{"ip":"147.185.133.136","exported_at":"2026-06-20T11:52:56+00:00","period_days":30,"metrics":{"events7d":6,"distinct_ports":5,"distinct_classifications":2,"max_severity":4,"last_sensor_id":"paris-1","max_waf_score":23,"max_risk_score":100,"attack_stage":"probe","attack_chain_stage":"reconnaissance","threat_family":["disclosed_scanner"],"recommended_action":"monitor","confidence":1,"risk_breakdown":{"waf":57.5,"classification":42,"behavior":0,"geo":40,"protocol":35,"novelty":25},"mitre_tactics":["TA0007","TA0001"],"mitre_technique":"T1595","top_mitre_technique":"T1595","top_mitre_count":4,"executive_one_liner_fr":"Activit\u00e9 suspecte \u00b7 risque 47\/100","campaign_hint_fr":"Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (147.185.133.0\/24, \u22653 pairs)","confidence_breakdown":{"waf":57.5,"classification":42,"behavior":0,"geo":40,"protocol":35,"novelty":25,"risk_score":47,"correlation_boost":10},"persona_hostname":"mail.sensor-1.internal","correlation_flags":["scan_coordonn\u00e9"],"correlation_flags_labels_fr":["Scan coordonn\u00e9"],"confidence_pct":100,"confidence_hint_fr":"Corr\u00e9lation +10","sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["Scanner Palo Alto","Upstream","Waf Score"],"tags_summary":["INT-scanner-palo-alto","INT-upstream","INT-waf-score"],"attack_vector":"web scanner \u00b7 via HTTP:9226 \u00b7 (sonde \/ probe)","protocol_details":{"http_method":"GET","http_path":"\/","request_line":"GET \/ HTTP\/1.1","http_user_agent":"Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpa\u2026","port":9226,"service":"http","service_label_fr":"HTTP"},"protocol_summary_fr":"GET \/ \u00b7 UA Hello from Palo Alto Networks, find out more ab\u2026 \u00b7 HTTP:9226","evidence_snippet":"GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9226\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-","target_port_label":"9226 \u00b7 HTTP","emulator_service":"http","confidence_reason":"Confiance 100 % \u2014 4 tag(s) WAF","classification_reason":"User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%","classification_reason_label_fr":"User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%","confidence_factors_fr":"Confiance 100 % \u2014 Score WAF 57 \u00b7 Bonus corr\u00e9lation +10 \u00b7 4 tag(s) WAF","payload_preview":"GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9226\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-"},"events":[{"id":9721641,"ip":"147.185.133.136","ts":"2026-06-20 05:42:07.000000","proto":"tcp","src_port":57378,"dst_port":9226,"service":"http","classification":"web_scanner","waf_score":23,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022689bfbab10519e1ecf247982c128c7460ee59d4d\u0022, \u0022http_host_hash\u0022: \u00224b58cc9ef5df334d1191c97425fdf7566df18704\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 218, \u0022payload_entropy\u0022: 5.100647144002227, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9226, \u0022risk_waf\u0022: 57.5, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 57.5, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b48b0c2b40cf66ec57756d6517183da29b77d438\u0022, \u0022event_fingerprint\u0022: \u0022bbb2b4a9ad4990d94e8dd185ca75763d2442408e\u0022, \u0022classification_reason\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022INT-scanner-palo-alto\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-scanner-palo-alto\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0460\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022UA Palo Alto Networks\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0460\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 57.5, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 47, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022ce3935d92be5f9290d282e51ab604b41\u0022, \u0022payload_hash\u0022: \u0022e6f2bf1a23a305cd2385ff775992c2f8\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9226, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9226\\r\\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9226\\r\\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9226\\r\\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9226\\r\\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9226\\r\\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-\u0022, \u0022classification_reason\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1595\u0022], \u0022mitre\u0022: \u0022T1595\u0022, \u0022threat_family\u0022: [\u0022disclosed_scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220b31ab9821f3c8a7ed3216dfe5f32b82838e2b5a\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpa\u2026\u0022, \u0022port\u0022: 9226, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9226\\r\\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-\u0022, \u0022attack_vector\u0022: \u0022web scanner \u00b7 via HTTP:9226 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229226 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 57.5, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 47, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9226, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-scanner-palo-alto\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Scanner Palo Alto\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1595\u0022, \u0022mitre_technique\u0022: \u0022T1595\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpa\u2026\u0022, \u0022port\u0022: 9226, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022web scanner \u00b7 via HTTP:9226 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9226\\r\\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-\u0022, \u0022target_port_label\u0022: \u00229226 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 57 \u00b7 Bonus corr\u00e9lation +10 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (147.185.133.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229226\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u0022147.185.133.0\/24\u0022, \u0022coordinated_ip_count\u0022: 3, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_ua_disclosed_scanner\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9226","http_user_agent":"Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_ua_disclosed_scanner\u0022]","anomalies":"[]","severity":3,"bytes_in":218},{"id":9681595,"ip":"147.185.133.136","ts":"2026-06-19 21:29:28.000000","proto":"tcp","src_port":50771,"dst_port":22311,"service":"http","classification":"web_scanner","waf_score":23,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022689bfbab10519e1ecf247982c128c7460ee59d4d\u0022, \u0022http_host_hash\u0022: null, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 185, \u0022payload_entropy\u0022: 4.938089755714326, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 22311, \u0022risk_waf\u0022: 57.5, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 57.5, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f5746b93c7b9b1cdd4ec7b2eae0b32e9ffc9db\u0022, \u0022event_fingerprint\u0022: \u0022b8b876172276b5b28c0db85e137360a8969dd88a\u0022, \u0022classification_reason\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022INT-scanner-palo-alto\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-scanner-palo-alto\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0460\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022UA Palo Alto Networks\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0460\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 57.5, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022ce3935d92be5f9290d282e51ab604b41\u0022, \u0022payload_hash\u0022: \u0022408dddfd3211eda1263e9161f0d91c4d\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22311, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks\u0022, \u0022classification_reason\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1595\u0022], \u0022mitre\u0022: \u0022T1595\u0022, \u0022threat_family\u0022: [\u0022disclosed_scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002259a48fb027e2725b5d24671d8d21d9f14fdfd376\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpa\u2026\u0022, \u0022port\u0022: 22311, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks\u0022, \u0022attack_vector\u0022: \u0022web scanner \u00b7 via HTTP:22311 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222311 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 57.5, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 22311, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-scanner-palo-alto\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Scanner Palo Alto\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1595\u0022, \u0022mitre_technique\u0022: \u0022T1595\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpa\u2026\u0022, \u0022port\u0022: 22311, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022web scanner \u00b7 via HTTP:22311 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks\u0022, \u0022target_port_label\u0022: \u002222311 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 57 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222311\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_ua_disclosed_scanner\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":null,"http_user_agent":"Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_ua_disclosed_scanner\u0022]","anomalies":"[]","severity":3,"bytes_in":185},{"id":9583508,"ip":"147.185.133.136","ts":"2026-06-18 14:16:16.000000","proto":"tcp","src_port":63556,"dst_port":3977,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u00222196848d251b217de8b2c037e356c11d\u0022, \u0022tls_sni\u0022: null, \u0022bytes_in\u0022: 1483, \u0022payload_entropy\u0022: 7.729676494735662, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 3977, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002225efff1fd8db9da2625037f717b5eda28434e440\u0022, \u0022event_fingerprint\u0022: \u0022291e1a5831460c0a48228d1422d89fd3676e924a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u00222196848d251b217de8b2c037e356c11d\u0022, \u0022payload_hash\u0022: \u0022212ed2d7045ab2115e8cbb74e46f0596\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3977, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\ufffd\ufffd8\\u0013(I)\ufffd]@W\ufffd\\u0018\ufffdV\ufffd#v\\u0014\u00fen\ufffd\ufffd_\ufffd\\u0019)\ufffdY` _i4\ufffd\\n2\u0360:\ufffd~p\ufffd\ufffd77\ufffd\u0027v;\ufffdc]y\ufffd}\ufffd\\u0000\ufffd\ufffd\ufffd0\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005_\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\ufffd\ufffd8\\u0013(I)\ufffd]@W\ufffd\\u0018\ufffdV\ufffd#v\\u0014\u00fen\ufffd\ufffd_\ufffd\\u0019)\ufffdY` _i4\ufffd\\n2\u0360:\ufffd~p\ufffd\ufffd77\ufffd\u0027v;\ufffdc]y\ufffd}\ufffd\\u0000\ufffd\ufffd\ufffd0\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005_\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\f\\u0000\\n\\u0011\ufffd\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\r\\u0000\\u0016\\u0000\\u0014\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u00002\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0004\ufffd\\u0004\ufffd\\u0011\ufffd\\u0004\ufffd\u32b8\ufffd\ufffd\\u0004\ufffd\ufffd4\\u001c\u0026\\u001b\ufffd\ufffd\ufffdC\\u0012\ufffd7\ufffd9\\u0010\\u0001\ufffd\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\ufffd\ufffd8\\u0013(I)\ufffd]@W\ufffd\\u0018\ufffdV\ufffd#v\\u0014\u00fen\ufffd\ufffd_\ufffd\\u0019)\ufffdY` _i4\ufffd\\n2\u0360:\ufffd~p\ufffd\ufffd77\ufffd\u0027v;\ufffdc]y\ufffd}\ufffd\\u0000\ufffd\ufffd\ufffd0\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005_\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e54ef133feb3dd0dbc3c3c8b37529fa03391d856\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\ufffd\ufffd8\\u0013(I)\ufffd]@W\ufffd\\u0018\ufffdV\ufffd#v\\u0014\u00fen\ufffd\ufffd_\ufffd\\u0019)\ufffdY` _i4\ufffd\\n2\u0360:\ufffd~p\ufffd\ufffd77\ufffd\u0027v;\ufffdc]y\ufffd}\ufffd\\u0000\ufffd\ufffd\ufffd0\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005_\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u00222196848d251b217de8b2c037e356c11d\u0022, \u0022port\u0022: 3977, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd8(I)\ufffd]@W\ufffd\ufffdV\ufffd#v\u00fen\ufffd\ufffd_\ufffd)\ufffdY` _i4\ufffd\\n2\u0360:\ufffd~p\ufffd\ufffd77\ufffd\u0027v;\ufffdc]y\ufffd}\ufffd\ufffd\ufffd\ufffd0\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd_\ufffd\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:3977 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223977 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 3977, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\ufffd\ufffd8\\u0013(I)\ufffd]@W\ufffd\\u0018\ufffdV\ufffd#v\\u0014\u00fen\ufffd\ufffd_\ufffd\\u0019)\ufffdY` _i4\ufffd\\n2\u0360:\ufffd~p\ufffd\ufffd77\ufffd\u0027v;\ufffdc]y\ufffd}\ufffd\\u0000\ufffd\ufffd\ufffd0\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005_\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u00222196848d251b217de8b2c037e356c11d\u0022, \u0022port\u0022: 3977, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:3977 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd8(I)\ufffd]@W\ufffd\ufffdV\ufffd#v\u00fen\ufffd\ufffd_\ufffd)\ufffdY` _i4\ufffd\\n2\u0360:\ufffd~p\ufffd\ufffd77\ufffd\u0027v;\ufffdc]y\ufffd}\ufffd\ufffd\ufffd\ufffd0\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd_\ufffd\u0022, \u0022target_port_label\u0022: \u00223977 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223977\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"2196848d251b217de8b2c037e356c11d","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-4865-4866-4867,11-65281-23-18-5-10-13-50-43-51,4588-29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]","anomalies":"[]","severity":2,"bytes_in":1483},{"id":9583509,"ip":"147.185.133.136","ts":"2026-06-18 14:16:16.000000","proto":"tcp","src_port":63566,"dst_port":3977,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u0022795bc7ce13f60d61e9ac03611dd36d90\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 29, \u0022bytes_in\u0022: 207, \u0022payload_entropy\u0022: 4.944079604614147, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 3977, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221d751d67bad2b0e3c7191de1927b07bb5950ad8f\u0022, \u0022event_fingerprint\u0022: \u00229854935d5d681acd89202019b337c0c0e5465230\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u0022795bc7ce13f60d61e9ac03611dd36d90\u0022, \u0022payload_hash\u0022: \u00221225fc2b67e32d8e988df62cf2f58164\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u0022bcc542a5296d13201e694c8f5aa448d9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 52, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,52244-52243-49199-49195-49200-49196-49169-49159-49191-49187-49171-49161-49192-49188-49172-49162-52245-158-159-103-107-51-57-156-157-5-4-60-61-47-53-49170-22-10-3-8-6-20-17-25-23-50-49160-18-19-21-56-64-102-106-162-163,5-10-11-13-65281-15,23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u0022bcc542a5296d13201e694c8f5aa448d9\u0022, \u0022tls_ja4\u0022: \u0022t13d0152_4fb103f5e16c_40d2e578a3e2\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 52, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 3977, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdq\ufffd)\ufffd\ufffd\ufffdj\ufffdU\ufffdD\ufffd\\u0011M\ufffdn\\u0010}5\\u0012\ufffd\u05df\ufffd\ufffdW\ufffdQ\ufffd)\\u0000\\u0000h\ufffd\\u0014\ufffd\\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\\u0011\ufffd\\u0007\ufffd\u0027\ufffd#\ufffd\\u0013\ufffd\\t\ufffd(\ufffd$\ufffd\\u0014\ufffd\\n\ufffd\\u0015\\u0000\ufffd\\u0000\ufffd\\u0000g\\u0000k\\u00003\\u00009\\u0000\ufffd\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\u003C\\u0000=\\u0000\/\\u00005\ufffd\\u0012\\u0000\\u0016\\u0000\\n\\u0000\\u0003\\u0000\\b\\u0000\\u0006\\u0000\\u0014\\u0000\\u0011\\u0000\\u0019\\u0000\\u0017\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdq\ufffd)\ufffd\ufffd\ufffdj\ufffdU\ufffdD\ufffd\\u0011M\ufffdn\\u0010}5\\u0012\ufffd\u05df\ufffd\ufffdW\ufffdQ\ufffd)\\u0000\\u0000h\ufffd\\u0014\ufffd\\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\\u0011\ufffd\\u0007\ufffd\u0027\ufffd#\ufffd\\u0013\ufffd\\t\ufffd(\ufffd$\ufffd\\u0014\ufffd\\n\ufffd\\u0015\\u0000\ufffd\\u0000\ufffd\\u0000g\\u0000k\\u00003\\u00009\\u0000\ufffd\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\u003C\\u0000=\\u0000\/\\u00005\ufffd\\u0012\\u0000\\u0016\\u0000\\n\\u0000\\u0003\\u0000\\b\\u0000\\u0006\\u0000\\u0014\\u0000\\u0011\\u0000\\u0019\\u0000\\u0017\\u00002\ufffd\\b\\u0000\\u0012\\u0000\\u0013\\u0000\\u0015\\u00008\\u0000@\\u0000f\\u0000j\\u0000\ufffd\\u0000\ufffd\\u0001\\u0000\\u00005\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\f\\u0000\\n\\u0004\\u0001\\u0004\\u0003\\u0002\\u0001\\u0002\\u0003\\u0002\\u0002\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u000f\\u0000\\u0001\\u0001\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdq\ufffd)\ufffd\ufffd\ufffdj\ufffdU\ufffdD\ufffd\\u0011M\ufffdn\\u0010}5\\u0012\ufffd\u05df\ufffd\ufffdW\ufffdQ\ufffd)\\u0000\\u0000h\ufffd\\u0014\ufffd\\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\\u0011\ufffd\\u0007\ufffd\u0027\ufffd#\ufffd\\u0013\ufffd\\t\ufffd(\ufffd$\ufffd\\u0014\ufffd\\n\ufffd\\u0015\\u0000\ufffd\\u0000\ufffd\\u0000g\\u0000k\\u00003\\u00009\\u0000\ufffd\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\u003C\\u0000=\\u0000\/\\u00005\ufffd\\u0012\\u0000\\u0016\\u0000\\n\\u0000\\u0003\\u0000\\b\\u0000\\u0006\\u0000\\u0014\\u0000\\u0011\\u0000\\u0019\\u0000\\u0017\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221511a462a288ed56107ea2a49243766ffe4a7434\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdq\ufffd)\ufffd\ufffd\ufffdj\ufffdU\ufffdD\ufffd\\u0011M\ufffdn\\u0010}5\\u0012\ufffd\u05df\ufffd\ufffdW\ufffdQ\ufffd)\\u0000\\u0000h\ufffd\\u0014\ufffd\\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\\u0011\ufffd\\u0007\ufffd\u0027\ufffd#\ufffd\\u0013\ufffd\\t\ufffd(\ufffd$\ufffd\\u0014\ufffd\\n\ufffd\\u0015\\u0000\ufffd\\u0000\ufffd\\u0000g\\u0000k\\u00003\\u00009\\u0000\ufffd\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\u003C\\u0000=\\u0000\/\\u00005\ufffd\\u0012\\u0000\\u0016\\u0000\\n\\u0000\\u0003\\u0000\\b\\u0000\\u0006\\u0000\\u0014\\u0000\\u0011\\u0000\\u0019\\u0000\\u0017\u0022, \u0022tls_ja3\u0022: \u0022795bc7ce13f60d61e9ac03611dd36d90\u0022, \u0022tls_ja4\u0022: \u0022bcc542a5296d13201e694c8f5aa448d9\u0022, \u0022port\u0022: 3977, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdq\ufffd)\ufffd\ufffd\ufffdj\ufffdU\ufffdD\ufffdM\ufffdn}5\ufffd\u05df\ufffd\ufffdW\ufffdQ\ufffd)h\ufffd\ufffd\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\ufffd\ufffd\u0027\ufffd#\ufffd\ufffd\\t\ufffd(\ufffd$\ufffd\ufffd\\n\ufffd\ufffd\ufffdgk39\ufffd\ufffd\u003C=\/5\ufffd\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:3977 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223977 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 3977, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdq\ufffd)\ufffd\ufffd\ufffdj\ufffdU\ufffdD\ufffd\\u0011M\ufffdn\\u0010}5\\u0012\ufffd\u05df\ufffd\ufffdW\ufffdQ\ufffd)\\u0000\\u0000h\ufffd\\u0014\ufffd\\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\\u0011\ufffd\\u0007\ufffd\u0027\ufffd#\ufffd\\u0013\ufffd\\t\ufffd(\ufffd$\ufffd\\u0014\ufffd\\n\ufffd\\u0015\\u0000\ufffd\\u0000\ufffd\\u0000g\\u0000k\\u00003\\u00009\\u0000\ufffd\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\u003C\\u0000=\\u0000\/\\u00005\ufffd\\u0012\\u0000\\u0016\\u0000\\n\\u0000\\u0003\\u0000\\b\\u0000\\u0006\\u0000\\u0014\\u0000\\u0011\\u0000\\u0019\\u0000\\u0017\u0022, \u0022tls_ja3\u0022: \u0022795bc7ce13f60d61e9ac03611dd36d90\u0022, \u0022tls_ja4\u0022: \u0022bcc542a5296d13201e694c8f5aa448d9\u0022, \u0022port\u0022: 3977, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:3977 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdq\ufffd)\ufffd\ufffd\ufffdj\ufffdU\ufffdD\ufffdM\ufffdn}5\ufffd\u05df\ufffd\ufffdW\ufffdQ\ufffd)h\ufffd\ufffd\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\ufffd\ufffd\u0027\ufffd#\ufffd\ufffd\\t\ufffd(\ufffd$\ufffd\ufffd\\n\ufffd\ufffd\ufffdgk39\ufffd\ufffd\u003C=\/5\ufffd\u0022, \u0022target_port_label\u0022: \u00223977 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223977\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"795bc7ce13f60d61e9ac03611dd36d90","tls_ja3":"771,52244-52243-49199-49195-49200-49196-49169-49159-49191-49187-49171-49161-49192-49188-49172-49162-52245-158-159-103-107-51-57-156-157-5-4-60-61-47-53-49170-22-10-3-8-6-20-17-25-23-50-49160-18-19-21-56-64-102-106-162-163,5-10-11-13-65281-15,23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":207},{"id":9391282,"ip":"147.185.133.136","ts":"2026-06-16 14:12:30.000000","proto":"tcp","src_port":50688,"dst_port":16527,"service":"http","classification":"web_scanner","waf_score":23,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022689bfbab10519e1ecf247982c128c7460ee59d4d\u0022, \u0022http_host_hash\u0022: null, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 185, \u0022payload_entropy\u0022: 4.938089755714326, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 16527, \u0022risk_waf\u0022: 57.5, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 57.5, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002251704846f9f16529f74dff4826535f624cd6afb2\u0022, \u0022event_fingerprint\u0022: \u002240a9caf51e360e55e2d1f3034c42ac7ba909b4a2\u0022, \u0022classification_reason\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022INT-scanner-palo-alto\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-scanner-palo-alto\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0460\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022UA Palo Alto Networks\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0460\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 57.5, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 47, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022ce3935d92be5f9290d282e51ab604b41\u0022, \u0022payload_hash\u0022: \u0022408dddfd3211eda1263e9161f0d91c4d\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 16527, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks\u0022, \u0022classification_reason\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1595\u0022], \u0022mitre\u0022: \u0022T1595\u0022, \u0022threat_family\u0022: [\u0022disclosed_scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002213dddccb33f54f3e0135a984eddda5b5981d8cbb\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpa\u2026\u0022, \u0022port\u0022: 16527, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks\u0022, \u0022attack_vector\u0022: \u0022web scanner \u00b7 via HTTP:16527 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002216527 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 57.5, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 47, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 16527, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-scanner-palo-alto\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Scanner Palo Alto\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1595\u0022, \u0022mitre_technique\u0022: \u0022T1595\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpa\u2026\u0022, \u0022port\u0022: 16527, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022web scanner \u00b7 via HTTP:16527 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks\u0022, \u0022target_port_label\u0022: \u002216527 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 57 \u00b7 Bonus corr\u00e9lation +10 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (147.185.133.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002216527\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u0022147.185.133.0\/24\u0022, \u0022coordinated_ip_count\u0022: 6, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_ua_disclosed_scanner\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":null,"http_user_agent":"Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_ua_disclosed_scanner\u0022]","anomalies":"[]","severity":3,"bytes_in":185},{"id":8850593,"ip":"147.185.133.136","ts":"2026-06-13 21:13:48.000000","proto":"tcp","src_port":58354,"dst_port":9329,"service":"http","classification":"web_scanner","waf_score":23,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022689bfbab10519e1ecf247982c128c7460ee59d4d\u0022, \u0022http_host_hash\u0022: \u00229bb86361fcc12bfc4d3de44d8f168c1afb7d323e\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 218, \u0022payload_entropy\u0022: 5.098398405489966, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9329, \u0022risk_waf\u0022: 57.5, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 57.5, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a6f3c581b5e6c6a07042feb99c4e6b8ea13957c3\u0022, \u0022event_fingerprint\u0022: \u0022281c80e4e240dfb5c1bb31bca9a1961e8022fffd\u0022, \u0022classification_reason\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022INT-scanner-palo-alto\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-scanner-palo-alto\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0460\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022UA Palo Alto Networks\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0460\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 57.5, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022ce3935d92be5f9290d282e51ab604b41\u0022, \u0022payload_hash\u0022: \u0022a6b5e9cee54bd97ed38b147190a03fd3\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9329, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 48}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9329\\r\\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9329\\r\\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9329\\r\\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9329\\r\\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9329\\r\\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-\u0022, \u0022classification_reason\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1595\u0022], \u0022mitre\u0022: \u0022T1595\u0022, \u0022threat_family\u0022: [\u0022disclosed_scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002239ed4942ab7d48fcc5206a9b9640c5710016566a\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpa\u2026\u0022, \u0022port\u0022: 9329, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9329\\r\\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-\u0022, \u0022attack_vector\u0022: \u0022web scanner \u00b7 via HTTP:9329 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229329 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 57.5, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9329, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-scanner-palo-alto\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Scanner Palo Alto\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1595\u0022, \u0022mitre_technique\u0022: \u0022T1595\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpa\u2026\u0022, \u0022port\u0022: 9329, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022web scanner \u00b7 via HTTP:9329 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9329\\r\\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-\u0022, \u0022target_port_label\u0022: \u00229329 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 57 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229329\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_ua_disclosed_scanner\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9329","http_user_agent":"Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_ua_disclosed_scanner\u0022]","anomalies":"[]","severity":3,"bytes_in":218},{"id":8451289,"ip":"147.185.133.136","ts":"2026-06-07 07:16:59.000000","proto":"tcp","src_port":52123,"dst_port":23023,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 23023, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 44, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224b05a9acd5555bf30db3d6bcb3dd915e6486d966\u0022, \u0022event_fingerprint\u0022: \u00224a1da601b79412d82eab8941db3f6b6f3b68d411\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022INT-single-port\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 44}, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u002249ebffbc8eed300cf9429db1ba4cf66d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 23023, \u0022risk_score\u0022: 