"attack_vector": "web scanner \u00b7 via HTTP:82 \u00b7 (sonde \/ probe)",
"target_port_label": "82 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"classification_reason_label_fr": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 47\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 57.5,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 47
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 47,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 82,
"protocol_emulated": null,
"tags_summary": [
"INT-scanner-palo-alto",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"Scanner Palo Alto",
"Upstream",
"Waf Score"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1595",
"mitre_technique": "T1595",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpa\u2026",
"port": 82,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "web scanner \u00b7 via HTTP:82 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-co",
"target_port_label": "82 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 57 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "82"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"http_ua_disclosed_scanner"
],
"asn_dc_heuristic": true
}
07/06/2026 00:54:39 UTC
TCP
30083 · HTTP
Scanner web
Élevée
Moyen · 47
Détails
Voir
Étape
Sonde / probe
MITRE
T1595
TA0007
TA0001
WAF
23
Recommandation
Surveiller
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
30083
Chemin / cible
/
Pourquoi cette classification : User-Agent scanner commercial déclaré · confiance 100%
Confiance classification
100%
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
LFI Double-dot bypass
UA Palo Alto Networks
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
lfi-14
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:30083
User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:30083 User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": "a6375a10355da13185717979d33252ecaee5af2a",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 219,
"payload_entropy": 5.097262592107306,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 30083,
"risk_waf": 57.5,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3.8,
"risk_breakdown": {
"waf": 57.5,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 47,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "1c9848ff95c455fb11c12423d6209864cc391753",
"event_fingerprint": "e1ee571527cfdf4b1d58672c085ef23a0b9a6c8e",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 147,
"precision_signals": [
"INT-scanner-palo-alto",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"INT-scanner-palo-alto",
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0103",
"pat-0460"
],
"matched_pattern_names": [
"LFI Double-dot bypass",
"UA Palo Alto Networks"
],
"pattern_ids": [
"pat-0103",
"pat-0460"
],
"confidence_breakdown": {
"waf": 57.5,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 47
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "ce3935d92be5f9290d282e51ab604b41",
"payload_hash": "7637ad5054134a21c2aa2c2b38dd8184",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 30083,
"service": "http",
"service_name": "http",
"risk_score": 47
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30083\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs",
"method": "GET",
"path": "\/",
"user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity",
"waf_tags": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30083\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30083\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity",
"waf_tags": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30083\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30083\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1595"
],
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "456a5c4e0f4e40e7fb78354b3b872f06c1361278",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "30083"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "probe",
"ban_policy": "advisory_monitor",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"http_ua_disclosed_scanner"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 1,
"behavior_priority": 72
}
06/06/2026 03:47:05 UTC
TCP
7547
Scanner web
Élevée
Moyen · 45
Détails
Voir
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
23
Recommandation
Surveiller
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
7547
Chemin / cible
/
Pourquoi cette classification : User-Agent scanner commercial déclaré · confiance 100%
Confiance classification
100%
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
LFI Double-dot bypass
UA Palo Alto Networks
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
lfi-14
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.0
User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks
Requête brute (extrait)
GET / HTTP/1.0 User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity Accept: */*
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 185,
"payload_entropy": 4.938089755714326,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 7547,
"risk_waf": 57.5,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4,
"risk_breakdown": {
"waf": 57.5,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 45,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "78d1da18394bc980657ea1daa7172841e0efa200",
"event_fingerprint": "920ca7087263930f6563f658c1941ca4e109e916",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 147,
"precision_signals": [
"INT-scanner-palo-alto",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"INT-scanner-palo-alto",
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0103",
"pat-0460"
],
"matched_pattern_names": [
"LFI Double-dot bypass",
"UA Palo Alto Networks"
],
"pattern_ids": [
"pat-0103",
"pat-0460"
],
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "ce3935d92be5f9290d282e51ab604b41",
"payload_hash": "408dddfd3211eda1263e9161f0d91c4d",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 7547,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.0\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks",
"method": "GET",
"path": "\/",
"user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity",
"waf_tags": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.0\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\r\nAccept: *\/*\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.0\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity",
"waf_tags": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.0\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\r\nAccept: *\/*\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.0\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a2af83c5e7dfb8a6653f04751bf296d4d9711207",
"ban_policy": "advisory_monitor",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"http_ua_disclosed_scanner"
],
"asn_dc_heuristic": true
}
29/05/2026 02:42:51 UTC
TCP
20122
Sonde TLS
Moyenne
Faible · 33
Détails
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
29/05/2026 02:42:51 UTC
TCP
20122
Sonde TLS
Moyenne
Faible · 33
Détails
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
28/05/2026 01:23:14 UTC
TCP
4786
—
Sonde port
Faible
Faible · 0
Détails
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
26/05/2026 21:43:18 UTC
TCP
8991
web attack
Élevée
Critique · 100
Détails
Voir
Étape
—
WAF
23
Recommandation
—
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8991
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": "d93662795a1c41dae81d7b36826484532c880b2d",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 218,
"payload_entropy": 5.107572717416572,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"tag_count": 4,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "bdb4962a8542e511c7107c20326274ed8f621e8b",
"event_fingerprint": "f2e00b2f7419cb757e57a2fe3aa03e24a137afe3",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
26/05/2026 10:36:20 UTC
TCP
3389
Sonde RDP
Élevée
Élevé · 74
Détails
Étape
—
WAF
—
Recommandation
—
Tags
rdp_cookie
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
26/05/2026 10:36:20 UTC
TCP
3389
Sonde RDP
Élevée
Élevé · 74
Détails
Étape
—
WAF
—
Recommandation
—
Tags
rdp_cookie
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
26/05/2026 10:36:20 UTC
TCP
3389
rdp attack
Élevée
Élevé · 72
Détails
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
26/05/2026 10:36:19 UTC
TCP
3389
Sonde RDP
Élevée
Élevé · 79
Détails
Étape
—
WAF
—
Recommandation
—
Tags
rdp_cookie
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
26/05/2026 01:40:21 UTC
TCP
4444
Sonde TLS
Moyenne
Faible · 33
Détails
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
26/05/2026 01:40:21 UTC
TCP
4444
Sonde TLS
Moyenne
Faible · 33
Détails
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
24/05/2026 20:25:49 UTC
TCP
8008
web attack
Élevée
Critique · 100
Détails
Voir
Étape
—
WAF
23
Recommandation
—
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8008
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": "2f04469f58c087671b6a6ba85c59ddf7574837ab",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 218,
"payload_entropy": 5.100647144002227,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"tag_count": 4,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "86a5417681c4d4126bc0c7d37d55ee48adb754e9",
"event_fingerprint": "bb9133595103ef077b7f4a33ee4e8414f3b782a1",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
24/05/2026 19:11:04 UTC
TCP
20256
—
Sonde port
Faible
Faible · 0
Détails
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
20/05/2026 23:41:46 UTC
TCP
3389
Sonde RDP
Élevée
Élevé · 79
Détails
Étape
—
WAF
—
Recommandation
—
Tags
rdp_cookie
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
20/05/2026 23:41:46 UTC
TCP
3389
rdp attack
Élevée
Élevé · 72
Détails
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
20/05/2026 23:41:45 UTC
TCP
3389
Sonde RDP
Élevée
Élevé · 79
Détails
Étape
—
WAF
—
Recommandation
—
Tags
rdp_cookie
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
20/05/2026 23:41:45 UTC
TCP
3389
Sonde RDP
Élevée
Élevé · 79
Détails
Étape
—
WAF
—
Recommandation
—
Tags
rdp_cookie
Cible HTTP
—
TLS SNI
—
Capteur
paris-1