{"ip":"160.119.76.85","exported_at":"2026-07-16T23:38:08+00:00","period_days":30,"metrics":{"events7d":73,"distinct_ports":1,"distinct_classifications":1,"max_severity":5,"last_sensor_id":"paris-1","max_waf_score":null,"max_risk_score":45,"attack_stage":"probe","attack_chain_stage":"discovery","threat_family":["scanner"],"recommended_action":"monitor","confidence":0.69,"risk_breakdown":{"waf":8,"classification":50,"behavior":0,"geo":0,"protocol":30,"novelty":15},"mitre_tactics":["TA0007","TA0001"],"mitre_technique":"TA0007","top_mitre_technique":"TA0007","top_mitre_count":73,"executive_one_liner_fr":"Activit\u00e9 suspecte \u00b7 risque 45\/100","campaign_hint_fr":null,"confidence_breakdown":{"waf":8,"classification":50,"behavior":0,"geo":0,"protocol":30,"novelty":15,"risk_score":45},"persona_hostname":"mail.sensor-1.internal","correlation_flags":[],"correlation_flags_labels_fr":[],"confidence_pct":69,"confidence_hint_fr":null,"sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["pat-0769","Upstream"],"tags_summary":["pat-0769","INT-upstream"],"attack_vector":"sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)","protocol_details":{"payload_preview":"INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\r\nVia: SIP\/2.0\/TCP 160.119.76.85:42096;branch=z9hG4bK-524287-1---ba4ff3e3a6c828","port":5060,"service":"sip","service_label_fr":"SIP"},"protocol_summary_fr":"Payload INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\r\nVia: SIP\/2.0\u2026 \u00b7 SIP:5060","evidence_snippet":"INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\r\nVia: SIP\/2.0\/TCP 160.119.76.85:42096;branch=z9hG4bK-524287-1---ba4ff3e3a6c828","target_port_label":"5060 \u00b7 SIP","emulator_service":"sip","confidence_reason":"Confiance 69 % \u2014 Motif catalogue confirm\u00e9","classification_reason":"Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%","classification_reason_label_fr":"Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%","confidence_factors_fr":"Confiance 69 % \u2014 Score WAF 8","payload_preview":"INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\r\nVia: SIP\/2.0\/TCP 160.119.76.85:42096;branch=z9hG4bK-524287-1---ba4ff3e3a6c828"},"events":[{"id":11118637,"ip":"160.119.76.85","ts":"2026-07-11 13:28:02.000000","proto":"tcp","src_port":42096,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1054, \u0022payload_entropy\u0022: 5.5461723009162744, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00227ba421b8d97af9e59b8ae811dd22f9df\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:42096;branch=z9hG4bK-524287-1---ba4ff3e3a6c828\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:42096;branch=z9hG4bK-524287-1---ba4ff3e3a6c8284b;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=d0188e77\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: 74t0AA18uMvW50\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:42096;branch=z9hG4bK-524287-1---ba4ff3e3a6c828\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:42096;branch=z9hG4bK-524287-1---ba4ff3e3a6c8284b;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=d0188e77\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: 74t0AA18uMvW50\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:42096;branch=z9hG4bK-524287-1---ba4ff3e3a6c828\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221e34ea481bc2d30486be9b1146bb90a498123125\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:42096;branch=z9hG4bK-524287-1---ba4ff3e3a6c828\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:42096;branch=z9hG4bK-524287-1---ba4ff3e3a6c828\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:42096;branch=z9hG4bK-524287-1---ba4ff3e3a6c828\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:42096;branch=z9hG4bK-524287-1---ba4ff3e3a6c828\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1054},{"id":11117695,"ip":"160.119.76.85","ts":"2026-07-11 13:15:02.000000","proto":"tcp","src_port":2802,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1053, \u0022payload_entropy\u0022: 5.562151686574379, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002227ea509783029b5a833d003ea5f19cde\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:2802;branch=z9hG4bK-524287-1---baa2e57c64b1c3b\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:2802;branch=z9hG4bK-524287-1---baa2e57c64b1c3b2;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=23a50d72\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: Zm9PITRQevTsHPJ\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:2802;branch=z9hG4bK-524287-1---baa2e57c64b1c3b\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:2802;branch=z9hG4bK-524287-1---baa2e57c64b1c3b2;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=23a50d72\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: Zm9PITRQevTsHPJ\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:2802;branch=z9hG4bK-524287-1---baa2e57c64b1c3b\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e39b2c4df62544e91e530b6b755ab759325f089d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:2802;branch=z9hG4bK-524287-1---baa2e57c64b1c3b\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:2802;branch=z9hG4bK-524287-1---baa2e57c64b1c3b\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:2802;branch=z9hG4bK-524287-1---baa2e57c64b1c3b\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:2802;branch=z9hG4bK-524287-1---baa2e57c64b1c3b\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1053},{"id":11117338,"ip":"160.119.76.85","ts":"2026-07-11 13:10:42.000000","proto":"tcp","src_port":9064,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1056, \u0022payload_entropy\u0022: 5.561957209496192, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002250be74e2f58c1ea586590e16cd97c594\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:9064;branch=z9hG4bK-524287-1---642b2721f859971\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:9064;branch=z9hG4bK-524287-1---642b2721f859971b;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=95db1bbc\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: gNFmhlU05UvzWME\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:9064;branch=z9hG4bK-524287-1---642b2721f859971\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:9064;branch=z9hG4bK-524287-1---642b2721f859971b;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=95db1bbc\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: gNFmhlU05UvzWME\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:9064;branch=z9hG4bK-524287-1---642b2721f859971\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d8b5c5c9a36b13d8203c446e891fe1f80ae4e514\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:9064;branch=z9hG4bK-524287-1---642b2721f859971\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:9064;branch=z9hG4bK-524287-1---642b2721f859971\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:9064;branch=z9hG4bK-524287-1---642b2721f859971\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:9064;branch=z9hG4bK-524287-1---642b2721f859971\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1056},{"id":11109015,"ip":"160.119.76.85","ts":"2026-07-11 12:40:20.000000","proto":"tcp","src_port":29168,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1056, \u0022payload_entropy\u0022: 5.556831477297991, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002237e8dd2747c04333fc54d81784416a92\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:29168;branch=z9hG4bK-524287-1---12d93126c3e6f2\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:29168;branch=z9hG4bK-524287-1---12d93126c3e6f24a;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=447a5436\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: ljbjisnNE2gWRv\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:29168;branch=z9hG4bK-524287-1---12d93126c3e6f2\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:29168;branch=z9hG4bK-524287-1---12d93126c3e6f24a;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=447a5436\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: ljbjisnNE2gWRv\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:29168;branch=z9hG4bK-524287-1---12d93126c3e6f2\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e0afa16baaf94d02bc46f015981a8ea16233af93\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:29168;branch=z9hG4bK-524287-1---12d93126c3e6f2\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:29168;branch=z9hG4bK-524287-1---12d93126c3e6f2\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:29168;branch=z9hG4bK-524287-1---12d93126c3e6f2\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:29168;branch=z9hG4bK-524287-1---12d93126c3e6f2\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1056},{"id":11105343,"ip":"160.119.76.85","ts":"2026-07-11 12:31:40.000000","proto":"tcp","src_port":11292,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1072, \u0022payload_entropy\u0022: 5.5447098280102, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002201a2ea8b5a06a8b20900aac9ad931a0c\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:11292;branch=z9hG4bK-524287-1---b987091f2b605a\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:11292;branch=z9hG4bK-524287-1---b987091f2b605afa;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=09ec661a\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: Ygl3drZBoYHgG1\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:11292;branch=z9hG4bK-524287-1---b987091f2b605a\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:11292;branch=z9hG4bK-524287-1---b987091f2b605afa;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=09ec661a\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: Ygl3drZBoYHgG1\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:11292;branch=z9hG4bK-524287-1---b987091f2b605a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002265b85fa7ea33a33390f2fcf8756ab45a50fc72d6\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:11292;branch=z9hG4bK-524287-1---b987091f2b605a\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:11292;branch=z9hG4bK-524287-1---b987091f2b605a\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:11292;branch=z9hG4bK-524287-1---b987091f2b605a\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:11292;branch=z9hG4bK-524287-1---b987091f2b605a\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1072},{"id":11104780,"ip":"160.119.76.85","ts":"2026-07-11 12:22:59.000000","proto":"tcp","src_port":6506,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1056, \u0022payload_entropy\u0022: 