44}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002258403d4eb20cc4df3a4b5e832dd8921a98ff8b09\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002223023\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022probe\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":0},{"id":8368570,"ip":"147.185.133.136","ts":"2026-06-06 05:45:03.000000","proto":"tcp","src_port":53293,"dst_port":28439,"service":"http","classification":"web_scanner","waf_score":23,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022689bfbab10519e1ecf247982c128c7460ee59d4d\u0022, \u0022http_host_hash\u0022: null, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 185, \u0022payload_entropy\u0022: 4.938089755714326, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 28439, \u0022risk_waf\u0022: 57.5, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 57.5, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c3bd927aeafc918afef54e1748685227da3a30cc\u0022, \u0022event_fingerprint\u0022: \u00227125969b438439e1105fe6ec7e78a3aa5ba044ab\u0022, \u0022classification_reason\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022INT-scanner-palo-alto\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-scanner-palo-alto\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0460\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022UA Palo Alto Networks\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0460\u0022], \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022ce3935d92be5f9290d282e51ab604b41\u0022, \u0022payload_hash\u0022: \u0022408dddfd3211eda1263e9161f0d91c4d\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 28439, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks\u0022, \u0022classification_reason\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022threat_family\u0022: [\u0022disclosed_scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022987327eb9ce15104986b397779db6a382ff7471c\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_ua_disclosed_scanner\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":null,"http_user_agent":"Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_ua_disclosed_scanner\u0022]","anomalies":"[]","severity":3,"bytes_in":185},{"id":8357983,"ip":"147.185.133.136","ts":"2026-06-06 01:44:07.000000","proto":"tcp","src_port":62122,"dst_port":8520,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u00222196848d251b217de8b2c037e356c11d\u0022, \u0022tls_sni\u0022: null, \u0022bytes_in\u0022: 1483, \u0022payload_entropy\u0022: 7.707915461360728, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 8520, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 23, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b8eb14f396cc21b5c20bb6af2e94da2341e42165\u0022, \u0022event_fingerprint\u0022: \u0022776cd2f435e35495aad23ebda10bb887afbb49d2\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u00222196848d251b217de8b2c037e356c11d\u0022, \u0022payload_hash\u0022: \u002239dd0520a007472babb8713a7be7aafa\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8520, \u0022service\u0022: \u0022tls\u0022}, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003tC\ufffdu\u003C\ufffdi_\ufffd\ufffd\ufffdP\ufffdy\u003E\ufffd\ufffd\u023d\\u0000U3\ufffd\\u0000\u01463p\ufffd\ufffd\ufffd p\ufffd=\u003Ez\ufffdv\ufffd\ufffd\\u0006V\ufffd\ufffd\u0449KIn\\u0007\ufffde\ufffd\ufffd\ufffd\u038b*s\ufffd\ufffd\ufffdb\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005_\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003tC\ufffdu\u003C\ufffdi_\ufffd\ufffd\ufffdP\ufffdy\u003E\ufffd\ufffd\u023d\\u0000U3\ufffd\\u0000\u01463p\ufffd\ufffd\ufffd p\ufffd=\u003Ez\ufffdv\ufffd\ufffd\\u0006V\ufffd\ufffd\u0449KIn\\u0007\ufffde\ufffd\ufffd\ufffd\u038b*s\ufffd\ufffd\ufffdb\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005_\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\f\\u0000\\n\\u0011\ufffd\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\r\\u0000\\u0016\\u0000\\u0014\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u00002\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0004\ufffd\\u0004\ufffd\\u0011\ufffd\\u0004\ufffd\ufffd\u058c!a\ufffd:h\ufffd\ufffd\\u0010( \ufffd\ufffd,\ufffdu?\\u0012y\ufffdG-\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003tC\ufffdu\u003C\ufffdi_\ufffd\ufffd\ufffdP\ufffdy\u003E\ufffd\ufffd\u023d\\u0000U3\ufffd\\u0000\u01463p\ufffd\ufffd\ufffd p\ufffd=\u003Ez\ufffdv\ufffd\ufffd\\u0006V\ufffd\ufffd\u0449KIn\\u0007\ufffde\ufffd\ufffd\ufffd\u038b*s\ufffd\ufffd\ufffdb\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005_\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003tC\ufffdu\u003C\ufffdi_\ufffd\ufffd\ufffdP\ufffdy\u003E\ufffd\ufffd\u023d\\u0000U3\ufffd\\u0000\u01463p\ufffd\ufffd\ufffd p\ufffd=\u003Ez\ufffdv\ufffd\ufffd\\u0006V\ufffd\ufffd\u0449KIn\\u0007\ufffde\ufffd\ufffd\ufffd\u038b*s\ufffd\ufffd\ufffdb\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005_\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\f\\u0000\\n\\u0011\ufffd\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\r\\u0000\\u0016\\u0000\\u0014\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u00002\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0004\ufffd\\u0004\ufffd\\u0011\ufffd\\u0004\ufffd\ufffd\u058c!a\ufffd:h\ufffd\ufffd\\u0010( \ufffd\ufffd,\ufffdu?\\u0012y\ufffdG-\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003tC\ufffdu\u003C\ufffdi_\ufffd\ufffd\ufffdP\ufffdy\u003E\ufffd\ufffd\u023d\\u0000U3\ufffd\\u0000\u01463p\ufffd\ufffd\ufffd p\ufffd=\u003Ez\ufffdv\ufffd\ufffd\\u0006V\ufffd\ufffd\u0449KIn\\u0007\ufffde\ufffd\ufffd\ufffd\u038b*s\ufffd\ufffd\ufffdb\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005_\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002215cbc04f600e566e250bbe3180d6245671d25a56\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"2196848d251b217de8b2c037e356c11d","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-4865-4866-4867,11-65281-23-18-5-10-13-50-43-51,4588-29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]","anomalies":"[]","severity":2,"bytes_in":1483},{"id":8357984,"ip":"147.185.133.136","ts":"2026-06-06 01:44:07.000000","proto":"tcp","src_port":62138,"dst_port":8520,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u0022795bc7ce13f60d61e9ac03611dd36d90\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 29, \u0022bytes_in\u0022: 207, \u0022payload_entropy\u0022: 4.869412806549816, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 8520, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 29, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002217dc56bd7a9d951a332449ae80596763405791cc\u0022, \u0022event_fingerprint\u0022: \u0022eacdae14c51312710fca60f0ae2518241d18ad16\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u0022795bc7ce13f60d61e9ac03611dd36d90\u0022, \u0022payload_hash\u0022: \u00221ec071842fd5a79db2b794bbadecb722\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8520, \u0022service\u0022: \u0022tls\u0022}, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u001f, H\\u0001Y\ufffd\ufffd\ufffd\\rS\ufffd2\\u001e\\u0004\\r,3#+\ufffd\ufffd \ufffdl\ufffd\ufffd\ufffd\ufffd\\\u0022\ufffd\\u0000\\u0000h\ufffd\\u0014\ufffd\\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\\u0011\ufffd\\u0007\ufffd\u0027\ufffd#\ufffd\\u0013\ufffd\\t\ufffd(\ufffd$\ufffd\\u0014\ufffd\\n\ufffd\\u0015\\u0000\ufffd\\u0000\ufffd\\u0000g\\u0000k\\u00003\\u00009\\u0000\ufffd\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\u003C\\u0000=\\u0000\/\\u00005\ufffd\\u0012\\u0000\\u0016\\u0000\\n\\u0000\\u0003\\u0000\\b\\u0000\\u0006\\u0000\\u0014\\u0000\\u0011\\u0000\\u0019\\u0000\\u0017\u0022, \u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u001f, H\\u0001Y\ufffd\ufffd\ufffd\\rS\ufffd2\\u001e\\u0004\\r,3#+\ufffd\ufffd \ufffdl\ufffd\ufffd\ufffd\ufffd\\\u0022\ufffd\\u0000\\u0000h\ufffd\\u0014\ufffd\\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\\u0011\ufffd\\u0007\ufffd\u0027\ufffd#\ufffd\\u0013\ufffd\\t\ufffd(\ufffd$\ufffd\\u0014\ufffd\\n\ufffd\\u0015\\u0000\ufffd\\u0000\ufffd\\u0000g\\u0000k\\u00003\\u00009\\u0000\ufffd\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\u003C\\u0000=\\u0000\/\\u00005\ufffd\\u0012\\u0000\\u0016\\u0000\\n\\u0000\\u0003\\u0000\\b\\u0000\\u0006\\u0000\\u0014\\u0000\\u0011\\u0000\\u0019\\u0000\\u0017\\u00002\ufffd\\b\\u0000\\u0012\\u0000\\u0013\\u0000\\u0015\\u00008\\u0000@\\u0000f\\u0000j\\u0000\ufffd\\u0000\ufffd\\u0001\\u0000\\u00005\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\f\\u0000\\n\\u0004\\u0001\\u0004\\u0003\\u0002\\u0001\\u0002\\u0003\\u0002\\u0002\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u000f\\u0000\\u0001\\u0001\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u001f, H\\u0001Y\ufffd\ufffd\ufffd\\rS\ufffd2\\u001e\\u0004\\r,3#+\ufffd\ufffd \ufffdl\ufffd\ufffd\ufffd\ufffd\\\u0022\ufffd\\u0000\\u0000h\ufffd\\u0014\ufffd\\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\\u0011\ufffd\\u0007\ufffd\u0027\ufffd#\ufffd\\u0013\ufffd\\t\ufffd(\ufffd$\ufffd\\u0014\ufffd\\n\ufffd\\u0015\\u0000\ufffd\\u0000\ufffd\\u0000g\\u0000k\\u00003\\u00009\\u0000\ufffd\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\u003C\\u0000=\\u0000\/\\u00005\ufffd\\u0012\\u0000\\u0016\\u0000\\n\\u0000\\u0003\\u0000\\b\\u0000\\u0006\\u0000\\u0014\\u0000\\u0011\\u0000\\u0019\\u0000\\u0017\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u001f, H\\u0001Y\ufffd\ufffd\ufffd\\rS\ufffd2\\u001e\\u0004\\r,3#+\ufffd\ufffd \ufffdl\ufffd\ufffd\ufffd\ufffd\\\u0022\ufffd\\u0000\\u0000h\ufffd\\u0014\ufffd\\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\\u0011\ufffd\\u0007\ufffd\u0027\ufffd#\ufffd\\u0013\ufffd\\t\ufffd(\ufffd$\ufffd\\u0014\ufffd\\n\ufffd\\u0015\\u0000\ufffd\\u0000\ufffd\\u0000g\\u0000k\\u00003\\u00009\\u0000\ufffd\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\u003C\\u0000=\\u0000\/\\u00005\ufffd\\u0012\\u0000\\u0016\\u0000\\n\\u0000\\u0003\\u0000\\b\\u0000\\u0006\\u0000\\u0014\\u0000\\u0011\\u0000\\u0019\\u0000\\u0017\\u00002\ufffd\\b\\u0000\\u0012\\u0000\\u0013\\u0000\\u0015\\u00008\\u0000@\\u0000f\\u0000j\\u0000\ufffd\\u0000\ufffd\\u0001\\u0000\\u00005\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\f\\u0000\\n\\u0004\\u0001\\u0004\\u0003\\u0002\\u0001\\u0002\\u0003\\u0002\\u0002\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u000f\\u0000\\u0001\\u0001\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u001f, H\\u0001Y\ufffd\ufffd\ufffd\\rS\ufffd2\\u001e\\u0004\\r,3#+\ufffd\ufffd \ufffdl\ufffd\ufffd\ufffd\ufffd\\\u0022\ufffd\\u0000\\u0000h\ufffd\\u0014\ufffd\\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\\u0011\ufffd\\u0007\ufffd\u0027\ufffd#\ufffd\\u0013\ufffd\\t\ufffd(\ufffd$\ufffd\\u0014\ufffd\\n\ufffd\\u0015\\u0000\ufffd\\u0000\ufffd\\u0000g\\u0000k\\u00003\\u00009\\u0000\ufffd\\u0000\ufffd\\u0000\\u0005\\u0000\\u0004\\u0000\u003C\\u0000=\\u0000\/\\u00005\ufffd\\u0012\\u0000\\u0016\\u0000\\n\\u0000\\u0003\\u0000\\b\\u0000\\u0006\\u0000\\u0014\\u0000\\u0011\\u0000\\u0019\\u0000\\u0017\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228ad323d883695cf676329d3447b7598f4d442c5d\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"795bc7ce13f60d61e9ac03611dd36d90","tls_ja3":"771,52244-52243-49199-49195-49200-49196-49169-49159-49191-49187-49171-49161-49192-49188-49172-49162-52245-158-159-103-107-51-57-156-157-5-4-60-61-47-53-49170-22-10-3-8-6-20-17-25-23-50-49160-18-19-21-56-64-102-106-162-163,5-10-11-13-65281-15,23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":207},{"id":8167521,"ip":"147.185.133.136","ts":"2026-06-03 21:36:59.000000","proto":"tcp","src_port":50444,"dst_port":27353,"service":"http","classification":"web_scanner","waf_score":23,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022689bfbab10519e1ecf247982c128c7460ee59d4d\u0022, \u0022http_host_hash\u0022: null, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 185, \u0022payload_entropy\u0022: 4.938089755714326, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 27353, \u0022risk_waf\u0022: 57.5, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 57.5, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 41, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ee72cc9cc50e03b715829c58e45a9a20bbadc137\u0022, \u0022event_fingerprint\u0022: \u002287e0edfcca58dd442ee2c4bd1a0c0bbc72045db5\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022ce3935d92be5f9290d282e51ab604b41\u0022, \u0022payload_hash\u0022: \u0022408dddfd3211eda1263e9161f0d91c4d\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 27353, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022threat_family\u0022: [\u0022disclosed_scanner\u0022], \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks\u0022, \u0022event_signature\u0022: \u00226cf55baee6a04df8c4e253be4eeaec4ab4e8182f\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_ua_disclosed_scanner\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":null,"http_user_agent":"Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_ua_disclosed_scanner\u0022]","anomalies":"[]","severity":3,"bytes_in":185},{"id":8161098,"ip":"147.185.133.136","ts":"2026-06-03 17:14:43.000000","proto":"tcp","src_port":51310,"dst_port":4153,"service":"http","classification":"web_attack","waf_score":23,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022689bfbab10519e1ecf247982c128c7460ee59d4d\u0022, \u0022http_host_hash\u0022: null, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 185, \u0022payload_entropy\u0022: 4.938089755714326, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022US\u0022, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 100.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 100.