{"ip":"18.117.74.144","exported_at":"2026-06-19T23:52:04+00:00","period_days":7,"metrics":{"events7d":19,"distinct_ports":11,"distinct_classifications":3,"max_severity":8,"last_sensor_id":"paris-1","max_waf_score":16,"max_risk_score":51,"attack_stage":"probe","attack_chain_stage":"discovery","threat_family":["scanner"],"recommended_action":"monitor","confidence":0.49,"risk_breakdown":{"waf":8,"classification":32,"behavior":0,"geo":40,"protocol":43,"novelty":15},"mitre_tactics":["TA0007","TA0001"],"mitre_technique":"TA0007","top_mitre_technique":"TA0007","top_mitre_count":17,"executive_one_liner_fr":"Activit\u00e9 suspecte \u00b7 risque 35\/100","campaign_hint_fr":null,"confidence_breakdown":{"waf":8,"classification":32,"behavior":0,"geo":40,"protocol":43,"novelty":15,"risk_score":35},"persona_hostname":"mail.sensor-1.internal","correlation_flags":[],"correlation_flags_labels_fr":[],"confidence_pct":49,"confidence_hint_fr":"Confiance mod\u00e9r\u00e9e \u2014 signal unique","sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["pat-0369"],"tags_summary":["pat-0369"],"attack_vector":"postgres probe \u00b7 via TLS:8566 \u00b7 (sonde \/ probe)","protocol_details":{"payload_preview":"\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\r\ufffdw\ufffd\rJ\ufffd\ufffd7\ufffd\u0001\ufffd\ufffdR\u0016\ufffd\u0003\f\ufffd\ufffd%\ufffdb\ufffd\/\u0140\u0006\ufffd\ufffdQ \ufffd\ufffdb\n\ufffdM\ufffd\u000b\ufffdYV\u000b\ufffdH\ufffdpY\ufffdch7\u0006\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdW\ufffd4\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000","tls_ja3":"60828da5b42313d165aae2938e651b72","port":8566,"service":"tls","service_label_fr":"TLS"},"protocol_summary_fr":"JA3 60828da5b42313d1 \u00b7 Payload \u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\r\ufffdw\ufffd\rJ\ufffd\ufffd7\ufffd\u0001\ufffd\ufffdR\u0016\ufffd\u0003\f\ufffd\ufffd%\ufffdb\ufffd\/\u0140\u0006\ufffd\ufffdQ \ufffd\ufffdb\n\ufffdM\ufffd\u000b\ufffdYV\u000b\ufffdH\ufffdpY\ufffdch\u2026 \u00b7 TLS:8566","evidence_snippet":"\ufffd\ufffd\ufffd\r\ufffdw\ufffd\rJ\ufffd\ufffd7\ufffd\ufffd\ufffdR\ufffd\ufffd\ufffd%\ufffdb\ufffd\/\u0140\ufffd\ufffdQ \ufffd\ufffdb\n\ufffdM\ufffd\ufffdYV\ufffdH\ufffdpY\ufffdch7\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdW\ufffd4\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffdq\ufffd","target_port_label":"8566 \u00b7 TLS","emulator_service":"tls","confidence_reason":"Confiance 49 % \u2014 Motif catalogue confirm\u00e9","classification_reason":"Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%","classification_reason_label_fr":"Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%","confidence_factors_fr":"Confiance 49 % \u2014 Score WAF 8","payload_preview":"\ufffd\ufffd\ufffd\r\ufffdw\ufffd\rJ\ufffd\ufffd7\ufffd\ufffd\ufffdR\ufffd\ufffd\ufffd%\ufffdb\ufffd\/\u0140\ufffd\ufffdQ \ufffd\ufffdb\n\ufffdM\ufffd\ufffdYV\ufffdH\ufffdpY\ufffdch7\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdW\ufffd4\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffdq\ufffd"},"events":[{"id":9536541,"ip":"18.117.74.144","ts":"2026-06-18 02:09:32.000000","proto":"tcp","src_port":50143,"dst_port":8566,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002260828da5b42313d165aae2938e651b72\u0022, \u0022tls_sni\u0022: null, \u0022tls_alpn\u0022: [\u0022h2\u0022, \u0022http\/1.1\u0022], \u0022bytes_in\u0022: 1501, \u0022payload_entropy\u0022: 7.728917645713793, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 16509, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 8566, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022dc2932589695f9e3db218065b88dc9e5499671e7\u0022, \u0022event_fingerprint\u0022: \u002233f8ce5baeedd50a3c8448310b6fae3bf2d432e9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 16509, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002260828da5b42313d165aae2938e651b72\u0022, \u0022payload_hash\u0022: \u00225e51c60765116250495fddbf77042a23\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8566, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\ufffd\\r\ufffdw\ufffd\\rJ\ufffd\ufffd7\ufffd\\u0001\ufffd\ufffdR\\u0016\ufffd\\u0003\\f\ufffd\ufffd%\ufffdb\ufffd\/\u0140\\u0006\ufffd\ufffdQ \ufffd\ufffdb\\n\ufffdM\ufffd\\u000b\ufffdYV\\u000b\ufffdH\ufffdpY\ufffdch7\\u0006\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdW\ufffd4\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\ufffd\\r\ufffdw\ufffd\\rJ\ufffd\ufffd7\ufffd\\u0001\ufffd\ufffdR\\u0016\ufffd\\u0003\\f\ufffd\ufffd%\ufffdb\ufffd\/\u0140\\u0006\ufffd\ufffdQ \ufffd\ufffdb\\n\ufffdM\ufffd\\u000b\ufffdYV\\u000b\ufffdH\ufffdpY\ufffdch7\\u0006\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdW\ufffd4\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\u0010\\u0000\\u000e\\u0011\ufffd\\u0011\ufffd\\u0011\ufffd\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\r\\u0000\\u0016\\u0000\\u0014\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u00002\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\\u0000\\u0010\\u0000\\u000e\\u0000\\f\\u0002h2\\bhttp\/1.1\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0004\ufffd\\u0004\ufffd\\u0011\ufffd\\u0004\ufffd\ufffd\ufffd\\u0007\ufffds\ufffdP\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\ufffd\\r\ufffdw\ufffd\\rJ\ufffd\ufffd7\ufffd\\u0001\ufffd\ufffdR\\u0016\ufffd\\u0003\\f\ufffd\ufffd%\ufffdb\ufffd\/\u0140\\u0006\ufffd\ufffdQ \ufffd\ufffdb\\n\ufffdM\ufffd\\u000b\ufffdYV\\u000b\ufffdH\ufffdpY\ufffdch7\\u0006\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdW\ufffd4\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229d0d7350458ea89eac9f5f5e7d9673eb03d2c9e5\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\ufffd\\r\ufffdw\ufffd\\rJ\ufffd\ufffd7\ufffd\\u0001\ufffd\ufffdR\\u0016\ufffd\\u0003\\f\ufffd\ufffd%\ufffdb\ufffd\/\u0140\\u0006\ufffd\ufffdQ \ufffd\ufffdb\\n\ufffdM\ufffd\\u000b\ufffdYV\\u000b\ufffdH\ufffdpY\ufffdch7\\u0006\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdW\ufffd4\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002260828da5b42313d165aae2938e651b72\u0022, \u0022port\u0022: 8566, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\\r\ufffdw\ufffd\\rJ\ufffd\ufffd7\ufffd\ufffd\ufffdR\ufffd\ufffd\ufffd%\ufffdb\ufffd\/\u0140\ufffd\ufffdQ \ufffd\ufffdb\\n\ufffdM\ufffd\ufffdYV\ufffdH\ufffdpY\ufffdch7\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdW\ufffd4\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffdq\ufffd\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:8566 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228566 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 8566, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\ufffd\\r\ufffdw\ufffd\\rJ\ufffd\ufffd7\ufffd\\u0001\ufffd\ufffdR\\u0016\ufffd\\u0003\\f\ufffd\ufffd%\ufffdb\ufffd\/\u0140\\u0006\ufffd\ufffdQ \ufffd\ufffdb\\n\ufffdM\ufffd\\u000b\ufffdYV\\u000b\ufffdH\ufffdpY\ufffdch7\\u0006\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdW\ufffd4\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002260828da5b42313d165aae2938e651b72\u0022, \u0022port\u0022: 8566, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:8566 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\\r\ufffdw\ufffd\\rJ\ufffd\ufffd7\ufffd\ufffd\ufffdR\ufffd\ufffd\ufffd%\ufffdb\ufffd\/\u0140\ufffd\ufffdQ \ufffd\ufffdb\\n\ufffdM\ufffd\ufffdYV\ufffdH\ufffdpY\ufffdch7\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdW\ufffd4\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffdq\ufffd\u0022, \u0022target_port_label\u0022: \u00228566 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228566\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"60828da5b42313d165aae2938e651b72","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-4865-4866-4867,11-65281-23-18-5-10-13-50-16-43-51,4588-4587-4589-29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]","anomalies":"[]","severity":2,"bytes_in":1501},{"id":9535950,"ip":"18.117.74.144","ts":"2026-06-18 01:57:09.000000","proto":"tcp","src_port":58291,"dst_port":9100,"service":"jetdirect","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 1501, \u0022payload_entropy\u0022: 7.751075690685349, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 16509, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f1e3f6c4032e00ba676fd80a6ca9708e04a4c2a8\u0022, \u0022event_fingerprint\u0022: \u0022eb0afc337169eaa4b8e375f85f6d9c688c816a7c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 16509, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002261d2af97233e0814fa01106172b10403\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003YNE\ufffdO\ufffd=\ufffdM\ufffd7\ufffd\ufffd\/+\ufffd\\u0016\\u0013\ufffd\u16c3\ufffdg\ufffd\ufffd\u003ECcG^ $O\ufffd\ufffd\\u0003\\b\\u0004!\ufffdJ\ufffd\ufffdl\ufffd7\ufffd\ufffd\ufffdM\ufffd\ufffd\u003E\ufffd+\ufffd\\u001e\\u0002\ufffd@n\\u0006v\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003YNE\ufffdO\ufffd=\ufffdM\ufffd7\ufffd\ufffd\/+\ufffd\\u0016\\u0013\ufffd\u16c3\ufffdg\ufffd\ufffd\u003ECcG^ $O\ufffd\ufffd\\u0003\\b\\u0004!\ufffdJ\ufffd\ufffdl\ufffd7\ufffd\ufffd\ufffdM\ufffd\ufffd\u003E\ufffd+\ufffd\\u001e\\u0002\ufffd@n\\u0006v\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\u0010\\u0000\\u000e\\u0011\ufffd\\u0011\ufffd\\u0011\ufffd\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\r\\u0000\\u0016\\u0000\\u0014\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u00002\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\\u0000\\u0010\\u0000\\u000e\\u0000\\f\\u0002h2\\bhttp\/1.1\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0004\ufffd\\u0004\ufffd\\u0011\ufffd\\u0004\ufffd\\u0012\\bs\ufffd\\u001a\\u001d\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003YNE\ufffdO\ufffd=\ufffdM\ufffd7\ufffd\ufffd\/+\ufffd\\u0016\\u0013\ufffd\u16c3\ufffdg\ufffd\ufffd\u003ECcG^ $O\ufffd\ufffd\\u0003\\b\\u0004!\ufffdJ\ufffd\ufffdl\ufffd7\ufffd\ufffd\ufffdM\ufffd\ufffd\u003E\ufffd+\ufffd\\u001e\\u0002\ufffd@n\\u0006v\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222ef7ba033f2affbc964862d0d6b559d37386e032\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003YNE\ufffdO\ufffd=\ufffdM\ufffd7\ufffd\ufffd\/+\ufffd\\u0016\\u0013\ufffd\u16c3\ufffdg\ufffd\ufffd\u003ECcG^ $O\ufffd\ufffd\\u0003\\b\\u0004!\ufffdJ\ufffd\ufffdl\ufffd7\ufffd\ufffd\ufffdM\ufffd\ufffd\u003E\ufffd+\ufffd\\u001e\\u0002\ufffd@n\\u0006v\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdYNE\ufffdO\ufffd=\ufffdM\ufffd7\ufffd\ufffd\/+\ufffd\ufffd\u16c3\ufffdg\ufffd\ufffd\u003ECcG^ $O\ufffd\ufffd!\ufffdJ\ufffd\ufffdl\ufffd7\ufffd\ufffd\ufffdM\ufffd\ufffd\u003E\ufffd+\ufffd\ufffd@nv\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffdq\ufffd\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003YNE\ufffdO\ufffd=\ufffdM\ufffd7\ufffd\ufffd\/+\ufffd\\u0016\\u0013\ufffd\u16c3\ufffdg\ufffd\ufffd\u003ECcG^ $O\ufffd\ufffd\\u0003\\b\\u0004!\ufffdJ\ufffd\ufffdl\ufffd7\ufffd\ufffd\ufffdM\ufffd\ufffd\u003E\ufffd+\ufffd\\u001e\\u0002\ufffd@n\\u0006v\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdYNE\ufffdO\ufffd=\ufffdM\ufffd7\ufffd\ufffd\/+\ufffd\ufffd\u16c3\ufffdg\ufffd\ufffd\u003ECcG^ $O\ufffd\ufffd!