19/06/2026 13:36:09 UTC
TCP
8147 · HTTP
Scanner web
web scanner · via HTTP:8147 · (sonde / probe)
Élevée
Moyen · 47
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1595
TA0007
TA0001
Protocole
GET / UA Hello from Palo Alto Networks, find out more about our scans in…
Émulateur
HTTP
WAF
23
Recommandation
Surveiller
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8147
Chemin / cible
/
Pourquoi cette classification : User-Agent scanner commercial déclaré · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 47
Confiance : Confiance 100 % — 4 tag(s) WAF
Signaux
Scanner Palo Alto
Upstream
Waf Score
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
LFI Double-dot bypass
UA Palo Alto Networks
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
lfi-14
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8147
User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs-
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8147 User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": "23773dda48ce7a9ad60763139fac30af64bfd894",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 218,
"payload_entropy": 5.116747029343178,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8147,
"risk_waf": 57.5,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5.8,
"risk_breakdown": {
"waf": 57.5,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 47,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "0595c329f954c7fd7dae139c85456b42fda7e5d9",
"event_fingerprint": "0f4e8c4b246971fd662c278448dba6824c985d1c",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 147,
"precision_signals": [
"INT-scanner-palo-alto",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"INT-scanner-palo-alto",
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0103",
"pat-0460"
],
"matched_pattern_names": [
"LFI Double-dot bypass",
"UA Palo Alto Networks"
],
"pattern_ids": [
"pat-0103",
"pat-0460"
],
"confidence_breakdown": {
"waf": 57.5,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 47
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "ce3935d92be5f9290d282e51ab604b41",
"payload_hash": "a5cd4089ea6c59d7adc1083f62b6cc65",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8147,
"service": "http",
"service_name": "http",
"risk_score": 47
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8147\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-",
"method": "GET",
"path": "\/",
"user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity",
"waf_tags": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8147\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8147\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity",
"waf_tags": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8147\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8147\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1595"
],
"mitre": "T1595",
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "7a0c7b027a838d26ce346a4488409188c7360014",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpa\u2026",
"port": 8147,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8147\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-",
"attack_vector": "web scanner \u00b7 via HTTP:8147 \u00b7 (sonde \/ probe)",
"target_port_label": "8147 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"classification_reason_label_fr": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 47\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 57.5,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 47
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 47,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8147,
"protocol_emulated": null,
"tags_summary": [
"INT-scanner-palo-alto",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"Scanner Palo Alto",
"Upstream",
"Waf Score"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1595",
"mitre_technique": "T1595",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpa\u2026",
"port": 8147,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "web scanner \u00b7 via HTTP:8147 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8147\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-",
"target_port_label": "8147 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 57 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8147"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"http_ua_disclosed_scanner"
],
"asn_dc_heuristic": true
}
18/06/2026 07:37:20 UTC
TCP
210
—
Sonde port
Sonde port · port 210 · (sonde / probe)
Faible
Moyen · 44
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
210
Chemin / cible
—
Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Moyen
· 44
Confiance : Confiance modérée (50 %) — signal principal unique
Signaux
Fp Port Probe Noise
Single Port
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "well_known",
"org": "Google LLC",
"service": null,
"app_proto": null,
"asn": 396982,
"country": "US",
"dst_port": 210,
"risk_waf": 8,
"risk_classification": 48,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 3.8,
"risk_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0
},