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 66, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b88e3f4d464d718f8838c404f1d2b1fd9c37c34c\u0022, \u0022event_fingerprint\u0022: \u00225f076aaf822914d3053abfedfdd3294b1a05fcb1\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022ce3935d92be5f9290d282e51ab604b41\u0022, \u0022payload_hash\u0022: \u0022408dddfd3211eda1263e9161f0d91c4d\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 4153, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks\u0022, \u0022event_signature\u0022: \u00223a7b3582e26728e24ffeb93554d917dff5a9e910\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":null,"http_user_agent":"Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":10,"bytes_in":185},{"id":8147357,"ip":"147.185.133.136","ts":"2026-06-01 17:50:47.000000","proto":"tcp","src_port":51828,"dst_port":24851,"service":"http","classification":"web_attack","waf_score":23,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022689bfbab10519e1ecf247982c128c7460ee59d4d\u0022, \u0022http_host_hash\u0022: null, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 185, \u0022payload_entropy\u0022: 4.938089755714326, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022US\u0022, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 100, \u0022campaign_key\u0022: \u00225c2157b512d1a6c11f1cdfd3a9a7999cda95b9cc\u0022, \u0022event_fingerprint\u0022: \u00223f8c57f40bbc0299e2e53cb1442d49cca18d6ed5\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":null,"http_user_agent":"Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":10,"bytes_in":185},{"id":8016296,"ip":"147.185.133.136","ts":"2026-05-30 23:13:48.000000","proto":"tcp","src_port":52433,"dst_port":12424,"service":"http","classification":"web_attack","waf_score":23,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022689bfbab10519e1ecf247982c128c7460ee59d4d\u0022, \u0022http_host_hash\u0022: null, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 185, \u0022payload_entropy\u0022: 4.938089755714326, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022US\u0022, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 100, \u0022campaign_key\u0022: \u00227ec8cd46405ce2cf59a15600ccb425cc8ec7596c\u0022, \u0022event_fingerprint\u0022: \u0022855b91ecc419e3ceb8fe902fa53e49026a649ecd\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":null,"http_user_agent":"Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":10,"bytes_in":185},{"id":7983713,"ip":"147.185.133.136","ts":"2026-05-30 07:31:10.000000","proto":"tcp","src_port":60394,"dst_port":9077,"service":"http","classification":"web_attack","waf_score":23,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022689bfbab10519e1ecf247982c128c7460ee59d4d\u0022, \u0022http_host_hash\u0022: \u00223762ce37cd08411e43b637946925d082a1979f33\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 218, \u0022payload_entropy\u0022: 5.113284242636005, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022US\u0022, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 100, \u0022campaign_key\u0022: \u00224869b7d55d9d358703836dea2445aaa856f545d2\u0022, \u0022event_fingerprint\u0022: \u002299fd69b65421eafcbfbdaf7b1983815efacfe88b\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9077","http_user_agent":"Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":10,"bytes_in":218},{"id":7949781,"ip":"147.185.133.136","ts":"2026-05-29 18:31:05.000000","proto":"tcp","src_port":58626,"dst_port":9281,"service":"http","classification":"web_attack","waf_score":23,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022689bfbab10519e1ecf247982c128c7460ee59d4d\u0022, \u0022http_host_hash\u0022: \u0022e4e3a7696f1434cf2337a2ebdcad9a27cc3039a0\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 218, \u0022payload_entropy\u0022: 5.107572717416572, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022US\u0022, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 100, \u0022campaign_key\u0022: \u0022503e18328b6c1e56d7eaec81e679adae8fb4f793\u0022, \u0022event_fingerprint\u0022: \u0022f180f5c44daab4784da9185adbbae0367717d6d6\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9281","http_user_agent":"Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":10,"bytes_in":218},{"id":7922234,"ip":"147.185.133.136","ts":"2026-05-29 05:30:01.000000","proto":"tcp","src_port":59546,"dst_port":13416,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u00222196848d251b217de8b2c037e356c11d\u0022, \u0022tls_sni\u0022: null, \u0022bytes_in\u0022: 1483, \u0022payload_entropy\u0022: 7.711570109155559, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022US\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 33, \u0022campaign_key\u0022: \u0022b05915c6683f40c5d5a00b6aa521661030af849f\u0022, \u0022event_fingerprint\u0022: \u00222456190a5544431de6c1e56662aedcdfeeb34ebb\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]}","tls_sni":null,"tls_ja3_hash":"2196848d251b217de8b2c037e356c11d","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-4865-4866-4867,11-65281-23-18-5-10-13-50-43-51,4588-29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]","anomalies":"[]","severity":2,"bytes_in":1483},{"id":7922235,"ip":"147.185.133.136","ts":"2026-05-29 05:30:01.000000","proto":"tcp","src_port":59558,"dst_port":13416,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u0022795bc7ce13f60d61e9ac03611dd36d90\u0022, \u0022tls_sni\u0022: null, \u0022bytes_in\u0022: 207, \u0022payload_entropy\u0022: 4.882461790594033, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022US\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 33, \u0022campaign_key\u0022: \u0022b05915c6683f40c5d5a00b6aa521661030af849f\u0022, \u0022event_fingerprint\u0022: \u0022a9cfb99b8690e6dd5112e9c6ba82e5420c318629\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]}","tls_sni":null,"tls_ja3_hash":"795bc7ce13f60d61e9ac03611dd36d90","tls_ja3":"771,52244-52243-49199-49195-49200-49196-49169-49159-49191-49187-49171-49161-49192-49188-49172-49162-52245-158-159-103-107-51-57-156-157-5-4-60-61-47-53-49170-22-10-3-8-6-20-17-25-23-50-49160-18-19-21-56-64-102-106-162-163,5-10-11-13-65281-15,23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]","anomalies":"[]","severity":2,"bytes_in":207},{"id":7874249,"ip":"147.185.133.136","ts":"2026-05-28 09:22:16.000000","proto":"tcp","src_port":49336,"dst_port":2757,"service":"http","classification":"web_attack","waf_score":23,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022689bfbab10519e1ecf247982c128c7460ee59d4d\u0022, \u0022http_host_hash\u0022: null, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 185, \u0022payload_entropy\u0022: 4.938089755714326, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022US\u0022, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 100, \u0022campaign_key\u0022: \u00225816ed2f32792221f17289533b0999ca89ab82b3\u0022, \u0022event_fingerprint\u0022: \u0022828bbc4e8a68833bd999643902df71bc4c5c3a4d\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":null,"http_user_agent":"Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":10,"bytes_in":185},{"id":7783240,"ip":"147.185.133.136","ts":"2026-05-27 09:03:30.000000","proto":"tcp","src_port":52083,"dst_port":25737,"service":"http","classification":"web_attack","waf_score":23,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022689bfbab10519e1ecf247982c128c7460ee59d4d\u0022, \u0022http_host_hash\u0022: null, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 185, \u0022payload_entropy\u0022: 4.938089755714326, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022US\u0022, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 100, \u0022campaign_key\u0022: \u0022916350e647253fba683788889f36f94db4182ddf\u0022, \u0022event_fingerprint\u0022: \u002207db5017aa3426e4e925ccc9f0911092064ef8bc\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":null,"http_user_agent":"Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":10,"bytes_in":185},{"id":7738383,"ip":"147.185.133.136","ts":"2026-05-26 06:25:01.000000","proto":"tcp","src_port":55567,"dst_port":21265,"service":"http","classification":"web_attack","waf_score":23,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022689bfbab10519e1ecf247982c128c7460ee59d4d\u0022, \u0022http_host_hash\u0022: null, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 185, \u0022payload_entropy\u0022: 4.938089755714326, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022US\u0022, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 100, \u0022campaign_key\u0022: \u0022f000896351772f7cee56d8a83391c6cd1afd1ee2\u0022, \u0022event_fingerprint\u0022: \u0022ff883db2dd908a4c1986ce76f469f16245bea2d2\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":null,"http_user_agent":"Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":10,"bytes_in":185},{"id":7678718,"ip":"147.185.133.136","ts":"2026-05-24 22:05:52.000000","proto":"tcp","src_port":51966,"dst_port":14815,"service":"http","classification":"web_attack","waf_score":23,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022689bfbab10519e1ecf247982c128c7460ee59d4d\u0022, \u0022http_host_hash\u0022: null, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 185, \u0022payload_entropy\u0022: 4.938089755714326, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022US\u0022, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 100, \u0022campaign_key\u0022: \u00229d19b791c821d420989a8da37fefdbd9193af01b\u0022, \u0022event_fingerprint\u0022: \u00222770b83682c4d6dfb153370a860b7c23c7cafbfd\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":null,"http_user_agent":"Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":10,"bytes_in":185},{"id":7654409,"ip":"147.185.133.136","ts":"2026-05-24 09:26:43.000000","proto":"tcp","src_port":54139,"dst_port":22461,"service":"http","classification":"web_attack","waf_score":23,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022689bfbab10519e1ecf247982c128c7460ee59d4d\u0022, \u0022http_host_hash\u0022: null, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 185, \u0022payload_entropy\u0022: 4.938089755714326, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022US\u0022, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 100, \u0022campaign_key\u0022: \u00229c3f0d2e501e9762f8107c91ab19eb37375b3783\u0022, \u0022event_fingerprint\u0022: \u002278b4899592721452f03d9640bc1d5a8d35b51aa8\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":null,"http_user_agent":"Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":10,"bytes_in":185},{"id":7627150,"ip":"147.185.133.136","ts":"2026-05-23 22:03:48.000000","proto":"tcp","src_port":49268,"dst_port":32546,"service":"http","classification":"web_attack","waf_score":23,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022689bfbab10519e1ecf247982c128c7460ee59d4d\u0022, \u0022http_host_hash\u0022: null, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 185, \u0022payload_entropy\u0022: 4.938089755714326, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022US\u0022, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 100, \u0022campaign_key\u0022: \u0022a1243677eee11e67f40cf3514b4b7d515e5210df\u0022, \u0022event_fingerprint\u0022: \u0022e24d98149304fa4fa5aa10a5726a56dc2f91c214\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":null,"http_user_agent":"Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":10,"bytes_in":185},{"id":7606475,"ip":"147.185.133.136","ts":"2026-05-23 14:09:23.000000","proto":"tcp","src_port":54744,"dst_port":18146,"service":"http","classification":"web_attack","waf_score":23,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022689bfbab10519e1ecf247982c128c7460ee59d4d\u0022, \u0022http_host_hash\u0022: null, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 185, \u0022payload_entropy\u0022: 4.938089755714326, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022US\u0022, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 100, \u0022campaign_key\u0022: \u00227812a247483562c0c09fa90531648d31bac1b809\u0022, \u0022event_fingerprint\u0022: \u00225ffd2770715efe70365ca5579178b0acd1d840f8\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":null,"http_user_agent":"Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":10,"bytes_in":185},{"id":7605125,"ip":"147.185.133.136","ts":"2026-05-23 13:48:59.000000","proto":"tcp","src_port":60582,"dst_port":8811,"service":"http","classification":"web_attack","waf_score":23,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022689bfbab10519e1ecf247982c128c7460ee59d4d\u0022, \u0022http_host_hash\u0022: \u0022eff019b255c28b5a2880ca4806aa8124ee52a958\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 218, \u0022payload_entropy\u0022: 5.091014733588879, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022US\u0022, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 100, \u0022campaign_key\u0022: \u00227cbabb0ba74d24bfe8f30ce159364ef0aa1bb290\u0022, \u0022event_fingerprint\u0022: \u0022db493924bec747475d0d8ca392f187ded07c723d\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8811","http_user_agent":"Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":10,"bytes_in":218},{"id":7566365,"ip":"147.185.133.136","ts":"2026-05-23 01:54:11.000000","proto":"tcp","src_port":55508,"dst_port":28651,"service":"http","classification":"web_attack","waf_score":23,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022689bfbab10519e1ecf247982c128c7460ee59d4d\u0022, \u0022http_host_hash\u0022: null, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 185, \u0022payload_entropy\u0022: 4.938089755714326, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022US\u0022, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 100, \u0022campaign_key\u0022: \u002254d3d8dd757864d8dac538c5d0cf1c293b2c031f\u0022, \u0022event_fingerprint\u0022: \u00221ca014181f8bea95453db95d95c0f52f932706fa\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":null,"http_user_agent":"Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":10,"bytes_in":185},{"id":7455284,"ip":"147.185.133.136","ts":"2026-05-21 13:15:55.000000","proto":"tcp","src_port":53980,"dst_port":25166,"service":"http","classification":"web_attack","waf_score":23,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022689bfbab10519e1ecf247982c128c7460ee59d4d\u0022, \u0022http_host_hash\u0022: null, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 185, \u0022payload_entropy\u0022: 4.938089755714326, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022US\u0022, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 100, \u0022campaign_key\u0022: \u002271010858d3196a2c6635985b5c2143c00d6eef1c\u0022, \u0022event_fingerprint\u0022: \u0022fd8bb367260f0479b0ca8c76451c14f7ae8c99a6\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":null,"http_user_agent":"Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":10,"bytes_in":185}],"total_events":28}