Détails IP 185.16.38.216

Synthèse exécutive

Profil de menace

Score de risque 42/100 Moyen

Première observation 18/06/2026 02:31 UTC

Dernière observation 18/06/2026 19:54 UTC

Événements (période) 797

MITRE ATT&CK principal TA0007 790 occurrences

Activité suspecte · risque 42/100

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « port_23_tcp » (signaux protocolaires) · confiance 55%

Confiance 55 % — Score WAF 8

Comparaison ASN / FAI

ASN 201814 · 185.16.38.0/23 · RIPENCC — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 797 événements sur la période pour cette IP.

194.180.48.110 Sonde RDP 18/06/2026 19:55 UTC
95.214.53.196 proxy probe 18/06/2026 19:42 UTC
95.214.55.226 Sonde port 23/TCP 18/06/2026 02:11 UTC
194.180.48.163 Sonde port 13389/TCP 17/06/2026 05:09 UTC
194.180.49.143 Sonde port 3382/TCP 17/06/2026 04:06 UTC
94.26.68.55 Sonde RDP 16/06/2026 12:52 UTC
194.180.49.141 Sonde port 3829/TCP 16/06/2026 07:13 UTC
194.180.48.83 Sonde RDP 15/06/2026 23:23 UTC

IPs apparentées

Même FAI MEVSPACE sp. z o.o. — corrélation indicative.

194.180.48.110 Sonde RDP
95.214.53.196 proxy probe
95.214.55.226 Sonde port 23/TCP
194.180.48.163 Sonde port 13389/TCP
194.180.49.143 Sonde port 3382/TCP

