{"ip":"165.154.11.202","exported_at":"2026-06-21T00:01:02+00:00","period_days":30,"metrics":{"events7d":20,"distinct_ports":5,"distinct_classifications":7,"max_severity":6,"last_sensor_id":"paris-1","max_waf_score":6,"max_risk_score":98,"attack_stage":"probe","attack_chain_stage":"discovery","threat_family":["scanner"],"recommended_action":"monitor","confidence":0.58,"risk_breakdown":{"waf":8,"classification":48,"behavior":0,"geo":0,"protocol":0,"novelty":0},"mitre_tactics":["TA0007","TA0001"],"mitre_technique":"TA0007","top_mitre_technique":"TA0007","top_mitre_count":24,"executive_one_liner_fr":"Activit\u00e9 suspecte \u00b7 risque 44\/100","campaign_hint_fr":null,"confidence_breakdown":{"waf":8,"classification":48,"behavior":0,"geo":0,"protocol":0,"novelty":0,"risk_score":44,"correlation_boost":8},"persona_hostname":"mail.sensor-1.internal","correlation_flags":["multi_protocol_correlation"],"correlation_flags_labels_fr":["Multi-protocole corr\u00e9l\u00e9 (5 min)"],"confidence_pct":58,"confidence_hint_fr":"Corr\u00e9lation +8","sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["Fp Port Probe Noise","Single Port"],"tags_summary":["INT-FP-port-probe-noise","INT-single-port"],"attack_vector":"Sonde port \u00b7 port 7872 \u00b7 (sonde \/ probe)","protocol_details":{"payload_preview":"t3 12.1.2\nAS:2048\nHL:19","port":7872},"protocol_summary_fr":"Payload t3 12.1.2\nAS:2048\nHL:19","evidence_snippet":"t3 12.1.2\nAS:2048\nHL:19","target_port_label":"7872","emulator_service":null,"confidence_reason":"Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique","classification_reason":"Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%","classification_reason_label_fr":"Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%","confidence_factors_fr":"Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8","payload_preview":"t3 12.1.2\nAS:2048\nHL:19"},"events":[{"id":9787620,"ip":"165.154.11.202","ts":"2026-06-20 21:02:43.000000","proto":"tcp","src_port":33950,"dst_port":7872,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 25, \u0022payload_entropy\u0022: 3.7834651896016456, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022dst_port\u0022: 7872, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 44, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220cfe37a448db24c89c30a8845666b73472b86769\u0022, \u0022event_fingerprint\u0022: \u0022613c1b7cad446254ead3702ed7d505a0e4e2a2d6\u0022, \u0022classification_confidence\u0022: 0.58, \u0022confidence\u0022: 0.58, \u0022precision_signals\u0022: [\u0022INT-FP-port-probe-noise\u0022, \u0022INT-single-port\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 44, \u0022correlation_boost\u0022: 8}, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NG\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022588580493dbf1d2ca7cd7f2cd09ed672\u0022, \u0022path_pattern_hash\u0022: \u002249ebffbc8eed300cf9429db1ba4cf66d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 7872, \u0022risk_score\u0022: 44}, \u0022payload_preview\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\\n\\n\u0022, \u0022request_sample\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\\n\\n\u0022, \u0022payload_snippet\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\\n\\n\u0022, \u0022payload_snippet\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022bcd08824820173ae7ccde9fe710ddf8ced519427\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\u0022, \u0022port\u0022: 7872}, \u0022evidence_snippet\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\u0022, \u0022attack_vector\u0022: \u0022Sonde port \u00b7 port 7872 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00227872\u0022, \u0022confidence_reason\u0022: \u0022Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 44\/100\u0022, \u0022confidence_pct\u0022: 58, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 44, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 44, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 7872, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-FP-port-probe-noise\u0022, \u0022INT-single-port\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Fp Port Probe Noise\u0022, \u0022Single Port\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\u0022, \u0022port\u0022: 7872}, \u0022attack_vector\u0022: \u0022Sonde port \u00b7 port 7872 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\u0022, \u0022target_port_label\u0022: \u00227872\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00227872\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:7872\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":25},{"id":9787619,"ip":"165.154.11.202","ts":"2026-06-20 21:02:42.000000","proto":"tcp","src_port":33846,"dst_port":7872,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u00229460af62ae0af667130bf0d36514f084\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 247, \u0022payload_entropy\u0022: 5.7286671983750885, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022dst_port\u0022: 7872, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 5.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b0e83c8ec81b92326130572d2e0cd500ad6cb4a5\u0022, \u0022event_fingerprint\u0022: \u00225663286e82f9258f43a1736f2b49609b017fc25c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.57, \u0022classification_confidence\u0022: 0.57, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NG\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u00229460af62ae0af667130bf0d36514f084\u0022, \u0022payload_hash\u0022: \u00224874ba85621cbbf89943a894998d4bdf\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00229d78dfefabcee3ee16297d72e4cafc86\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,11-65281-23-18-5-10-13-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00229d78dfefabcee3ee16297d72e4cafc86\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_e060b20e9557_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 7872, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd\\u0001\ufffd\ufffd\\u0001\ufffdy\ufffd\ufffd(\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd\\u0005\ufffd\\u0014\ufffd\u01d4n\ufffd\\u000b\ufffd\ufffdnD CaD{\\u0015\\u0017\ufffdz\\fW\ufffd\\u0007\ufffd\ufffd\\u0003\\u0001\ufffdv\ufffdz\ufffd[\ufffd\ufffd\ufffdT\ufffd^\ufffdN~\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd\\u0001\ufffd\ufffd\\u0001\ufffdy\ufffd\ufffd(\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd\\u0005\ufffd\\u0014\ufffd\u01d4n\ufffd\\u000b\ufffd\ufffdnD CaD{\\u0015\\u0017\ufffdz\\fW\ufffd\\u0007\ufffd\ufffd\\u0003\\u0001\ufffdv\ufffdz\ufffd[\ufffd\ufffd\ufffdT\ufffd^\ufffdN~\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \ufffd\ufffd]n\ufffd\ufffdw\ufffdd\ufffd\ufffd-GM-\ufffd\u06b9s\\u001e\ufffdQ\ufffd\ufffd\\b\ufffd\ufffd+d\ufffdP\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd\\u0001\ufffd\ufffd\\u0001\ufffdy\ufffd\ufffd(\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd\\u0005\ufffd\\u0014\ufffd\u01d4n\ufffd\\u000b\ufffd\ufffdnD CaD{\\u0015\\u0017\ufffdz\\fW\ufffd\\u0007\ufffd\ufffd\\u0003\\u0001\ufffdv\ufffdz\ufffd[\ufffd\ufffd\ufffdT\ufffd^\ufffdN~\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002249eb2c3d157172a50d764fb2e711ee5dd68fb34a\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd\\u0001\ufffd\ufffd\\u0001\ufffdy\ufffd\ufffd(\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd\\u0005\ufffd\\u0014\ufffd\u01d4n\ufffd\\u000b\ufffd\ufffdnD CaD{\\u0015\\u0017\ufffdz\\fW\ufffd\\u0007\ufffd\ufffd\\u0003\\u0001\ufffdv\ufffdz\ufffd[\ufffd\ufffd\ufffdT\ufffd^\ufffdN~\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\u0022, \u0022tls_ja3\u0022: \u00229460af62ae0af667130bf0d36514f084\u0022, \u0022tls_ja4\u0022: \u00229d78dfefabcee3ee16297d72e4cafc86\u0022, \u0022port\u0022: 7872, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdy\ufffd\ufffd(\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u01d4n\ufffd\ufffd\ufffdnD CaD{\ufffdzW\ufffd\ufffd\ufffd\ufffdv\ufffdz\ufffd[\ufffd\ufffd\ufffdT\ufffd^\ufffdN~\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\n\ufffd\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:7872 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00227872 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 57, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 7872, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd\\u0001\ufffd\ufffd\\u0001\ufffdy\ufffd\ufffd(\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd\\u0005\ufffd\\u0014\ufffd\u01d4n\ufffd\\u000b\ufffd\ufffdnD CaD{\\u0015\\u0017\ufffdz\\fW\ufffd\\u0007\ufffd\ufffd\\u0003\\u0001\ufffdv\ufffdz\ufffd[\ufffd\ufffd\ufffdT\ufffd^\ufffdN~\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\u0022, \u0022tls_ja3\u0022: \u00229460af62ae0af667130bf0d36514f084\u0022, \u0022tls_ja4\u0022: \u00229d78dfefabcee3ee16297d72e4cafc86\u0022, \u0022port\u0022: 7872, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:7872 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdy\ufffd\ufffd(\ufffd,\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u01d4n\ufffd\ufffd\ufffdnD CaD{\ufffdzW\ufffd\ufffd\ufffd\ufffdv\ufffdz\ufffd[\ufffd\ufffd\ufffdT\ufffd^\ufffdN~\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\n\ufffd\u0022, \u0022target_port_label\u0022: \u00227872 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00227872\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:7872\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]}","tls_sni":null,"tls_ja3_hash":"9460af62ae0af667130bf0d36514f084","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,11-65281-23-18-5-10-13-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":247},{"id":9787616,"ip":"165.154.11.202","ts":"2026-06-20 21:02:41.000000","proto":"tcp","src_port":33542,"dst_port":7872,"service":"http","classification":"port_7872_tcp","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00220315d257123246273ce1f3edb87d478f00f3fce8\u0022, \u0022http_host_hash\u0022: \u00220991dad1e85d945fa26d249d6238901b89cb8349\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 74, \u0022payload_entropy\u0022: 4.819344967782759, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022dst_port\u0022: 7872, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022a3ace0948c974e7562d915176884464b156d30ee\u0022, \u0022event_fingerprint\u0022: \u00229f250e8d4215c10afb91f3db716b9935389b1675\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_7872_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.63, \u0022classification_confidence\u0022: 0.63, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022web_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NG\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022a6744e3c06a59e753fc74a2c54c4a161\u0022, \u0022payload_hash\u0022: \u002299559ea3a5e9ac33c4b35f9a75d06c9c\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 7872, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022curl\/7.29.0\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022curl\/7.29.0\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_7872_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022458d68020a58edd2e09f6de3dccf48530144e34d\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/7.29.0\u0022, \u0022port\u0022: 7872, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\u0022, \u0022attack_vector\u0022: \u0022port 7872 tcp \u00b7 via HTTP:7872 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00227872 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_7872_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_7872_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 42\/100\u0022, \u0022confidence_pct\u0022: 63, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 7872, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/7.29.0\u0022, \u0022port\u0022: 7872, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port 7872 tcp \u00b7 via HTTP:7872 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\u0022, \u0022target_port_label\u0022: \u00227872 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00227872\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:7872\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022botnet_http_ua_host\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 84}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33","http_user_agent":"curl\/7.29.0","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022botnet_http_ua_host\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":6,"bytes_in":74},{"id":9787613,"ip":"165.154.11.202","ts":"2026-06-20 21:02:36.000000","proto":"tcp","src_port":32102,"dst_port":7872,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022dst_port\u0022: 7872, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 44, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220cfe37a448db24c89c30a8845666b73472b86769\u0022, \u0022event_fingerprint\u0022: \u0022613c1b7cad446254ead3702ed7d505a0e4e2a2d6\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022INT-FP-port-probe-noise\u0022, \u0022INT-single-port\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 44}, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NG\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u002249ebffbc8eed300cf9429db1ba4cf66d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 7872, \u0022risk_score\u0022: 44}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228b4fbd77aa6dfb1625e1149e8e4752487606f748\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 7872}, \u0022attack_vector\u0022: \u0022Sonde port \u00b7 port 7872 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00227872\u0022, \u0022confidence_reason\u0022: \u0022Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 44\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 44}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 44, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 7872, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-FP-port-probe-noise\u0022, \u0022INT-single-port\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Fp Port Probe Noise\u0022, \u0022Single Port\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 7872}, \u0022attack_vector\u0022: \u0022Sonde port \u00b7 port 7872 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00227872\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00227872\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":0},{"id":9722973,"ip":"165.154.11.202","ts":"2026-06-20 06:06:55.000000","proto":"tcp","src_port":36948,"dst_port":10664,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u00229460af62ae0af667130bf0d36514f084\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 247, \u0022payload_entropy\u0022: 5.674970910621477, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022dst_port\u0022: 10664, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 1.