"risk_score": 44,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "321f3156b7521e51763e462d039dfe3422ef83d8",
"event_fingerprint": "5455bb766ff7669f966b2dd177292fc511c36cfe",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0,
"risk_score": 44
},
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d"
},
"target_context": {
"dst_port": 210,
"risk_score": 44
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "3f2c28eff6934646e207ae7b885924b45ee5abf0",
"protocol_details": {
"port": 210
},
"attack_vector": "Sonde port \u00b7 port 210 \u00b7 (sonde \/ probe)",
"target_port_label": "210",
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0,
"risk_score": 44
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": null,
"service_label_fr": null,
"dst_port": 210,
"protocol_emulated": null,
"tags_summary": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"tags_summary_labels_fr": [
"Fp Port Probe Noise",
"Single Port"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"port": 210
},
"attack_vector": "Sonde port \u00b7 port 210 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "210",
"emulator_service": null,
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "generic",
"service_banner": "honeypot",
"service_os": "linux",
"dst_port": "210"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"asn_dc_heuristic": true
}
16/06/2026 14:19:02 UTC
TCP
13468 · HTTP
Scanner web
web scanner · via HTTP:13468 · (sonde / probe)
Élevée
Moyen · 47
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1595
TA0007
TA0001
Protocole
GET / UA Hello from Palo Alto Networks, find out more about our scans in…
Émulateur
HTTP
WAF
23
Recommandation
Surveiller
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
13468
Chemin / cible
/
Pourquoi cette classification : User-Agent scanner commercial déclaré · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 47
Confiance : Confiance 100 % — 4 tag(s) WAF
Signaux
Scanner Palo Alto
Upstream
Waf Score
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
LFI Double-dot bypass
UA Palo Alto Networks
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
lfi-14
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.0
User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks
Requête brute (extrait)
GET / HTTP/1.0 User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity Accept: */*
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 185,
"payload_entropy": 4.938089755714326,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 13468,
"risk_waf": 57.5,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4,
"risk_breakdown": {
"waf": 57.5,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 47,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "51e729240b0b3d1195073c2a944140830735b26f",
"event_fingerprint": "e95245474ba6eec2d101644baa68b9f2d6f4eb76",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 147,
"precision_signals": [
"INT-scanner-palo-alto",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"INT-scanner-palo-alto",
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0103",
"pat-0460"
],
"matched_pattern_names": [
"LFI Double-dot bypass",
"UA Palo Alto Networks"
],
"pattern_ids": [
"pat-0103",
"pat-0460"
],
"confidence_breakdown": {
"waf": 57.5,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 47
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "ce3935d92be5f9290d282e51ab604b41",
"payload_hash": "408dddfd3211eda1263e9161f0d91c4d",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 13468,
"service": "http",
"service_name": "http",
"risk_score": 47
},
"payload_preview": "GET \/ HTTP\/1.0\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks",
"method": "GET",
"path": "\/",
"user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity",
"waf_tags": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.0\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\r\nAccept: *\/*\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.0\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity",
"waf_tags": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.0\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\r\nAccept: *\/*\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.0\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1595"
],
"mitre": "T1595",
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "532e4623dda0abbb5555a5708ead3a3f11925830",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpa\u2026",
"port": 13468,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.0\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks",
"attack_vector": "web scanner \u00b7 via HTTP:13468 \u00b7 (sonde \/ probe)",
"target_port_label": "13468 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"classification_reason_label_fr": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 47\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 57.5,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 47
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 47,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 13468,
"protocol_emulated": null,
"tags_summary": [
"INT-scanner-palo-alto",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"Scanner Palo Alto",