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Chronologie des événements

797 événement(s) — page 1/16

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
18/06/2026 19:54:48 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3766efa08f269a90d882010a8881ef82", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61fddfc1d87e61ff47337286e1a64b0a9f97c30f", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ], "behavior_alert_count": 1, "behavior_priority": 72 }
18/06/2026 19:53:40 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3766efa08f269a90d882010a8881ef82", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61fddfc1d87e61ff47337286e1a64b0a9f97c30f", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ] }
18/06/2026 19:52:28 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3766efa08f269a90d882010a8881ef82", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61fddfc1d87e61ff47337286e1a64b0a9f97c30f", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ] }
18/06/2026 19:51:22 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3766efa08f269a90d882010a8881ef82", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61fddfc1d87e61ff47337286e1a64b0a9f97c30f", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ] }
18/06/2026 19:50:17 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3766efa08f269a90d882010a8881ef82", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61fddfc1d87e61ff47337286e1a64b0a9f97c30f", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ], "behavior_alert_count": 1, "behavior_priority": 72 }
18/06/2026 19:49:28 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3766efa08f269a90d882010a8881ef82", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61fddfc1d87e61ff47337286e1a64b0a9f97c30f", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ], "behavior_alert_count": 1, "behavior_priority": 72 }
18/06/2026 19:48:22 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload ��service Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��service Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 18, "payload_entropy": 3.6835423624332306, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "203441f08f024855baee273e648b7b3e", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001\ufffd\ufffd\u0003\ufffd\ufffd\u0018service\r\n", "request_sample": "\ufffd\ufffd\u0001\ufffd\ufffd\u0003\ufffd\ufffd\u0018service\r\n", "payload_snippet": "\ufffd\ufffd\u0001\ufffd\ufffd\u0003\ufffd\ufffd\u0018service", "evidence": { "request_sample": "\ufffd\ufffd\u0001\ufffd\ufffd\u0003\ufffd\ufffd\u0018service\r\n", "payload_snippet": "\ufffd\ufffd\u0001\ufffd\ufffd\u0003\ufffd\ufffd\u0018service", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "da64cdcb442ec28246e7cffaec4ce6b3c67886ab", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001\ufffd\ufffd\u0003\ufffd\ufffd\u0018service", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdservice", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001\ufffd\ufffd\u0003\ufffd\ufffd\u0018service", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdservice", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ] }
18/06/2026 19:47:07 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3766efa08f269a90d882010a8881ef82", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61fddfc1d87e61ff47337286e1a64b0a9f97c30f", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ] }
18/06/2026 19:46:12 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3766efa08f269a90d882010a8881ef82", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61fddfc1d87e61ff47337286e1a64b0a9f97c30f", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ] }
18/06/2026 19:45:04 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3766efa08f269a90d882010a8881ef82", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61fddfc1d87e61ff47337286e1a64b0a9f97c30f", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ], "behavior_alert_count": 1, "behavior_priority": 72 }
18/06/2026 19:44:07 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3766efa08f269a90d882010a8881ef82", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61fddfc1d87e61ff47337286e1a64b0a9f97c30f", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ], "behavior_alert_count": 1, "behavior_priority": 72 }
18/06/2026 19:42:59 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "375a927bb9bbd2eb33edd9b4264c0c0b9afc3f8d", "protocol_details": { "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ] }
18/06/2026 19:41:21 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3766efa08f269a90d882010a8881ef82", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61fddfc1d87e61ff47337286e1a64b0a9f97c30f", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ] }
18/06/2026 19:40:02 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3766efa08f269a90d882010a8881ef82", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61fddfc1d87e61ff47337286e1a64b0a9f97c30f", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ] }
18/06/2026 19:39:17 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3766efa08f269a90d882010a8881ef82", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61fddfc1d87e61ff47337286e1a64b0a9f97c30f", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ], "behavior_alert_count": 1, "behavior_priority": 72 }
18/06/2026 19:37:03 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3766efa08f269a90d882010a8881ef82", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61fddfc1d87e61ff47337286e1a64b0a9f97c30f", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ] }
18/06/2026 19:35:56 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3766efa08f269a90d882010a8881ef82", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61fddfc1d87e61ff47337286e1a64b0a9f97c30f", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ] }