5.547428361188848, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223d0c84a2c8a2c68c353ba84ac9671f9c\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:6506;branch=z9hG4bK-524287-1---a4b33a28721f314\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:6506;branch=z9hG4bK-524287-1---a4b33a28721f3141;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=922cf500\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: FJNLl1PUg75089a\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:6506;branch=z9hG4bK-524287-1---a4b33a28721f314\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:6506;branch=z9hG4bK-524287-1---a4b33a28721f3141;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=922cf500\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: FJNLl1PUg75089a\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:6506;branch=z9hG4bK-524287-1---a4b33a28721f314\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229ac5f145ed65d0dc9307ba967943632ce61b2677\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:6506;branch=z9hG4bK-524287-1---a4b33a28721f314\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:6506;branch=z9hG4bK-524287-1---a4b33a28721f314\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:6506;branch=z9hG4bK-524287-1---a4b33a28721f314\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:6506;branch=z9hG4bK-524287-1---a4b33a28721f314\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1056},{"id":11091012,"ip":"160.119.76.85","ts":"2026-07-11 11:56:58.000000","proto":"tcp","src_port":3116,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1065, \u0022payload_entropy\u0022: 5.560012518636216, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022439e61298ca0c856a6899cdedb569b5d\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:3116;branch=z9hG4bK-524287-1---2329081bd187c99\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:3116;branch=z9hG4bK-524287-1---2329081bd187c99a;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=5c01326a\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: r5pO95ncTY7Zjc3\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:3116;branch=z9hG4bK-524287-1---2329081bd187c99\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:3116;branch=z9hG4bK-524287-1---2329081bd187c99a;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=5c01326a\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: r5pO95ncTY7Zjc3\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:3116;branch=z9hG4bK-524287-1---2329081bd187c99\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002274c655268356fe845e022c7c3751cfee9093105d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:3116;branch=z9hG4bK-524287-1---2329081bd187c99\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:3116;branch=z9hG4bK-524287-1---2329081bd187c99\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:3116;branch=z9hG4bK-524287-1---2329081bd187c99\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:3116;branch=z9hG4bK-524287-1---2329081bd187c99\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1065},{"id":11077164,"ip":"160.119.76.85","ts":"2026-07-11 11:22:15.000000","proto":"tcp","src_port":5408,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1070, \u0022payload_entropy\u0022: 5.570557529931202, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00227f185967e0d514f3a419f009ee125614\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5408;branch=z9hG4bK-524287-1---9b5b78ba40d3791\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5408;branch=z9hG4bK-524287-1---9b5b78ba40d37913;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=fd39f80e\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: TOZGKTW7HAm51p4\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5408;branch=z9hG4bK-524287-1---9b5b78ba40d3791\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5408;branch=z9hG4bK-524287-1---9b5b78ba40d37913;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=fd39f80e\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: TOZGKTW7HAm51p4\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5408;branch=z9hG4bK-524287-1---9b5b78ba40d3791\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002295d48a497c4550ef1e15a9c4efd1c5dc83188788\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5408;branch=z9hG4bK-524287-1---9b5b78ba40d3791\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5408;branch=z9hG4bK-524287-1---9b5b78ba40d3791\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5408;branch=z9hG4bK-524287-1---9b5b78ba40d3791\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5408;branch=z9hG4bK-524287-1---9b5b78ba40d3791\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1070},{"id":11075495,"ip":"160.119.76.85","ts":"2026-07-11 11:17:55.000000","proto":"tcp","src_port":15008,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1061, \u0022payload_entropy\u0022: 5.570102548170897, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00227b26f6a2f3222d9ea9f2e3116c8f7bd7\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:15008;branch=z9hG4bK-524287-1---95db3910b4fd08\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:15008;branch=z9hG4bK-524287-1---95db3910b4fd08b7;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=9c607cde\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: MmwGkTEhzAxYgl\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:15008;branch=z9hG4bK-524287-1---95db3910b4fd08\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:15008;branch=z9hG4bK-524287-1---95db3910b4fd08b7;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=9c607cde\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: MmwGkTEhzAxYgl\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:15008;branch=z9hG4bK-524287-1---95db3910b4fd08\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002240f45fcfcbe8f650ebfc87425abd59fb900f8950\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:15008;branch=z9hG4bK-524287-1---95db3910b4fd08\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:15008;branch=z9hG4bK-524287-1---95db3910b4fd08\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:15008;branch=z9hG4bK-524287-1---95db3910b4fd08\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:15008;branch=z9hG4bK-524287-1---95db3910b4fd08\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1061},{"id":11071968,"ip":"160.119.76.85","ts":"2026-07-11 11:13:34.000000","proto":"tcp","src_port":1474,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1054, \u0022payload_entropy\u0022: 5.564959804859641, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00220cf02a6ecdaecfd2aad9f1ead55474ee\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:1474;branch=z9hG4bK-524287-1---79309c019cfc338\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:1474;branch=z9hG4bK-524287-1---79309c019cfc3387;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=0de94952\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: ogCB2VWbelcsKpS\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:1474;branch=z9hG4bK-524287-1---79309c019cfc338\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:1474;branch=z9hG4bK-524287-1---79309c019cfc3387;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=0de94952\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: ogCB2VWbelcsKpS\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:1474;branch=z9hG4bK-524287-1---79309c019cfc338\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222728d20101b1b5a59e399d753d58dc2c62aad892\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:1474;branch=z9hG4bK-524287-1---79309c019cfc338\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:1474;branch=z9hG4bK-524287-1---79309c019cfc338\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:1474;branch=z9hG4bK-524287-1---79309c019cfc338\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:1474;branch=z9hG4bK-524287-1---79309c019cfc338\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1054},{"id":11069645,"ip":"160.119.76.85","ts":"2026-07-11 10:43:12.000000","proto":"tcp","src_port":45708,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1066, \u0022payload_entropy\u0022: 5.554594310950221, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002252dd92d9c3cd29220c09297d4698c587\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:45708;branch=z9hG4bK-524287-1---a65221dfc10824\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:45708;branch=z9hG4bK-524287-1---a65221dfc1082454;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=a2b373c5\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: 7KI2aePNmCRfEF\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:45708;branch=z9hG4bK-524287-1---a65221dfc10824\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:45708;branch=z9hG4bK-524287-1---a65221dfc1082454;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=a2b373c5\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: 7KI2aePNmCRfEF\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:45708;branch=z9hG4bK-524287-1---a65221dfc10824\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225d7f32f9ce93bebf8b901f7f745747a2d9c147fe\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:45708;branch=z9hG4bK-524287-1---a65221dfc10824\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:45708;branch=z9hG4bK-524287-1---a65221dfc10824\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:45708;branch=z9hG4bK-524287-1---a65221dfc10824\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:45708;branch=z9hG4bK-524287-1---a65221dfc10824\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1066},{"id":11068729,"ip":"160.119.76.85","ts":"2026-07-11 10:30:11.000000","proto":"tcp","src_port":55616,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1055, \u0022payload_entropy\u0022: 5.547204504073663, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002244d4add2201181b76e8934fee4dffe63\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:55616;branch=z9hG4bK-524287-1---1dceceeef26de4\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:55616;branch=z9hG4bK-524287-1---1dceceeef26de49f;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=fa362cc9\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: OEIKaaLcTva92L\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:55616;branch=z9hG4bK-524287-1---1dceceeef26de4\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:55616;branch=z9hG4bK-524287-1---1dceceeef26de49f;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=fa362cc9\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: OEIKaaLcTva92L\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:55616;branch=z9hG4bK-524287-1---1dceceeef26de4\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002231e79392bcf8bedc26003f661f8c09e9f4bdc9e8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:55616;branch=z9hG4bK-524287-1---1dceceeef26de4\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:55616;branch=z9hG4bK-524287-1---1dceceeef26de4\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:55616;branch=z9hG4bK-524287-1---1dceceeef26de4\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:55616;branch=z9hG4bK-524287-1---1dceceeef26de4\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1055},{"id":11064994,"ip":"160.119.76.85","ts":"2026-07-11 10:17:10.000000","proto":"tcp","src_port":43026,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1072, \u0022payload_entropy\u0022: 5.562944055840423, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00227b314db16fad479b69d761082d86d042\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:43026;branch=z9hG4bK-524287-1---17f0e21708530c\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:43026;branch=z9hG4bK-524287-1---17f0e21708530c30;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=702f82da\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: 9hfNl1UJ2F3hNl\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:43026;branch=z9hG4bK-524287-1---17f0e21708530c\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:43026;branch=z9hG4bK-524287-1---17f0e21708530c30;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=702f82da\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: 9hfNl1UJ2F3hNl\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:43026;branch=z9hG4bK-524287-1---17f0e21708530c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ca011c71cd02e7a123c32e90fa03e5269fe519e6\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:43026;branch=z9hG4bK-524287-1---17f0e21708530c\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:43026;branch=z9hG4bK-524287-1---17f0e21708530c\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:43026;branch=z9hG4bK-524287-1---17f0e21708530c\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:43026;branch=z9hG4bK-524287-1---17f0e21708530c\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1072},{"id":11064731,"ip":"160.119.76.85","ts":"2026-07-11 10:12:50.000000","proto":"tcp","src_port":8360,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1106, \u0022payload_entropy\u0022: 5.568653109820746, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a805acc2daf5502a4250f831c5a560ef\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:8360;branch=z9hG4bK-524287-1---4cd84da0f39760c\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:8360;branch=z9hG4bK-524287-1---4cd84da0f39760cc;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=3f55b137\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: 3Wla8AAcePJJ3w1\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:8360;branch=z9hG4bK-524287-1---4cd84da0f39760c\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:8360;branch=z9hG4bK-524287-1---4cd84da0f39760cc;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=3f55b137\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: 3Wla8AAcePJJ3w1\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:8360;branch=z9hG4bK-524287-1---4cd84da0f39760c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022aef365219675a38fd507133b39aa57771e7d687d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:8360;branch=z9hG4bK-524287-1---4cd84da0f39760c\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:8360;branch=z9hG4bK-524287-1---4cd84da0f39760c\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:8360;branch=z9hG4bK-524287-1---4cd84da0f39760c\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:8360;branch=z9hG4bK-524287-1---4cd84da0f39760c\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1106},{"id":11063920,"ip":"160.119.76.85","ts":"2026-07-11 09:59:48.000000","proto":"tcp","src_port":32132,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1063, \u0022payload_entropy\u0022: 5.559979586682561, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f61c2e51413b27bafc4df5cfeee30b97\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:32132;branch=z9hG4bK-524287-1---0f2e23fe5803a6\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:32132;branch=z9hG4bK-524287-1---0f2e23fe5803a69e;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=47ce2cce\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: kFibxFxP5SvyPq\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:32132;branch=z9hG4bK-524287-1---0f2e23fe5803a6\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:32132;branch=z9hG4bK-524287-1---0f2e23fe5803a69e;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=47ce2cce\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: kFibxFxP5SvyPq\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:32132;branch=z9hG4bK-524287-1---0f2e23fe5803a6\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022cae59d39f3b3960e81699e0a0bf746716561d41d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:32132;branch=z9hG4bK-524287-1---0f2e23fe5803a6\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:32132;branch=z9hG4bK-524287-1---0f2e23fe5803a6\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:32132;branch=z9hG4bK-524287-1---0f2e23fe5803a6\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:32132;branch=z9hG4bK-524287-1---0f2e23fe5803a6\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1063},{"id":11063128,"ip":"160.119.76.85","ts":"2026-07-11 09:46:47.000000","proto":"tcp","src_port":44772,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1058, \u0022payload_entropy\u0022: 5.564933797496557, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022acea14032c490640fd92e783bb146f21\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:44772;branch=z9hG4bK-524287-1---99d7c3d1ef58c0\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:44772;branch=z9hG4bK-524287-1---99d7c3d1ef58c041;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=5b32cd5f\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: Vfnhn4TsDuj3vZ\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:44772;branch=z9hG4bK-524287-1---99d7c3d1ef58c0\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:44772;branch=z9hG4bK-524287-1---99d7c3d1ef58c041;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=5b32cd5f\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: Vfnhn4TsDuj3vZ\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:44772;branch=z9hG4bK-524287-1---99d7c3d1ef58c0\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224ca98da9aa4f0ea23ae3948b77e9d2f8727cfcfd\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:44772;branch=z9hG4bK-524287-1---99d7c3d1ef58c0\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:44772;branch=z9hG4bK-524287-1---99d7c3d1ef58c0\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:44772;branch=z9hG4bK-524287-1---99d7c3d1ef58c0\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:44772;branch=z9hG4bK-524287-1---99d7c3d1ef58c0\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1058},{"id":11061653,"ip":"160.119.76.85","ts":"2026-07-11 09:25:04.000000","proto":"tcp","src_port":1566,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1063, \u0022payload_entropy\u0022: 5.54770380103298, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c147ab527bc409cc49f22ef915640e10\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:1566;branch=z9hG4bK-524287-1---72daae4b1d6edfd\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:1566;branch=z9hG4bK-524287-1---72daae4b1d6edfd2;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=ca868385\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: DB3dJJnplY6HtTC\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:1566;branch=z9hG4bK-524287-1---72daae4b1d6edfd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:1566;branch=z9hG4bK-524287-1---72daae4b1d6edfd2;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=ca868385\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: DB3dJJnplY6HtTC\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:1566;branch=z9hG4bK-524287-1---72daae4b1d6edfd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c04b1e2db5c23f15431b18836f6caf5a2692e320\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:1566;branch=z9hG4bK-524287-1---72daae4b1d6edfd\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:1566;branch=z9hG4bK-524287-1---72daae4b1d6edfd\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:1566;branch=z9hG4bK-524287-1---72daae4b1d6edfd\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:1566;branch=z9hG4bK-524287-1---72daae4b1d6edfd\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1063},{"id":11048760,"ip":"160.119.76.85","ts":"2026-07-11 09:20:44.000000","proto":"tcp","src_port":28564,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1074, \u0022payload_entropy\u0022: 5.566808859238578, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022fd47357321f90646c46ec36b39bc0504\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:28564;branch=z9hG4bK-524287-1---d4fbf4ee450fe9\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:28564;branch=z9hG4bK-524287-1---d4fbf4ee450fe9c4;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=d3aee243\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: 0fKCFJM9e0eOII\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:28564;branch=z9hG4bK-524287-1---d4fbf4ee450fe9\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:28564;branch=z9hG4bK-524287-1---d4fbf4ee450fe9c4;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=d3aee243\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: 0fKCFJM9e0eOII\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:28564;branch=z9hG4bK-524287-1---d4fbf4ee450fe9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222e8c4ed8037e203261acc7f2009f6049b40cd3de\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:28564;branch=z9hG4bK-524287-1---d4fbf4ee450fe9\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:28564;branch=z9hG4bK-524287-1---d4fbf4ee450fe9\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:28564;branch=z9hG4bK-524287-1---d4fbf4ee450fe9\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:28564;branch=z9hG4bK-524287-1---d4fbf4ee450fe9\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1074},{"id":11034903,"ip":"160.119.76.85","ts":"2026-07-11 