"Upstream",
"Waf Score"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1595",
"mitre_technique": "T1595",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpa\u2026",
"port": 13468,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "web scanner \u00b7 via HTTP:13468 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.0\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks",
"target_port_label": "13468 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 57 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "13468"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"http_ua_disclosed_scanner"
],
"asn_dc_heuristic": true
}
15/06/2026 13:51:17 UTC
TCP
5322 · SSH
Scan vulnérabilités
scanner vuln · via SSH:5322 · (sonde / probe)
Élevée
Moyen · 48
Détails
Voir
Étape
Sonde / probe
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan coordonné
MITRE
TA0007
TA0007
TA0001
Protocole
SSH SSH-2.0-ZGrab ZGrab SSH Survey
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
5322
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-ZGrab ZGrab SSH Survey
Payload
SSH-2.0-ZGrab ZGrab SSH Survey
Pourquoi cette classification : Bannière client SSH reçue · confiance 95%
Confiance classification
100%
Corrélation +10
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — Motif catalogue confirmé
Signaux
pat-0594
pat-0458
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
ET zgrab fingerprint
UA zgrab
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-ZGrab ZGrab SSH Survey
Meta JSON brut
{
"bytes_in": 32,
"payload_entropy": 3.965018266288633,
"port_category": "registered",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "US",
"dst_port": 5322,
"risk_waf": 8,
"risk_classification": 52,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 3.7,
"risk_breakdown": {
"waf": 8,
"classification": 52,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 48,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "a1ed349d6113202006670d8faedfea308a1bc2cb",
"event_fingerprint": "05153ba3ac8e7d8cf9b23378192fe1cdf7b57dea",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 108,
"precision_signals": [
"pat-0594",
"pat-0458"
],
"kb_rule_ids": [
"pat-0594",
"pat-0458"
],
"matched_patterns": [
"pat-0391",
"pat-0594",
"pat-0458"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"ET zgrab fingerprint",
"UA zgrab"
],
"pattern_ids": [
"pat-0391",
"pat-0594",
"pat-0458"
],
"confidence_breakdown": {
"waf": 8,
"classification": 52,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48,
"correlation_boost": 10
},
"named_classification_skipped": false,
"classification_parent": "vuln_scanner",
"service_name": "ssh",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "84c6534ee254dde0af32266cdff575dd",
"path_pattern_hash": "b71c8aad2b015494f15e7bb035951b05"
},
"target_context": {
"dst_port": 5322,
"service": "ssh",
"service_name": "ssh",
"risk_score": 48
},
"payload_preview": "SSH-2.0-ZGrab ZGrab SSH Survey\r\n",
"request_sample": "SSH-2.0-ZGrab ZGrab SSH Survey\r\n",
"payload_snippet": "SSH-2.0-ZGrab ZGrab SSH Survey",
"evidence": {
"request_sample": "SSH-2.0-ZGrab ZGrab SSH Survey\r\n",
"payload_snippet": "SSH-2.0-ZGrab ZGrab SSH Survey",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "4c27185ef346d3cfa1f3640c84d6bba3e796f13c",
"protocol_details": {
"ssh_banner": "SSH-2.0-ZGrab ZGrab SSH Survey",
"payload_preview": "SSH-2.0-ZGrab ZGrab SSH Survey",
"port": 5322,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-ZGrab ZGrab SSH Survey",
"attack_vector": "scanner vuln \u00b7 via SSH:5322 \u00b7 (sonde \/ probe)",
"target_port_label": "5322 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 52,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48,
"correlation_boost": 10
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 5322,
"protocol_emulated": null,
"tags_summary": [
"pat-0594",
"pat-0458"
],
"tags_summary_labels_fr": [
"pat-0594",
"pat-0458"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": [
"scan_coordonn\u00e9"
],
"correlation_flags_labels_fr": [
"Scan coordonn\u00e9"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +10",
"protocol_details": {
"ssh_banner": "SSH-2.0-ZGrab ZGrab SSH Survey",
"payload_preview": "SSH-2.0-ZGrab ZGrab SSH Survey",
"port": 5322,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "scanner vuln \u00b7 via SSH:5322 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-ZGrab ZGrab SSH Survey",
"target_port_label": "5322 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10",
"campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (147.185.133.0\/24, \u22653 pairs)",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "5322"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"coordinated_scan": true,
"coordinated_subnet": "147.185.133.0\/24",
"coordinated_ip_count": 3,
"behavior_alerts": [
"coordinated_scan"
],
"correlation_confidence_boost": 10,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"ssh_banner"
],
"asn_dc_heuristic": true
}
15/06/2026 01:27:35 UTC
TCP
7699 · HTTP
Scanner web
web scanner · via HTTP:7699 · (sonde / probe)
Élevée
Moyen · 47
Détails
Voir
Étape
Sonde / probe