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00223cd23eecca7ef1c266f7fe2f1e100a2393d3d6e3\u0022, \u0022event_fingerprint\u0022: \u002204bd1fd0cb02c9198c329b1579c770b899a04262\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.57, \u0022classification_confidence\u0022: 0.57, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NG\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u00229460af62ae0af667130bf0d36514f084\u0022, \u0022payload_hash\u0022: \u002276ea4ae5a80ba3221ccc01396fdadf78\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00229d78dfefabcee3ee16297d72e4cafc86\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,11-65281-23-18-5-10-13-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00229d78dfefabcee3ee16297d72e4cafc86\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_e060b20e9557_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 10664, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdgj\ufffd5\\u0006\\u001f\\u000b\\\\O\\u001e\ufffd\ufffdl\ufffd\u01ba\ufffdD\ufffd:\ufffdG\\u0013\ufffd\\u0005\ufffd\\u0001\ufffdD\ufffd\\u0013 \\u001da\\u0001]\ufffd\ufffd\ufffd\\u0001\ufffd\\u0011I\\u000e]\\u00101t~y\ufffd\ufffd\ufffdv\ufffd=\\u001e\ufffd\ufffdy\ufffd\ufffdC\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdgj\ufffd5\\u0006\\u001f\\u000b\\\\O\\u001e\ufffd\ufffdl\ufffd\u01ba\ufffdD\ufffd:\ufffdG\\u0013\ufffd\\u0005\ufffd\\u0001\ufffdD\ufffd\\u0013 \\u001da\\u0001]\ufffd\ufffd\ufffd\\u0001\ufffd\\u0011I\\u000e]\\u00101t~y\ufffd\ufffd\ufffdv\ufffd=\\u001e\ufffd\ufffdy\ufffd\ufffdC\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \ufffdg\ufffdm\u0284tj\ufffdUj)\\t\ufffd\\u00008\\u000e\\bv\ufffd\ufffd\ufffd+\ufffd\ufffd\u039f\ufffd\ufffd}\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdgj\ufffd5\\u0006\\u001f\\u000b\\\\O\\u001e\ufffd\ufffdl\ufffd\u01ba\ufffdD\ufffd:\ufffdG\\u0013\ufffd\\u0005\ufffd\\u0001\ufffdD\ufffd\\u0013 \\u001da\\u0001]\ufffd\ufffd\ufffd\\u0001\ufffd\\u0011I\\u000e]\\u00101t~y\ufffd\ufffd\ufffdv\ufffd=\\u001e\ufffd\ufffdy\ufffd\ufffdC\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002214ee5c33bb3c5b2c6e36a66d0c216d149c5d6a48\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdgj\ufffd5\\u0006\\u001f\\u000b\\\\O\\u001e\ufffd\ufffdl\ufffd\u01ba\ufffdD\ufffd:\ufffdG\\u0013\ufffd\\u0005\ufffd\\u0001\ufffdD\ufffd\\u0013 \\u001da\\u0001]\ufffd\ufffd\ufffd\\u0001\ufffd\\u0011I\\u000e]\\u00101t~y\ufffd\ufffd\ufffdv\ufffd=\\u001e\ufffd\ufffdy\ufffd\ufffdC\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\u0022, \u0022tls_ja3\u0022: \u00229460af62ae0af667130bf0d36514f084\u0022, \u0022tls_ja4\u0022: \u00229d78dfefabcee3ee16297d72e4cafc86\u0022, \u0022port\u0022: 10664, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdgj\ufffd5\\\\O\ufffd\ufffdl\ufffd\u01ba\ufffdD\ufffd:\ufffdG\ufffd\ufffd\ufffdD\ufffd a]\ufffd\ufffd\ufffd\ufffdI]1t~y\ufffd\ufffd\ufffdv\ufffd=\ufffd\ufffdy\ufffd\ufffdC\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\n\ufffd\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:10664 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002210664 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 57, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 10664, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdgj\ufffd5\\u0006\\u001f\\u000b\\\\O\\u001e\ufffd\ufffdl\ufffd\u01ba\ufffdD\ufffd:\ufffdG\\u0013\ufffd\\u0005\ufffd\\u0001\ufffdD\ufffd\\u0013 \\u001da\\u0001]\ufffd\ufffd\ufffd\\u0001\ufffd\\u0011I\\u000e]\\u00101t~y\ufffd\ufffd\ufffdv\ufffd=\\u001e\ufffd\ufffdy\ufffd\ufffdC\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\u0022, \u0022tls_ja3\u0022: \u00229460af62ae0af667130bf0d36514f084\u0022, \u0022tls_ja4\u0022: \u00229d78dfefabcee3ee16297d72e4cafc86\u0022, \u0022port\u0022: 10664, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:10664 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdgj\ufffd5\\\\O\ufffd\ufffdl\ufffd\u01ba\ufffdD\ufffd:\ufffdG\ufffd\ufffd\ufffdD\ufffd a]\ufffd\ufffd\ufffd\ufffdI]1t~y\ufffd\ufffd\ufffdv\ufffd=\ufffd\ufffdy\ufffd\ufffdC\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\n\ufffd\u0022, \u0022target_port_label\u0022: \u002210664 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002210664\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:10664\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]}","tls_sni":null,"tls_ja3_hash":"9460af62ae0af667130bf0d36514f084","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,11-65281-23-18-5-10-13-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":247},{"id":9722977,"ip":"165.154.11.202","ts":"2026-06-20 06:06:55.000000","proto":"tcp","src_port":37064,"dst_port":10664,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 25, \u0022payload_entropy\u0022: 3.7834651896016456, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022dst_port\u0022: 10664, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 44, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b6ba5881cb364e485fd455b8a39120705e8823a4\u0022, \u0022event_fingerprint\u0022: \u0022ba2bd1a5ad5de78764bff5cf4a2e5d6abdaf5846\u0022, \u0022classification_confidence\u0022: 0.58, \u0022confidence\u0022: 0.58, \u0022precision_signals\u0022: [\u0022INT-FP-port-probe-noise\u0022, \u0022INT-single-port\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 44, \u0022correlation_boost\u0022: 8}, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NG\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022588580493dbf1d2ca7cd7f2cd09ed672\u0022, \u0022path_pattern_hash\u0022: \u002249ebffbc8eed300cf9429db1ba4cf66d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 10664, \u0022risk_score\u0022: 44}, \u0022payload_preview\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\\n\\n\u0022, \u0022request_sample\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\\n\\n\u0022, \u0022payload_snippet\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\\n\\n\u0022, \u0022payload_snippet\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229058f687b0c32d22b9367a63c9d8c050ccefc9ad\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\u0022, \u0022port\u0022: 10664}, \u0022evidence_snippet\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\u0022, \u0022attack_vector\u0022: \u0022Sonde port \u00b7 port 10664 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002210664\u0022, \u0022confidence_reason\u0022: \u0022Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 44\/100\u0022, \u0022confidence_pct\u0022: 58, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 44, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 44, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 10664, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-FP-port-probe-noise\u0022, \u0022INT-single-port\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Fp Port Probe Noise\u0022, \u0022Single Port\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\u0022, \u0022port\u0022: 10664}, \u0022attack_vector\u0022: \u0022Sonde port \u00b7 port 10664 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\u0022, \u0022target_port_label\u0022: \u002210664\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002210664\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:10664\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":25},{"id":9722969,"ip":"165.154.11.202","ts":"2026-06-20 06:06:54.000000","proto":"tcp","src_port":36756,"dst_port":10664,"service":"http","classification":"port_10664_tcp","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00220315d257123246273ce1f3edb87d478f00f3fce8\u0022, \u0022http_host_hash\u0022: \u00220991dad1e85d945fa26d249d6238901b89cb8349\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 74, \u0022payload_entropy\u0022: 4.819344967782759, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022dst_port\u0022: 10664, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u002279b2bc51b7c8ffe46507275c7e434f59f743c456\u0022, \u0022event_fingerprint\u0022: \u0022e73386186152d2245178d9dcb88835efe44906af\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_10664_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.63, \u0022classification_confidence\u0022: 0.63, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022web_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NG\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022a6744e3c06a59e753fc74a2c54c4a161\u0022, \u0022payload_hash\u0022: \u002299559ea3a5e9ac33c4b35f9a75d06c9c\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 10664, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022curl\/7.29.0\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022curl\/7.29.0\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_10664_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022104c9e504c071b2f8aa31fe2b20ee0056cee72cb\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/7.29.0\u0022, \u0022port\u0022: 10664, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\u0022, \u0022attack_vector\u0022: \u0022port 10664 tcp \u00b7 via HTTP:10664 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002210664 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_10664_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_10664_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 42\/100\u0022, \u0022confidence_pct\u0022: 63, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 10664, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/7.29.0\u0022, \u0022port\u0022: 10664, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port 10664 tcp \u00b7 via HTTP:10664 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\u0022, \u0022target_port_label\u0022: \u002210664 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002210664\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:10664\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022botnet_http_ua_host\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 84}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33","http_user_agent":"curl\/7.29.0","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022botnet_http_ua_host\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":6,"bytes_in":74},{"id":9722968,"ip":"165.154.11.202","ts":"2026-06-20 06:06:48.000000","proto":"tcp","src_port":35542,"dst_port":10664,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022dst_port\u0022: 10664, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 44, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b6ba5881cb364e485fd455b8a39120705e8823a4\u0022, \u0022event_fingerprint\u0022: \u0022ba2bd1a5ad5de78764bff5cf4a2e5d6abdaf5846\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022INT-FP-port-probe-noise\u0022, \u0022INT-single-port\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 44}, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NG\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u002249ebffbc8eed300cf9429db1ba4cf66d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 10664, \u0022risk_score\u0022: 44}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221248c036d8b2666a6699c6e0e8ac6e7d6b87cd65\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 10664}, \u0022attack_vector\u0022: \u0022Sonde port \u00b7 port 10664 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002210664\u0022, \u0022confidence_reason\u0022: \u0022Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 44\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 44}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 44, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 10664, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-FP-port-probe-noise\u0022, \u0022INT-single-port\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Fp Port Probe Noise\u0022, \u0022Single Port\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 10664}, \u0022attack_vector\u0022: \u0022Sonde port \u00b7 port 10664 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u002210664\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002210664\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":0},{"id":9418473,"ip":"165.154.11.202","ts":"2026-06-16 19:52:45.000000","proto":"tcp","src_port":44080,"dst_port":592,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 25, \u0022payload_entropy\u0022: 3.7834651896016456, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022dst_port\u0022: 592, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 44, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022806399b42ed821265ee46b463092647b0ee5e86a\u0022, \u0022event_fingerprint\u0022: \u0022060be8562e17f3564d1bbee41dc5c8b89b2f2d77\u0022, \u0022classification_confidence\u0022: 0.58, \u0022confidence\u0022: 0.58, \u0022precision_signals\u0022: [\u0022INT-FP-port-probe-noise\u0022, \u0022INT-single-port\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 44, \u0022correlation_boost\u0022: 8}, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NG\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022588580493dbf1d2ca7cd7f2cd09ed672\u0022, \u0022path_pattern_hash\u0022: \u002249ebffbc8eed300cf9429db1ba4cf66d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 592, \u0022risk_score\u0022: 44}, \u0022payload_preview\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\\n\\n\u0022, \u0022request_sample\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\\n\\n\u0022, \u0022payload_snippet\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\\n\\n\u0022, \u0022payload_snippet\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ca387bada2f317a8ca2742b905ff200007a421e0\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\u0022, \u0022port\u0022: 592}, \u0022evidence_snippet\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\u0022, \u0022attack_vector\u0022: \u0022Sonde port \u00b7 port 592 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022592\u0022, \u0022confidence_reason\u0022: \u0022Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 44\/100\u0022, \u0022confidence_pct\u0022: 58, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 44, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 44, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 592, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-FP-port-probe-noise\u0022, \u0022INT-single-port\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Fp Port Probe Noise\u0022, \u0022Single Port\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\u0022, \u0022port\u0022: 592}, \u0022attack_vector\u0022: \u0022Sonde port \u00b7 port 592 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\u0022, \u0022target_port_label\u0022: \u0022592\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022592\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:592\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":25},{"id":9418472,"ip":"165.154.11.202","ts":"2026-06-16 19:52:44.000000","proto":"tcp","src_port":43996,"dst_port":592,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u00229460af62ae0af667130bf0d36514f084\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 247, \u0022payload_entropy\u0022: 5.7669419498735355, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022dst_port\u0022: 592, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 1.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227b760087f9b910a0e17ba971c51101ab37ae585a\u0022, \u0022event_fingerprint\u0022: \u0022499fd51f4778c5086769c23d6bf1936735bb0c3f\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.57, \u0022classification_confidence\u0022: 0.57, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NG\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u00229460af62ae0af667130bf0d36514f084\u0022, \u0022payload_hash\u0022: \u002232343ff9a6746ea7fced55fe4256e17b\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00229d78dfefabcee3ee16297d72e4cafc86\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,11-65281-23-18-5-10-13-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00229d78dfefabcee3ee16297d72e4cafc86\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_e060b20e9557_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 592, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\u0004v\ufffdb\ufffd\ufffd\ufffd-\\u000f\ufffdH\\ni\ufffd\ufffdE(\ufffdA\ufffd1\\r\ufffd\\u0018!r\ufffd\ufffd\ufffd\ufffd [\ufffd\ufffdm*\\u001a\ufffd\\u000f\ufffd\ufffd \ufffdu\\u0014\ufffd\ufffd,4\ufffd\\u0000Q\ufffd\u04ba@f\ufffd\\u0002\ufffd\\u000f\ufffd\\\\\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\u0004v\ufffdb\ufffd\ufffd\ufffd-\\u000f\ufffdH\\ni\ufffd\ufffdE(\ufffdA\ufffd1\\r\ufffd\\u0018!r\ufffd\ufffd\ufffd\ufffd [\ufffd\ufffdm*\\u001a\ufffd\\u000f\ufffd\ufffd \ufffdu\\u0014\ufffd\ufffd,4\ufffd\\u0000Q\ufffd\u04ba@f\ufffd\\u0002\ufffd\\u000f\ufffd\\\\\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 2\\u0006u\ufffd\\t\ufffd\ufffdH\ufffd\ufffd\/\ufffdn}\ufffd]jx\ufffdv\u01cd\\u0006\\u0014\\u0011\ufffd\\u0018\ufffdg\ufffd`\\u001b\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\u0004v\ufffdb\ufffd\ufffd\ufffd-\\u000f\ufffdH\\ni\ufffd\ufffdE(\ufffdA\ufffd1\\r\ufffd\\u0018!r\ufffd\ufffd\ufffd\ufffd [\ufffd\ufffdm*\\u001a\ufffd\\u000f\ufffd\ufffd \ufffdu\\u0014\ufffd\ufffd,4\ufffd\\u0000Q\ufffd\u04ba@f\ufffd\\u0002\ufffd\\u000f\ufffd\\\\\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229e896d574c8b12802e2e1be23d2a47fe801a12d8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\u0004v\ufffdb\ufffd\ufffd\ufffd-\\u000f\ufffdH\\ni\ufffd\ufffdE(\ufffdA\ufffd1\\r\ufffd\\u0018!r\ufffd\ufffd\ufffd\ufffd [\ufffd\ufffdm*\\u001a\ufffd\\u000f\ufffd\ufffd \ufffdu\\u0014\ufffd\ufffd,4\ufffd\\u0000Q\ufffd\u04ba@f\ufffd\\u0002\ufffd\\u000f\ufffd\\\\\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\u0022, \u0022tls_ja3\u0022: \u00229460af62ae0af667130bf0d36514f084\u0022, \u0022tls_ja4\u0022: \u00229d78dfefabcee3ee16297d72e4cafc86\u0022, \u0022port\u0022: 592, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdv\ufffdb\ufffd\ufffd\ufffd-\ufffdH\\ni\ufffd\ufffdE(\ufffdA\ufffd1\\r\ufffd!r\ufffd\ufffd\ufffd\ufffd [\ufffd\ufffdm*\ufffd\ufffd\ufffd \ufffdu\ufffd\ufffd,4\ufffdQ\ufffd\u04ba@f\ufffd\ufffd\ufffd\\\\\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\n\ufffd\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:592 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022592 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 57, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 592, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\u0004v\ufffdb\ufffd\ufffd\ufffd-\\u000f\ufffdH\\ni\ufffd\ufffdE(\ufffdA\ufffd1\\r\ufffd\\u0018!r\ufffd\ufffd\ufffd\ufffd [\ufffd\ufffdm*\\u001a\ufffd\\u000f\ufffd\ufffd \ufffdu\\u0014\ufffd\ufffd,4\ufffd\\u0000Q\ufffd\u04ba@f\ufffd\\u0002\ufffd\\u000f\ufffd\\\\\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\u0022, \u0022tls_ja3\u0022: \u00229460af62ae0af667130bf0d36514f084\u0022, \u0022tls_ja4\u0022: \u00229d78dfefabcee3ee16297d72e4cafc86\u0022, \u0022port\u0022: 592, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:592 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdv\ufffdb\ufffd\ufffd\ufffd-\ufffdH\\ni\ufffd\ufffdE(\ufffdA\ufffd1\\r\ufffd!r\ufffd\ufffd\ufffd\ufffd [\ufffd\ufffdm*\ufffd\ufffd\ufffd \ufffdu\ufffd\ufffd,4\ufffdQ\ufffd\u04ba@f\ufffd\ufffd\ufffd\\\\\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\n\ufffd\u0022, \u0022target_port_label\u0022: \u0022592 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022592\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:592\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]}","tls_sni":null,"tls_ja3_hash":"9460af62ae0af667130bf0d36514f084","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,11-65281-23-18-5-10-13-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":247},{"id":9418471,"ip":"165.154.11.202","ts":"2026-06-16 19:52:43.000000","proto":"tcp","src_port":43792,"dst_port":592,"service":"http","classification":"port_592_tcp","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00220315d257123246273ce1f3edb87d478f00f3fce8\u0022, \u0022http_host_hash\u0022: \u00220991dad1e85d945fa26d249d6238901b89cb8349\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 74, \u0022payload_entropy\u0022: 4.819344967782759, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022dst_port\u0022: 592, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u00222b9c87fecb5271fa13da2bf7445561807f88dd26\u0022, \u0022event_fingerprint\u0022: \u00223bcb17f23fd4a716e1ab9610021b5704ffecf384\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_592_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.63, \u0022classification_confidence\u0022: 0.63, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022web_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NG\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022a6744e3c06a59e753fc74a2c54c4a161\u0022, \u0022payload_hash\u0022: \u002299559ea3a5e9ac33c4b35f9a75d06c9c\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 592, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022curl\/7.29.0\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022curl\/7.29.0\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_592_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c61cd65f094ca3b997cf0c4178ecb3e86600b3bd\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/7.29.0\u0022, \u0022port\u0022: 592, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\u0022, \u0022attack_vector\u0022: \u0022port 592 tcp \u00b7 via HTTP:592 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022592 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_592_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_592_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 42\/100\u0022, \u0022confidence_pct\u0022: 63, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 592, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/7.29.0\u0022, \u0022port\u0022: 592, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port 592 tcp \u00b7 via HTTP:592 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\u0022, \u0022target_port_label\u0022: \u0022592 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022592\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:592\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022botnet_http_ua_host\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 84}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33","http_user_agent":"curl\/7.29.0","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022botnet_http_ua_host\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":6,"bytes_in":74},{"id":9418469,"ip":"165.154.11.202","ts":"2026-06-16 19:52:38.000000","proto":"tcp","src_port":41976,"dst_port":592,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022dst_port\u0022: 592, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 44, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022806399b42ed821265ee46b463092647b0ee5e86a\u0022, \u0022event_fingerprint\u0022: \u0022060be8562e17f3564d1bbee41dc5c8b89b2f2d77\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022INT-FP-port-probe-noise\u0022, \u0022INT-single-port\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 44}, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NG\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u002249ebffbc8eed300cf9429db1ba4cf66d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 592, \u0022risk_score\u0022: 44}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e8d826ce52d37af3ebd30681a1bb24b6c36ac063\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 592}, \u0022attack_vector\u0022: \u0022Sonde port \u00b7 port 592 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022592\u0022, \u0022confidence_reason\u0022: \u0022Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 44\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 44}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 44, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 592, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-FP-port-probe-noise\u0022, \u0022INT-single-port\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Fp Port Probe Noise\u0022, \u0022Single Port\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 592}, \u0022attack_vector\u0022: \u0022Sonde port \u00b7 port 592 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u0022592\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022592\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":0},{"id":9120567,"ip":"165.154.11.202","ts":"2026-06-15 08:34:20.000000","proto":"tcp","src_port":25804,"dst_port":4804,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u00229460af62ae0af667130bf0d36514f084\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 247, \u0022payload_entropy\u0022: 5.795081466650001, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022dst_port\u0022: 4804, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 5.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d48c0a8a82cc0c80df69e4a1167080537460c271\u0022, \u0022event_fingerprint\u0022: \u00223205a347f4174a5eb441bbf4d52493a7e912f29d\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.57, \u0022classification_confidence\u0022: 0.57, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NG\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u00229460af62ae0af667130bf0d36514f084\u0022, \u0022payload_hash\u0022: \u002231017c9e3b4b8030ac76c13a31a7cbe4\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00229d78dfefabcee3ee16297d72e4cafc86\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,11-65281-23-18-5-10-13-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00229d78dfefabcee3ee16297d72e4cafc86\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_e060b20e9557_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 4804, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdj\ufffd[\\\u0022\u003C\\t\ufffd{\ufffdQ\ufffd\\u0004\\\\2\u0180J\ufffd\ufffdQ\ufffd\ufffd\\r*\ufffd\ufffdS\ufffd\ufffd\\u0017 XM\u0245\ufffd6bdd\udbee\udf02RR\ufffd\ufffd\ufffd\ufffd\ufffdB\ufffd\\u000f]\ufffd6\ufffd\ufffd\u075a\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdj\ufffd[\\\u0022\u003C\\t\ufffd{\ufffdQ\ufffd\\u0004\\\\2\u0180J\ufffd\ufffdQ\ufffd\ufffd\\r*\ufffd\ufffdS\ufffd\ufffd\\u0017 XM\u0245\ufffd6bdd\udbee\udf02RR\ufffd\ufffd\ufffd\ufffd\ufffdB\ufffd\\u000f]\ufffd6\ufffd\ufffd\u075a\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \ufffdA\ufffdA\ufffdw]\ufffd\ufffd{\ufffd\ufffd+O_\ufffd\ufffd!cE\ufffd\ufffd\ufffd6u,\ufffdqH\ufffd\\f\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdj\ufffd[\\\u0022\u003C\\t\ufffd{\ufffdQ\ufffd\\u0004\\\\2\u0180J\ufffd\ufffdQ\ufffd\ufffd\\r*\ufffd\ufffdS\ufffd\ufffd\\u0017 XM\u0245\ufffd6bdd\udbee\udf02RR\ufffd\ufffd\ufffd\ufffd\ufffdB\ufffd\\u000f]\ufffd6\ufffd\ufffd\u075a\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a72fa852d70f7b8685d50368aabfb4bf993b1252\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdj\ufffd[\\\u0022\u003C\\t\ufffd{\ufffdQ\ufffd\\u0004\\\\2\u0180J\ufffd\ufffdQ\ufffd\ufffd\\r*\ufffd\ufffdS\ufffd\ufffd\\u0017 XM\u0245\ufffd6bdd\udbee\udf02RR\ufffd\ufffd\ufffd\ufffd\ufffdB\ufffd\\u000f]\ufffd6\ufffd\ufffd\u075a\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\u0022, \u0022tls_ja3\u0022: \u00229460af62ae0af667130bf0d36514f084\u0022, \u0022tls_ja4\u0022: \u00229d78dfefabcee3ee16297d72e4cafc86\u0022, \u0022port\u0022: 4804, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdj\ufffd[\\\u0022\u003C\\t\ufffd{\ufffdQ\ufffd\\\\2\u0180J\ufffd\ufffdQ\ufffd\ufffd\\r*\ufffd\ufffdS\ufffd\ufffd XM\u0245\ufffd6bdd\udbee\udf02RR\ufffd\ufffd\ufffd\ufffd\ufffdB\ufffd]\ufffd6\ufffd\ufffd\u075a\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\n\ufffd\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:4804 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00224804 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 57, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 4804, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdj\ufffd[\\\u0022\u003C\\t\ufffd{\ufffdQ\ufffd\\u0004\\\\2\u0180J\ufffd\ufffdQ\ufffd\ufffd\\r*\ufffd\ufffdS\ufffd\ufffd\\u0017 XM\u0245\ufffd6bdd\udbee\udf02RR\ufffd\ufffd\ufffd\ufffd\ufffdB\ufffd\\u000f]\ufffd6\ufffd\ufffd\u075a\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\u0022, \u0022tls_ja3\u0022: \u00229460af62ae0af667130bf0d36514f084\u0022, \u0022tls_ja4\u0022: \u00229d78dfefabcee3ee16297d72e4cafc86\u0022, \u0022port\u0022: 4804, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:4804 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdj\ufffd[\\\u0022\u003C\\t\ufffd{\ufffdQ\ufffd\\\\2\u0180J\ufffd\ufffdQ\ufffd\ufffd\\r*\ufffd\ufffdS\ufffd\ufffd XM\u0245\ufffd6bdd\udbee\udf02RR\ufffd\ufffd\ufffd\ufffd\ufffdB\ufffd]\ufffd6\ufffd\ufffd\u075a\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\n\ufffd\u0022, \u0022target_port_label\u0022: \u00224804 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00224804\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:4804\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]}","tls_sni":null,"tls_ja3_hash":"9460af62ae0af667130bf0d36514f084","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,11-65281-23-18-5-10-13-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":247},{"id":9120568,"ip":"165.154.11.202","ts":"2026-06-15 08:34:20.000000","proto":"tcp","src_port":25974,"dst_port":4804,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 25, \u0022payload_entropy\u0022: 3.7834651896016456, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022dst_port\u0022: 4804, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 44, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002225106ca21ca7c318b55af79c1443e3d76e3653d8\u0022, \u0022event_fingerprint\u0022: \u00221b5ae449a04b1b95e5b61b8b0b5bcf4a21b163da\u0022, \u0022classification_confidence\u0022: 0.58, \u0022confidence\u0022: 0.58, \u0022precision_signals\u0022: [\u0022INT-FP-port-probe-noise\u0022, \u0022INT-single-port\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 44, \u0022correlation_boost\u0022: 8}, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NG\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022588580493dbf1d2ca7cd7f2cd09ed672\u0022, \u0022path_pattern_hash\u0022: \u002249ebffbc8eed300cf9429db1ba4cf66d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 4804, \u0022risk_score\u0022: 44}, \u0022payload_preview\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\\n\\n\u0022, \u0022request_sample\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\\n\\n\u0022, \u0022payload_snippet\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\\n\\n\u0022, \u0022payload_snippet\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c89a036e69349cd03e750a3c99a445d6c0207cd5\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\u0022, \u0022port\u0022: 4804}, \u0022evidence_snippet\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\u0022, \u0022attack_vector\u0022: \u0022Sonde port \u00b7 port 4804 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00224804\u0022, \u0022confidence_reason\u0022: \u0022Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 44\/100\u0022, \u0022confidence_pct\u0022: 58, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 44, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 44, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 4804, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-FP-port-probe-noise\u0022, \u0022INT-single-port\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Fp Port Probe Noise\u0022, \u0022Single Port\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\u0022, \u0022port\u0022: 4804}, \u0022attack_vector\u0022: \u0022Sonde port \u00b7 port 4804 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\u0022, \u0022target_port_label\u0022: \u00224804\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00224804\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:4804\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":25},{"id":9120564,"ip":"165.154.11.202","ts":"2026-06-15 08:34:19.000000","proto":"tcp","src_port":25616,"dst_port":4804,"service":"http","classification":"port_4804_tcp","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00220315d257123246273ce1f3edb87d478f00f3fce8\u0022, \u0022http_host_hash\u0022: \u00220991dad1e85d945fa26d249d6238901b89cb8349\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 74, \u0022payload_entropy\u0022: 4.819344967782759, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022dst_port\u0022: 4804, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u002296701cc88ab1ea6aecd43a57667a29fa4d177869\u0022, \u0022event_fingerprint\u0022: \u002285a39a44eadd7a74ce5934ec00091c27e3800378\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_4804_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.63, \u0022classification_confidence\u0022: 0.63, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022web_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NG\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022a6744e3c06a59e753fc74a2c54c4a161\u0022, \u0022payload_hash\u0022: \u002299559ea3a5e9ac33c4b35f9a75d06c9c\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 4804, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022curl\/7.29.0\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022curl\/7.29.0\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_4804_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c13e1c33014f104ac78b6f04c46593e99cab569f\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/7.29.0\u0022, \u0022port\u0022: 4804, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\u0022, \u0022attack_vector\u0022: \u0022port 4804 tcp \u00b7 via HTTP:4804 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00224804 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_4804_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_4804_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 42\/100\u0022, \u0022confidence_pct\u0022: 63, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 4804, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/7.29.0\u0022, \u0022port\u0022: 4804, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port 4804 tcp \u00b7 via HTTP:4804 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\u0022, \u0022target_port_label\u0022: \u00224804 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00224804\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:4804\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022botnet_http_ua_host\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33","http_user_agent":"curl\/7.29.0","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022botnet_http_ua_host\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":6,"bytes_in":74},{"id":9120562,"ip":"165.154.11.202","ts":"2026-06-15 08:34:13.000000","proto":"tcp","src_port":24406,"dst_port":4804,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022dst_port\u0022: 4804, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 44, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002225106ca21ca7c318b55af79c1443e3d76e3653d8\u0022, \u0022event_fingerprint\u0022: \u00221b5ae449a04b1b95e5b61b8b0b5bcf4a21b163da\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022INT-FP-port-probe-noise\u0022, \u0022INT-single-port\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 44}, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NG\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u002249ebffbc8eed300cf9429db1ba4cf66d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 4804, \u0022risk_score\u0022: 44}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022369f4cfc9e568ed9ba50970bc3e31adf996d034c\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 4804}, \u0022attack_vector\u0022: \u0022Sonde port \u00b7 port 4804 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00224804\u0022, \u0022confidence_reason\u0022: \u0022Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 44\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 44}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 44, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 4804, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-FP-port-probe-noise\u0022, \u0022INT-single-port\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Fp Port Probe Noise\u0022, \u0022Single Port\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 4804}, \u0022attack_vector\u0022: \u0022Sonde port \u00b7 port 4804 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00224804\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00224804\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":0},{"id":8961004,"ip":"165.154.11.202","ts":"2026-06-14 17:03:45.000000","proto":"tcp","src_port":13176,"dst_port":525,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 25, \u0022payload_entropy\u0022: 3.7834651896016456, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022dst_port\u0022: 525, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 44, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00222f129e4d18ec9d57537386aa97054d4fa090c882\u0022, \u0022event_fingerprint\u0022: \u0022e89f8663e5725084faa92c29fae5af60419e5b97\u0022, \u0022classification_confidence\u0022: 0.58, \u0022confidence\u0022: 0.58, \u0022precision_signals\u0022: [\u0022INT-FP-port-probe-noise\u0022, \u0022INT-single-port\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 44, \u0022correlation_boost\u0022: 8}, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NG\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022588580493dbf1d2ca7cd7f2cd09ed672\u0022, \u0022path_pattern_hash\u0022: \u002249ebffbc8eed300cf9429db1ba4cf66d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 525, \u0022risk_score\u0022: 44}, \u0022payload_preview\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\\n\\n\u0022, \u0022request_sample\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\\n\\n\u0022, \u0022payload_snippet\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\\n\\n\u0022, \u0022payload_snippet\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221a57575376a1bf9ce27912079dffe8c0259626cf\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\u0022, \u0022port\u0022: 525}, \u0022evidence_snippet\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\u0022, \u0022attack_vector\u0022: \u0022Sonde port \u00b7 port 525 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022525\u0022, \u0022confidence_reason\u0022: \u0022Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 44\/100\u0022, \u0022confidence_pct\u0022: 58, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 44, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 44, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 525, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-FP-port-probe-noise\u0022, \u0022INT-single-port\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Fp Port Probe Noise\u0022, \u0022Single Port\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\u0022, \u0022port\u0022: 525}, \u0022attack_vector\u0022: \u0022Sonde port \u00b7 port 525 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\u0022, \u0022target_port_label\u0022: \u0022525\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022525\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:525\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":25},{"id":8961003,"ip":"165.154.11.202","ts":"2026-06-14 17:03:44.000000","proto":"tcp","src_port":13070,"dst_port":525,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u00229460af62ae0af667130bf0d36514f084\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 247, \u0022payload_entropy\u0022: 5.763031669638451, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022dst_port\u0022: 525, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 5.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022157ff53b6a4903d6b2adebd5b2027fd78bee71ec\u0022, \u0022event_fingerprint\u0022: \u0022dea609d98e504c9cec6b5ef67656f6b65df4a4e4\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.57, \u0022classification_confidence\u0022: 0.57, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NG\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u00229460af62ae0af667130bf0d36514f084\u0022, \u0022payload_hash\u0022: \u0022fcba670f790e0e865c12b1bb1966bd8b\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00229d78dfefabcee3ee16297d72e4cafc86\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,11-65281-23-18-5-10-13-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00229d78dfefabcee3ee16297d72e4cafc86\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_e060b20e9557_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 525, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffdN\ufffd\ufffdE\ufffdh\\u001f\ufffdF\ufffd\ufffd\\u0001\u0027J\ufffd\ufffd\ufffd\ufffd\ufffd{J\ufffdn\ufffd\\u0012\\u0001\ufffdY\ufffd5 \ufffd9\u008a8\ufffd!\ufffd\ufffd\u0133\ufffdXe\ufffdF\\u0019\ufffd\\u0003\ufffdKn\ufffd+\ufffd\u070f\u03c6`?\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffdN\ufffd\ufffdE\ufffdh\\u001f\ufffdF\ufffd\ufffd\\u0001\u0027J\ufffd\ufffd\ufffd\ufffd\ufffd{J\ufffdn\ufffd\\u0012\\u0001\ufffdY\ufffd5 \ufffd9\u008a8\ufffd!\ufffd\ufffd\u0133\ufffdXe\ufffdF\\u0019\ufffd\\u0003\ufffdKn\ufffd+\ufffd\u070f\u03c6`?\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \\r\\u0014\\u00006C^\ufffdnb\ufffd\ufffd\ufffd4VH0(\ufffd:d8\\u000f\ufffd\ufffdM\u00270\ufffd\ufffd^\ufffdj\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffdN\ufffd\ufffdE\ufffdh\\u001f\ufffdF\ufffd\ufffd\\u0001\u0027J\ufffd\ufffd\ufffd\ufffd\ufffd{J\ufffdn\ufffd\\u0012\\u0001\ufffdY\ufffd5 \ufffd9\u008a8\ufffd!\ufffd\ufffd\u0133\ufffdXe\ufffdF\\u0019\ufffd\\u0003\ufffdKn\ufffd+\ufffd\u070f\u03c6`?\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002200bdd61d9f32f04624358c952aaae8574b6571c0\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffdN\ufffd\ufffdE\ufffdh\\u001f\ufffdF\ufffd\ufffd\\u0001\u0027J\ufffd\ufffd\ufffd\ufffd\ufffd{J\ufffdn\ufffd\\u0012\\u0001\ufffdY\ufffd5 \ufffd9\u008a8\ufffd!\ufffd\ufffd\u0133\ufffdXe\ufffdF\\u0019\ufffd\\u0003\ufffdKn\ufffd+\ufffd\u070f\u03c6`?\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\u0022, \u0022tls_ja3\u0022: \u00229460af62ae0af667130bf0d36514f084\u0022, \u0022tls_ja4\u0022: \u00229d78dfefabcee3ee16297d72e4cafc86\u0022, \u0022port\u0022: 525, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffdN\ufffd\ufffdE\ufffdh\ufffdF\ufffd\ufffd\u0027J\ufffd\ufffd\ufffd\ufffd\ufffd{J\ufffdn\ufffd\ufffdY\ufffd5 \ufffd9\u008a8\ufffd!\ufffd\ufffd\u0133\ufffdXe\ufffdF\ufffd\ufffdKn\ufffd+\ufffd\u070f\u03c6`?\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\n\ufffd\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:525 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022525 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 57, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 525, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffdN\ufffd\ufffdE\ufffdh\\u001f\ufffdF\ufffd\ufffd\\u0001\u0027J\ufffd\ufffd\ufffd\ufffd\ufffd{J\ufffdn\ufffd\\u0012\\u0001\ufffdY\ufffd5 \ufffd9\u008a8\ufffd!\ufffd\ufffd\u0133\ufffdXe\ufffdF\\u0019\ufffd\\u0003\ufffdKn\ufffd+\ufffd\u070f\u03c6`?\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\u0022, \u0022tls_ja3\u0022: \u00229460af62ae0af667130bf0d36514f084\u0022, \u0022tls_ja4\u0022: \u00229d78dfefabcee3ee16297d72e4cafc86\u0022, \u0022port\u0022: 525, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:525 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffdN\ufffd\ufffdE\ufffdh\ufffdF\ufffd\ufffd\u0027J\ufffd\ufffd\ufffd\ufffd\ufffd{J\ufffdn\ufffd\ufffdY\ufffd5 \ufffd9\u008a8\ufffd!\ufffd\ufffd\u0133\ufffdXe\ufffdF\ufffd\ufffdKn\ufffd+\ufffd\u070f\u03c6`?\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\n\ufffd\u0022, \u0022target_port_label\u0022: \u0022525 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022525\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:525\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]}","tls_sni":null,"tls_ja3_hash":"9460af62ae0af667130bf0d36514f084","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,11-65281-23-18-5-10-13-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":247},{"id":8961001,"ip":"165.154.11.202","ts":"2026-06-14 17:03:43.000000","proto":"tcp","src_port":12848,"dst_port":525,"service":"http","classification":"port_525_tcp","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00220315d257123246273ce1f3edb87d478f00f3fce8\u0022, \u0022http_host_hash\u0022: \u00220991dad1e85d945fa26d249d6238901b89cb8349\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 74, \u0022payload_entropy\u0022: 4.819344967782759, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022dst_port\u0022: 525, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022e05a786c327b4a5f64438de57e22afa14098cd02\u0022, \u0022event_fingerprint\u0022: \u0022b93d8aad72a7721cbc0a9adf9317e48cd7658214\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_525_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.63, \u0022classification_confidence\u0022: 0.63, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022web_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NG\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022a6744e3c06a59e753fc74a2c54c4a161\u0022, \u0022payload_hash\u0022: \u002299559ea3a5e9ac33c4b35f9a75d06c9c\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 525, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022curl\/7.29.0\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022curl\/7.29.0\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_525_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229a63b58cd90d0a5a83768553b63512ec69740bda\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/7.29.0\u0022, \u0022port\u0022: 525, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\u0022, \u0022attack_vector\u0022: \u0022port 525 tcp \u00b7 via HTTP:525 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022525 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_525_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_525_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 42\/100\u0022, \u0022confidence_pct\u0022: 63, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 525, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/7.29.0\u0022, \u0022port\u0022: 525, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port 525 tcp \u00b7 via HTTP:525 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\u0022, \u0022target_port_label\u0022: \u0022525 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022525\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:525\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022botnet_http_ua_host\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33","http_user_agent":"curl\/7.29.0","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022botnet_http_ua_host\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":6,"bytes_in":74},{"id":8960998,"ip":"165.154.11.202","ts":"2026-06-14 17:03:38.000000","proto":"tcp","src_port":11340,"dst_port":525,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022dst_port\u0022: 525, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 44, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00222f129e4d18ec9d57537386aa97054d4fa090c882\u0022, \u0022event_fingerprint\u0022: \u0022e89f8663e5725084faa92c29fae5af60419e5b97\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022INT-FP-port-probe-noise\u0022, \u0022INT-single-port\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 44}, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NG\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u002249ebffbc8eed300cf9429db1ba4cf66d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 525, \u0022risk_score\u0022: 44}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022bc12bd85ceaaa23bdf8901ef852bdb8020592b50\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 525}, \u0022attack_vector\u0022: \u0022Sonde port \u00b7 port 525 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022525\u0022, \u0022confidence_reason\u0022: \u0022Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 44\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 44}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 44, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 525, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-FP-port-probe-noise\u0022, \u0022INT-single-port\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Fp Port Probe Noise\u0022, \u0022Single Port\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 525}, \u0022attack_vector\u0022: \u0022Sonde port \u00b7 port 525 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u0022525\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022525\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":0},{"id":8824368,"ip":"165.154.11.202","ts":"2026-06-13 14:57:44.000000","proto":"tcp","src_port":35940,"dst_port":223,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 25, \u0022payload_entropy\u0022: 3.7834651896016456, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022dst_port\u0022: 223, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 44, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002211d1ecb2335868f254de673f13ec2f728e4df73a\u0022, \u0022event_fingerprint\u0022: \u00221403173596f41f7528b8d3f0f1e83a8d2207ea7d\u0022, \u0022classification_confidence\u0022: 0.58, \u0022confidence\u0022: 0.58, \u0022precision_signals\u0022: [\u0022INT-FP-port-probe-noise\u0022, \u0022INT-single-port\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 44, \u0022correlation_boost\u0022: 8}, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NG\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022588580493dbf1d2ca7cd7f2cd09ed672\u0022, \u0022path_pattern_hash\u0022: \u002249ebffbc8eed300cf9429db1ba4cf66d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 223, \u0022risk_score\u0022: 44}, \u0022payload_preview\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\\n\\n\u0022, \u0022request_sample\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\\n\\n\u0022, \u0022payload_snippet\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\\n\\n\u0022, \u0022payload_snippet\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d7a3acd2b4690a1a475835033b669d0a006f82b6\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\u0022, \u0022port\u0022: 223}, \u0022evidence_snippet\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\u0022, \u0022attack_vector\u0022: \u0022Sonde port \u00b7 port 223 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022223\u0022, \u0022confidence_reason\u0022: \u0022Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 44\/100\u0022, \u0022confidence_pct\u0022: 58, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 44, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 44, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 223, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-FP-port-probe-noise\u0022, \u0022INT-single-port\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Fp Port Probe Noise\u0022, \u0022Single Port\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\u0022, \u0022port\u0022: 223}, \u0022attack_vector\u0022: \u0022Sonde port \u00b7 port 223 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\u0022, \u0022target_port_label\u0022: \u0022223\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022223\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:223\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":25},{"id":8824367,"ip":"165.154.11.202","ts":"2026-06-13 14:57:43.000000","proto":"tcp","src_port":35852,"dst_port":223,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u00229460af62ae0af667130bf0d36514f084\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 247, \u0022payload_entropy\u0022: 5.777904810250853, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022dst_port\u0022: 223, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 2.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00223ef7d5b30562c02b48da743b67a150680300503f\u0022, \u0022event_fingerprint\u0022: \u00223c720a7ea0a6913b0a9a5b314ecd1f96d93e0295\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.57, \u0022classification_confidence\u0022: 0.57, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NG\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u00229460af62ae0af667130bf0d36514f084\u0022, \u0022payload_hash\u0022: \u00224bd93a06753f98e1cb726e4d83d384d5\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00229d78dfefabcee3ee16297d72e4cafc86\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,11-65281-23-18-5-10-13-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00229d78dfefabcee3ee16297d72e4cafc86\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_e060b20e9557_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 223, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\u003E\ufffd\ufffd\\u001dN2\ufffd4\ufffdH\ufffd\ufffd\ufffd\ufffdIf)\\u0019kq\ufffd\\u0003F\\u0015\ufffd\ufffdOD\ufffd\u0521 `\ufffd]\ufffdq\ufffd\ufffd\ufffd\\\u0022\ufffd\\\\\ufffdS\ufffd,\ufffdv\ufffdt\ufffd\ufffd\ufffd\\u0005\ufffdL|\ufffdV}XI\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\u003E\ufffd\ufffd\\u001dN2\ufffd4\ufffdH\ufffd\ufffd\ufffd\ufffdIf)\\u0019kq\ufffd\\u0003F\\u0015\ufffd\ufffdOD\ufffd\u0521 `\ufffd]\ufffdq\ufffd\ufffd\ufffd\\\u0022\ufffd\\\\\ufffdS\ufffd,\ufffdv\ufffdt\ufffd\ufffd\ufffd\\u0005\ufffdL|\ufffdV}XI\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \\\\k\ufffd\ufffd\ufffdw5\ufffd\u865b\ufffd_\\u001a\\u0012M\ufffd\ufffd^\ufffd\\u0013`\ufffd\ufffd\\u0017\\\\\ufffdn\ufffd\\\u0022\ufffd\\t\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\u003E\ufffd\ufffd\\u001dN2\ufffd4\ufffdH\ufffd\ufffd\ufffd\ufffdIf)\\u0019kq\ufffd\\u0003F\\u0015\ufffd\ufffdOD\ufffd\u0521 `\ufffd]\ufffdq\ufffd\ufffd\ufffd\\\u0022\ufffd\\\\\ufffdS\ufffd,\ufffdv\ufffdt\ufffd\ufffd\ufffd\\u0005\ufffdL|\ufffdV}XI\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022944865b88a90bad585bcaf130ef88ab8b65caa0e\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\u003E\ufffd\ufffd\\u001dN2\ufffd4\ufffdH\ufffd\ufffd\ufffd\ufffdIf)\\u0019kq\ufffd\\u0003F\\u0015\ufffd\ufffdOD\ufffd\u0521 `\ufffd]\ufffdq\ufffd\ufffd\ufffd\\\u0022\ufffd\\\\\ufffdS\ufffd,\ufffdv\ufffdt\ufffd\ufffd\ufffd\\u0005\ufffdL|\ufffdV}XI\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\u0022, \u0022tls_ja3\u0022: \u00229460af62ae0af667130bf0d36514f084\u0022, \u0022tls_ja4\u0022: \u00229d78dfefabcee3ee16297d72e4cafc86\u0022, \u0022port\u0022: 223, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\u003E\ufffd\ufffdN2\ufffd4\ufffdH\ufffd\ufffd\ufffd\ufffdIf)kq\ufffdF\ufffd\ufffdOD\ufffd\u0521 `\ufffd]\ufffdq\ufffd\ufffd\ufffd\\\u0022\ufffd\\\\\ufffdS\ufffd,\ufffdv\ufffdt\ufffd\ufffd\ufffd\ufffdL|\ufffdV}XI\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\n\ufffd\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:223 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022223 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 57, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 223, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\u003E\ufffd\ufffd\\u001dN2\ufffd4\ufffdH\ufffd\ufffd\ufffd\ufffdIf)\\u0019kq\ufffd\\u0003F\\u0015\ufffd\ufffdOD\ufffd\u0521 `\ufffd]\ufffdq\ufffd\ufffd\ufffd\\\u0022\ufffd\\\\\ufffdS\ufffd,\ufffdv\ufffdt\ufffd\ufffd\ufffd\\u0005\ufffdL|\ufffdV}XI\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\u0022, \u0022tls_ja3\u0022: \u00229460af62ae0af667130bf0d36514f084\u0022, \u0022tls_ja4\u0022: \u00229d78dfefabcee3ee16297d72e4cafc86\u0022, \u0022port\u0022: 223, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:223 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\u003E\ufffd\ufffdN2\ufffd4\ufffdH\ufffd\ufffd\ufffd\ufffdIf)kq\ufffdF\ufffd\ufffdOD\ufffd\u0521 `\ufffd]\ufffdq\ufffd\ufffd\ufffd\\\u0022\ufffd\\\\\ufffdS\ufffd,\ufffdv\ufffdt\ufffd\ufffd\ufffd\ufffdL|\ufffdV}XI\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\n\ufffd\u0022, \u0022target_port_label\u0022: \u0022223 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022223\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:223\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]}","tls_sni":null,"tls_ja3_hash":"9460af62ae0af667130bf0d36514f084","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,11-65281-23-18-5-10-13-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":247},{"id":8824365,"ip":"165.154.11.202","ts":"2026-06-13 14:57:42.000000","proto":"tcp","src_port":35678,"dst_port":223,"service":"http","classification":"port_223_tcp","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00220315d257123246273ce1f3edb87d478f00f3fce8\u0022, \u0022http_host_hash\u0022: \u00220991dad1e85d945fa26d249d6238901b89cb8349\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 74, \u0022payload_entropy\u0022: 4.819344967782759, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022dst_port\u0022: 223, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u002262e95ae40f644bfc6c354965a8c47859d742d71b\u0022, \u0022event_fingerprint\u0022: \u00223714352c98928a2acadce55c1d92957025ef4a71\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_223_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.63, \u0022classification_confidence\u0022: 0.63, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022web_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NG\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022a6744e3c06a59e753fc74a2c54c4a161\u0022, \u0022payload_hash\u0022: \u002299559ea3a5e9ac33c4b35f9a75d06c9c\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 223, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022curl\/7.29.0\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022curl\/7.29.0\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_223_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002206632491ba5d59bc093db4394cdb29c9244a5f52\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/7.29.0\u0022, \u0022port\u0022: 223, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\u0022, \u0022attack_vector\u0022: \u0022port 223 tcp \u00b7 via HTTP:223 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022223 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_223_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_223_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 42\/100\u0022, \u0022confidence_pct\u0022: 63, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 223, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/7.29.0\u0022, \u0022port\u0022: 223, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port 223 tcp \u00b7 via HTTP:223 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\u0022, \u0022target_port_label\u0022: \u0022223 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022223\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:223\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022botnet_http_ua_host\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33","http_user_agent":"curl\/7.29.0","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022botnet_http_ua_host\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":6,"bytes_in":74},{"id":8824364,"ip":"165.154.11.202","ts":"2026-06-13 14:57:36.000000","proto":"tcp","src_port":34460,"dst_port":223,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022dst_port\u0022: 223, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 44, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002211d1ecb2335868f254de673f13ec2f728e4df73a\u0022, \u0022event_fingerprint\u0022: \u00221403173596f41f7528b8d3f0f1e83a8d2207ea7d\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022INT-FP-port-probe-noise\u0022, \u0022INT-single-port\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 44}, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NG\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u002249ebffbc8eed300cf9429db1ba4cf66d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 223, \u0022risk_score\u0022: 44}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022575f6453c75bd31961d80dbc529d4346c947e0f4\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 223}, \u0022attack_vector\u0022: \u0022Sonde port \u00b7 port 223 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022223\u0022, \u0022confidence_reason\u0022: \u0022Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 44\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 44}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 44, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 223, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-FP-port-probe-noise\u0022, \u0022INT-single-port\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Fp Port Probe Noise\u0022, \u0022Single Port\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 223}, \u0022attack_vector\u0022: \u0022Sonde port \u00b7 port 223 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u0022223\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022223\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":0},{"id":8415776,"ip":"165.154.11.202","ts":"2026-06-06 22:49:28.000000","proto":"tcp","src_port":50312,"dst_port":2203,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u00229460af62ae0af667130bf0d36514f084\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 247, \u0022payload_entropy\u0022: 5.754543387589523, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022dst_port\u0022: 2203, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6e732eea589d4a861202fafa38efe157bb4a277\u0022, \u0022event_fingerprint\u0022: \u0022655383e5e7fd2ffd4fa617f09a96b0167a950781\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NG\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u00229460af62ae0af667130bf0d36514f084\u0022, \u0022payload_hash\u0022: \u0022065e076e4aaf7e694a06a88654792f15\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00229d78dfefabcee3ee16297d72e4cafc86\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2203, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\\\\ufffd\ufffd|\ufffdp\ufffd$\\u000f\ufffdK\u003CF\ufffd\ufffds\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\/\\u000fwf\u0026d\u014e\/\ufffd \ufffd\ufffd\ufffd\ufffd-\ufffdN \ufffd\ufffdr\ufffd5\ufffdw\u71c7\ufffd\\n\\u0014\ufffd\ufffd\ufffd\ufffd#)\ufffd_r\ufffd3\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\u0022, \u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\\\\ufffd\ufffd|\ufffdp\ufffd$\\u000f\ufffdK\u003CF\ufffd\ufffds\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\/\\u000fwf\u0026d\u014e\/\ufffd \ufffd\ufffd\ufffd\ufffd-\ufffdN \ufffd\ufffdr\ufffd5\ufffdw\u71c7\ufffd\\n\\u0014\ufffd\ufffd\ufffd\ufffd#)\ufffd_r\ufffd3\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 8W\ufffd\\u001c\ufffd\\u0003)1\ufffd!\ufffd$\ufffdK*\u0027\ufffd\\n\ufffd\ufffd\ufffd\ufffd[N \ufffd\\u0013e\u0026\\u0016\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\\\\ufffd\ufffd|\ufffdp\ufffd$\\u000f\ufffdK\u003CF\ufffd\ufffds\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\/\\u000fwf\u0026d\u014e\/\ufffd \ufffd\ufffd\ufffd\ufffd-\ufffdN \ufffd\ufffdr\ufffd5\ufffdw\u71c7\ufffd\\n\\u0014\ufffd\ufffd\ufffd\ufffd#)\ufffd_r\ufffd3\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\\\\ufffd\ufffd|\ufffdp\ufffd$\\u000f\ufffdK\u003CF\ufffd\ufffds\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\/\\u000fwf\u0026d\u014e\/\ufffd \ufffd\ufffd\ufffd\ufffd-\ufffdN \ufffd\ufffdr\ufffd5\ufffdw\u71c7\ufffd\\n\\u0014\ufffd\ufffd\ufffd\ufffd#)\ufffd_r\ufffd3\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 8W\ufffd\\u001c\ufffd\\u0003)1\ufffd!\ufffd$\ufffdK*\u0027\ufffd\\n\ufffd\ufffd\ufffd\ufffd[N \ufffd\\u0013e\u0026\\u0016\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\\\\ufffd\ufffd|\ufffdp\ufffd$\\u000f\ufffdK\u003CF\ufffd\ufffds\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\/\\u000fwf\u0026d\u014e\/\ufffd \ufffd\ufffd\ufffd\ufffd-\ufffdN \ufffd\ufffdr\ufffd5\ufffdw\u71c7\ufffd\\n\\u0014\ufffd\ufffd\ufffd\ufffd#)\ufffd_r\ufffd3\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225cc1ed50280ff6c7d23e798b7b657c3d9e43680c\u0022, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,11-65281-23-18-5-10-13-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00229d78dfefabcee3ee16297d72e4cafc86\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_e060b20e9557_cc710080a5f9\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00222203\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022probe\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]}","tls_sni":null,"tls_ja3_hash":"9460af62ae0af667130bf0d36514f084","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,11-65281-23-18-5-10-13-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":247},{"id":8415777,"ip":"165.154.11.202","ts":"2026-06-06 22:49:28.000000","proto":"tcp","src_port":50428,"dst_port":2203,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 25, \u0022payload_entropy\u0022: 3.7834651896016456, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022dst_port\u0022: 2203, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 44, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224df48d773cee32350e37a72285f3bf6a6c944c25\u0022, \u0022event_fingerprint\u0022: \u002214f6a68b14339e62a141c4565b00c4a1b653f831\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022INT-single-port\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 44}, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NG\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022588580493dbf1d2ca7cd7f2cd09ed672\u0022, \u0022path_pattern_hash\u0022: \u002249ebffbc8eed300cf9429db1ba4cf66d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2203, \u0022risk_score\u0022: 44}, \u0022payload_preview\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\\n\\n\u0022, \u0022request_sample\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\\n\\n\u0022, \u0022payload_snippet\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\\n\\n\u0022, \u0022payload_snippet\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022af22a567688b63752f60c9d70b2c3a91e4d2ed1f\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00222203\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022probe\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":25},{"id":8415775,"ip":"165.154.11.202","ts":"2026-06-06 22:49:27.000000","proto":"tcp","src_port":50086,"dst_port":2203,"service":"http","classification":"port_2203_tcp","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00220315d257123246273ce1f3edb87d478f00f3fce8\u0022, \u0022http_host_hash\u0022: \u00220991dad1e85d945fa26d249d6238901b89cb8349\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 74, \u0022payload_entropy\u0022: 4.819344967782759, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022dst_port\u0022: 2203, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022feebfd3021e0a8c6c32e4c924b117199dd88b24c\u0022, \u0022event_fingerprint\u0022: \u0022ccbefb8a50fa38975b958d42d34b33b672ef1038\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_2203_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 42}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022web_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NG\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022a6744e3c06a59e753fc74a2c54c4a161\u0022, \u0022payload_hash\u0022: \u002299559ea3a5e9ac33c4b35f9a75d06c9c\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2203, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022curl\/7.29.0\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022curl\/7.29.0\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_2203_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d041cdb13bc469f2e23091fd771dc3b68ed66b76\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00222203\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022probe\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022botnet_http_ua_host\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33","http_user_agent":"curl\/7.29.0","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022botnet_http_ua_host\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":6,"bytes_in":74},{"id":8415774,"ip":"165.154.11.202","ts":"2026-06-06 22:49:21.000000","proto":"tcp","src_port":48742,"dst_port":2203,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022dst_port\u0022: 2203, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 44, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224df48d773cee32350e37a72285f3bf6a6c944c25\u0022, \u0022event_fingerprint\u0022: \u002214f6a68b14339e62a141c4565b00c4a1b653f831\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022INT-single-port\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 44}, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NG\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u002249ebffbc8eed300cf9429db1ba4cf66d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2203, \u0022risk_score\u0022: 44}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022275a5263908ee8548877e72ca7e0d410a162b163\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00222203\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022probe\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":0},{"id":8284187,"ip":"165.154.11.202","ts":"2026-06-04 22:24:01.000000","proto":"tcp","src_port":26110,"dst_port":244,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u00229460af62ae0af667130bf0d36514f084\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 247, \u0022payload_entropy\u0022: 5.805919727410952, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022dst_port\u0022: 244, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 5.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 23, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227871f0fc98d71562cdf3b01f55aa25d9f7f0a289\u0022, \u0022event_fingerprint\u0022: \u0022c8f3a88990ff58286b0a691dda1574c05acf37fd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NG\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u00229460af62ae0af667130bf0d36514f084\u0022, \u0022payload_hash\u0022: \u002219892ab386b87b264a59a4c0f7741032\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 244, \u0022service\u0022: \u0022tls\u0022}, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003)\ufffd\ufffd\ufffd\ufffdE\\u0017T\\r\ufffd+\ufffd\ufffd\\u0005{\ufffdm\ufffdW|*\ufffd\\u0012\ufffd\\u000e\ufffd\ufffd*\ufffd\ufffdH\ufffd \ufffd\ufffd\/\ufffdk\ufffd\ufffd\ufffd\ufffd5\ufffd\u00a23^\ufffd\ufffd\ufffd\u003E\ufffd\ufffd\ufffdC\ufffd\ufffd\\u000b\ufffdL\ufffd:\\u001a\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\u0022, \u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003)\ufffd\ufffd\ufffd\ufffdE\\u0017T\\r\ufffd+\ufffd\ufffd\\u0005{\ufffdm\ufffdW|*\ufffd\\u0012\ufffd\\u000e\ufffd\ufffd*\ufffd\ufffdH\ufffd \ufffd\ufffd\/\ufffdk\ufffd\ufffd\ufffd\ufffd5\ufffd\u00a23^\ufffd\ufffd\ufffd\u003E\ufffd\ufffd\ufffdC\ufffd\ufffd\\u000b\ufffdL\ufffd:\\u001a\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \\u001aR\u0605\u0026\ufffd\\u0010uw\ufffd\\u0011\ufffd\ufffdcT8\u0731\u0360\ufffd\ufffdi\\u0016M2\ufffd\ufffd\\u0001\\u0018\ufffd=\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003)\ufffd\ufffd\ufffd\ufffdE\\u0017T\\r\ufffd+\ufffd\ufffd\\u0005{\ufffdm\ufffdW|*\ufffd\\u0012\ufffd\\u000e\ufffd\ufffd*\ufffd\ufffdH\ufffd \ufffd\ufffd\/\ufffdk\ufffd\ufffd\ufffd\ufffd5\ufffd\u00a23^\ufffd\ufffd\ufffd\u003E\ufffd\ufffd\ufffdC\ufffd\ufffd\\u000b\ufffdL\ufffd:\\u001a\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003)\ufffd\ufffd\ufffd\ufffdE\\u0017T\\r\ufffd+\ufffd\ufffd\\u0005{\ufffdm\ufffdW|*\ufffd\\u0012\ufffd\\u000e\ufffd\ufffd*\ufffd\ufffdH\ufffd \ufffd\ufffd\/\ufffdk\ufffd\ufffd\ufffd\ufffd5\ufffd\u00a23^\ufffd\ufffd\ufffd\u003E\ufffd\ufffd\ufffdC\ufffd\ufffd\\u000b\ufffdL\ufffd:\\u001a\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \\u001aR\u0605\u0026\ufffd\\u0010uw\ufffd\\u0011\ufffd\ufffdcT8\u0731\u0360\ufffd\ufffdi\\u0016M2\ufffd\ufffd\\u0001\\u0018\ufffd=\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003)\ufffd\ufffd\ufffd\ufffdE\\u0017T\\r\ufffd+\ufffd\ufffd\\u0005{\ufffdm\ufffdW|*\ufffd\\u0012\ufffd\\u000e\ufffd\ufffd*\ufffd\ufffdH\ufffd \ufffd\ufffd\/\ufffdk\ufffd\ufffd\ufffd\ufffd5\ufffd\u00a23^\ufffd\ufffd\ufffd\u003E\ufffd\ufffd\ufffdC\ufffd\ufffd\\u000b\ufffdL\ufffd:\\u001a\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e880c9eb943fab377b4e79d22ab58892d97fd869\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]}","tls_sni":null,"tls_ja3_hash":"9460af62ae0af667130bf0d36514f084","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,11-65281-23-18-5-10-13-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":247},{"id":8284188,"ip":"165.154.11.202","ts":"2026-06-04 22:24:01.000000","proto":"tcp","src_port":26220,"dst_port":244,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 25, \u0022payload_entropy\u0022: 3.7834651896016456, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022dst_port\u0022: 244, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 18, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00228c7a558b8280d8854182e8723e68312e68b2e8e9\u0022, \u0022event_fingerprint\u0022: \u002207066b8b2c05d89e68f999674c9a172b8d9fcb59\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022INT-single-port\u0022], \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NG\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022588580493dbf1d2ca7cd7f2cd09ed672\u0022, \u0022path_pattern_hash\u0022: \u002249ebffbc8eed300cf9429db1ba4cf66d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 244}, \u0022payload_preview\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\\n\\n\u0022, \u0022request_sample\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\\n\\n\u0022, \u0022payload_snippet\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\\n\\n\u0022, \u0022payload_snippet\u0022: \u0022t3 12.1.2\\nAS:2048\\nHL:19\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d62212b5c15511bb8e980f19d8e2ce5647186f49\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":25},{"id":8284186,"ip":"165.154.11.202","ts":"2026-06-04 22:24:00.000000","proto":"tcp","src_port":25890,"dst_port":244,"service":"http","classification":"web_scanner","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00220315d257123246273ce1f3edb87d478f00f3fce8\u0022, \u0022http_host_hash\u0022: \u00220991dad1e85d945fa26d249d6238901b89cb8349\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 74, \u0022payload_entropy\u0022: 4.819344967782759, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022dst_port\u0022: 244, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 17, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u00225ff19f41859f6cea566183a46dcf1449fa477b16\u0022, \u0022event_fingerprint\u0022: \u002202136d6e5e95fd7a2b55d8e82ce88a5170ec612a\u0022, \u0022classification_reason\u0022: \u0022R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NG\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022a6744e3c06a59e753fc74a2c54c4a161\u0022, \u0022payload_hash\u0022: \u002299559ea3a5e9ac33c4b35f9a75d06c9c\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 244, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022curl\/7.29.0\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022curl\/7.29.0\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nUser-Agent: curl\/7.29.0\\r\\nHost: 62.3.50.33\\r\\nAccept: *\/*\u0022, \u0022classification_reason\u0022: \u0022R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022threat_family\u0022: [\u0022disclosed_scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e2e189c6e5ac6bf3bff890c296448f3a7e0022b7\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022botnet_http_ua_host\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33","http_user_agent":"curl\/7.29.0","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022botnet_http_ua_host\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":6,"bytes_in":74},{"id":8284182,"ip":"165.154.11.202","ts":"2026-06-04 22:23:54.000000","proto":"tcp","src_port":24150,"dst_port":244,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022dst_port\u0022: 244, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 18, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00228c7a558b8280d8854182e8723e68312e68b2e8e9\u0022, \u0022event_fingerprint\u0022: \u002207066b8b2c05d89e68f999674c9a172b8d9fcb59\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022INT-single-port\u0022], \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NG\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u002249ebffbc8eed300cf9429db1ba4cf66d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 244}, \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002237471e1ab82678ce3e96ebcd9a1751313044804d\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":0},{"id":8157825,"ip":"165.154.11.202","ts":"2026-06-01 20:39:50.000000","proto":"tcp","src_port":18030,"dst_port":4222,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 25, \u0022payload_entropy\u0022: 3.7834651896016456, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY HK LIMITED\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 0, \u0022campaign_key\u0022: \u0022a724fc477d953ff12d57f6803ed6b3741f2973cf\u0022, \u0022event_fingerprint\u0022: \u002268b3fee8d5e61bb366a07b97fde6b33d895a9318\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":25},{"id":8157824,"ip":"165.154.11.202","ts":"2026-06-01 20:39:49.000000","proto":"tcp","src_port":17940,"dst_port":4222,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u00229460af62ae0af667130bf0d36514f084\u0022, \u0022tls_sni\u0022: null, \u0022bytes_in\u0022: 247, \u0022payload_entropy\u0022: 5.775941215163107, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY HK LIMITED\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 33, \u0022campaign_key\u0022: \u0022d7281201c3fb0d7949bab8f5fe4dab23d5a92667\u0022, \u0022event_fingerprint\u0022: \u00221548e114473ea12030f0abca0fc5661c6b15faee\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]}","tls_sni":null,"tls_ja3_hash":"9460af62ae0af667130bf0d36514f084","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,11-65281-23-18-5-10-13-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]","anomalies":"[]","severity":2,"bytes_in":247},{"id":8157823,"ip":"165.154.11.202","ts":"2026-06-01 20:39:48.000000","proto":"tcp","src_port":17664,"dst_port":4222,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u00229460af62ae0af667130bf0d36514f084\u0022, \u0022tls_sni\u0022: null, \u0022bytes_in\u0022: 247, \u0022payload_entropy\u0022: 5.740140056613911, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY HK LIMITED\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 33, \u0022campaign_key\u0022: \u0022d7281201c3fb0d7949bab8f5fe4dab23d5a92667\u0022, \u0022event_fingerprint\u0022: \u00221548e114473ea12030f0abca0fc5661c6b15faee\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]}","tls_sni":null,"tls_ja3_hash":"9460af62ae0af667130bf0d36514f084","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,11-65281-23-18-5-10-13-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]","anomalies":"[]","severity":2,"bytes_in":247},{"id":8157822,"ip":"165.154.11.202","ts":"2026-06-01 20:39:46.000000","proto":"tcp","src_port":17388,"dst_port":4222,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u00229460af62ae0af667130bf0d36514f084\u0022, \u0022tls_sni\u0022: null, \u0022bytes_in\u0022: 247, \u0022payload_entropy\u0022: 5.743721960021268, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY HK LIMITED\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 33, \u0022campaign_key\u0022: \u0022d7281201c3fb0d7949bab8f5fe4dab23d5a92667\u0022, \u0022event_fingerprint\u0022: \u00221548e114473ea12030f0abca0fc5661c6b15faee\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]}","tls_sni":null,"tls_ja3_hash":"9460af62ae0af667130bf0d36514f084","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,11-65281-23-18-5-10-13-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]","anomalies":"[]","severity":2,"bytes_in":247},{"id":8157821,"ip":"165.154.11.202","ts":"2026-06-01 20:39:45.000000","proto":"tcp","src_port":17176,"dst_port":4222,"service":"http","classification":"web_probe","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00220315d257123246273ce1f3edb87d478f00f3fce8\u0022, \u0022http_host_hash\u0022: \u00220991dad1e85d945fa26d249d6238901b89cb8349\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 74, \u0022payload_entropy\u0022: 4.819344967782759, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY HK LIMITED\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 1, \u0022risk_score\u0022: 87, \u0022campaign_key\u0022: \u0022060af66740e789043ffc11de9090556c7dbbe8d0\u0022, \u0022event_fingerprint\u0022: \u0022df55cdc0fdc9ed929bbfe6d539e0c422ea6a9b82\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022botnet_http_ua_host\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33","http_user_agent":"curl\/7.29.0","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022botnet_http_ua_host\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":6,"bytes_in":74},{"id":8157817,"ip":"165.154.11.202","ts":"2026-06-01 20:39:40.000000","proto":"tcp","src_port":15892,"dst_port":4222,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY HK LIMITED\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 0, \u0022campaign_key\u0022: \u0022a724fc477d953ff12d57f6803ed6b3741f2973cf\u0022, \u0022event_fingerprint\u0022: \u002268b3fee8d5e61bb366a07b97fde6b33d895a9318\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":0},{"id":8003229,"ip":"165.154.11.202","ts":"2026-05-30 17:22:16.000000","proto":"tcp","src_port":18772,"dst_port":6320,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u00229460af62ae0af667130bf0d36514f084\u0022, \u0022tls_sni\u0022: null, \u0022bytes_in\u0022: 247, \u0022payload_entropy\u0022: 5.807610435550481, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY HK LIMITED\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 33, \u0022campaign_key\u0022: \u002240a8efbc42f03b0f0d24afa26bae1cd9b33aec06\u0022, \u0022event_fingerprint\u0022: \u0022d8897e39de66ae115d1e90d7d86955c9cfbe3a30\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]}","tls_sni":null,"tls_ja3_hash":"9460af62ae0af667130bf0d36514f084","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,11-65281-23-18-5-10-13-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]","anomalies":"[]","severity":2,"bytes_in":247},{"id":8003230,"ip":"165.154.11.202","ts":"2026-05-30 17:22:16.000000","proto":"tcp","src_port":18890,"dst_port":6320,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 25, \u0022payload_entropy\u0022: 3.7834651896016456, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY HK LIMITED\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 0, \u0022campaign_key\u0022: \u0022e5e729a6da9ce81b77d4298fc22e49210308cac3\u0022, \u0022event_fingerprint\u0022: \u0022bb7bd9adc5fd1734d320052ae2bf1c38e928bbe2\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":25},{"id":8003225,"ip":"165.154.11.202","ts":"2026-05-30 17:22:14.000000","proto":"tcp","src_port":18440,"dst_port":6320,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u00229460af62ae0af667130bf0d36514f084\u0022, \u0022tls_sni\u0022: null, \u0022bytes_in\u0022: 247, \u0022payload_entropy\u0022: 5.747763896643571, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY HK LIMITED\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 33, \u0022campaign_key\u0022: \u002240a8efbc42f03b0f0d24afa26bae1cd9b33aec06\u0022, \u0022event_fingerprint\u0022: \u0022d8897e39de66ae115d1e90d7d86955c9cfbe3a30\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]}","tls_sni":null,"tls_ja3_hash":"9460af62ae0af667130bf0d36514f084","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,11-65281-23-18-5-10-13-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]","anomalies":"[]","severity":2,"bytes_in":247},{"id":8003224,"ip":"165.154.11.202","ts":"2026-05-30 17:22:13.000000","proto":"tcp","src_port":18130,"dst_port":6320,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u00229460af62ae0af667130bf0d36514f084\u0022, \u0022tls_sni\u0022: null, \u0022bytes_in\u0022: 247, \u0022payload_entropy\u0022: 5.785088767784531, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY HK LIMITED\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 33, \u0022campaign_key\u0022: \u002240a8efbc42f03b0f0d24afa26bae1cd9b33aec06\u0022, \u0022event_fingerprint\u0022: \u0022d8897e39de66ae115d1e90d7d86955c9cfbe3a30\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]}","tls_sni":null,"tls_ja3_hash":"9460af62ae0af667130bf0d36514f084","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,11-65281-23-18-5-10-13-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]","anomalies":"[]","severity":2,"bytes_in":247},{"id":8003223,"ip":"165.154.11.202","ts":"2026-05-30 17:22:12.000000","proto":"tcp","src_port":17902,"dst_port":6320,"service":"http","classification":"web_probe","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00220315d257123246273ce1f3edb87d478f00f3fce8\u0022, \u0022http_host_hash\u0022: \u00220991dad1e85d945fa26d249d6238901b89cb8349\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 74, \u0022payload_entropy\u0022: 4.819344967782759, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY HK LIMITED\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 1, \u0022risk_score\u0022: 87, \u0022campaign_key\u0022: \u0022968e7b1a74565583aa59c8da468eee7f52815cae\u0022, \u0022event_fingerprint\u0022: \u0022a0943f70962d5a6d923189ce94a58eaa6a42adcc\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022botnet_http_ua_host\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33","http_user_agent":"curl\/7.29.0","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022botnet_http_ua_host\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":6,"bytes_in":74},{"id":8003221,"ip":"165.154.11.202","ts":"2026-05-30 17:22:06.000000","proto":"tcp","src_port":16670,"dst_port":6320,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY HK LIMITED\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 0, \u0022campaign_key\u0022: \u0022e5e729a6da9ce81b77d4298fc22e49210308cac3\u0022, \u0022event_fingerprint\u0022: \u0022bb7bd9adc5fd1734d320052ae2bf1c38e928bbe2\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":0},{"id":7869336,"ip":"165.154.11.202","ts":"2026-05-28 06:46:09.000000","proto":"tcp","src_port":51130,"dst_port":3472,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u00229460af62ae0af667130bf0d36514f084\u0022, \u0022tls_sni\u0022: null, \u0022bytes_in\u0022: 247, \u0022payload_entropy\u0022: 5.8318975959204495, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY HK LIMITED\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 33, \u0022campaign_key\u0022: \u0022f975988fd3e202a5a65c5b3859e87d6c15f1cd14\u0022, \u0022event_fingerprint\u0022: \u00225a75dfac9a4d9172c3418d68355a521108490bb7\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]}","tls_sni":null,"tls_ja3_hash":"9460af62ae0af667130bf0d36514f084","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,11-65281-23-18-5-10-13-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]","anomalies":"[]","severity":2,"bytes_in":247},{"id":7869337,"ip":"165.154.11.202","ts":"2026-05-28 06:46:09.000000","proto":"tcp","src_port":51230,"dst_port":3472,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 25, \u0022payload_entropy\u0022: 3.7834651896016456, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY HK LIMITED\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 0, \u0022campaign_key\u0022: \u0022aad0cb088ec83a1341a967f7e388ac1969a703df\u0022, \u0022event_fingerprint\u0022: \u0022a0e5e98870ddfd61dec013d84ce8161906a71fdd\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":25},{"id":7869335,"ip":"165.154.11.202","ts":"2026-05-28 06:46:07.000000","proto":"tcp","src_port":50730,"dst_port":3472,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u00229460af62ae0af667130bf0d36514f084\u0022, \u0022tls_sni\u0022: null, \u0022bytes_in\u0022: 247, \u0022payload_entropy\u0022: 5.78466629129654, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY HK LIMITED\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 33, \u0022campaign_key\u0022: \u0022f975988fd3e202a5a65c5b3859e87d6c15f1cd14\u0022, \u0022event_fingerprint\u0022: \u00225a75dfac9a4d9172c3418d68355a521108490bb7\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]}","tls_sni":null,"tls_ja3_hash":"9460af62ae0af667130bf0d36514f084","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,11-65281-23-18-5-10-13-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]","anomalies":"[]","severity":2,"bytes_in":247},{"id":7869334,"ip":"165.154.11.202","ts":"2026-05-28 06:46:06.000000","proto":"tcp","src_port":50380,"dst_port":3472,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u00229460af62ae0af667130bf0d36514f084\u0022, \u0022tls_sni\u0022: null, \u0022bytes_in\u0022: 247, \u0022payload_entropy\u0022: 5.776965859314014, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY HK LIMITED\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 33, \u0022campaign_key\u0022: \u0022f975988fd3e202a5a65c5b3859e87d6c15f1cd14\u0022, \u0022event_fingerprint\u0022: \u00225a75dfac9a4d9172c3418d68355a521108490bb7\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]}","tls_sni":null,"tls_ja3_hash":"9460af62ae0af667130bf0d36514f084","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,11-65281-23-18-5-10-13-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]","anomalies":"[]","severity":2,"bytes_in":247},{"id":7869333,"ip":"165.154.11.202","ts":"2026-05-28 06:46:05.000000","proto":"tcp","src_port":50162,"dst_port":3472,"service":"http","classification":"web_probe","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00220315d257123246273ce1f3edb87d478f00f3fce8\u0022, \u0022http_host_hash\u0022: \u00220991dad1e85d945fa26d249d6238901b89cb8349\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 74, \u0022payload_entropy\u0022: 4.819344967782759, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY HK LIMITED\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 1, \u0022risk_score\u0022: 87, \u0022campaign_key\u0022: \u0022adea461be38733a3b6670036c78eb3caf78ef953\u0022, \u0022event_fingerprint\u0022: \u002213e19464c414fac980e1bdf5054012b7044d57f5\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022botnet_http_ua_host\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33","http_user_agent":"curl\/7.29.0","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022botnet_http_ua_host\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":6,"bytes_in":74},{"id":7869332,"ip":"165.154.11.202","ts":"2026-05-28 06:45:59.000000","proto":"tcp","src_port":48888,"dst_port":3472,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY HK LIMITED\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022NG\u0022, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 0, \u0022campaign_key\u0022: \u0022aad0cb088ec83a1341a967f7e388ac1969a703df\u0022, \u0022event_fingerprint\u0022: \u0022a0e5e98870ddfd61dec013d84ce8161906a71fdd\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":0}],"total_events":104}