08:37:19.000000","proto":"tcp","src_port":24478,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1051, \u0022payload_entropy\u0022: 5.566830886289272, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002286cdcad132ad012bf5b6dd987b6a00c7\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:24478;branch=z9hG4bK-524287-1---8e72196850397f\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:24478;branch=z9hG4bK-524287-1---8e72196850397f72;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=1aab82b3\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: vj7lE7ZKZMq4A8\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:24478;branch=z9hG4bK-524287-1---8e72196850397f\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:24478;branch=z9hG4bK-524287-1---8e72196850397f72;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=1aab82b3\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: vj7lE7ZKZMq4A8\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:24478;branch=z9hG4bK-524287-1---8e72196850397f\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e8bd26ca3abe838f0d4e073a3d9a698461a90bd3\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:24478;branch=z9hG4bK-524287-1---8e72196850397f\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:24478;branch=z9hG4bK-524287-1---8e72196850397f\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:24478;branch=z9hG4bK-524287-1---8e72196850397f\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:24478;branch=z9hG4bK-524287-1---8e72196850397f\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1051},{"id":11028754,"ip":"160.119.76.85","ts":"2026-07-11 08:28:38.000000","proto":"tcp","src_port":53934,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1059, \u0022payload_entropy\u0022: 5.566261860667936, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00225ef2928d82216a2f8a0af73bf27d3a81\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:53934;branch=z9hG4bK-524287-1---096ff68099f2bb\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:53934;branch=z9hG4bK-524287-1---096ff68099f2bb57;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=afacb01d\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: PF7CkaO7VWyRlJ\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:53934;branch=z9hG4bK-524287-1---096ff68099f2bb\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:53934;branch=z9hG4bK-524287-1---096ff68099f2bb57;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=afacb01d\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: PF7CkaO7VWyRlJ\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:53934;branch=z9hG4bK-524287-1---096ff68099f2bb\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222260725a14824fc06a6311d90dd79428adcd4218\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:53934;branch=z9hG4bK-524287-1---096ff68099f2bb\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:53934;branch=z9hG4bK-524287-1---096ff68099f2bb\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:53934;branch=z9hG4bK-524287-1---096ff68099f2bb\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:53934;branch=z9hG4bK-524287-1---096ff68099f2bb\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1059},{"id":11024990,"ip":"160.119.76.85","ts":"2026-07-11 08:15:36.000000","proto":"tcp","src_port":31198,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1070, \u0022payload_entropy\u0022: 5.550642102057776, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e29048d563f9c560833ab6f8b739e3bf\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:31198;branch=z9hG4bK-524287-1---1943306ef513e7\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:31198;branch=z9hG4bK-524287-1---1943306ef513e709;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=76d93107\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: AnjNUKO3druLR4\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:31198;branch=z9hG4bK-524287-1---1943306ef513e7\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:31198;branch=z9hG4bK-524287-1---1943306ef513e709;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=76d93107\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: AnjNUKO3druLR4\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:31198;branch=z9hG4bK-524287-1---1943306ef513e7\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229d3620398c612546f7f8264081a3a91bf0a0613b\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:31198;branch=z9hG4bK-524287-1---1943306ef513e7\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:31198;branch=z9hG4bK-524287-1---1943306ef513e7\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:31198;branch=z9hG4bK-524287-1---1943306ef513e7\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:31198;branch=z9hG4bK-524287-1---1943306ef513e7\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1070},{"id":11021910,"ip":"160.119.76.85","ts":"2026-07-11 07:49:34.000000","proto":"tcp","src_port":50584,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1075, \u0022payload_entropy\u0022: 5.5702794341840605, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002257b6be35dde4959dc9636bc56bd040e9\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:50584;branch=z9hG4bK-524287-1---cd71d80a98fc61\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:50584;branch=z9hG4bK-524287-1---cd71d80a98fc61ca;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=3b23ef90\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: 3HjuUnbqGypV2m\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:50584;branch=z9hG4bK-524287-1---cd71d80a98fc61\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:50584;branch=z9hG4bK-524287-1---cd71d80a98fc61ca;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=3b23ef90\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: 3HjuUnbqGypV2m\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:50584;branch=z9hG4bK-524287-1---cd71d80a98fc61\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a7c9c78ce679c781f8243d3e36b3da2e949ef499\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:50584;branch=z9hG4bK-524287-1---cd71d80a98fc61\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:50584;branch=z9hG4bK-524287-1---cd71d80a98fc61\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:50584;branch=z9hG4bK-524287-1---cd71d80a98fc61\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:50584;branch=z9hG4bK-524287-1---cd71d80a98fc61\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1075},{"id":11017015,"ip":"160.119.76.85","ts":"2026-07-11 07:40:53.000000","proto":"tcp","src_port":1424,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1052, \u0022payload_entropy\u0022: 5.5550997352366736, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b7cd196dc70002e97016f34a3de634da\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:1424;branch=z9hG4bK-524287-1---699ee2dfe966b7b\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:1424;branch=z9hG4bK-524287-1---699ee2dfe966b7b5;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=18385296\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: Iv7ye32GMfysm8e\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:1424;branch=z9hG4bK-524287-1---699ee2dfe966b7b\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:1424;branch=z9hG4bK-524287-1---699ee2dfe966b7b5;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=18385296\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: Iv7ye32GMfysm8e\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:1424;branch=z9hG4bK-524287-1---699ee2dfe966b7b\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221fab9b4a4ddc7a4dd80700b28cfb48941e962f5b\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:1424;branch=z9hG4bK-524287-1---699ee2dfe966b7b\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:1424;branch=z9hG4bK-524287-1---699ee2dfe966b7b\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:1424;branch=z9hG4bK-524287-1---699ee2dfe966b7b\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:1424;branch=z9hG4bK-524287-1---699ee2dfe966b7b\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1052},{"id":11013572,"ip":"160.119.76.85","ts":"2026-07-11 07:32:12.000000","proto":"tcp","src_port":44896,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1063, \u0022payload_entropy\u0022: 5.559540287524139, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224a88a91f55fcd504099859157d0b16ce\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:44896;branch=z9hG4bK-524287-1---fed3182ee87b64\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:44896;branch=z9hG4bK-524287-1---fed3182ee87b6438;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=0a00eb7d\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: LCOQY5USCQ4Kq9\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:44896;branch=z9hG4bK-524287-1---fed3182ee87b64\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:44896;branch=z9hG4bK-524287-1---fed3182ee87b6438;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=0a00eb7d\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: LCOQY5USCQ4Kq9\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:44896;branch=z9hG4bK-524287-1---fed3182ee87b64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225c57a8859528ea18bd1590fc0611e37d403abb5b\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:44896;branch=z9hG4bK-524287-1---fed3182ee87b64\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:44896;branch=z9hG4bK-524287-1---fed3182ee87b64\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:44896;branch=z9hG4bK-524287-1---fed3182ee87b64\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:44896;branch=z9hG4bK-524287-1---fed3182ee87b64\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1063},{"id":10999102,"ip":"160.119.76.85","ts":"2026-07-11 06:53:08.000000","proto":"tcp","src_port":47856,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1057, \u0022payload_entropy\u0022: 5.554329759721549, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f30ccc22cf5455f2ca53a13466e9e33e\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:47856;branch=z9hG4bK-524287-1---a89e29abcc5f21\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:47856;branch=z9hG4bK-524287-1---a89e29abcc5f2157;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=0de80007\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: 0VqRhN4benc3VR\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:47856;branch=z9hG4bK-524287-1---a89e29abcc5f21\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:47856;branch=z9hG4bK-524287-1---a89e29abcc5f2157;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=0de80007\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: 