18/06/2026 19:34:50 UTC	TCP	23 · Telnet	telnet	tor exit probe tor exit probe · via Telnet:23 · (commande & contrôle)	Élevée	Faible · 35
Étape Commande & contrôle Chaîne Commande & contrôle Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0011 TA0011 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated tor_exit_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Service Telnet Payload ��administrator Pourquoi cette classification : Type « tor_exit_probe » (signaux protocolaires) · confiance 46% Confiance classification 46% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 46 % — 3 signal(aux) capteur Protocole émulé 1 Signaux Tor Exit Hint Technique MITRE TA0011 Tactiques MITRE TA0011 User-Agent — Règles WAF — Payload (extrait) ��administrator Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 24, "payload_entropy": 3.9701755214643453, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "53e536d5483cadd7e25823c90bb9417fe2af1d91", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 46%", "confidence": 0.46, "classification_confidence": 0.46, "precision_score": 55, "precision_signals": [ "INT-TOR-exit-hint" ], "kb_rule_ids": [ "INT-TOR-exit-hint" ], "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "telnet", "risk_confidence_factor": 46, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "fa6a6a5c60660f5a8ed950b79962e322", "path_pattern_hash": "d2d40d620e587c49ef0af866b893b1d5" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 35 }, "payload_preview": "\ufffd\ufffd\u0001\ufffd\ufffd\u0003\ufffd\ufffd\u0018administrator\r\n", "request_sample": "\ufffd\ufffd\u0001\ufffd\ufffd\u0003\ufffd\ufffd\u0018administrator\r\n", "payload_snippet": "\ufffd\ufffd\u0001\ufffd\ufffd\u0003\ufffd\ufffd\u0018administrator", "evidence": { "request_sample": "\ufffd\ufffd\u0001\ufffd\ufffd\u0003\ufffd\ufffd\u0018administrator\r\n", "payload_snippet": "\ufffd\ufffd\u0001\ufffd\ufffd\u0003\ufffd\ufffd\u0018administrator", "classification_reason": "Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 46%" }, "attack_stage": "c2", "mitre_tactics": [ "TA0011" ], "mitre": "TA0011", "threat_family": [ "botnet" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f8c3e2164711574f4b298360a3c13a44f71f7f65", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001\ufffd\ufffd\u0003\ufffd\ufffd\u0018administrator", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdadministrator", "attack_vector": "tor exit probe \u00b7 via Telnet:23 \u00b7 (commande & contr\u00f4le)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 46 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 46%", "classification_reason_label_fr": "Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 46%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 35\/100 (Faible) \u2014 MITRE TA0011 \u2014 confiance 46 % \u2014 via Telnet", "confidence_pct": 46, "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 35 }, "attack_stage": "c2", "attack_stage_label": "Commande & contr\u00f4le", "attack_chain_stage": "command_and_control", "attack_chain_stage_label_fr": "Commande & contr\u00f4le", "risk_score": 35, "risk_label": "Faible", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": [ "INT-TOR-exit-hint" ], "tags_summary_labels_fr": [ "Tor Exit Hint" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0011", "mitre_technique": "TA0011", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001\ufffd\ufffd\u0003\ufffd\ufffd\u0018administrator", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "tor exit probe \u00b7 via Telnet:23 \u00b7 (commande & contr\u00f4le)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdadministrator", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 46 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 46 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": true, "kind": "stage" }, { "key": "command_and_control", "label_fr": "Commande & contr\u00f4le", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "command_and_control", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated", "tor_exit_probe" ] }
18/06/2026 19:33:43 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3766efa08f269a90d882010a8881ef82", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61fddfc1d87e61ff47337286e1a64b0a9f97c30f", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ], "behavior_alert_count": 1, "behavior_priority": 72 }
18/06/2026 19:30:23 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3766efa08f269a90d882010a8881ef82", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61fddfc1d87e61ff47337286e1a64b0a9f97c30f", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ] }
18/06/2026 19:29:25 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3766efa08f269a90d882010a8881ef82", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61fddfc1d87e61ff47337286e1a64b0a9f97c30f", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ] }
18/06/2026 19:28:18 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload ��Wproot Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��Wproot Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 17, "payload_entropy": 3.5724694587701364, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f2fc442e9418e5ebd1f31af39d95b2d8", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001\ufffd\ufffd\u0003\ufffd\ufffd\u0018Wproot\r\n", "request_sample": "\ufffd\ufffd\u0001\ufffd\ufffd\u0003\ufffd\ufffd\u0018Wproot\r\n", "payload_snippet": "\ufffd\ufffd\u0001\ufffd\ufffd\u0003\ufffd\ufffd\u0018Wproot", "evidence": { "request_sample": "\ufffd\ufffd\u0001\ufffd\ufffd\u0003\ufffd\ufffd\u0018Wproot\r\n", "payload_snippet": "\ufffd\ufffd\u0001\ufffd\ufffd\u0003\ufffd\ufffd\u0018Wproot", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "80d08a1b6940dbb25841423735e74dc41b357c75", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001\ufffd\ufffd\u0003\ufffd\ufffd\u0018Wproot", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdWproot", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001\ufffd\ufffd\u0003\ufffd\ufffd\u0018Wproot", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdWproot", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ] }