\ufffdJ\ufffd\ufffdl\ufffd7\ufffd\ufffd\ufffdM\ufffd\ufffd\u003E\ufffd+\ufffd\ufffd@nv\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffdq\ufffd\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":1501},{"id":9535951,"ip":"18.117.74.144","ts":"2026-06-18 01:57:09.000000","proto":"tcp","src_port":61542,"dst_port":9100,"service":"jetdirect","classification":"web_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 93, \u0022payload_entropy\u0022: 5.146437913552422, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 16509, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 3.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 44, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002232174349c3b7d998f1df265fe592970b10f32a51\u0022, \u0022event_fingerprint\u0022: \u00224eb4d5d58ec22bdf2146f812070ea6ca88d25a86\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0419\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0419\u0022], \u0022matched_patterns\u0022: [\u0022pat-0419\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP HEAD method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0419\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 44}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 16509, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00228cb18c1f27bb01eaa11e35ffe55cd7d1\u0022, \u0022path_pattern_hash\u0022: \u00224154520a4208b3f021f35a6cc1dd98ae\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 44}, \u0022payload_preview\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9100\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9100\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9100\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9100\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9100\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ad7818904e59304837ead3a5d03623f5a9888e17\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9100\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022evidence_snippet\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9100\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 44\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 44}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 44, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0419\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0419\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9100\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9100\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mozi_pattern\u0022, \u0022net_mozi_pattern\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mozi_pattern\u0022, \u0022net_mozi_pattern\u0022]","anomalies":"[]","severity":8,"bytes_in":93},{"id":9534888,"ip":"18.117.74.144","ts":"2026-06-18 01:32:04.000000","proto":"tcp","src_port":50529,"dst_port":5001,"service":"upnp-tcp","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f742075706e705f74637020726561647920706f72743d353030310d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 1501, \u0022payload_entropy\u0022: 7.687659702890091, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022service\u0022: \u0022upnp-tcp\u0022, \u0022app_proto\u0022: \u0022upnp-tcp\u0022, \u0022asn\u0022: 16509, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 5001, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022436278379f11f507398419d513ec805702ed650d\u0022, \u0022event_fingerprint\u0022: \u0022a80d71c7dcef6b8541bd0810036e78213dbbe720\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022upnp-tcp\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 16509, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d13a01385fcabeed7a5b79284fb88c63\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5001, \u0022service\u0022: \u0022upnp-tcp\u0022, \u0022service_name\u0022: \u0022upnp-tcp\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003,\ufffd\ufffd\ufffd\u0715\ufffd\u003Ex\\u0004\u003C\ufffd\ufffd\ufffdr~\\u0000\\u0003=\ufffd4\ufffd\\u0003\u029aC\ufffd;\ufffd\ufffd \\u001b\\u0010\ufffd\ufffd\ufffd\ufffdr\\t\\u0013$\ufffd\\u0001(\ufffd\u041a\ufffd~\ufffd\\u0015\ufffd\ufffd\ufffd\u0026\\u0010\\u001d\ufffdjJ\ufffd]3\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003,\ufffd\ufffd\ufffd\u0715\ufffd\u003Ex\\u0004\u003C\ufffd\ufffd\ufffdr~\\u0000\\u0003=\ufffd4\ufffd\\u0003\u029aC\ufffd;\ufffd\ufffd \\u001b\\u0010\ufffd\ufffd\ufffd\ufffdr\\t\\u0013$\ufffd\\u0001(\ufffd\u041a\ufffd~\ufffd\\u0015\ufffd\ufffd\ufffd\u0026\\u0010\\u001d\ufffdjJ\ufffd]3\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\u0010\\u0000\\u000e\\u0011\ufffd\\u0011\ufffd\\u0011\ufffd\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\r\\u0000\\u0016\\u0000\\u0014\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u00002\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\\u0000\\u0010\\u0000\\u000e\\u0000\\f\\u0002h2\\bhttp\/1.1\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0004\ufffd\\u0004\ufffd\\u0011\ufffd\\u0004\ufffd\\u0005t\ufffd\ufffd\u6443\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003,\ufffd\ufffd\ufffd\u0715\ufffd\u003Ex\\u0004\u003C\ufffd\ufffd\ufffdr~\\u0000\\u0003=\ufffd4\ufffd\\u0003\u029aC\ufffd;\ufffd\ufffd \\u001b\\u0010\ufffd\ufffd\ufffd\ufffdr\\t\\u0013$\ufffd\\u0001(\ufffd\u041a\ufffd~\ufffd\\u0015\ufffd\ufffd\ufffd\u0026\\u0010\\u001d\ufffdjJ\ufffd]3\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d3a15163614e31d58b6c2019a3b36ce8250fd7b9\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003,\ufffd\ufffd\ufffd\u0715\ufffd\u003Ex\\u0004\u003C\ufffd\ufffd\ufffdr~\\u0000\\u0003=\ufffd4\ufffd\\u0003\u029aC\ufffd;\ufffd\ufffd \\u001b\\u0010\ufffd\ufffd\ufffd\ufffdr\\t\\u0013$\ufffd\\u0001(\ufffd\u041a\ufffd~\ufffd\\u0015\ufffd\ufffd\ufffd\u0026\\u0010\\u001d\ufffdjJ\ufffd]3\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 5001, \u0022service\u0022: \u0022upnp-tcp\u0022, \u0022service_label_fr\u0022: \u0022UPNP TCP\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd,\ufffd\ufffd\ufffd\u0715\ufffd\u003Ex\u003C\ufffd\ufffd\ufffdr~=\ufffd4\ufffd\u029aC\ufffd;\ufffd\ufffd \ufffd\ufffd\ufffd\ufffdr\\t$\ufffd(\ufffd\u041a\ufffd~\ufffd\ufffd\ufffd\ufffd\u0026\ufffdjJ\ufffd]3\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffdq\ufffd\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via UPNP TCP:5001 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225001 \u00b7 UPNP TCP\u0022, \u0022emulator_service\u0022: \u0022upnp-tcp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022upnp-tcp\u0022, \u0022service_label_fr\u0022: \u0022UPNP TCP\u0022, \u0022dst_port\u0022: 5001, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-upnp-tcp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003,\ufffd\ufffd\ufffd\u0715\ufffd\u003Ex\\u0004\u003C\ufffd\ufffd\ufffdr~\\u0000\\u0003=\ufffd4\ufffd\\u0003\u029aC\ufffd;\ufffd\ufffd \\u001b\\u0010\ufffd\ufffd\ufffd\ufffdr\\t\\u0013$\ufffd\\u0001(\ufffd\u041a\ufffd~\ufffd\\u0015\ufffd\ufffd\ufffd\u0026\\u0010\\u001d\ufffdjJ\ufffd]3\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 5001, \u0022service\u0022: \u0022upnp-tcp\u0022, \u0022service_label_fr\u0022: \u0022UPNP TCP\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via UPNP TCP:5001 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd,\ufffd\ufffd\ufffd\u0715\ufffd\u003Ex\u003C\ufffd\ufffd\ufffdr~=\ufffd4\ufffd\u029aC\ufffd;\ufffd\ufffd \ufffd\ufffd\ufffd\ufffdr\\t$\ufffd(\ufffd\u041a\ufffd~\ufffd\ufffd\ufffd\ufffd\u0026\ufffdjJ\ufffd]3\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffdq\ufffd\u0022, \u0022target_port_label\u0022: \u00225001 \u00b7 UPNP TCP\u0022, \u0022emulator_service\u0022: \u0022upnp-tcp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022upnp_tcp\u0022, \u0022service_banner\u0022: \u0022honeypot-upnp-tcp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225001\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":1501},{"id":9534889,"ip":"18.117.74.144","ts":"2026-06-18 01:32:04.000000","proto":"tcp","src_port":55293,"dst_port":5001,"service":"upnp-tcp","classification":"web_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f742075706e705f74637020726561647920706f72743d353030310d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 93, \u0022payload_entropy\u0022: 5.1168154672926, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022service\u0022: \u0022upnp-tcp\u0022, \u0022app_proto\u0022: \u0022upnp-tcp\u0022, \u0022asn\u0022: 16509, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 5001, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 2.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 43, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022074b6b31ed3a8c5490682064a956f96ee16a85d5\u0022, \u0022event_fingerprint\u0022: \u0022c4fbc45603d24d7eb870e14692e418def7cee731\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0419\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0419\u0022], \u0022matched_patterns\u0022: [\u0022pat-0419\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP HEAD method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0419\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 43}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022upnp-tcp\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 16509, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ed8d95df63994ed2e2036f05f01f42a3\u0022, \u0022path_pattern_hash\u0022: \u00224154520a4208b3f021f35a6cc1dd98ae\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5001, \u0022service\u0022: \u0022upnp-tcp\u0022, \u0022service_name\u0022: \u0022upnp-tcp\u0022, \u0022risk_score\u0022: 43}, \u0022payload_preview\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5001\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5001\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5001\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5001\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5001\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b1690352740fe2edb421ee75be818d194d626cdb\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5001\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022port\u0022: 5001, \u0022service\u0022: \u0022upnp-tcp\u0022, \u0022service_label_fr\u0022: \u0022UPNP TCP\u0022}, \u0022evidence_snippet\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5001\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via UPNP TCP:5001 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225001 \u00b7 UPNP TCP\u0022, \u0022emulator_service\u0022: \u0022upnp-tcp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 43\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 43}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 43, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022upnp-tcp\u0022, \u0022service_label_fr\u0022: \u0022UPNP TCP\u0022, \u0022dst_port\u0022: 5001, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0419\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0419\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-upnp-tcp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5001\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022port\u0022: 5001, \u0022service\u0022: \u0022upnp-tcp\u0022, \u0022service_label_fr\u0022: \u0022UPNP TCP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via UPNP TCP:5001 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5001\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022target_port_label\u0022: \u00225001 \u00b7 UPNP TCP\u0022, \u0022emulator_service\u0022: \u0022upnp-tcp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022upnp_tcp\u0022, \u0022service_banner\u0022: \u0022honeypot-upnp-tcp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225001\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mozi_pattern\u0022, \u0022net_mozi_pattern\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mozi_pattern\u0022, \u0022net_mozi_pattern\u0022]","anomalies":"[]","severity":8,"bytes_in":93},{"id":9534357,"ip":"18.117.74.144","ts":"2026-06-18 01:20:44.000000","proto":"tcp","src_port":52263,"dst_port":4567,"service":"aws-ecs-agent","classification":"web_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206177735f6563735f6167656e7420726561647920706f72743d343536370d0a\u0022, \u0022emulator_response_len\u0022: 44, \u0022bytes_in\u0022: 93, \u0022payload_entropy\u0022: 5.198639558415576, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022service\u0022: \u0022aws-ecs-agent\u0022, \u0022app_proto\u0022: \u0022aws-ecs-agent\u0022, \u0022asn\u0022: 16509, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 4567, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 3.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 43, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d71cb6aaf7995d19c1092f80f2672a5d98f49cd0\u0022, \u0022event_fingerprint\u0022: \u0022ed5db39ce4a1ce0fda50382d1438797185e5f337\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.57, \u0022classification_confidence\u0022: 0.57, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0419\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0419\u0022], \u0022matched_patterns\u0022: [\u0022pat-0419\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP HEAD method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0419\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 43, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022aws-ecs-agent\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 16509, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002228bd4bee4fbe766fe0a69f7eec99a817\u0022, \u0022path_pattern_hash\u0022: \u00224154520a4208b3f021f35a6cc1dd98ae\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 4567, \u0022service\u0022: \u0022aws-ecs-agent\u0022, \u0022service_name\u0022: \u0022aws-ecs-agent\u0022, \u0022risk_score\u0022: 43}, \u0022payload_preview\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4567\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4567\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4567\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4567\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4567\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002252f5b9931f3eeac6785ff14ee7249269edf05f6a\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4567\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022port\u0022: 4567, \u0022service\u0022: \u0022aws-ecs-agent\u0022, \u0022service_label_fr\u0022: \u0022AWS ECS AGENT\u0022}, \u0022evidence_snippet\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4567\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via AWS ECS AGENT:4567 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00224567 \u00b7 AWS ECS AGENT\u0022, \u0022emulator_service\u0022: \u0022aws-ecs-agent\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 43\/100\u0022, \u0022confidence_pct\u0022: 57, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 43, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 43, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022aws-ecs-agent\u0022, \u0022service_label_fr\u0022: \u0022AWS ECS AGENT\u0022, \u0022dst_port\u0022: 4567, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0419\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0419\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-aws-ecs-agent\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4567\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022port\u0022: 4567, \u0022service\u0022: \u0022aws-ecs-agent\u0022, \u0022service_label_fr\u0022: \u0022AWS ECS AGENT\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via AWS ECS AGENT:4567 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4567\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022target_port_label\u0022: \u00224567 \u00b7 AWS ECS AGENT\u0022, \u0022emulator_service\u0022: \u0022aws-ecs-agent\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022aws_ecs_agent\u0022, \u0022service_banner\u0022: \u0022honeypot-aws-ecs-agent\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00224567\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022aws-ecs-agent\u0022, \u0022game-unreal\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022aws_ecs_agent_emulated\u0022, \u0022aws_ecs_agent_payload\u0022, \u0022mozi_pattern\u0022, \u0022net_cloud_scanner\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022aws_ecs_agent_emulated\u0022, \u0022aws_ecs_agent_payload\u0022, \u0022mozi_pattern\u0022, \u0022net_cloud_scanner\u0022]","anomalies":"[]","severity":7,"bytes_in":93},{"id":9534356,"ip":"18.117.74.144","ts":"2026-06-18 01:20:43.000000","proto":"tcp","src_port":63782,"dst_port":4567,"service":"aws-ecs-agent","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206177735f6563735f6167656e7420726561647920706f72743d343536370d0a\u0022, \u0022emulator_response_len\u0022: 44, \u0022bytes_in\u0022: 1501, \u0022payload_entropy\u0022: 7.699803498119824, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022service\u0022: \u0022aws-ecs-agent\u0022, \u0022app_proto\u0022: \u0022aws-ecs-agent\u0022, \u0022asn\u0022: 16509, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 4567, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022647c00d5d24c857ac83fe9bc2d3b005a0e4c7e82\u0022, \u0022event_fingerprint\u0022: \u0022ed5db39ce4a1ce0fda50382d1438797185e5f337\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.57, \u0022classification_confidence\u0022: 0.57, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022aws-ecs-agent\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 16509, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00221ab0f9bb8ecede05c8d88f0759048633\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 4567, \u0022service\u0022: \u0022aws-ecs-agent\u0022, \u0022service_name\u0022: \u0022aws-ecs-agent\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\ufffd\\u0018\\u0015h\ufffd\ufffd7\ufffdPt\ufffd\ufffd\ufffdg\ufffdH\u0525\ufffd`\ufffd\ufffdj\ufffdO\ufffd\ufffdr\\\\[b \\u000b\ufffdQV=\ufffdI\ufffd6\ufffdl\ufffd7=\\u0017\ufffd\ufffd\ufffd\\t;\ufffdc_\ufffd\ufffdT\ufffd\\u00043f\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\ufffd\\u0018\\u0015h\ufffd\ufffd7\ufffdPt\ufffd\ufffd\ufffdg\ufffdH\u0525\ufffd`\ufffd\ufffdj\ufffdO\ufffd\ufffdr\\\\[b \\u000b\ufffdQV=\ufffdI\ufffd6\ufffdl\ufffd7=\\u0017\ufffd\ufffd\ufffd\\t;\ufffdc_\ufffd\ufffdT\ufffd\\u00043f\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\u0010\\u0000\\u000e\\u0011\ufffd\\u0011\ufffd\\u0011\ufffd\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\r\\u0000\\u0016\\u0000\\u0014\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u00002\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\\u0000\\u0010\\u0000\\u000e\\u0000\\f\\u0002h2\\bhttp\/1.1\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0004\ufffd\\u0004\ufffd\\u0011\ufffd\\u0004\ufffdM;(H(\\u000b\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\ufffd\\u0018\\u0015h\ufffd\ufffd7\ufffdPt\ufffd\ufffd\ufffdg\ufffdH\u0525\ufffd`\ufffd\ufffdj\ufffdO\ufffd\ufffdr\\\\[b \\u000b\ufffdQV=\ufffdI\ufffd6\ufffdl\ufffd7=\\u0017\ufffd\ufffd\ufffd\\t;\ufffdc_\ufffd\ufffdT\ufffd\\u00043f\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002275cb2f6e5e0816d41aba77cbd5ab3171768bace6\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\ufffd\\u0018\\u0015h\ufffd\ufffd7\ufffdPt\ufffd\ufffd\ufffdg\ufffdH\u0525\ufffd`\ufffd\ufffdj\ufffdO\ufffd\ufffdr\\\\[b \\u000b\ufffdQV=\ufffdI\ufffd6\ufffdl\ufffd7=\\u0017\ufffd\ufffd\ufffd\\t;\ufffdc_\ufffd\ufffdT\ufffd\\u00043f\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 4567, \u0022service\u0022: \u0022aws-ecs-agent\u0022, \u0022service_label_fr\u0022: \u0022AWS ECS AGENT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdh\ufffd\ufffd7\ufffdPt\ufffd\ufffd\ufffdg\ufffdH\u0525\ufffd`\ufffd\ufffdj\ufffdO\ufffd\ufffdr\\\\[b \ufffdQV=\ufffdI\ufffd6\ufffdl\ufffd7=\ufffd\ufffd\ufffd\\t;\ufffdc_\ufffd\ufffdT\ufffd3f\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffdq\ufffd\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via AWS ECS AGENT:4567 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00224567 \u00b7 AWS ECS AGENT\u0022, \u0022emulator_service\u0022: \u0022aws-ecs-agent\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 57, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022aws-ecs-agent\u0022, \u0022service_label_fr\u0022: \u0022AWS ECS AGENT\u0022, \u0022dst_port\u0022: 4567, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-aws-ecs-agent\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\ufffd\\u0018\\u0015h\ufffd\ufffd7\ufffdPt\ufffd\ufffd\ufffdg\ufffdH\u0525\ufffd`\ufffd\ufffdj\ufffdO\ufffd\ufffdr\\\\[b \\u000b\ufffdQV=\ufffdI\ufffd6\ufffdl\ufffd7=\\u0017\ufffd\ufffd\ufffd\\t;\ufffdc_\ufffd\ufffdT\ufffd\\u00043f\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 4567, \u0022service\u0022: \u0022aws-ecs-agent\u0022, \u0022service_label_fr\u0022: \u0022AWS ECS AGENT\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via AWS ECS AGENT:4567 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdh\ufffd\ufffd7\ufffdPt\ufffd\ufffd\ufffdg\ufffdH\u0525\ufffd`\ufffd\ufffdj\ufffdO\ufffd\ufffdr\\\\[b \ufffdQV=\ufffdI\ufffd6\ufffdl\ufffd7=\ufffd\ufffd\ufffd\\t;\ufffdc_\ufffd\ufffdT\ufffd3f\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffdq\ufffd\u0022, \u0022target_port_label\u0022: \u00224567 \u00b7 AWS ECS AGENT\u0022, \u0022emulator_service\u0022: \u0022aws-ecs-agent\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022aws_ecs_agent\u0022, \u0022service_banner\u0022: \u0022honeypot-aws-ecs-agent\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00224567\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022aws-ecs-agent\u0022, \u0022game-unreal\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022aws_ecs_agent_emulated\u0022, \u0022aws_ecs_agent_payload\u0022, \u0022net_cloud_scanner\u0022, \u0022tls_clienthello\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022aws_ecs_agent_emulated\u0022, \u0022aws_ecs_agent_payload\u0022, \u0022net_cloud_scanner\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":5,"bytes_in":1501},{"id":9534192,"ip":"18.117.74.144","ts":"2026-06-18 01:17:45.000000","proto":"tcp","src_port":52088,"dst_port":7777,"service":"game-unreal","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f742067616d655f756e7265616c20726561647920706f72743d373737370d0a\u0022, \u0022emulator_response_len\u0022: 42, \u0022bytes_in\u0022: 1501, \u0022payload_entropy\u0022: 7.730221061904469, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022service\u0022: \u0022game-unreal\u0022, \u0022app_proto\u0022: \u0022game-unreal\u0022, \u0022asn\u0022: 16509, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 7777, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a80e1e975d546d6c38d71e2f91a00a66c01630bc\u0022, \u0022event_fingerprint\u0022: \u0022a35789f75452d6a73be983d5f266e3a77d710b7e\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022game-unreal\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 16509, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c83842cf0d03dcf8d82c65b1c1929e75\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 7777, \u0022service\u0022: \u0022game-unreal\u0022, \u0022service_name\u0022: \u0022game-unreal\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\\u0011N6\\t\u0027h\ufffd\\u001c\u0026\ufffd\ufffd2\ufffd;b%Gq)X\ufffd\ufffdZ\u0027n\ufffd\ufffd]C(\ufffd x\ufffd\ufffdm\ufffd:\ufffd2\ufffd\ufffd@[hIF\ufffd\ufffd:\ufffd\ufffd\ufffd45\ufffd\ufffd\ufffd\ufffd#\ufffdD\ufffd\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\\u0011N6\\t\u0027h\ufffd\\u001c\u0026\ufffd\ufffd2\ufffd;b%Gq)X\ufffd\ufffdZ\u0027n\ufffd\ufffd]C(\ufffd x\ufffd\ufffdm\ufffd:\ufffd2\ufffd\ufffd@[hIF\ufffd\ufffd:\ufffd\ufffd\ufffd45\ufffd\ufffd\ufffd\ufffd#\ufffdD\ufffd\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\u0010\\u0000\\u000e\\u0011\ufffd\\u0011\ufffd\\u0011\ufffd\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\r\\u0000\\u0016\\u0000\\u0014\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u00002\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\\u0000\\u0010\\u0000\\u000e\\u0000\\f\\u0002h2\\bhttp\/1.1\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0004\ufffd\\u0004\ufffd\\u0011\ufffd\\u0004\ufffd\ufffd\ufffd\\u0010\\u00178\ufffdo\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\\u0011N6\\t\u0027h\ufffd\\u001c\u0026\ufffd\ufffd2\ufffd;b%Gq)X\ufffd\ufffdZ\u0027n\ufffd\ufffd]C(\ufffd x\ufffd\ufffdm\ufffd:\ufffd2\ufffd\ufffd@[hIF\ufffd\ufffd:\ufffd\ufffd\ufffd45\ufffd\ufffd\ufffd\ufffd#\ufffdD\ufffd\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022fb535b3ebb5ccce3a211dd69b2dd76e639c47e2c\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\\u0011N6\\t\u0027h\ufffd\\u001c\u0026\ufffd\ufffd2\ufffd;b%Gq)X\ufffd\ufffdZ\u0027n\ufffd\ufffd]C(\ufffd x\ufffd\ufffdm\ufffd:\ufffd2\ufffd\ufffd@[hIF\ufffd\ufffd:\ufffd\ufffd\ufffd45\ufffd\ufffd\ufffd\ufffd#\ufffdD\ufffd\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 7777, \u0022service\u0022: \u0022game-unreal\u0022, \u0022service_label_fr\u0022: \u0022GAME UNREAL\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdN6\\t\u0027h\ufffd\u0026\ufffd\ufffd2\ufffd;b%Gq)X\ufffd\ufffdZ\u0027n\ufffd\ufffd]C(\ufffd x\ufffd\ufffdm\ufffd:\ufffd2\ufffd\ufffd@[hIF\ufffd\ufffd:\ufffd\ufffd\ufffd45\ufffd\ufffd\ufffd\ufffd#\ufffdD\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffdq\ufffd\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via GAME UNREAL:7777 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00227777 \u00b7 GAME UNREAL\u0022, \u0022emulator_service\u0022: \u0022game-unreal\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022game-unreal\u0022, \u0022service_label_fr\u0022: \u0022GAME UNREAL\u0022, \u0022dst_port\u0022: 7777, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-game-unreal\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\\u0011N6\\t\u0027h\ufffd\\u001c\u0026\ufffd\ufffd2\ufffd;b%Gq)X\ufffd\ufffdZ\u0027n\ufffd\ufffd]C(\ufffd x\ufffd\ufffdm\ufffd:\ufffd2\ufffd\ufffd@[hIF\ufffd\ufffd:\ufffd\ufffd\ufffd45\ufffd\ufffd\ufffd\ufffd#\ufffdD\ufffd\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 7777, \u0022service\u0022: \u0022game-unreal\u0022, \u0022service_label_fr\u0022: \u0022GAME UNREAL\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via GAME UNREAL:7777 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdN6\\t\u0027h\ufffd\u0026\ufffd\ufffd2\ufffd;b%Gq)X\ufffd\ufffdZ\u0027n\ufffd\ufffd]C(\ufffd x\ufffd\ufffdm\ufffd:\ufffd2\ufffd\ufffd@[hIF\ufffd\ufffd:\ufffd\ufffd\ufffd45\ufffd\ufffd\ufffd\ufffd#\ufffdD\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffdq\ufffd\u0022, \u0022target_port_label\u0022: \u00227777 \u00b7 GAME UNREAL\u0022, \u0022emulator_service\u0022: \u0022game-unreal\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022game_unreal\u0022, \u0022service_banner\u0022: \u0022honeypot-game-unreal\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00227777\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":1501},{"id":9534193,"ip":"18.117.74.144","ts":"2026-06-18 01:17:45.000000","proto":"tcp","src_port":55255,"dst_port":7777,"service":"game-unreal","classification":"web_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f742067616d655f756e7265616c20726561647920706f72743d373737370d0a\u0022, \u0022emulator_response_len\u0022: 42, \u0022bytes_in\u0022: 93, \u0022payload_entropy\u0022: 5.16374587564314, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022service\u0022: \u0022game-unreal\u0022, \u0022app_proto\u0022: \u0022game-unreal\u0022, \u0022asn\u0022: 16509, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 7777, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002286e08fd16a2f2fc5dde0a89b7566a19d99b433f2\u0022, \u0022event_fingerprint\u0022: \u00229273f783c1dae2e568012c7a37ad4352fef5fca5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0419\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0419\u0022], \u0022matched_patterns\u0022: [\u0022pat-0419\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP HEAD method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0419\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022game-unreal\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 16509, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022861cb19f9d9b9b6c0f602ae4d33d1e04\u0022, \u0022path_pattern_hash\u0022: \u00224154520a4208b3f021f35a6cc1dd98ae\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 7777, \u0022service\u0022: \u0022game-unreal\u0022, \u0022service_name\u0022: \u0022game-unreal\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7777\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7777\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7777\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7777\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7777\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a910673b2225feb8f660fb9fb4d062c879b2a829\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7777\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022port\u0022: 7777, \u0022service\u0022: \u0022game-unreal\u0022, \u0022service_label_fr\u0022: \u0022GAME UNREAL\u0022}, \u0022evidence_snippet\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7777\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via GAME UNREAL:7777 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00227777 \u00b7 GAME UNREAL\u0022, \u0022emulator_service\u0022: \u0022game-unreal\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 46\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022game-unreal\u0022, \u0022service_label_fr\u0022: \u0022GAME UNREAL\u0022, \u0022dst_port\u0022: 7777, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0419\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0419\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-game-unreal\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7777\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022port\u0022: 7777, \u0022service\u0022: \u0022game-unreal\u0022, \u0022service_label_fr\u0022: \u0022GAME UNREAL\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via GAME UNREAL:7777 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7777\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022target_port_label\u0022: \u00227777 \u00b7 GAME UNREAL\u0022, \u0022emulator_service\u0022: \u0022game-unreal\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022game_unreal\u0022, \u0022service_banner\u0022: \u0022honeypot-game-unreal\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00227777\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mozi_pattern\u0022, \u0022net_mozi_pattern\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mozi_pattern\u0022, \u0022net_mozi_pattern\u0022]","anomalies":"[]","severity":8,"bytes_in":93},{"id":9533891,"ip":"18.117.74.144","ts":"2026-06-18 01:11:04.000000","proto":"tcp","src_port":50580,"dst_port":8091,"service":"couchbase","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f7420636f7563686261736520726561647920706f72743d383039310d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 1501, \u0022payload_entropy\u0022: 7.723847946816689, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022service\u0022: \u0022couchbase\u0022, \u0022app_proto\u0022: \u0022couchbase\u0022, \u0022asn\u0022: 16509, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 8091, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002254b305efd9f6c87fdc9ee5b9ecb530cc38f1805f\u0022, \u0022event_fingerprint\u0022: \u00229e9deeb6547e6521ff916066811968748b0cf23e\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.57, \u0022classification_confidence\u0022: 0.57, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022couchbase\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 16509, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ba1a9c9a132f0af8fea36e01783a3722\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8091, \u0022service\u0022: \u0022couchbase\u0022, \u0022service_name\u0022: \u0022couchbase\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003S[m\ufffd\u0354\\u0015\ufffd\ufffd\\b\ufffd|\ufffd\ufffdT\ufffd\ufffd\ufffd\ufffd\\u001b\ufffd\\u000e\ufffdn\ufffd\ufffdz\ufffd\\r \ufffdO\ufffd\\u001a\ufffdC\ufffd\ufffdp\ufffd\u0026kv\\u0007\\u000eY \ufffd\ufffdX\ufffd\ufffd\ufffd\ufffd\/\ufffd\\u001b\\f\ufffd\\u000bV\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003S[m\ufffd\u0354\\u0015\ufffd\ufffd\\b\ufffd|\ufffd\ufffdT\ufffd\ufffd\ufffd\ufffd\\u001b\ufffd\\u000e\ufffdn\ufffd\ufffdz\ufffd\\r \ufffdO\ufffd\\u001a\ufffdC\ufffd\ufffdp\ufffd\u0026kv\\u0007\\u000eY \ufffd\ufffdX\ufffd\ufffd\ufffd\ufffd\/\ufffd\\u001b\\f\ufffd\\u000bV\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\u0010\\u0000\\u000e\\u0011\ufffd\\u0011\ufffd\\u0011\ufffd\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\r\\u0000\\u0016\\u0000\\u0014\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u00002\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\\u0000\\u0010\\u0000\\u000e\\u0000\\f\\u0002h2\\bhttp\/1.1\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0004\ufffd\\u0004\ufffd\\u0011\ufffd\\u0004\ufffdd\ufffdt\ufffd\\u0015\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003S[m\ufffd\u0354\\u0015\ufffd\ufffd\\b\ufffd|\ufffd\ufffdT\ufffd\ufffd\ufffd\ufffd\\u001b\ufffd\\u000e\ufffdn\ufffd\ufffdz\ufffd\\r \ufffdO\ufffd\\u001a\ufffdC\ufffd\ufffdp\ufffd\u0026kv\\u0007\\u000eY \ufffd\ufffdX\ufffd\ufffd\ufffd\ufffd\/\ufffd\\u001b\\f\ufffd\\u000bV\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022bc250d3e3428274059f83c7297c28c1c6b29aaf8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003S[m\ufffd\u0354\\u0015\ufffd\ufffd\\b\ufffd|\ufffd\ufffdT\ufffd\ufffd\ufffd\ufffd\\u001b\ufffd\\u000e\ufffdn\ufffd\ufffdz\ufffd\\r \ufffdO\ufffd\\u001a\ufffdC\ufffd\ufffdp\ufffd\u0026kv\\u0007\\u000eY \ufffd\ufffdX\ufffd\ufffd\ufffd\ufffd\/\ufffd\\u001b\\f\ufffd\\u000bV\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8091, \u0022service\u0022: \u0022couchbase\u0022, \u0022service_label_fr\u0022: \u0022COUCHBASE\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdS[m\ufffd\u0354\ufffd\ufffd\ufffd|\ufffd\ufffdT\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdn\ufffd\ufffdz\ufffd\\r \ufffdO\ufffd\ufffdC\ufffd\ufffdp\ufffd\u0026kvY \ufffd\ufffdX\ufffd\ufffd\ufffd\ufffd\/\ufffd\ufffdV\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffdq\ufffd\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via COUCHBASE:8091 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228091 \u00b7 COUCHBASE\u0022, \u0022emulator_service\u0022: \u0022couchbase\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 57, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022couchbase\u0022, \u0022service_label_fr\u0022: \u0022COUCHBASE\u0022, \u0022dst_port\u0022: 8091, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-couchbase\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003S[m\ufffd\u0354\\u0015\ufffd\ufffd\\b\ufffd|\ufffd\ufffdT\ufffd\ufffd\ufffd\ufffd\\u001b\ufffd\\u000e\ufffdn\ufffd\ufffdz\ufffd\\r \ufffdO\ufffd\\u001a\ufffdC\ufffd\ufffdp\ufffd\u0026kv\\u0007\\u000eY \ufffd\ufffdX\ufffd\ufffd\ufffd\ufffd\/\ufffd\\u001b\\f\ufffd\\u000bV\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8091, \u0022service\u0022: \u0022couchbase\u0022, \u0022service_label_fr\u0022: \u0022COUCHBASE\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via COUCHBASE:8091 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdS[m\ufffd\u0354\ufffd\ufffd\ufffd|\ufffd\ufffdT\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdn\ufffd\ufffdz\ufffd\\r \ufffdO\ufffd\ufffdC\ufffd\ufffdp\ufffd\u0026kvY \ufffd\ufffdX\ufffd\ufffd\ufffd\ufffd\/\ufffd\ufffdV\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffdq\ufffd\u0022, \u0022target_port_label\u0022: \u00228091 \u00b7 COUCHBASE\u0022, \u0022emulator_service\u0022: \u0022couchbase\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022couchbase\u0022, \u0022service_banner\u0022: \u0022honeypot-couchbase\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228091\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 4, \u0022multi_protocol_sample\u0022: [\u0022couchbase\u0022, \u0022http\u0022, \u0022http-alt-8040\u0022, \u0022rtcp\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022couchbase_emulated\u0022, \u0022couchbase_payload\u0022, \u0022net_couchbase_probe\u0022, \u0022tls_clienthello\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022couchbase_emulated\u0022, \u0022couchbase_payload\u0022, \u0022net_couchbase_probe\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":5,"bytes_in":1501},{"id":9533892,"ip":"18.117.74.144","ts":"2026-06-18 01:11:04.000000","proto":"tcp","src_port":51356,"dst_port":8091,"service":"couchbase","classification":"web_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f7420636f7563686261736520726561647920706f72743d383039310d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 93, \u0022payload_entropy\u0022: 5.185251251987226, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022service\u0022: \u0022couchbase\u0022, \u0022app_proto\u0022: \u0022couchbase\u0022, \u0022asn\u0022: 16509, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 8091, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022810d1d1022f8bfbfccdfa39598b2ffefaaa839f3\u0022, \u0022event_fingerprint\u0022: \u00229e9deeb6547e6521ff916066811968748b0cf23e\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.57, \u0022classification_confidence\u0022: 0.57, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0419\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0419\u0022], \u0022matched_patterns\u0022: [\u0022pat-0419\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP HEAD method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0419\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022couchbase\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 16509, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c5cd5325da6af7b4b3283ad8e19e392b\u0022, \u0022path_pattern_hash\u0022: \u00224154520a4208b3f021f35a6cc1dd98ae\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8091, \u0022service\u0022: \u0022couchbase\u0022, \u0022service_name\u0022: \u0022couchbase\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8091\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8091\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8091\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8091\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8091\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227b951ee9f22d322f12b8b4870fe75921c3d617e0\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8091\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022port\u0022: 8091, \u0022service\u0022: \u0022couchbase\u0022, \u0022service_label_fr\u0022: \u0022COUCHBASE\u0022}, \u0022evidence_snippet\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8091\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via COUCHBASE:8091 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228091 \u00b7 COUCHBASE\u0022, \u0022emulator_service\u0022: \u0022couchbase\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 42\/100\u0022, \u0022confidence_pct\u0022: 57, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022couchbase\u0022, \u0022service_label_fr\u0022: \u0022COUCHBASE\u0022, \u0022dst_port\u0022: 8091, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0419\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0419\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-couchbase\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8091\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022port\u0022: 8091, \u0022service\u0022: \u0022couchbase\u0022, \u0022service_label_fr\u0022: \u0022COUCHBASE\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via COUCHBASE:8091 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8091\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022target_port_label\u0022: \u00228091 \u00b7 COUCHBASE\u0022, \u0022emulator_service\u0022: \u0022couchbase\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022couchbase\u0022, \u0022service_banner\u0022: \u0022honeypot-couchbase\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228091\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 4, \u0022multi_protocol_sample\u0022: [\u0022couchbase\u0022, \u0022http\u0022, \u0022http-alt-8040\u0022, \u0022rtcp\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022couchbase_emulated\u0022, \u0022couchbase_payload\u0022, \u0022mozi_pattern\u0022, \u0022net_couchbase_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022couchbase_emulated\u0022, \u0022couchbase_payload\u0022, \u0022mozi_pattern\u0022, \u0022net_couchbase_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":93},{"id":9533826,"ip":"18.117.74.144","ts":"2026-06-18 01:09:42.000000","proto":"tcp","src_port":49224,"dst_port":5005,"service":"rtcp","classification":"web_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74207274637020726561647920706f72743d353030350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 93, \u0022payload_entropy\u0022: 5.111544230779986, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022service\u0022: \u0022rtcp\u0022, \u0022app_proto\u0022: \u0022rtcp\u0022, \u0022asn\u0022: 16509, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 5005, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 2.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 44, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002221235df30f83d4fb1095063fa6f63a07d2c67820\u0022, \u0022event_fingerprint\u0022: \u00222eff11117aba3b41665d6c6eb4a00aa259989d28\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.57, \u0022classification_confidence\u0022: 0.57, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0419\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0419\u0022], \u0022matched_patterns\u0022: [\u0022pat-0419\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP HEAD method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0419\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 44, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtcp\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 16509, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00221a4e06c4ba417c3ea690ba5ba949e0d9\u0022, \u0022path_pattern_hash\u0022: \u00224154520a4208b3f021f35a6cc1dd98ae\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5005, \u0022service\u0022: \u0022rtcp\u0022, \u0022service_name\u0022: \u0022rtcp\u0022, \u0022risk_score\u0022: 44}, \u0022payload_preview\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5005\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5005\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5005\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5005\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5005\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002287621f11d69e2f4c1d183df45b685894d8a834f9\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5005\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022port\u0022: 5005, \u0022service\u0022: \u0022rtcp\u0022, \u0022service_label_fr\u0022: \u0022RTCP\u0022}, \u0022evidence_snippet\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5005\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via RTCP:5005 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225005 \u00b7 RTCP\u0022, \u0022emulator_service\u0022: \u0022rtcp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 44\/100\u0022, \u0022confidence_pct\u0022: 57, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 44, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 44, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtcp\u0022, \u0022service_label_fr\u0022: \u0022RTCP\u0022, \u0022dst_port\u0022: 5005, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0419\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0419\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtcp\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5005\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022port\u0022: 5005, \u0022service\u0022: \u0022rtcp\u0022, \u0022service_label_fr\u0022: \u0022RTCP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via RTCP:5005 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5005\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022target_port_label\u0022: \u00225005 \u00b7 RTCP\u0022, \u0022emulator_service\u0022: \u0022rtcp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtcp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtcp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225005\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022http-alt-8040\u0022, \u0022rtcp\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mozi_pattern\u0022, \u0022net_mozi_pattern\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mozi_pattern\u0022, \u0022net_mozi_pattern\u0022]","anomalies":"[]","severity":8,"bytes_in":93},{"id":9533825,"ip":"18.117.74.144","ts":"2026-06-18 01:09:41.000000","proto":"tcp","src_port":58621,"dst_port":5005,"service":"rtcp","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74207274637020726561647920706f72743d353030350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 1501, \u0022payload_entropy\u0022: 7.733880503378278, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022service\u0022: \u0022rtcp\u0022, \u0022app_proto\u0022: \u0022rtcp\u0022, \u0022asn\u0022: 16509, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 5005, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022113d59398490dcab045104e0dc3f331b7dd31205\u0022, \u0022event_fingerprint\u0022: \u0022606c6359759c484b0a1a45484ef7da5fe50e5232\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.57, \u0022classification_confidence\u0022: 0.57, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtcp\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 16509, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223b26c5471ddb79ba311d6097c2a428f1\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5005, \u0022service\u0022: \u0022rtcp\u0022, \u0022service_name\u0022: \u0022rtcp\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003u\ufffd?\ufffd\/\\u001a\ufffd\ufffd\u0027A\u0027N\/}\\u0004\\u0007\ufffd\ufffd}\ufffd)\\u0011\\u0005\ufffdHLdL\ufffd;d\\u0017 \ufffd\ufffd~\ufffd\ufffd\ufffd\u0165[\ufffd\ufffd|\ufffd\ufffdL8\u52aa\\u00139\ufffd\ufffd7\\u001b\ufffd_\ufffdM;\\r\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003u\ufffd?\ufffd\/\\u001a\ufffd\ufffd\u0027A\u0027N\/}\\u0004\\u0007\ufffd\ufffd}\ufffd)\\u0011\\u0005\ufffdHLdL\ufffd;d\\u0017 \ufffd\ufffd~\ufffd\ufffd\ufffd\u0165[\ufffd\ufffd|\ufffd\ufffdL8\u52aa\\u00139\ufffd\ufffd7\\u001b\ufffd_\ufffdM;\\r\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\u0010\\u0000\\u000e\\u0011\ufffd\\u0011\ufffd\\u0011\ufffd\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\r\\u0000\\u0016\\u0000\\u0014\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u00002\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\\u0000\\u0010\\u0000\\u000e\\u0000\\f\\u0002h2\\bhttp\/1.1\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0004\ufffd\\u0004\ufffd\\u0011\ufffd\\u0004\ufffd\ufffdfvHD\\u0017\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003u\ufffd?\ufffd\/\\u001a\ufffd\ufffd\u0027A\u0027N\/}\\u0004\\u0007\ufffd\ufffd}\ufffd)\\u0011\\u0005\ufffdHLdL\ufffd;d\\u0017 \ufffd\ufffd~\ufffd\ufffd\ufffd\u0165[\ufffd\ufffd|\ufffd\ufffdL8\u52aa\\u00139\ufffd\ufffd7\\u001b\ufffd_\ufffdM;\\r\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229bab1ce74326f2125d76535c14fe1db07a735540\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003u\ufffd?\ufffd\/\\u001a\ufffd\ufffd\u0027A\u0027N\/}\\u0004\\u0007\ufffd\ufffd}\ufffd)\\u0011\\u0005\ufffdHLdL\ufffd;d\\u0017 \ufffd\ufffd~\ufffd\ufffd\ufffd\u0165[\ufffd\ufffd|\ufffd\ufffdL8\u52aa\\u00139\ufffd\ufffd7\\u001b\ufffd_\ufffdM;\\r\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 5005, \u0022service\u0022: \u0022rtcp\u0022, \u0022service_label_fr\u0022: \u0022RTCP\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdu\ufffd?\ufffd\/\ufffd\ufffd\u0027A\u0027N\/}\ufffd\ufffd}\ufffd)\ufffdHLdL\ufffd;d \ufffd\ufffd~\ufffd\ufffd\ufffd\u0165[\ufffd\ufffd|\ufffd\ufffdL8\u52aa9\ufffd\ufffd7\ufffd_\ufffdM;\\r\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffdq\ufffd\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via RTCP:5005 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225005 \u00b7 RTCP\u0022, \u0022emulator_service\u0022: \u0022rtcp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 57, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022rtcp\u0022, \u0022service_label_fr\u0022: \u0022RTCP\u0022, \u0022dst_port\u0022: 5005, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtcp\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003u\ufffd?\ufffd\/\\u001a\ufffd\ufffd\u0027A\u0027N\/}\\u0004\\u0007\ufffd\ufffd}\ufffd)\\u0011\\u0005\ufffdHLdL\ufffd;d\\u0017 \ufffd\ufffd~\ufffd\ufffd\ufffd\u0165[\ufffd\ufffd|\ufffd\ufffdL8\u52aa\\u00139\ufffd\ufffd7\\u001b\ufffd_\ufffdM;\\r\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 5005, \u0022service\u0022: \u0022rtcp\u0022, \u0022service_label_fr\u0022: \u0022RTCP\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via RTCP:5005 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdu\ufffd?\ufffd\/\ufffd\ufffd\u0027A\u0027N\/}\ufffd\ufffd}\ufffd)\ufffdHLdL\ufffd;d \ufffd\ufffd~\ufffd\ufffd\ufffd\u0165[\ufffd\ufffd|\ufffd\ufffdL8\u52aa9\ufffd\ufffd7\ufffd_\ufffdM;\\r\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffdq\ufffd\u0022, \u0022target_port_label\u0022: \u00225005 \u00b7 RTCP\u0022, \u0022emulator_service\u0022: \u0022rtcp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtcp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtcp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225005\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022http-alt-8040\u0022, \u0022rtcp\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":1501},{"id":9533725,"ip":"18.117.74.144","ts":"2026-06-18 01:06:54.000000","proto":"tcp","src_port":55674,"dst_port":8040,"service":"http-alt-8040","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 1501, \u0022payload_entropy\u0022: 7.73511735158087, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022service\u0022: \u0022http-alt-8040\u0022, \u0022app_proto\u0022: \u0022http-alt-8040\u0022, \u0022asn\u0022: 16509, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 8040, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a7294fb57e5d1bd7f515642bfb7d775028264167\u0022, \u0022event_fingerprint\u0022: \u0022ce3872fa31b8251521ce92e15f09a1ea7ad32402\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http-alt-8040\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 16509, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224a15c75b394a74264ee974312f8ead8c\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8040, \u0022service\u0022: \u0022http-alt-8040\u0022, \u0022service_name\u0022: \u0022http-alt-8040\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u00034\ufffd(\ufffd\ufffd\\u0003\ufffdq%\ufffdM\ufffd\ufffd\ufffd\ufffd\ufffd%\u0498\ufffd\ufffd\\r1\\b\ufffd\ufffdQ\ufffd$\ufffd\ufffd\ufffd }dK|%\\f_5Yp\ufffd\ufffd\\f+\\\u0022\ufffd\\u0000\ufffd\ufffd|\ufffdG\ufffd +M\u238by0\ufffd\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u00034\ufffd(\ufffd\ufffd\\u0003\ufffdq%\ufffdM\ufffd\ufffd\ufffd\ufffd\ufffd%\u0498\ufffd\ufffd\\r1\\b\ufffd\ufffdQ\ufffd$\ufffd\ufffd\ufffd }dK|%\\f_5Yp\ufffd\ufffd\\f+\\\u0022\ufffd\\u0000\ufffd\ufffd|\ufffdG\ufffd +M\u238by0\ufffd\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\u0010\\u0000\\u000e\\u0011\ufffd\\u0011\ufffd\\u0011\ufffd\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\r\\u0000\\u0016\\u0000\\u0014\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u00002\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\\u0000\\u0010\\u0000\\u000e\\u0000\\f\\u0002h2\\bhttp\/1.1\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0004\ufffd\\u0004\ufffd\\u0011\ufffd\\u0004\ufffd\ufffd\ufffd\ufffd\\\u0022\u0026\\u001dK\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u00034\ufffd(\ufffd\ufffd\\u0003\ufffdq%\ufffdM\ufffd\ufffd\ufffd\ufffd\ufffd%\u0498\ufffd\ufffd\\r1\\b\ufffd\ufffdQ\ufffd$\ufffd\ufffd\ufffd }dK|%\\f_5Yp\ufffd\ufffd\\f+\\\u0022\ufffd\\u0000\ufffd\ufffd|\ufffdG\ufffd +M\u238by0\ufffd\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c02544db2db86115262a22ab493da8f48fd39720\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u00034\ufffd(\ufffd\ufffd\\u0003\ufffdq%\ufffdM\ufffd\ufffd\ufffd\ufffd\ufffd%\u0498\ufffd\ufffd\\r1\\b\ufffd\ufffdQ\ufffd$\ufffd\ufffd\ufffd }dK|%\\f_5Yp\ufffd\ufffd\\f+\\\u0022\ufffd\\u0000\ufffd\ufffd|\ufffdG\ufffd +M\u238by0\ufffd\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8040, \u0022service\u0022: \u0022http-alt-8040\u0022, \u0022service_label_fr\u0022: \u0022HTTP ALT 8040\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd4\ufffd(\ufffd\ufffd\ufffdq%\ufffdM\ufffd\ufffd\ufffd\ufffd\ufffd%\u0498\ufffd\ufffd\\r1\ufffd\ufffdQ\ufffd$\ufffd\ufffd\ufffd }dK|%_5Yp\ufffd\ufffd+\\\u0022\ufffd\ufffd\ufffd|\ufffdG\ufffd +M\u238by0\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffdq\ufffd\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via HTTP ALT 8040:8040 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228040 \u00b7 HTTP ALT 8040\u0022, \u0022emulator_service\u0022: \u0022http-alt-8040\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http-alt-8040\u0022, \u0022service_label_fr\u0022: \u0022HTTP ALT 8040\u0022, \u0022dst_port\u0022: 8040, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http-alt-8040\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u00034\ufffd(\ufffd\ufffd\\u0003\ufffdq%\ufffdM\ufffd\ufffd\ufffd\ufffd\ufffd%\u0498\ufffd\ufffd\\r1\\b\ufffd\ufffdQ\ufffd$\ufffd\ufffd\ufffd }dK|%\\f_5Yp\ufffd\ufffd\\f+\\\u0022\ufffd\\u0000\ufffd\ufffd|\ufffdG\ufffd +M\u238by0\ufffd\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8040, \u0022service\u0022: \u0022http-alt-8040\u0022, \u0022service_label_fr\u0022: \u0022HTTP ALT 8040\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via HTTP ALT 8040:8040 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd4\ufffd(\ufffd\ufffd\ufffdq%\ufffdM\ufffd\ufffd\ufffd\ufffd\ufffd%\u0498\ufffd\ufffd\\r1\ufffd\ufffdQ\ufffd$\ufffd\ufffd\ufffd }dK|%_5Yp\ufffd\ufffd+\\\u0022\ufffd\ufffd\ufffd|\ufffdG\ufffd +M\u238by0\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffdq\ufffd\u0022, \u0022target_port_label\u0022: \u00228040 \u00b7 HTTP ALT 8040\u0022, \u0022emulator_service\u0022: \u0022http-alt-8040\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http_alt_8040\u0022, \u0022service_banner\u0022: \u0022honeypot-http-alt-8040\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228040\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":1501},{"id":9533726,"ip":"18.117.74.144","ts":"2026-06-18 01:06:54.000000","proto":"tcp","src_port":56910,"dst_port":8040,"service":"http","classification":"exploit_attempt","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"HEAD","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022ec529202294adb98b7799d83e8a9f547c3148bfe\u0022, \u0022http_host_hash\u0022: \u0022536ef780c53aff4571829d7569317b48bd3c681f\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022HEAD\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 93, \u0022payload_entropy\u0022: 5.176060359812244, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 16509, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 8040, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 72.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 51, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220230c466a95c1b77f2132c60e1f0bd624096aa92\u0022, \u0022event_fingerprint\u0022: \u00226b48df12f748b1fa3e8f3ce127735f04dd41e370\u0022, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022confidence\u0022: 0.7, \u0022classification_confidence\u0022: 0.7, \u0022precision_score\u0022: 73, \u0022precision_signals\u0022: [\u0022MITRE-T1190\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1190\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 51, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 62.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 16509, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022e319be119abe500f1e7bd2d554725116\u0022, \u0022payload_hash\u0022: \u00220a15d71372e98167bc4aabe04887d9d0\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8040, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 51}, \u0022payload_preview\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8040\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022HEAD\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022HEAD \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8040\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8040\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022HEAD\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022HEAD \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8040\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8040\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c8035933b72bc59de3632b7f7c97254bb1748957\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022HEAD\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022HEAD \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022port\u0022: 8040, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8040\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022attack_vector\u0022: \u0022exploit attempt \u00b7 via HTTP:8040 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228040 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 62 % \u2014 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 70 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 70, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 51, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 51, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8040, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1190\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1190\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022HEAD\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022HEAD \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022port\u0022: 8040, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022exploit attempt \u00b7 via HTTP:8040 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8040\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022target_port_label\u0022: \u00228040 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 62 % \u2014 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 70 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228040\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022http-alt-8040\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022net_web_probe\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 96}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8040","http_user_agent":"Mozilla\/5.0 (compatible; Checker\/2.0)","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":8,"bytes_in":93},{"id":9533527,"ip":"18.117.74.144","ts":"2026-06-18 01:01:13.000000","proto":"tcp","src_port":56371,"dst_port":7443,"service":"oracle-em","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 1501, \u0022payload_entropy\u0022: 7.699430398259925, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022service\u0022: \u0022oracle-em\u0022, \u0022app_proto\u0022: \u0022oracle-em\u0022, \u0022asn\u0022: 16509, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 7443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224f4acff4c9041c67c73fa498ee94611b63a0dc4b\u0022, \u0022event_fingerprint\u0022: \u00223f1d4b52645bcd9531502ab86dc099f88926bef6\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022oracle-em\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 16509, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002233a4cde669b6bf76c1813f1cffc80849\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 7443, \u0022service\u0022: \u0022oracle-em\u0022, \u0022service_name\u0022: \u0022oracle-em\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\\u001e\ufffd[\ufffd\u04af\ufffdU\ufffd\ufffd\\u0015+\ufffdU\\\u0022o\ufffd\ufffd\ufffdO\ufffd\ufffdu\ufffd[\/\\u0014\ufffdC\u00c1 \ufffdv\ufffdg\ufffd\\u001d\/\ufffd\ufffdm\\rt\ufffds\\u000e\ufffd\\u0004\ufffd\ufffd\u0244-\ufffd,\\u0014\u07fd\ufffd}\ufffd\ufffd\ufffd\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\\u001e\ufffd[\ufffd\u04af\ufffdU\ufffd\ufffd\\u0015+\ufffdU\\\u0022o\ufffd\ufffd\ufffdO\ufffd\ufffdu\ufffd[\/\\u0014\ufffdC\u00c1 \ufffdv\ufffdg\ufffd\\u001d\/\ufffd\ufffdm\\rt\ufffds\\u000e\ufffd\\u0004\ufffd\ufffd\u0244-\ufffd,\\u0014\u07fd\ufffd}\ufffd\ufffd\ufffd\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\u0010\\u0000\\u000e\\u0011\ufffd\\u0011\ufffd\\u0011\ufffd\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\r\\u0000\\u0016\\u0000\\u0014\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u00002\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\\u0000\\u0010\\u0000\\u000e\\u0000\\f\\u0002h2\\bhttp\/1.1\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0004\ufffd\\u0004\ufffd\\u0011\ufffd\\u0004\ufffd\ufffd\u0026m\ufffd#\ufffd!\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\\u001e\ufffd[\ufffd\u04af\ufffdU\ufffd\ufffd\\u0015+\ufffdU\\\u0022o\ufffd\ufffd\ufffdO\ufffd\ufffdu\ufffd[\/\\u0014\ufffdC\u00c1 \ufffdv\ufffdg\ufffd\\u001d\/\ufffd\ufffdm\\rt\ufffds\\u000e\ufffd\\u0004\ufffd\ufffd\u0244-\ufffd,\\u0014\u07fd\ufffd}\ufffd\ufffd\ufffd\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225c5f8c0aa680054da4261bbfd33fd41e8712c993\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\\u001e\ufffd[\ufffd\u04af\ufffdU\ufffd\ufffd\\u0015+\ufffdU\\\u0022o\ufffd\ufffd\ufffdO\ufffd\ufffdu\ufffd[\/\\u0014\ufffdC\u00c1 \ufffdv\ufffdg\ufffd\\u001d\/\ufffd\ufffdm\\rt\ufffds\\u000e\ufffd\\u0004\ufffd\ufffd\u0244-\ufffd,\\u0014\u07fd\ufffd}\ufffd\ufffd\ufffd\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 7443, \u0022service\u0022: \u0022oracle-em\u0022, \u0022service_label_fr\u0022: \u0022ORACLE EM\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd[\ufffd\u04af\ufffdU\ufffd\ufffd+\ufffdU\\\u0022o\ufffd\ufffd\ufffdO\ufffd\ufffdu\ufffd[\/\ufffdC\u00c1 \ufffdv\ufffdg\ufffd\/\ufffd\ufffdm\\rt\ufffds\ufffd\ufffd\ufffd\u0244-\ufffd,\u07fd\ufffd}\ufffd\ufffd\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffdq\ufffd\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via ORACLE EM:7443 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00227443 \u00b7 ORACLE EM\u0022, \u0022emulator_service\u0022: \u0022oracle-em\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022oracle-em\u0022, \u0022service_label_fr\u0022: \u0022ORACLE EM\u0022, \u0022dst_port\u0022: 7443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-oracle-em\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\\u001e\ufffd[\ufffd\u04af\ufffdU\ufffd\ufffd\\u0015+\ufffdU\\\u0022o\ufffd\ufffd\ufffdO\ufffd\ufffdu\ufffd[\/\\u0014\ufffdC\u00c1 \ufffdv\ufffdg\ufffd\\u001d\/\ufffd\ufffdm\\rt\ufffds\\u000e\ufffd\\u0004\ufffd\ufffd\u0244-\ufffd,\\u0014\u07fd\ufffd}\ufffd\ufffd\ufffd\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 7443, \u0022service\u0022: \u0022oracle-em\u0022, \u0022service_label_fr\u0022: \u0022ORACLE EM\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via ORACLE EM:7443 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd[\ufffd\u04af\ufffdU\ufffd\ufffd+\ufffdU\\\u0022o\ufffd\ufffd\ufffdO\ufffd\ufffdu\ufffd[\/\ufffdC\u00c1 \ufffdv\ufffdg\ufffd\/\ufffd\ufffdm\\rt\ufffds\ufffd\ufffd\ufffd\u0244-\ufffd,\u07fd\ufffd}\ufffd\ufffd\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffdq\ufffd\u0022, \u0022target_port_label\u0022: \u00227443 \u00b7 ORACLE EM\u0022, \u0022emulator_service\u0022: \u0022oracle-em\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022oracle_em\u0022, \u0022service_banner\u0022: \u0022honeypot-oracle-em\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00227443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_oracle_tns_probe\u0022, \u0022oracle_em_emulated\u0022, \u0022oracle_em_payload\u0022, \u0022tls_clienthello\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_oracle_tns_probe\u0022, \u0022oracle_em_emulated\u0022, \u0022oracle_em_payload\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":5,"bytes_in":1501},{"id":9533528,"ip":"18.117.74.144","ts":"2026-06-18 01:01:13.000000","proto":"tcp","src_port":57813,"dst_port":7443,"service":"http","classification":"exploit_attempt","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"HEAD","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022ec529202294adb98b7799d83e8a9f547c3148bfe\u0022, \u0022http_host_hash\u0022: \u00223207cc58a88e4dd65c61f1b1f14e699cc0722bbe\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022HEAD\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 93, \u0022payload_entropy\u0022: 5.1933683219029625, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 16509, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 7443, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 72.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002240005da017bef00b97976ebf3705f97aaa28ab5f\u0022, \u0022event_fingerprint\u0022: \u0022461b83f7014fe619299b1b3ff6a2153181db3ce3\u0022, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022confidence\u0022: 0.7, \u0022classification_confidence\u0022: 0.7, \u0022precision_score\u0022: 73, \u0022precision_signals\u0022: [\u0022MITRE-T1190\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1190\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 50, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 62.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 16509, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022e319be119abe500f1e7bd2d554725116\u0022, \u0022payload_hash\u0022: \u0022f9e6f14aed619a38d63ca9d792c7b601\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 7443, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7443\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022HEAD\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022HEAD \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7443\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7443\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022HEAD\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022HEAD \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7443\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7443\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221cc6c958221858ffd0db9dec62d0c860dfefb2c9\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022HEAD\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022HEAD \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022port\u0022: 7443, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7443\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022attack_vector\u0022: \u0022exploit attempt \u00b7 via HTTP:7443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00227443 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 62 % \u2014 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 70 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 70, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 50, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 7443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1190\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1190\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022HEAD\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022HEAD \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022port\u0022: 7443, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022exploit attempt \u00b7 via HTTP:7443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022HEAD \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7443\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\u0022, \u0022target_port_label\u0022: \u00227443 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 62 % \u2014 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 70 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00227443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022oracle-em\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022net_web_probe\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 96}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:7443","http_user_agent":"Mozilla\/5.0 (compatible; Checker\/2.0)","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":8,"bytes_in":93},{"id":9532341,"ip":"18.117.74.144","ts":"2026-06-18 00:34:27.000000","proto":"tcp","src_port":61573,"dst_port":8565,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002260828da5b42313d165aae2938e651b72\u0022, \u0022tls_sni\u0022: null, \u0022tls_alpn\u0022: [\u0022h2\u0022, \u0022http\/1.1\u0022], \u0022bytes_in\u0022: 1501, \u0022payload_entropy\u0022: 7.738352704481345, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 16509, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 8565, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022416df83980eb1ab90924a31939a084c5d38dc39d\u0022, \u0022event_fingerprint\u0022: \u0022a226d5472e822adfaa5c91623ff375cf37f3614a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 16509, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002260828da5b42313d165aae2938e651b72\u0022, \u0022payload_hash\u0022: \u002202fe93415be3e795510b6c8cf008defb\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8565, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\ufffd\ufffd\u003C\\u0012\ufffdS\\\\\ufffd\\b\ufffd#u\ufffd\ufffd\\u0004\ufffdc\ufffd\ufffd\u003C\ufffd\ufffdi\ufffddS\ufffd3T\ufffd\ufffd\ufffd \u0664\ufffdRWt\ufffdB^\\\\\ufffd?\ufffd\ufffd\\t|\ufffd\ufffd\ufffd=\ufffd\ufffd\ufffdMw\ubf38\ufffdx\\u0014\ufffd\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\ufffd\ufffd\u003C\\u0012\ufffdS\\\\\ufffd\\b\ufffd#u\ufffd\ufffd\\u0004\ufffdc\ufffd\ufffd\u003C\ufffd\ufffdi\ufffddS\ufffd3T\ufffd\ufffd\ufffd \u0664\ufffdRWt\ufffdB^\\\\\ufffd?\ufffd\ufffd\\t|\ufffd\ufffd\ufffd=\ufffd\ufffd\ufffdMw\ubf38\ufffdx\\u0014\ufffd\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\u0010\\u0000\\u000e\\u0011\ufffd\\u0011\ufffd\\u0011\ufffd\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\r\\u0000\\u0016\\u0000\\u0014\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u00002\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\\u0000\\u0010\\u0000\\u000e\\u0000\\f\\u0002h2\\bhttp\/1.1\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0004\ufffd\\u0004\ufffd\\u0011\ufffd\\u0004\ufffd\u00d6\u003E\ufffdUa\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\ufffd\ufffd\u003C\\u0012\ufffdS\\\\\ufffd\\b\ufffd#u\ufffd\ufffd\\u0004\ufffdc\ufffd\ufffd\u003C\ufffd\ufffdi\ufffddS\ufffd3T\ufffd\ufffd\ufffd \u0664\ufffdRWt\ufffdB^\\\\\ufffd?\ufffd\ufffd\\t|\ufffd\ufffd\ufffd=\ufffd\ufffd\ufffdMw\ubf38\ufffdx\\u0014\ufffd\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ffd0d98796854c919302b7f8fc3c3c4334ceb737\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\ufffd\ufffd\u003C\\u0012\ufffdS\\\\\ufffd\\b\ufffd#u\ufffd\ufffd\\u0004\ufffdc\ufffd\ufffd\u003C\ufffd\ufffdi\ufffddS\ufffd3T\ufffd\ufffd\ufffd \u0664\ufffdRWt\ufffdB^\\\\\ufffd?\ufffd\ufffd\\t|\ufffd\ufffd\ufffd=\ufffd\ufffd\ufffdMw\ubf38\ufffdx\\u0014\ufffd\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002260828da5b42313d165aae2938e651b72\u0022, \u0022port\u0022: 8565, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\u003C\ufffdS\\\\\ufffd\ufffd#u\ufffd\ufffd\ufffdc\ufffd\ufffd\u003C\ufffd\ufffdi\ufffddS\ufffd3T\ufffd\ufffd\ufffd \u0664\ufffdRWt\ufffdB^\\\\\ufffd?\ufffd\ufffd\\t|\ufffd\ufffd\ufffd=\ufffd\ufffd\ufffdMw\ubf38\ufffdx\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffdq\ufffd\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:8565 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228565 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 8565, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\ufffd\ufffd\u003C\\u0012\ufffdS\\\\\ufffd\\b\ufffd#u\ufffd\ufffd\\u0004\ufffdc\ufffd\ufffd\u003C\ufffd\ufffdi\ufffddS\ufffd3T\ufffd\ufffd\ufffd \u0664\ufffdRWt\ufffdB^\\\\\ufffd?\ufffd\ufffd\\t|\ufffd\ufffd\ufffd=\ufffd\ufffd\ufffdMw\ubf38\ufffdx\\u0014\ufffd\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002260828da5b42313d165aae2938e651b72\u0022, \u0022port\u0022: 8565, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:8565 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\u003C\ufffdS\\\\\ufffd\ufffd#u\ufffd\ufffd\ufffdc\ufffd\ufffd\u003C\ufffd\ufffdi\ufffddS\ufffd3T\ufffd\ufffd\ufffd \u0664\ufffdRWt\ufffdB^\\\\\ufffd?\ufffd\ufffd\\t|\ufffd\ufffd\ufffd=\ufffd\ufffd\ufffdMw\ubf38\ufffdx\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffdq\ufffd\u0022, \u0022target_port_label\u0022: \u00228565 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228565\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"60828da5b42313d165aae2938e651b72","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-4865-4866-4867,11-65281-23-18-5-10-13-50-16-43-51,4588-4587-4589-29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]","anomalies":"[]","severity":2,"bytes_in":1501},{"id":9530947,"ip":"18.117.74.144","ts":"2026-06-18 00:03:26.000000","proto":"tcp","src_port":57272,"dst_port":53,"service":"dns","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002216038003d8010000d40303d8d7f007d4f822e9cfdd696d6460c1db1ec8a45e795937c44e39f1386bdfcf1820171cec06769e982f599462c287d854235ee7e86e52020c7f96bbf2fc895a5c04001ac02bc02fc02cc030cca9cca8c009c013c00ac01413011302130301000571000b00020100ff01000100001700000012000000\u0022, \u0022emulator_response_len\u0022: 1501, \u0022bytes_in\u0022: 1501, \u0022payload_entropy\u0022: 7.732440603697651, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022service\u0022: \u0022dns\u0022, \u0022app_proto\u0022: \u0022dns\u0022, \u0022asn\u0022: 16509, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 53, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002299ca9d090780dd2d2524bc6eeb1fe5cba81a3a64\u0022, \u0022event_fingerprint\u0022: \u0022a8ecfe27665a94483df3963a81bc8aaa2d3740ad\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022dns\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 16509, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f3836c37f472eaac6f41a295f897c208\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 53, \u0022service\u0022: \u0022dns\u0022, \u0022service_name\u0022: \u0022dns\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd\\u0007\ufffd\ufffd\\\u0022\ufffd\ufffd\ufffdimd`\ufffd\ufffd\\u001e\u0224^yY7\ufffdN9\ufffd8k\ufffd\ufffd\\u0018 \\u0017\\u001c\ufffd\\u0006v\ufffd\ufffd\/Y\ufffdb\u0087\ufffdT#^\ufffd\ufffdnR\\u0002\\f\ufffd\ufffd\ufffd\ufffd\ufffdZ\\\\\\u0004\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd\\u0007\ufffd\ufffd\\\u0022\ufffd\ufffd\ufffdimd`\ufffd\ufffd\\u001e\u0224^yY7\ufffdN9\ufffd8k\ufffd\ufffd\\u0018 \\u0017\\u001c\ufffd\\u0006v\ufffd\ufffd\/Y\ufffdb\u0087\ufffdT#^\ufffd\ufffdnR\\u0002\\f\ufffd\ufffd\ufffd\ufffd\ufffdZ\\\\\\u0004\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\u0010\\u0000\\u000e\\u0011\ufffd\\u0011\ufffd\\u0011\ufffd\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\r\\u0000\\u0016\\u0000\\u0014\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u00002\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\\u0000\\u0010\\u0000\\u000e\\u0000\\f\\u0002h2\\bhttp\/1.1\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0004\ufffd\\u0004\ufffd\\u0011\ufffd\\u0004\ufffd(w\ufffd:|\\u0002\\u0013\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd\\u0007\ufffd\ufffd\\\u0022\ufffd\ufffd\ufffdimd`\ufffd\ufffd\\u001e\u0224^yY7\ufffdN9\ufffd8k\ufffd\ufffd\\u0018 \\u0017\\u001c\ufffd\\u0006v\ufffd\ufffd\/Y\ufffdb\u0087\ufffdT#^\ufffd\ufffdnR\\u0002\\f\ufffd\ufffd\ufffd\ufffd\ufffdZ\\\\\\u0004\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227f3cdcb45fd214cc5b0d22da6688e7cdd1a83a20\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd\\u0007\ufffd\ufffd\\\u0022\ufffd\ufffd\ufffdimd`\ufffd\ufffd\\u001e\u0224^yY7\ufffdN9\ufffd8k\ufffd\ufffd\\u0018 \\u0017\\u001c\ufffd\\u0006v\ufffd\ufffd\/Y\ufffdb\u0087\ufffdT#^\ufffd\ufffdnR\\u0002\\f\ufffd\ufffd\ufffd\ufffd\ufffdZ\\\\\\u0004\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 53, \u0022service\u0022: \u0022dns\u0022, \u0022service_label_fr\u0022: \u0022DNS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\\u0022\ufffd\ufffd\ufffdimd`\ufffd\ufffd\u0224^yY7\ufffdN9\ufffd8k\ufffd\ufffd \ufffdv\ufffd\ufffd\/Y\ufffdb\u0087\ufffdT#^\ufffd\ufffdnR\ufffd\ufffd\ufffd\ufffd\ufffdZ\\\\\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffdq\ufffd\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002253 \u00b7 DNS\u0022, \u0022emulator_service\u0022: \u0022dns\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022dns\u0022, \u0022service_label_fr\u0022: \u0022DNS\u0022, \u0022dst_port\u0022: 53, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-dns\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd\\u0007\ufffd\ufffd\\\u0022\ufffd\ufffd\ufffdimd`\ufffd\ufffd\\u001e\u0224^yY7\ufffdN9\ufffd8k\ufffd\ufffd\\u0018 \\u0017\\u001c\ufffd\\u0006v\ufffd\ufffd\/Y\ufffdb\u0087\ufffdT#^\ufffd\ufffdnR\\u0002\\f\ufffd\ufffd\ufffd\ufffd\ufffdZ\\\\\\u0004\\u0000\\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005q\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 53, \u0022service\u0022: \u0022dns\u0022, \u0022service_label_fr\u0022: \u0022DNS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\\u0022\ufffd\ufffd\ufffdimd`\ufffd\ufffd\u0224^yY7\ufffdN9\ufffd8k\ufffd\ufffd \ufffdv\ufffd\ufffd\/Y\ufffdb\u0087\ufffdT#^\ufffd\ufffdnR\ufffd\ufffd\ufffd\ufffd\ufffdZ\\\\\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffdq\ufffd\u0022, \u0022target_port_label\u0022: \u002253 \u00b7 DNS\u0022, \u0022emulator_service\u0022: \u0022dns\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022dns\u0022, \u0022service_banner\u0022: \u0022honeypot-dns\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002253\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022dns_emulated\u0022, \u0022dns_payload\u0022, \u0022net_dns_probe\u0022, \u0022tls_clienthello\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022dns_emulated\u0022, \u0022dns_payload\u0022, \u0022net_dns_probe\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":4,"bytes_in":1501}],"total_events":19}