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan coordonné
MITRE
T1595
TA0007
TA0001
Protocole
GET / UA Hello from Palo Alto Networks, find out more about our scans in…
Émulateur
HTTP
WAF
23
Recommandation
Surveiller
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
7699
Chemin / cible
/
Pourquoi cette classification : User-Agent scanner commercial déclaré · confiance 100%
Confiance classification
100%
Corrélation +10
Risque capteur
Moyen
· 47
Confiance : Confiance 100 % — 4 tag(s) WAF
Signaux
Scanner Palo Alto
Upstream
Waf Score
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
LFI Double-dot bypass
UA Palo Alto Networks
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
lfi-14
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.0
User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks
Requête brute (extrait)
GET / HTTP/1.0 User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity Accept: */*
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 185,
"payload_entropy": 4.938089755714326,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 7699,
"risk_waf": 57.5,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3.5,
"risk_breakdown": {
"waf": 57.5,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 47,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "4c2ad5c3571c2182c5e4e7b1a00f19ac7834a50d",
"event_fingerprint": "19f163e40aedacf1bd1574c6407f70160344cfb5",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 147,
"precision_signals": [
"INT-scanner-palo-alto",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"INT-scanner-palo-alto",
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0103",
"pat-0460"
],
"matched_pattern_names": [
"LFI Double-dot bypass",
"UA Palo Alto Networks"
],
"pattern_ids": [
"pat-0103",
"pat-0460"
],
"confidence_breakdown": {
"waf": 57.5,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 47,
"correlation_boost": 10
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "ce3935d92be5f9290d282e51ab604b41",
"payload_hash": "408dddfd3211eda1263e9161f0d91c4d",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 7699,
"service": "http",
"service_name": "http",
"risk_score": 47
},
"payload_preview": "GET \/ HTTP\/1.0\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks",
"method": "GET",
"path": "\/",
"user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity",
"waf_tags": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.0\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\r\nAccept: *\/*\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.0\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity",
"waf_tags": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.0\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\r\nAccept: *\/*\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.0\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1595"
],
"mitre": "T1595",
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "aa8cc966ce2e1280197bb859830f3f4956af469d",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpa\u2026",
"port": 7699,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.0\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks",
"attack_vector": "web scanner \u00b7 via HTTP:7699 \u00b7 (sonde \/ probe)",
"target_port_label": "7699 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"classification_reason_label_fr": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 47\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 57.5,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 47,
"correlation_boost": 10
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 47,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 7699,
"protocol_emulated": null,
"tags_summary": [
"INT-scanner-palo-alto",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"Scanner Palo Alto",
"Upstream",
"Waf Score"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1595",
"mitre_technique": "T1595",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_coordonn\u00e9"
],
"correlation_flags_labels_fr": [
"Scan coordonn\u00e9"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +10",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpa\u2026",
"port": 7699,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "web scanner \u00b7 via HTTP:7699 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.0\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks",
"target_port_label": "7699 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 57 \u00b7 Bonus corr\u00e9lation +10 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (147.185.133.0\/24, \u22653 pairs)",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "7699"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"coordinated_scan": true,
"coordinated_subnet": "147.185.133.0\/24",
"coordinated_ip_count": 4,
"behavior_alerts": [
"coordinated_scan"
],
"correlation_confidence_boost": 10,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"http_ua_disclosed_scanner"
],
"asn_dc_heuristic": true
}
13/06/2026 17:13:54 UTC
TCP
18888 · TLS
Sonde PostgreSQL
postgres probe · via TLS:18888 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 795bc7ce13f60d61