18/06/2026 19:27:09 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3766efa08f269a90d882010a8881ef82", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61fddfc1d87e61ff47337286e1a64b0a9f97c30f", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ], "behavior_alert_count": 2, "behavior_priority": 72 }
18/06/2026 19:23:55 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3766efa08f269a90d882010a8881ef82", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61fddfc1d87e61ff47337286e1a64b0a9f97c30f", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ] }
18/06/2026 19:22:44 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3766efa08f269a90d882010a8881ef82", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61fddfc1d87e61ff47337286e1a64b0a9f97c30f", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ] }
18/06/2026 19:21:00 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3766efa08f269a90d882010a8881ef82", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61fddfc1d87e61ff47337286e1a64b0a9f97c30f", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ] }
18/06/2026 19:19:53 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3766efa08f269a90d882010a8881ef82", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61fddfc1d87e61ff47337286e1a64b0a9f97c30f", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ], "behavior_alert_count": 1, "behavior_priority": 72 }
18/06/2026 19:18:41 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3766efa08f269a90d882010a8881ef82", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61fddfc1d87e61ff47337286e1a64b0a9f97c30f", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ] }
18/06/2026 19:18:06 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3766efa08f269a90d882010a8881ef82", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61fddfc1d87e61ff47337286e1a64b0a9f97c30f", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ] }
18/06/2026 19:16:45 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload ��admin Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��admin Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 16, "payload_entropy": 3.577819531114783, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "0e0393d078646f44ea6bc229fa43dc5b", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001\ufffd\ufffd\u0003\ufffd\ufffd\u0018admin\r\n", "request_sample": "\ufffd\ufffd\u0001\ufffd\ufffd\u0003\ufffd\ufffd\u0018admin\r\n", "payload_snippet": "\ufffd\ufffd\u0001\ufffd\ufffd\u0003\ufffd\ufffd\u0018admin", "evidence": { "request_sample": "\ufffd\ufffd\u0001\ufffd\ufffd\u0003\ufffd\ufffd\u0018admin\r\n", "payload_snippet": "\ufffd\ufffd\u0001\ufffd\ufffd\u0003\ufffd\ufffd\u0018admin", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "15ab9941c464c901b2f2dcb2f07503b17aa0ddae", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001\ufffd\ufffd\u0003\ufffd\ufffd\u0018admin", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdadmin", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001\ufffd\ufffd\u0003\ufffd\ufffd\u0018admin", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdadmin", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ] }
18/06/2026 19:15:36 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3766efa08f269a90d882010a8881ef82", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61fddfc1d87e61ff47337286e1a64b0a9f97c30f", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ] }
18/06/2026 19:14:36 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3766efa08f269a90d882010a8881ef82", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61fddfc1d87e61ff47337286e1a64b0a9f97c30f", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ], "behavior_alert_count": 1, "behavior_priority": 72 }
18/06/2026 19:13:09 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3766efa08f269a90d882010a8881ef82", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61fddfc1d87e61ff47337286e1a64b0a9f97c30f", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ] }
18/06/2026 19:12:00 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3766efa08f269a90d882010a8881ef82", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61fddfc1d87e61ff47337286e1a64b0a9f97c30f", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ] }
18/06/2026 19:10:12 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3766efa08f269a90d882010a8881ef82", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61fddfc1d87e61ff47337286e1a64b0a9f97c30f", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ] }
18/06/2026 19:09:07 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3766efa08f269a90d882010a8881ef82", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61fddfc1d87e61ff47337286e1a64b0a9f97c30f", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ], "behavior_alert_count": 1, "behavior_priority": 72 }
18/06/2026 19:07:56 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3766efa08f269a90d882010a8881ef82", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61fddfc1d87e61ff47337286e1a64b0a9f97c30f", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ] }
18/06/2026 19:06:39 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "375a927bb9bbd2eb33edd9b4264c0c0b9afc3f8d", "protocol_details": { "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ] }