0VqRhN4benc3VR\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:47856;branch=z9hG4bK-524287-1---a89e29abcc5f21\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226cfa593d4805c7374241f3404f02c3f5718b353b\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:47856;branch=z9hG4bK-524287-1---a89e29abcc5f21\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:47856;branch=z9hG4bK-524287-1---a89e29abcc5f21\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:47856;branch=z9hG4bK-524287-1---a89e29abcc5f21\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:47856;branch=z9hG4bK-524287-1---a89e29abcc5f21\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1057},{"id":10991814,"ip":"160.119.76.85","ts":"2026-07-11 06:31:25.000000","proto":"tcp","src_port":52754,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1063, \u0022payload_entropy\u0022: 5.554985204466413, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00227d5d58f2ea818fba3dbb6e8848d70b70\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:52754;branch=z9hG4bK-524287-1---864dc00c44e1e8\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:52754;branch=z9hG4bK-524287-1---864dc00c44e1e86f;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=a02a75d0\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: 0qBBNRvkj5mrjN\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:52754;branch=z9hG4bK-524287-1---864dc00c44e1e8\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:52754;branch=z9hG4bK-524287-1---864dc00c44e1e86f;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=a02a75d0\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: 0qBBNRvkj5mrjN\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:52754;branch=z9hG4bK-524287-1---864dc00c44e1e8\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a51e814f0ee513bcb9878d7ca14411c934270372\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:52754;branch=z9hG4bK-524287-1---864dc00c44e1e8\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:52754;branch=z9hG4bK-524287-1---864dc00c44e1e8\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:52754;branch=z9hG4bK-524287-1---864dc00c44e1e8\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:52754;branch=z9hG4bK-524287-1---864dc00c44e1e8\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1063},{"id":10990922,"ip":"160.119.76.85","ts":"2026-07-11 06:18:24.000000","proto":"tcp","src_port":41404,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1058, \u0022payload_entropy\u0022: 5.563295707637684, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ad8cd01ae3782b9515a00c03d32cdcf3\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:41404;branch=z9hG4bK-524287-1---f7ac99c6b9db43\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:41404;branch=z9hG4bK-524287-1---f7ac99c6b9db4386;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=7e52476e\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: HoTysLUwo4q5D7\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:41404;branch=z9hG4bK-524287-1---f7ac99c6b9db43\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:41404;branch=z9hG4bK-524287-1---f7ac99c6b9db4386;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=7e52476e\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: HoTysLUwo4q5D7\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:41404;branch=z9hG4bK-524287-1---f7ac99c6b9db43\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b7693927e7a79ae32f3a98445e1f0cdfb428926b\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:41404;branch=z9hG4bK-524287-1---f7ac99c6b9db43\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:41404;branch=z9hG4bK-524287-1---f7ac99c6b9db43\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:41404;branch=z9hG4bK-524287-1---f7ac99c6b9db43\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:41404;branch=z9hG4bK-524287-1---f7ac99c6b9db43\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1058},{"id":10986015,"ip":"160.119.76.85","ts":"2026-07-11 06:09:42.000000","proto":"tcp","src_port":57012,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1064, \u0022payload_entropy\u0022: 5.541691791531024, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022dd151a15cfdd235e95cc254a2e09af47\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:57012;branch=z9hG4bK-524287-1---aa2d1ed89e0519\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:57012;branch=z9hG4bK-524287-1---aa2d1ed89e051901;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=8b964cbe\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: Xt8mXk7zKwOnr3\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:57012;branch=z9hG4bK-524287-1---aa2d1ed89e0519\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:57012;branch=z9hG4bK-524287-1---aa2d1ed89e051901;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=8b964cbe\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: Xt8mXk7zKwOnr3\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:57012;branch=z9hG4bK-524287-1---aa2d1ed89e0519\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222eb7a8bc9a2323ae385c23b54a1fa769df1c614a\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:57012;branch=z9hG4bK-524287-1---aa2d1ed89e0519\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:57012;branch=z9hG4bK-524287-1---aa2d1ed89e0519\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:57012;branch=z9hG4bK-524287-1---aa2d1ed89e0519\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:57012;branch=z9hG4bK-524287-1---aa2d1ed89e0519\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1064},{"id":10978067,"ip":"160.119.76.85","ts":"2026-07-11 05:43:39.000000","proto":"tcp","src_port":5318,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1060, \u0022payload_entropy\u0022: 5.565348227395384, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00227af68f108fbcb556aa94aa26d30d509d\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5318;branch=z9hG4bK-524287-1---93345974341c752\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5318;branch=z9hG4bK-524287-1---93345974341c7521;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=45425695\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: 4If25URd2wjUh6N\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5318;branch=z9hG4bK-524287-1---93345974341c752\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5318;branch=z9hG4bK-524287-1---93345974341c7521;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=45425695\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: 4If25URd2wjUh6N\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5318;branch=z9hG4bK-524287-1---93345974341c752\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002281927b46b8317d918f84cdb42828b345f6dd1482\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5318;branch=z9hG4bK-524287-1---93345974341c752\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5318;branch=z9hG4bK-524287-1---93345974341c752\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5318;branch=z9hG4bK-524287-1---93345974341c752\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5318;branch=z9hG4bK-524287-1---93345974341c752\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1060},{"id":10977763,"ip":"160.119.76.85","ts":"2026-07-11 05:39:19.000000","proto":"tcp","src_port":42098,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1074, \u0022payload_entropy\u0022: 5.56934098436477, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223c963351e5238b879532c442395e29d4\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:42098;branch=z9hG4bK-524287-1---e0ee94aa2f6c25\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:42098;branch=z9hG4bK-524287-1---e0ee94aa2f6c25d3;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=2ff49c3d\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: x3AAJEdMXt2U35\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:42098;branch=z9hG4bK-524287-1---e0ee94aa2f6c25\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:42098;branch=z9hG4bK-524287-1---e0ee94aa2f6c25d3;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=2ff49c3d\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: x3AAJEdMXt2U35\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:42098;branch=z9hG4bK-524287-1---e0ee94aa2f6c25\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b5865a2d998962b5b26561ae590371f787991953\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:42098;branch=z9hG4bK-524287-1---e0ee94aa2f6c25\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:42098;branch=z9hG4bK-524287-1---e0ee94aa2f6c25\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:42098;branch=z9hG4bK-524287-1---e0ee94aa2f6c25\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:42098;branch=z9hG4bK-524287-1---e0ee94aa2f6c25\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1074},{"id":10977191,"ip":"160.119.76.85","ts":"2026-07-11 05:30:38.000000","proto":"tcp","src_port":52590,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1069, \u0022payload_entropy\u0022: 5.577241536562821, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00220027d5addffd834abc59ad366e4c4baf\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:52590;branch=z9hG4bK-524287-1---834d4bbe5377b9\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:52590;branch=z9hG4bK-524287-1---834d4bbe5377b956;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=f1e14410\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: CXD47iRZgnWZK1\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:52590;branch=z9hG4bK-524287-1---834d4bbe5377b9\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:52590;branch=z9hG4bK-524287-1---834d4bbe5377b956;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=f1e14410\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: CXD47iRZgnWZK1\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:52590;branch=z9hG4bK-524287-1---834d4bbe5377b9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d9d11ad458dd134cbca550ef7df1b142a4a448d6\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:52590;branch=z9hG4bK-524287-1---834d4bbe5377b9\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:52590;branch=z9hG4bK-524287-1---834d4bbe5377b9\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:52590;branch=z9hG4bK-524287-1---834d4bbe5377b9\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:52590;branch=z9hG4bK-524287-1---834d4bbe5377b9\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1069},{"id":10976295,"ip":"160.119.76.85","ts":"2026-07-11 05:17:36.000000","proto":"tcp","src_port":63834,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1063, \u0022payload_entropy\u0022: 5.559157280760958, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ed361aaf21f31350417d3dbf390b0464\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:63834;branch=z9hG4bK-524287-1---d01111d9314bbf\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:63834;branch=z9hG4bK-524287-1---d01111d9314bbf57;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=a669ea6b\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: eGdxFkZetYAou0\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:63834;branch=z9hG4bK-524287-1---d01111d9314bbf\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:63834;branch=z9hG4bK-524287-1---d01111d9314bbf57;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=a669ea6b\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: eGdxFkZetYAou0\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:63834;branch=z9hG4bK-524287-1---d01111d9314bbf\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a2ae3494c6781207d788277be20f8d9c419d9602\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:63834;branch=z9hG4bK-524287-1---d01111d9314bbf\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:63834;branch=z9hG4bK-524287-1---d01111d9314bbf\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:63834;branch=z9hG4bK-524287-1---d01111d9314bbf\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:63834;branch=z9hG4bK-524287-1---d01111d9314bbf\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1063},{"id":10975754,"ip":"160.119.76.85","ts":"2026-07-11 05:08:55.000000","proto":"tcp","src_port":31700,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1060, \u0022payload_entropy\u0022: 5.547768860767956, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002260c36b3d8d3f7f1e0c01bc78564b47ba\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:31700;branch=z9hG4bK-524287-1---96c85c2c5ec12f\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:31700;branch=z9hG4bK-524287-1---96c85c2c5ec12fd0;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=37607f5b\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: hWM1FaviD5Pzbp\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:31700;branch=z9hG4bK-524287-1---96c85c2c5ec12f\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:31700;branch=z9hG4bK-524287-1---96c85c2c5ec12fd0;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=37607f5b\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: hWM1FaviD5Pzbp\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:31700;branch=z9hG4bK-524287-1---96c85c2c5ec12f\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229cdfdb9afca08524d7fabb5eabff8484db0526bd\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:31700;branch=z9hG4bK-524287-1---96c85c2c5ec12f\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:31700;branch=z9hG4bK-524287-1---96c85c2c5ec12f\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:31700;branch=z9hG4bK-524287-1---96c85c2c5ec12f\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:31700;branch=z9hG4bK-524287-1---96c85c2c5ec12f\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1060},{"id":10973849,"ip":"160.119.76.85","ts":"2026-07-11 05:00:14.000000","proto":"tcp","src_port":40418,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1061, \u0022payload_entropy\u0022: 5.552840447277039, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ee8cd2ce351f0e17b470876ff720260a\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:40418;branch=z9hG4bK-524287-1---321f50b5f246d9\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:40418;branch=z9hG4bK-524287-1---321f50b5f246d970;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=c77ae47e\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: RpSbpj0pnQmRuZ\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:40418;branch=z9hG4bK-524287-1---321f50b5f246d9\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:40418;branch=z9hG4bK-524287-1---321f50b5f246d970;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=c77ae47e\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: RpSbpj0pnQmRuZ\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:40418;branch=z9hG4bK-524287-1---321f50b5f246d9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d7373aba74e90d1fe210fd61a8c677cb7669bf77\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:40418;branch=z9hG4bK-524287-1---321f50b5f246d9\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:40418;branch=z9hG4bK-524287-1---321f50b5f246d9\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:40418;branch=z9hG4bK-524287-1---321f50b5f246d9\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:40418;branch=z9hG4bK-524287-1---321f50b5f246d9\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1061},{"id":10970200,"ip":"160.119.76.85","ts":"2026-07-11 04:29:49.000000","proto":"tcp","src_port":18262,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1079, \u0022payload_entropy\u0022: 5.585877233904731, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002212055c5075df0799f28feffb234a0113\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:18262;branch=z9hG4bK-524287-1---0c9b09e74ff161\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:18262;branch=z9hG4bK-524287-1---0c9b09e74ff1618f;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=c7b8ea79\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: 77dYK3AumvkWcZ\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:18262;branch=z9hG4bK-524287-1---0c9b09e74ff161\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:18262;branch=z9hG4bK-524287-1---0c9b09e74ff1618f;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=c7b8ea79\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: 77dYK3AumvkWcZ\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:18262;branch=z9hG4bK-524287-1---0c9b09e74ff161\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225f5e89dad5a4ba1666b935e466aadc44194de737\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:18262;branch=z9hG4bK-524287-1---0c9b09e74ff161\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:18262;branch=z9hG4bK-524287-1---0c9b09e74ff161\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:18262;branch=z9hG4bK-524287-1---0c9b09e74ff161\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:18262;branch=z9hG4bK-524287-1---0c9b09e74ff161\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1079},{"id":10969410,"ip":"160.119.76.85","ts":"2026-07-11 04:16:48.000000","proto":"tcp","src_port":5852,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1073, \u0022payload_entropy\u0022: 5.547734828942023, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002297213cfe8dbd847f7001d3c4213ef825\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5852;branch=z9hG4bK-524287-1---aadfd6aa359a14e\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5852;branch=z9hG4bK-524287-1---aadfd6aa359a14e4;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=38130b3a\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: BPN3VPrjIE1lPm6\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5852;branch=z9hG4bK-524287-1---aadfd6aa359a14e\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5852;branch=z9hG4bK-524287-1---aadfd6aa359a14e4;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=38130b3a\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: BPN3VPrjIE1lPm6\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5852;branch=z9hG4bK-524287-1---aadfd6aa359a14e\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220f5a9cab91240514e3e452d20dd8029210aca8cb\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5852;branch=z9hG4bK-524287-1---aadfd6aa359a14e\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5852;branch=z9hG4bK-524287-1---aadfd6aa359a14e\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5852;branch=z9hG4bK-524287-1---aadfd6aa359a14e\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5852;branch=z9hG4bK-524287-1---aadfd6aa359a14e\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1073},{"id":10969215,"ip":"160.119.76.85","ts":"2026-07-11 04:12:27.000000","proto":"tcp","src_port":5416,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1050, \u0022payload_entropy\u0022: 5.565705183611646, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022cae12af80d2ef3799d6451b8fcb411a7\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5416;branch=z9hG4bK-524287-1---79c96b5d9004d6e\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5416;branch=z9hG4bK-524287-1---79c96b5d9004d6e7;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=6087eb3c\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: qrd3YPVqUxeBPj5\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5416;branch=z9hG4bK-524287-1---79c96b5d9004d6e\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5416;branch=z9hG4bK-524287-1---79c96b5d9004d6e7;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=6087eb3c\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: qrd3YPVqUxeBPj5\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5416;branch=z9hG4bK-524287-1---79c96b5d9004d6e\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c4116e41164ed56712ea5465c954c4bea1c73c04\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5416;branch=z9hG4bK-524287-1---79c96b5d9004d6e\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5416;branch=z9hG4bK-524287-1---79c96b5d9004d6e\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5416;branch=z9hG4bK-524287-1---79c96b5d9004d6e\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5416;branch=z9hG4bK-524287-1---79c96b5d9004d6e\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1050},{"id":10967971,"ip":"160.119.76.85","ts":"2026-07-11 03:50:43.000000","proto":"tcp","src_port":5570,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1075, \u0022payload_entropy\u0022: 5.565697940826474, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226180f8c5dda852b4c18f3814c410083a\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5570;branch=z9hG4bK-524287-1---bf743c8fbe56b2c\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5570;branch=z9hG4bK-524287-1---bf743c8fbe56b2cb;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=fed3dbf1\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: YquWCuCVsIR2o4h\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5570;branch=z9hG4bK-524287-1---bf743c8fbe56b2c\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5570;branch=z9hG4bK-524287-1---bf743c8fbe56b2cb;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=fed3dbf1\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: YquWCuCVsIR2o4h\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5570;branch=z9hG4bK-524287-1---bf743c8fbe56b2c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228d3a48c4c57c4fa68b0a40e21e42422ca69b1358\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5570;branch=z9hG4bK-524287-1---bf743c8fbe56b2c\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5570;branch=z9hG4bK-524287-1---bf743c8fbe56b2c\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5570;branch=z9hG4bK-524287-1---bf743c8fbe56b2c\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5570;branch=z9hG4bK-524287-1---bf743c8fbe56b2c\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1075},{"id":10967512,"ip":"160.119.76.85","ts":"2026-07-11 03:42:02.000000","proto":"tcp","src_port":64020,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1065, \u0022payload_entropy\u0022: 5.542634464091128, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00221fe6f87a6a06fd98c577cf03ea052894\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:64020;branch=z9hG4bK-524287-1---8b2a61c55ff78e\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:64020;branch=z9hG4bK-524287-1---8b2a61c55ff78e96;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=da08ca7a\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: rjprovCred2lUD\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:64020;branch=z9hG4bK-524287-1---8b2a61c55ff78e\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:64020;branch=z9hG4bK-524287-1---8b2a61c55ff78e96;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=da08ca7a\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: rjprovCred2lUD\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:64020;branch=z9hG4bK-524287-1---8b2a61c55ff78e\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ed23898cbed1bf4ce4a9859ef1f65aa9cf76ccb6\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:64020;branch=z9hG4bK-524287-1---8b2a61c55ff78e\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:64020;branch=z9hG4bK-524287-1---8b2a61c55ff78e\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:64020;branch=z9hG4bK-524287-1---8b2a61c55ff78e\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:64020;branch=z9hG4bK-524287-1---8b2a61c55ff78e\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1065},{"id":10960033,"ip":"160.119.76.85","ts":"2026-07-11 03:15:58.000000","proto":"tcp","src_port":39102,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1061, \u0022payload_entropy\u0022: 5.568365932764624, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e4895cc208d4e6f587258ff9acb7c449\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:39102;branch=z9hG4bK-524287-1---26bfe320045152\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:39102;branch=z9hG4bK-524287-1---26bfe320045152d3;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=c6eff6ad\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: YxvbBRLd0AWwiG\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:39102;branch=z9hG4bK-524287-1---26bfe320045152\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:39102;branch=z9hG4bK-524287-1---26bfe320045152d3;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=c6eff6ad\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: YxvbBRLd0AWwiG\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:39102;branch=z9hG4bK-524287-1---26bfe320045152\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f538b2f043a65e19a9ee2a7b1cdf622fd7e776fd\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:39102;branch=z9hG4bK-524287-1---26bfe320045152\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:39102;branch=z9hG4bK-524287-1---26bfe320045152\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:39102;branch=z9hG4bK-524287-1---26bfe320045152\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:39102;branch=z9hG4bK-524287-1---26bfe320045152\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1061},{"id":10959310,"ip":"160.119.76.85","ts":"2026-07-11 03:02:56.000000","proto":"tcp","src_port":35648,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1066, \u0022payload_entropy\u0022: 5.558110190101007, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022792d6cb86bd3766a18d56b020302133e\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:35648;branch=z9hG4bK-524287-1---e6b8f12dd50379\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:35648;branch=z9hG4bK-524287-1---e6b8f12dd503798e;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=e9835485\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: Jf0SR02M8fkeds\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:35648;branch=z9hG4bK-524287-1---e6b8f12dd50379\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:35648;branch=z9hG4bK-524287-1---e6b8f12dd503798e;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=e9835485\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: Jf0SR02M8fkeds\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:35648;branch=z9hG4bK-524287-1---e6b8f12dd50379\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022feec1389f8b9c151224bd79de1e9232d702846fd\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:35648;branch=z9hG4bK-524287-1---e6b8f12dd50379\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:35648;branch=z9hG4bK-524287-1---e6b8f12dd50379\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:35648;branch=z9hG4bK-524287-1---e6b8f12dd50379\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:35648;branch=z9hG4bK-524287-1---e6b8f12dd50379\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1066},{"id":10959071,"ip":"160.119.76.85","ts":"2026-07-11 02:58:36.000000","proto":"tcp","src_port":38270,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1061, \u0022payload_entropy\u0022: 5.562035324129174, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b0f76b9719802b06565d844976067151\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:38270;branch=z9hG4bK-524287-1---b5b8b8901951a2\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:38270;branch=z9hG4bK-524287-1---b5b8b8901951a2b9;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=72d88224\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: FGaR9Jk4MHYdzF\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:38270;branch=z9hG4bK-524287-1---b5b8b8901951a2\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:38270;branch=z9hG4bK-524287-1---b5b8b8901951a2b9;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=72d88224\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: FGaR9Jk4MHYdzF\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:38270;branch=z9hG4bK-524287-1---b5b8b8901951a2\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226afc322ab0c0abbcec55cab5de448b410f9f212b\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:38270;branch=z9hG4bK-524287-1---b5b8b8901951a2\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:38270;branch=z9hG4bK-524287-1---b5b8b8901951a2\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:38270;branch=z9hG4bK-524287-1---b5b8b8901951a2\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:38270;branch=z9hG4bK-524287-1---b5b8b8901951a2\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1061},{"id":10957182,"ip":"160.119.76.85","ts":"2026-07-11 02:41:13.000000","proto":"tcp","src_port":62160,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1064, \u0022payload_entropy\u0022: 5.559053965215005, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00227494fc1980f2c40b9d1a4d7322315c32\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:62160;branch=z9hG4bK-524287-1---5a0f1e6ca42273\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:62160;branch=z9hG4bK-524287-1---5a0f1e6ca4227331;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=4ce0b363\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: j9Q7j822fM1w2P\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:62160;branch=z9hG4bK-524287-1---5a0f1e6ca42273\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:62160;branch=z9hG4bK-524287-1---5a0f1e6ca4227331;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=4ce0b363\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: j9Q7j822fM1w2P\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:62160;branch=z9hG4bK-524287-1---5a0f1e6ca42273\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e4023118046e8990e664192e979ba34df5aeff3b\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:62160;branch=z9hG4bK-524287-1---5a0f1e6ca42273\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:62160;branch=z9hG4bK-524287-1---5a0f1e6ca42273\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:62160;branch=z9hG4bK-524287-1---5a0f1e6ca42273\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:62160;branch=z9hG4bK-524287-1---5a0f1e6ca42273\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1064},{"id":10952841,"ip":"160.119.76.85","ts":"2026-07-11 02:02:08.000000","proto":"tcp","src_port":19980,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1055, \u0022payload_entropy\u0022: 5.5557299619198455, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e2628b4efb8b24f5e48178f7651eb392\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:19980;branch=z9hG4bK-524287-1---0a802bcba6c291\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:19980;branch=z9hG4bK-524287-1---0a802bcba6c29188;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=e0079d57\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: ZjuR90hbdpVgjs\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:19980;branch=z9hG4bK-524287-1---0a802bcba6c291\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:19980;branch=z9hG4bK-524287-1---0a802bcba6c29188;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=e0079d57\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: ZjuR90hbdpVgjs\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:19980;branch=z9hG4bK-524287-1---0a802bcba6c291\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022149ca72eb29b3eef671cdb0c3b4358defbf88b49\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:19980;branch=z9hG4bK-524287-1---0a802bcba6c291\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:19980;branch=z9hG4bK-524287-1---0a802bcba6c291\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:19980;branch=z9hG4bK-524287-1---0a802bcba6c291\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:19980;branch=z9hG4bK-524287-1---0a802bcba6c291\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1055},{"id":10948029,"ip":"160.119.76.85","ts":"2026-07-11 01:36:05.000000","proto":"tcp","src_port":5636,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1052, \u0022payload_entropy\u0022: 5.559812621231797, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d5053190b1d52e799bef360c3956f6c0\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5636;branch=z9hG4bK-524287-1---bbc1f3d23b3ceb6\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5636;branch=z9hG4bK-524287-1---bbc1f3d23b3ceb6d;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=30803e30\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: EQN7PKzmrH27cs5\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5636;branch=z9hG4bK-524287-1---bbc1f3d23b3ceb6\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5636;branch=z9hG4bK-524287-1---bbc1f3d23b3ceb6d;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=30803e30\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: EQN7PKzmrH27cs5\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5636;branch=z9hG4bK-524287-1---bbc1f3d23b3ceb6\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ea0ef8e96fb2496d0e8a49e976be096d3b160cb2\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5636;branch=z9hG4bK-524287-1---bbc1f3d23b3ceb6\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5636;branch=z9hG4bK-524287-1---bbc1f3d23b3ceb6\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5636;branch=z9hG4bK-524287-1---bbc1f3d23b3ceb6\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:5636;branch=z9hG4bK-524287-1---bbc1f3d23b3ceb6\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1052},{"id":10946474,"ip":"160.119.76.85","ts":"2026-07-11 01:10:00.000000","proto":"tcp","src_port":58018,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1077, \u0022payload_entropy\u0022: 5.580702050872414, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022dfdb1d078d143fabb67223f7181e8334\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:58018;branch=z9hG4bK-524287-1---d2b327b2e2685f\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:58018;branch=z9hG4bK-524287-1---d2b327b2e2685fd7;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=7f9e5b4c\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: WZu9lkgCvozGIl\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:58018;branch=z9hG4bK-524287-1---d2b327b2e2685f\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:58018;branch=z9hG4bK-524287-1---d2b327b2e2685fd7;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=7f9e5b4c\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: WZu9lkgCvozGIl\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:58018;branch=z9hG4bK-524287-1---d2b327b2e2685f\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002212c1f22d44c965ef76b747d4a8bfc27e32f782e4\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:58018;branch=z9hG4bK-524287-1---d2b327b2e2685f\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:58018;branch=z9hG4bK-524287-1---d2b327b2e2685f\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:58018;branch=z9hG4bK-524287-1---d2b327b2e2685f\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:58018;branch=z9hG4bK-524287-1---d2b327b2e2685f\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1077},{"id":10944858,"ip":"160.119.76.85","ts":"2026-07-11 00:39:35.000000","proto":"tcp","src_port":22792,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1062, \u0022payload_entropy\u0022: 5.5615072842573925, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223bc4b0ed55e7644195a4914eced3bd71\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:22792;branch=z9hG4bK-524287-1---688eecebdf0058\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:22792;branch=z9hG4bK-524287-1---688eecebdf00586f;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=87da1538\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: Vv5N9L97U1KuhZ\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:22792;branch=z9hG4bK-524287-1---688eecebdf0058\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:22792;branch=z9hG4bK-524287-1---688eecebdf00586f;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=87da1538\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: Vv5N9L97U1KuhZ\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:22792;branch=z9hG4bK-524287-1---688eecebdf0058\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002293a86eca6cb0dd0768c1058cdb6dd794011de798\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:22792;branch=z9hG4bK-524287-1---688eecebdf0058\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:22792;branch=z9hG4bK-524287-1---688eecebdf0058\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:22792;branch=z9hG4bK-524287-1---688eecebdf0058\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:22792;branch=z9hG4bK-524287-1---688eecebdf0058\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1062},{"id":10940523,"ip":"160.119.76.85","ts":"2026-07-11 00:09:10.000000","proto":"tcp","src_port":3002,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1060, \u0022payload_entropy\u0022: 5.553333349375667, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ce7d1d6812a5447b4e278c54f61eb6fd\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:3002;branch=z9hG4bK-524287-1---2118765d70ce68b\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:3002;branch=z9hG4bK-524287-1---2118765d70ce68bf;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=ece53a4a\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: u2OqAXDY2L6BNEi\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:3002;branch=z9hG4bK-524287-1---2118765d70ce68b\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:3002;branch=z9hG4bK-524287-1---2118765d70ce68bf;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=ece53a4a\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: u2OqAXDY2L6BNEi\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:3002;branch=z9hG4bK-524287-1---2118765d70ce68b\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022bd59443f91b5894ca0940c4c9d2a8b07707fc1f8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:3002;branch=z9hG4bK-524287-1---2118765d70ce68b\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:3002;branch=z9hG4bK-524287-1---2118765d70ce68b\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:3002;branch=z9hG4bK-524287-1---2118765d70ce68b\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:3002;branch=z9hG4bK-524287-1---2118765d70ce68b\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1060},{"id":10940018,"ip":"160.119.76.85","ts":"2026-07-11 00:04:49.000000","proto":"tcp","src_port":38566,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1053, \u0022payload_entropy\u0022: 5.561988273214054, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226211f2a4bc60838a655ccf7a81656971\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:38566;branch=z9hG4bK-524287-1---d7f99c68a6f41c\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:38566;branch=z9hG4bK-524287-1---d7f99c68a6f41ccb;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=d5a1e8c5\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: c8NhVcLatVDWvz\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:38566;branch=z9hG4bK-524287-1---d7f99c68a6f41c\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:38566;branch=z9hG4bK-524287-1---d7f99c68a6f41ccb;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=d5a1e8c5\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: c8NhVcLatVDWvz\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:38566;branch=z9hG4bK-524287-1---d7f99c68a6f41c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022fc5a0ca1181c7c6e01a1c10366546e32739e72c1\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:38566;branch=z9hG4bK-524287-1---d7f99c68a6f41c\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:38566;branch=z9hG4bK-524287-1---d7f99c68a6f41c\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:38566;branch=z9hG4bK-524287-1---d7f99c68a6f41c\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:38566;branch=z9hG4bK-524287-1---d7f99c68a6f41c\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1053},{"id":10939770,"ip":"160.119.76.85","ts":"2026-07-11 00:00:28.000000","proto":"tcp","src_port":28604,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 1068, \u0022payload_entropy\u0022: 5.544477329055451, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 77, \u0022precision_signals\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022matched_pattern_names\u0022: [\u0022SIP protocol\u0022, \u0022SIP INVITE scan\u0022], \u0022pattern_ids\u0022: [\u0022pat-0384\u0022, \u0022pat-0769\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 69.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00227cd1d3e2fac74e0e71c373e6094d538c\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:28604;branch=z9hG4bK-524287-1---666631413cc3c4\u0022, \u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:28604;branch=z9hG4bK-524287-1---666631413cc3c4c3;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=daae29ff\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: cSsDWael7VeZi3\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:28604;branch=z9hG4bK-524287-1---666631413cc3c4\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:28604;branch=z9hG4bK-524287-1---666631413cc3c4c3;rport\\r\\nMax-Forwards: 70\\r\\nFrom: \u003Csip:16611485108@62.3.50.33\u003E;tag=daae29ff\\r\\nTo: \u003Csip:@62.3.50.33:5060\u003E\\r\\nCall-ID: cSsDWael7VeZi3\u0022, \u0022payload_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:28604;branch=z9hG4bK-524287-1---666631413cc3c4\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220c0182166b0796b9c7e7f2a7a9691e9426037290\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:28604;branch=z9hG4bK-524287-1---666631413cc3c4\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:28604;branch=z9hG4bK-524287-1---666631413cc3c4\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 69%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0769\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0769\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:28604;branch=z9hG4bK-524287-1---666631413cc3c4\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022INVITE sip:@62.3.50.33:5060;transport=TCP SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 160.119.76.85:28604;branch=z9hG4bK-524287-1---666631413cc3c4\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 69 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":1068}],"total_events":73}