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
18888
Chemin / cible
—
Service
TLS
Payload
�����������j�����X�*�� s��j��Ԃ�$���������h�����/�+�0�,�����'�#��� �(�$��� �������g�k�3�9���������<�=�/�5����� ��������������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������j�����X�*���s��j��Ԃ�$���������h�����/�+�0�,�����'�#��� �(�$���
�������g�k�3�9���������<�=�/�5�����
��������������
Requête brute (extrait)
�����������j�����X�*�� s��j��Ԃ�$���������h�����/�+�0�,�����'�#��� �(�$��� �������g�k�3�9���������<�=�/�5����� ���������������2���������8�@�f�j�������5���������� ����������� ����� � � ��������������������
Meta JSON brut
{
"tls_ja3_hash": "795bc7ce13f60d61e9ac03611dd36d90",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 29,
"bytes_in": 207,
"payload_entropy": 4.904413350017625,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 18888,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2.5,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "93416fb6f64491e11c37fa784de36dab44dd4f79",
"event_fingerprint": "69c7b86970588a77932c018d661c55d2060c15cc",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "795bc7ce13f60d61e9ac03611dd36d90",
"payload_hash": "046eb5c9f6820e1064861d8288299006",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "bcc542a5296d13201e694c8f5aa448d9",
"tls_version": "0x0303",
"tls_cipher_count": 52,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,52244-52243-49199-49195-49200-49196-49169-49159-49191-49187-49171-49161-49192-49188-49172-49162-52245-158-159-103-107-51-57-156-157-5-4-60-61-47-53-49170-22-10-3-8-6-20-17-25-23-50-49160-18-19-21-56-64-102-106-162-163,5-10-11-13-65281-15,23-24-25,0",
"tls_ja4_hash": "bcc542a5296d13201e694c8f5aa448d9",
"tls_ja4": "t13d0152_4fb103f5e16c_40d2e578a3e2",
"tls_version": "0x0303",
"tls_cipher_count": 52,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 18888,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003j\ufffd\u000f\ufffd\ufffd\u0007X\ufffd*\ufffd\ufffd\u000bs\ufffd\ufffdj\ufffd\u0001\u0502\ufffd$\ufffd\ufffd\ufffd\u0012\ufffd\ufffd\ufffd\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003j\ufffd\u000f\ufffd\ufffd\u0007X\ufffd*\ufffd\ufffd\u000bs\ufffd\ufffdj\ufffd\u0001\u0502\ufffd$\ufffd\ufffd\ufffd\u0012\ufffd\ufffd\ufffd\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017\u00002\ufffd\b\u0000\u0012\u0000\u0013\u0000\u0015\u00008\u0000@\u0000f\u0000j\u0000\ufffd\u0000\ufffd\u0001\u0000\u00005\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\f\u0000\n\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0002\u0002\ufffd\u0001\u0000\u0001\u0000\u0000\u000f\u0000\u0001\u0001",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003j\ufffd\u000f\ufffd\ufffd\u0007X\ufffd*\ufffd\ufffd\u000bs\ufffd\ufffdj\ufffd\u0001\u0502\ufffd$\ufffd\ufffd\ufffd\u0012\ufffd\ufffd\ufffd\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "7eea8b3171210ca2b3e1b5949cc2df68bbf08f4d",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003j\ufffd\u000f\ufffd\ufffd\u0007X\ufffd*\ufffd\ufffd\u000bs\ufffd\ufffdj\ufffd\u0001\u0502\ufffd$\ufffd\ufffd\ufffd\u0012\ufffd\ufffd\ufffd\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017",
"tls_ja3": "795bc7ce13f60d61e9ac03611dd36d90",
"tls_ja4": "bcc542a5296d13201e694c8f5aa448d9",
"port": 18888,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffdj\ufffd\ufffd\ufffdX\ufffd*\ufffd\ufffds\ufffd\ufffdj\ufffd\u0502\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdh\ufffd\ufffd\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\ufffd\ufffd'\ufffd#\ufffd\ufffd\t\ufffd(\ufffd$\ufffd\ufffd\n\ufffd\ufffd\ufffdgk39\ufffd\ufffd<=\/5\ufffd",
"attack_vector": "postgres probe \u00b7 via TLS:18888 \u00b7 (sonde \/ probe)",
"target_port_label": "18888 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 18888,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003j\ufffd\u000f\ufffd\ufffd\u0007X\ufffd*\ufffd\ufffd\u000bs\ufffd\ufffdj\ufffd\u0001\u0502\ufffd$\ufffd\ufffd\ufffd\u0012\ufffd\ufffd\ufffd\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017",
"tls_ja3": "795bc7ce13f60d61e9ac03611dd36d90",
"tls_ja4": "bcc542a5296d13201e694c8f5aa448d9",
"port": 18888,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:18888 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdj\ufffd\ufffd\ufffdX\ufffd*\ufffd\ufffds\ufffd\ufffdj\ufffd\u0502\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdh\ufffd\ufffd\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\ufffd\ufffd'\ufffd#\ufffd\ufffd\t\ufffd(\ufffd$\ufffd\ufffd\n\ufffd\ufffd\ufffdgk39\ufffd\ufffd<=\/5\ufffd",
"target_port_label": "18888 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "18888"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
13/06/2026 17:13:53 UTC
TCP
18888 · TLS
Sonde PostgreSQL
postgres probe · via TLS:18888 · (sonde / probe)
Moyenne
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 2196848d251b217d
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
18888
Chemin / cible
—
Service
TLS
Payload
�����������c(�8�Z�d� $�$�����!Q;M��������u �C �m�j���|}T��P P[��~��z%���X����+�/�,�0̨̩� ��� �����������_� ������������������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������c(�8�Z�d� $�$�����!Q;M��������u �C
�m�j���|}T��P�P[��~��z%���X����+�/�,�0̨̩� ���
�����������_�����������������
Requête brute (extrait)
�����������c(�8�Z�d� $�$�����!Q;M��������u �C �m�j���|}T��P P[��~��z%���X����+�/�,�0̨̩� ��� �����������_� ��������������������������� � � ����������� �������������������������2�����������������������������+� ����������3��������������t{$*��T���$x\��u��
Meta JSON brut
{
"tls_ja3_hash": "2196848d251b217de8b2c037e356c11d",
"tls_sni": null,
"bytes_in": 1483,
"payload_entropy": 7.72818150984455,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 18888,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.1,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "18deced0a5a4545a8fd6c1de8194470c31f93b70",
"event_fingerprint": "0854c2cc1ba8fe36c04db84ecf7dfdf8e6edc416",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "2196848d251b217de8b2c037e356c11d",
"payload_hash": "10bebe4e9dc212db2cd0993120cdd85f",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5"
},
"target_context": {
"dst_port": 18888,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003c(\ufffd8\ufffdZ\ufffdd\ufffd $\ufffd$\ufffd\ufffd\u001d\ufffd\ufffd!Q;M\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdu \ufffdC\r\ufffdm\ufffdj\ufffd\ufffd\ufffd|}T\ufffd\ufffdP\u000bP[\ufffd\ufffd~\u0005\ufffdz%\ufffd\ufffd\ufffdX\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003c(\ufffd8\ufffdZ\ufffdd\ufffd $\ufffd$\ufffd\ufffd\u001d\ufffd\ufffd!Q;M\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdu \ufffdC\r\ufffdm\ufffdj\ufffd\ufffd\ufffd|}T\ufffd\ufffdP\u000bP[\ufffd\ufffd~\u0005\ufffdz%\ufffd\ufffd\ufffdX\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\f\u0000\n\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u0016\u0000\u0014\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u00002\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0004\ufffd\u0004\ufffd\u0011\ufffd\u0004\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdt{$*\ufffd\ufffdT\ufffd\ufffd\ufffd$x\\\ufffd\ufffdu\ufffd\ufffd",
"payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003c(\ufffd8\ufffdZ\ufffdd\ufffd $\ufffd$\ufffd\ufffd\u001d\ufffd\ufffd!Q;M\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdu \ufffdC\r\ufffdm\ufffdj\ufffd\ufffd\ufffd|}T\ufffd\ufffdP\u000bP[\ufffd\ufffd~\u0005\ufffdz%\ufffd\ufffd\ufffdX\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "38b8bf1104416110ab282638cd44031d2d7dc973",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003c(\ufffd8\ufffdZ\ufffdd\ufffd $\ufffd$\ufffd\ufffd\u001d\ufffd\ufffd!Q;M\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdu \ufffdC\r\ufffdm\ufffdj\ufffd\ufffd\ufffd|}T\ufffd\ufffdP\u000bP[\ufffd\ufffd~\u0005\ufffdz%\ufffd\ufffd\ufffdX\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"tls_ja3": "2196848d251b217de8b2c037e356c11d",
"port": 18888,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffdc(\ufffd8\ufffdZ\ufffdd\ufffd $\ufffd$\ufffd\ufffd\ufffd\ufffd!Q;M\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdu \ufffdC\r\ufffdm\ufffdj\ufffd\ufffd\ufffd|}T\ufffd\ufffdPP[\ufffd\ufffd~\ufffdz%\ufffd\ufffd\ufffdX\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd_\ufffd",
"attack_vector": "postgres probe \u00b7 via TLS:18888 \u00b7 (sonde \/ probe)",
"target_port_label": "18888 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 18888,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003c(\ufffd8\ufffdZ\ufffdd\ufffd $\ufffd$\ufffd\ufffd\u001d\ufffd\ufffd!Q;M\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdu \ufffdC\r\ufffdm\ufffdj\ufffd\ufffd\ufffd|}T\ufffd\ufffdP\u000bP[\ufffd\ufffd~\u0005\ufffdz%\ufffd\ufffd\ufffdX\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"tls_ja3": "2196848d251b217de8b2c037e356c11d",
"port": 18888,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:18888 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdc(\ufffd8\ufffdZ\ufffdd\ufffd $\ufffd$\ufffd\ufffd\ufffd\ufffd!Q;M\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdu \ufffdC\r\ufffdm\ufffdj\ufffd\ufffd\ufffd|}T\ufffd\ufffdPP[\ufffd\ufffd~\ufffdz%\ufffd\ufffd\ufffdX\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd_\ufffd",
"target_port_label": "18888 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "18888"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni"
],
"asn_dc_heuristic": true
}
04/06/2026 06:06:21 UTC
TCP
6973
Sonde SSH
Élevée
Faible · 20
Détails
Voir
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
6973
Chemin / cible
—
Confiance classification
68%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-ZGrab ZGrab SSH Survey
Meta JSON brut
{
"bytes_in": 32,
"payload_entropy": 3.965018266288633,
"port_category": "registered",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "US",
"dst_port": 6973,
"risk_waf": 8,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 5,
"risk_breakdown": {
"waf": 8,
"classification": 30,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0
},
"risk_score": 20,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "4ccb8801e1ba73820f3e74b4d7233137db160299",
"event_fingerprint": "5e76df57e4180f88abdfd5e1e225f9fcb6943a2b",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "84c6534ee254dde0af32266cdff575dd",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 6973,
"service": "ssh"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.68,
"classification_confidence": 0.68,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "SSH-2.0-ZGrab ZGrab SSH Survey\r\n",
"event_signature": "3bc6d62002ab2ba3ad156ea4a3b52ac041f8331b",
"ban_policy": "advisory_monitor",
"tags_list": [
"ssh_banner"
],
"asn_dc_heuristic": true
}
03/06/2026 21:31:24 UTC
TCP
22877
Scanner web
Élevée
Moyen · 44
Détails
Voir
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
23
Recommandation
Surveiller
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
22877
Chemin / cible
/
Confiance classification
95%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.0
User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 185,
"payload_entropy": 4.938089755714326,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 22877,
"risk_waf": 57.5,
"risk_classification": 48,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6.5,
"risk_breakdown": {
"waf": 57.5,
"classification": 48,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 44,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "49271c9eec5c7875def3fe3b8cc8cdde3c2f2aef",
"event_fingerprint": "32d55e0e9fd1627f7d8a4a12b45fe9f6787ec70a",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "ce3935d92be5f9290d282e51ab604b41",
"payload_hash": "408dddfd3211eda1263e9161f0d91c4d",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 22877,
"service": "http"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"confidence": 0.95,
"classification_confidence": 0.95,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/ HTTP\/1.0\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks",
"event_signature": "4066b26e260c9cb5ad9e47ac8517c51135a8ec66",
"ban_policy": "advisory_monitor",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"http_ua_disclosed_scanner"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 1,
"behavior_priority": 84
}
01/06/2026 09:27:12 UTC
TCP
6289
web attack
Élevée
Critique · 100
Détails
Voir
Étape
—
WAF
23
Recommandation
—
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
6289
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 185,
"payload_entropy": 4.938089755714326,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"tag_count": 4,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "043840fd4c3dabbe97cbaa95d3fd9bde249a0d4b",
"event_fingerprint": "c7379284d3cf692cf50c04a855ede72b7c9cbb7b",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
30/05/2026 17:18:28 UTC
TCP
5663
web attack
Élevée
Critique · 100
Détails
Voir
Étape
—
WAF
23
Recommandation
—
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
5663
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 185,
"payload_entropy": 4.938089755714326,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"tag_count": 4,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "ef3266e0d11338669c4901b4827a7b25f86b6326",
"event_fingerprint": "526647171ce2fe4d53f1d8fb0015a64f24012232",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
30/05/2026 01:19:39 UTC
TCP
3223
web attack
Élevée
Critique · 100
Détails
Voir
Étape
—
WAF
23
Recommandation
—
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
3223
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 185,
"payload_entropy": 4.938089755714326,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"tag_count": 4,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "f4f83051348e79696869aec58da9cce0bbc50fed",
"event_fingerprint": "3b632dc84878c5f339f18bc4e3b766e7c8021972",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
29/05/2026 16:55:36 UTC
TCP
18039
web attack
Élevée
Critique · 100
Détails
Voir
Étape
—
WAF
23
Recommandation
—
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
18039
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 185,
"payload_entropy": 4.938089755714326,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"tag_count": 4,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "150bffe02410b101bd98893887c3ba19db8e242e",
"event_fingerprint": "b2950166d5d91a6459d83e05fb5eb94de0047c6e",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
29/05/2026 01:07:05 UTC
TCP
15645
web attack
Élevée
Critique · 100
Détails
Voir
Étape
—
WAF
23
Recommandation
—
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
15645
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 185,
"payload_entropy": 4.938089755714326,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"tag_count": 4,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "07446a3206d59f12ebf60588ed4c4811a52bda0f",
"event_fingerprint": "3551dc60c34cbb973ecc86d1bf894732bebcc6ce",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
28/05/2026 05:37:55 UTC
TCP
29010
web attack
Élevée
Critique · 100
Détails
Voir
Étape
—
WAF
23
Recommandation
—
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
29010
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 185,
"payload_entropy": 4.938089755714326,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"tag_count": 4,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "b1c3d409bf439c116e34576e4ee41b86306ecccc",
"event_fingerprint": "1c2778bfa0ebd0ffcc57e29d6a941d23067e0427",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
27/05/2026 20:56:02 UTC
TCP
23230
Sonde SSH
Élevée
Élevé · 74
Détails
Étape
—
WAF
—
Recommandation
—
Tags
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
27/05/2026 08:57:35 UTC
TCP
18925
web attack
Élevée
Critique · 100
Détails
Voir
Étape
—
WAF
23
Recommandation
—
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
18925
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 185,
"payload_entropy": 4.938089755714326,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"tag_count": 4,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "58f7302b9cfd0800c461289142f6fd3dc98e42a5",
"event_fingerprint": "902ce33c7ce36542180323b37695c53ed4f96b64",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
26/05/2026 06:12:30 UTC
TCP
12581
web attack
Élevée
Critique · 100
Détails
Voir
Étape
—
WAF
23
Recommandation
—
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
12581
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 185,
"payload_entropy": 4.938089755714326,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"tag_count": 4,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "91fc5f1f5610ba505a1f3b02848fb21f2c6548db",
"event_fingerprint": "fc86b1baf91a83df48cd062982db5ece12ad197e",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
25/05/2026 05:41:36 UTC
TCP
31561
web attack
Élevée
Critique · 100
Détails
Voir
Étape
—
WAF
23
Recommandation
—
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
31561
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 185,
"payload_entropy": 4.938089755714326,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"tag_count": 4,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "876a49515d65d1da131a3d00373fd7c6910e808b",
"event_fingerprint": "242e35c83536f8c464abb621aaaf958c8b1d9674",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
24/05/2026 02:03:44 UTC
TCP
14401
web attack
Élevée
Critique · 100
Détails
Voir
Étape
—
WAF
23
Recommandation
—
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
14401
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 185,
"payload_entropy": 4.938089755714326,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"tag_count": 4,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "0b5228c9ccee6312be7b63b4a1d52cf3090c0757",
"event_fingerprint": "1b812500a29115d43e96b6dd5160be43a1c27342",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
23/05/2026 22:15:15 UTC
TCP
30022
Sonde SSH
Élevée
Élevé · 74
Détails
Étape
—
WAF
—
Recommandation
—
Tags
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
23/05/2026 21:31:19 UTC
TCP
28338
web attack
Élevée
Critique · 100
Détails
Voir
Étape
—
WAF
23
Recommandation
—
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
28338
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 185,
"payload_entropy": 4.938089755714326,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"tag_count": 4,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "4a510f8702ccd9bb224e60de6792cc166b74d460",
"event_fingerprint": "6fbfd598de553521bb9f16ba12235277875111e0",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
22/05/2026 10:25:48 UTC
TCP
2906
web attack
Élevée
Critique · 100
Détails
Voir
Étape
—
WAF
23
Recommandation
—
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
2906
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 185,
"payload_entropy": 4.938089755714326,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"tag_count": 4,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "5872851344b7a8928069470f045d2f271ef07149",
"event_fingerprint": "f02956214f791978dee208bca2fded9e4dc46af4",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
22/05/2026 02:22:16 UTC
TCP
8098
web attack
Élevée
Critique · 100
Détails
Voir
Étape
—
WAF
23
Recommandation
—
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8098
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": "85c47ddeb33f86ad31706848f828b6c859fd8929",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 218,
"payload_entropy": 5.113284242636005,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"tag_count": 4,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "7a5c762c533e6e38916776134397cc38dbb7d6d5",
"event_fingerprint": "de06d40bb96912f339d0e19a269a65618236e19b",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
21/05/2026 12:53:01 UTC
TCP
2808
web attack
Élevée
Critique · 100
Détails
Voir
Étape
—
WAF
23
Recommandation
—
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
2808
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": "eccf34a7d04a09696881d5b7ebf732f67100dbcd",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 218,
"payload_entropy": 5.104109930709399,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"tag_count": 4,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "e94d624a45cf47677af2ea15d41523c3fefc2a95",
"event_fingerprint": "8e8eb5d16ac4de9482c3e9567837d93d0b96f869",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}