18/06/2026 19:05:19 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload ��support Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��support Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 18, "payload_entropy": 3.6835423624332306, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "74293cd56a73836af8249868161a4e56", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001\ufffd\ufffd\u0003\ufffd\ufffd\u0018support\r\n", "request_sample": "\ufffd\ufffd\u0001\ufffd\ufffd\u0003\ufffd\ufffd\u0018support\r\n", "payload_snippet": "\ufffd\ufffd\u0001\ufffd\ufffd\u0003\ufffd\ufffd\u0018support", "evidence": { "request_sample": "\ufffd\ufffd\u0001\ufffd\ufffd\u0003\ufffd\ufffd\u0018support\r\n", "payload_snippet": "\ufffd\ufffd\u0001\ufffd\ufffd\u0003\ufffd\ufffd\u0018support", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "037dc131ec040ad03fc2e0583a24d1b45e51d53a", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001\ufffd\ufffd\u0003\ufffd\ufffd\u0018support", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdsupport", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001\ufffd\ufffd\u0003\ufffd\ufffd\u0018support", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdsupport", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ], "behavior_alert_count": 1, "behavior_priority": 72 }
18/06/2026 19:03:55 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3766efa08f269a90d882010a8881ef82", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61fddfc1d87e61ff47337286e1a64b0a9f97c30f", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ], "behavior_alert_count": 1, "behavior_priority": 72 }
18/06/2026 18:58:10 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3766efa08f269a90d882010a8881ef82", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61fddfc1d87e61ff47337286e1a64b0a9f97c30f", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ] }
18/06/2026 18:57:00 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3766efa08f269a90d882010a8881ef82", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61fddfc1d87e61ff47337286e1a64b0a9f97c30f", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ] }
18/06/2026 18:56:29 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3766efa08f269a90d882010a8881ef82", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61fddfc1d87e61ff47337286e1a64b0a9f97c30f", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ], "behavior_alert_count": 1, "behavior_priority": 72 }
18/06/2026 18:55:25 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload ��admin Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��admin Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 16, "payload_entropy": 3.577819531114783, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "0e0393d078646f44ea6bc229fa43dc5b", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001\ufffd\ufffd\u0003\ufffd\ufffd\u0018admin\r\n", "request_sample": "\ufffd\ufffd\u0001\ufffd\ufffd\u0003\ufffd\ufffd\u0018admin\r\n", "payload_snippet": "\ufffd\ufffd\u0001\ufffd\ufffd\u0003\ufffd\ufffd\u0018admin", "evidence": { "request_sample": "\ufffd\ufffd\u0001\ufffd\ufffd\u0003\ufffd\ufffd\u0018admin\r\n", "payload_snippet": "\ufffd\ufffd\u0001\ufffd\ufffd\u0003\ufffd\ufffd\u0018admin", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "15ab9941c464c901b2f2dcb2f07503b17aa0ddae", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001\ufffd\ufffd\u0003\ufffd\ufffd\u0018admin", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdadmin", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001\ufffd\ufffd\u0003\ufffd\ufffd\u0018admin", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdadmin", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ] }
18/06/2026 18:53:55 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3766efa08f269a90d882010a8881ef82", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61fddfc1d87e61ff47337286e1a64b0a9f97c30f", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ], "behavior_alert_count": 1, "behavior_priority": 72 }
18/06/2026 18:53:02 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3766efa08f269a90d882010a8881ef82", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61fddfc1d87e61ff47337286e1a64b0a9f97c30f", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ] }
18/06/2026 18:51:56 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "375a927bb9bbd2eb33edd9b4264c0c0b9afc3f8d", "protocol_details": { "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ] }
18/06/2026 18:50:45 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3766efa08f269a90d882010a8881ef82", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61fddfc1d87e61ff47337286e1a64b0a9f97c30f", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ], "behavior_alert_count": 1, "behavior_priority": 72 }
18/06/2026 18:49:11 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3766efa08f269a90d882010a8881ef82", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61fddfc1d87e61ff47337286e1a64b0a9f97c30f", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ] }
18/06/2026 18:48:03 UTC	TCP	23 · Telnet	telnet	Sonde port 23/TCP port 23 tcp · via Telnet:23 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Preuve honeypot — Sonde port 23/TCP Connexion détectée sur le port 23 (TCP) du capteur simulé. Service Telnet Payload �� Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "well_known", "org": "MEVSPACE sp. z o.o.", "service": "telnet", "app_proto": "telnet", "asn": 201814, "country": "PL", "dst_port": 23, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "telnet_probe", "service_name": "telnet", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PL", "asn": 201814, "org": "MEVSPACE sp. z o.o.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3766efa08f269a90d882010a8881ef82", "path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "payload_preview": "\ufffd\ufffd\u0001", "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001", "payload_snippet": "\ufffd\ufffd\u0001", "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61fddfc1d87e61ff47337286e1a64b0a9f97c30f", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001", "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ] }

185.16.38.216

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence