{"ip":"185.196.110.68","exported_at":"2026-07-19T08:47:34+00:00","period_days":7,"metrics":{"events7d":17,"distinct_ports":1,"distinct_classifications":4,"max_severity":7,"last_sensor_id":"paris-1","max_waf_score":null,"max_risk_score":44,"attack_stage":"probe","attack_chain_stage":"discovery","threat_family":["scanner"],"recommended_action":"monitor","confidence":0.5,"risk_breakdown":{"waf":8,"classification":32,"behavior":0,"geo":0,"protocol":30,"novelty":15},"mitre_tactics":["TA0007","TA0001"],"mitre_technique":"TA0007","top_mitre_technique":"TA0007","top_mitre_count":9,"executive_one_liner_fr":"Activit\u00e9 suspecte \u00b7 risque 35\/100","campaign_hint_fr":null,"confidence_breakdown":{"waf":8,"classification":32,"behavior":0,"geo":0,"protocol":30,"novelty":15,"risk_score":35},"persona_hostname":"mail.sensor-1.internal","correlation_flags":[],"correlation_flags_labels_fr":[],"confidence_pct":50,"confidence_hint_fr":"Confiance mod\u00e9r\u00e9e \u2014 signal unique","sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["pat-0554"],"tags_summary":["pat-0554"],"attack_vector":"mattermost probe \u00b7 via Mattermost (chat d\u0027\u00e9quipe):8065 \u00b7 (sonde \/ probe)","protocol_details":{"payload_preview":"\u0016\u0003\u0001\u0006\ufffd\u0001\u0000\u0006\ufffd\u0003\u00034\u00b2\n\ufffd\ufffd\ufffd[\u0001\u04f0\ufffd\t\ufffd\ufffd1\ufffd\u0687@\u014d\ufffd\ufffdw\ufffd\u0003=\ufffd:\ufffd \ufffdb\ufffdY\ufffd\u05a0`\ufffd\u0010\ufffd[\u0018u:\ufffd:z#\ufffd!\ufffd\ufffd\u0006\u0011\u03f2\ufffdK\n\ufffd\u0000 JJ\u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0006S\ufffd\ufffd\u0000\u0000\ufffd\r\u0000\ufffd\u0000\u0000\u0001\u0000\u0001\ufffd","port":8065,"service":"mattermost","service_label_fr":"Mattermost (chat d\u0027\u00e9quipe)"},"protocol_summary_fr":"Payload \u0016\u0003\u0001\u0006\ufffd\u0001\u0000\u0006\ufffd\u0003\u00034\u00b2\n\ufffd\ufffd\ufffd[\u0001\u04f0\ufffd\t\ufffd\ufffd1\ufffd\u0687@\u014d\ufffd\ufffdw\ufffd\u0003=\ufffd:\ufffd \ufffdb\ufffdY\ufffd\u05a0`\ufffd\u0010\ufffd[\u0018u:\ufffd:z#\ufffd!\ufffd\ufffd\u0006\u0011\u2026 \u00b7 Mattermost (chat d\u0027\u00e9quipe):8065","evidence_snippet":"\ufffd\ufffd4\u00b2\n\ufffd\ufffd\ufffd[\u04f0\ufffd\t\ufffd\ufffd1\ufffd\u0687@\u014d\ufffd\ufffdw\ufffd=\ufffd:\ufffd \ufffdb\ufffdY\ufffd\u05a0`\ufffd\ufffd[u:\ufffd:z#\ufffd!\ufffd\ufffd\u03f2\ufffdK\n\ufffd JJ\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\/5S\ufffd\ufffd\ufffd\r\ufffd\ufffd","target_port_label":"8065 \u00b7 Mattermost (chat d\u0027\u00e9quipe)","emulator_service":"mattermost","confidence_reason":"Confiance 50 % \u2014 Motif catalogue confirm\u00e9","classification_reason":"Type \u00ab mattermost_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%","classification_reason_label_fr":"Type \u00ab mattermost_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%","confidence_factors_fr":"Confiance 50 % \u2014 Score WAF 8","payload_preview":"\ufffd\ufffd4\u00b2\n\ufffd\ufffd\ufffd[\u04f0\ufffd\t\ufffd\ufffd1\ufffd\u0687@\u014d\ufffd\ufffdw\ufffd=\ufffd:\ufffd \ufffdb\ufffdY\ufffd\u05a0`\ufffd\ufffd[u:\ufffd:z#\ufffd!\ufffd\ufffd\u03f2\ufffdK\n\ufffd JJ\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\/5S\ufffd\ufffd\ufffd\r\ufffd\ufffd"},"events":[{"id":12845061,"ip":"185.196.110.68","ts":"2026-07-19 07:15:20.000000","proto":"tcp","src_port":29782,"dst_port":8065,"service":"mattermost","classification":"mattermost_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d61747465726d6f737420726561647920706f72743d383036350d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 1733, \u0022payload_entropy\u0022: 7.7582841511558644, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TerraTransit AG\u0022, \u0022service\u0022: \u0022mattermost\u0022, \u0022app_proto\u0022: \u0022mattermost\u0022, \u0022asn\u0022: 42366, \u0022country\u0022: \u0022DE\u0022, \u0022dst_port\u0022: 8065, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002222a65a16457b2f9a4dcc124170aca506a5c34887\u0022, \u0022event_fingerprint\u0022: \u002222e3bf08f79bcae7110287ee11d62a54a4cd4754\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab mattermost_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022DE\u0022, \u0022asn\u0022: 42366, \u0022org\u0022: \u0022TerraTransit AG\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00220936703290a05d3aa82d0057366c6f85\u0022, \u0022path_pattern_hash\u0022: \u002287c91dbadfbde7bdb583344421d1d34e\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0006\ufffd\\u0001\\u0000\\u0006\ufffd\\u0003\\u00034\u00b2\\n\ufffd\ufffd\ufffd[\\u0001\u04f0\ufffd\\t\ufffd\ufffd1\ufffd\u0687@\u014d\ufffd\ufffdw\ufffd\\u0003=\ufffd:\ufffd \ufffdb\ufffdY\ufffd\u05a0`\ufffd\\u0010\ufffd[\\u0018u:\ufffd:z#\ufffd!\ufffd\ufffd\\u0006\\u0011\u03f2\ufffdK\\n\ufffd\\u0000 JJ\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\u0013\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\\u0001\\u0000\\u0006S\ufffd\ufffd\\u0000\\u0000\ufffd\\r\\u0000\ufffd\\u0000\\u0000\\u0001\\u0000\\u0001\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0006\ufffd\\u0001\\u0000\\u0006\ufffd\\u0003\\u00034\u00b2\\n\ufffd\ufffd\ufffd[\\u0001\u04f0\ufffd\\t\ufffd\ufffd1\ufffd\u0687@\u014d\ufffd\ufffdw\ufffd\\u0003=\ufffd:\ufffd \ufffdb\ufffdY\ufffd\u05a0`\ufffd\\u0010\ufffd[\\u0018u:\ufffd:z#\ufffd!\ufffd\ufffd\\u0006\\u0011\u03f2\ufffdK\\n\ufffd\\u0000 JJ\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\u0013\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\\u0001\\u0000\\u0006S\ufffd\ufffd\\u0000\\u0000\ufffd\\r\\u0000\ufffd\\u0000\\u0000\\u0001\\u0000\\u0001\ufffd\\u0000 ]\\u0011\\f\ufffde\ufffd\\u00159\ufffd\ufffd\ufffd\\u0000z\\u0007\\f\\u0001\\u001e\ufffd\\u001f\\u0002t\\u0006\ufffd\ufffd\u0027s\ufffd\ufffdk!\\u0000\ufffd!\ufffd\ufffdh\ufffd,\\u000f\ufffd\ufffd\ufffdQ\ufffd\uf9fcxZ$Z\\u0011\ufffd{\ufffd\\tBK\ufffd\ufffdE\ufffd\ufffd\ufffdf\ufffdh\ufffdP\ufffd(\ufffdj\ufffd=\\u0016\\u0018\ufffd\\rU\\u0011\ufffd\\u0006\\u0004R\ufffd\\u001e\ufffdg\u0409\ufffdo\ufffd[\ufffd.BE\ufffd\ufffdV\ufffd\ufffd\u003C\\u000fe\ufffd6\\u001b\\\\\\u0000\ufffdT\\u0000\ufffdw\ufffd\u0026\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0006\ufffd\\u0001\\u0000\\u0006\ufffd\\u0003\\u00034\u00b2\\n\ufffd\ufffd\ufffd[\\u0001\u04f0\ufffd\\t\ufffd\ufffd1\ufffd\u0687@\u014d\ufffd\ufffdw\ufffd\\u0003=\ufffd:\ufffd \ufffdb\ufffdY\ufffd\u05a0`\ufffd\\u0010\ufffd[\\u0018u:\ufffd:z#\ufffd!\ufffd\ufffd\\u0006\\u0011\u03f2\ufffdK\\n\ufffd\\u0000 JJ\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\u0013\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\\u0001\\u0000\\u0006S\ufffd\ufffd\\u0000\\u0000\ufffd\\r\\u0000\ufffd\\u0000\\u0000\\u0001\\u0000\\u0001\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mattermost_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022954695d4798a178722e9f2687835d95e49733ff8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0006\ufffd\\u0001\\u0000\\u0006\ufffd\\u0003\\u00034\u00b2\\n\ufffd\ufffd\ufffd[\\u0001\u04f0\ufffd\\t\ufffd\ufffd1\ufffd\u0687@\u014d\ufffd\ufffdw\ufffd\\u0003=\ufffd:\ufffd \ufffdb\ufffdY\ufffd\u05a0`\ufffd\\u0010\ufffd[\\u0018u:\ufffd:z#\ufffd!\ufffd\ufffd\\u0006\\u0011\u03f2\ufffdK\\n\ufffd\\u0000 JJ\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\u0013\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\\u0001\\u0000\\u0006S\ufffd\ufffd\\u0000\\u0000\ufffd\\r\\u0000\ufffd\\u0000\\u0000\\u0001\\u0000\\u0001\ufffd\u0022, \u0022port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd4\u00b2\\n\ufffd\ufffd\ufffd[\u04f0\ufffd\\t\ufffd\ufffd1\ufffd\u0687@\u014d\ufffd\ufffdw\ufffd=\ufffd:\ufffd \ufffdb\ufffdY\ufffd\u05a0`\ufffd\ufffd[u:\ufffd:z#\ufffd!\ufffd\ufffd\u03f2\ufffdK\\n\ufffd JJ\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\/5S\ufffd\ufffd\ufffd\\r\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022mattermost probe \u00b7 via Mattermost (chat d\u0027\u00e9quipe):8065 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228065 \u00b7 Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022emulator_service\u0022: \u0022mattermost\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mattermost_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mattermost_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022dst_port\u0022: 8065, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-mattermost\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0006\ufffd\\u0001\\u0000\\u0006\ufffd\\u0003\\u00034\u00b2\\n\ufffd\ufffd\ufffd[\\u0001\u04f0\ufffd\\t\ufffd\ufffd1\ufffd\u0687@\u014d\ufffd\ufffdw\ufffd\\u0003=\ufffd:\ufffd \ufffdb\ufffdY\ufffd\u05a0`\ufffd\\u0010\ufffd[\\u0018u:\ufffd:z#\ufffd!\ufffd\ufffd\\u0006\\u0011\u03f2\ufffdK\\n\ufffd\\u0000 JJ\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\u0013\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\\u0001\\u0000\\u0006S\ufffd\ufffd\\u0000\\u0000\ufffd\\r\\u0000\ufffd\\u0000\\u0000\\u0001\\u0000\\u0001\ufffd\u0022, \u0022port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022}, \u0022attack_vector\u0022: \u0022mattermost probe \u00b7 via Mattermost (chat d\u0027\u00e9quipe):8065 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd4\u00b2\\n\ufffd\ufffd\ufffd[\u04f0\ufffd\\t\ufffd\ufffd1\ufffd\u0687@\u014d\ufffd\ufffdw\ufffd=\ufffd:\ufffd \ufffdb\ufffdY\ufffd\u05a0`\ufffd\ufffd[u:\ufffd:z#\ufffd!\ufffd\ufffd\u03f2\ufffdK\\n\ufffd JJ\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\/5S\ufffd\ufffd\ufffd\\r\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00228065 \u00b7 Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022emulator_service\u0022: \u0022mattermost\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022mattermost\u0022, \u0022service_banner\u0022: \u0022honeypot-mattermost\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228065\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mattermost_emulated\u0022, \u0022net_mattermost_probe\u0022, \u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mattermost_emulated\u0022, \u0022net_mattermost_probe\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":4,"bytes_in":1733},{"id":12845054,"ip":"185.196.110.68","ts":"2026-07-19 07:15:17.000000","proto":"tcp","src_port":29774,"dst_port":8065,"service":"mattermost","classification":"mattermost_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d61747465726d6f737420726561647920706f72743d383036350d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 517, \u0022payload_entropy\u0022: 3.9438854776315955, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TerraTransit AG\u0022, \u0022service\u0022: \u0022mattermost\u0022, \u0022app_proto\u0022: \u0022mattermost\u0022, \u0022asn\u0022: 42366, \u0022country\u0022: \u0022DE\u0022, \u0022dst_port\u0022: 8065, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002222a65a16457b2f9a4dcc124170aca506a5c34887\u0022, \u0022event_fingerprint\u0022: \u002222e3bf08f79bcae7110287ee11d62a54a4cd4754\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab mattermost_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022DE\u0022, \u0022asn\u0022: 42366, \u0022org\u0022: \u0022TerraTransit AG\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022121c842cf018d062d6603ae771d7d496\u0022, \u0022path_pattern_hash\u0022: \u002287c91dbadfbde7bdb583344421d1d34e\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003aN\\u0016\ufffdd\ufffd\ufffd;\ufffd\ufffd\u0161`\u062b;\ufffdy\ufffd\\bx\ufffd)ku\ufffd=$\\u0013 \ufffdz\ufffd\ufffd\ufffd\ufffd\\b)Q\ufffd\\u001c(\ufffd\ufffd!\ufffd\ufffdd$\ufffd:y\ufffd\ufffd\ufffd\\u00152\u0740\ufffd\ufffd\\u0000*jj\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\ufffd,\ufffd+\u0329\ufffd0\ufffd\/\u0328\ufffd\\n\ufffd\\t\ufffd\\u0014\ufffd\\u0013\\u0000\ufffd\\u0000\ufffd\\u00005\\u0000\/\ufffd\\b\ufffd\\u0012\\u0000\\n\\u0001\\u0000\\u0001\ufffd\ufffd\ufffd\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003aN\\u0016\ufffdd\ufffd\ufffd;\ufffd\ufffd\u0161`\u062b;\ufffdy\ufffd\\bx\ufffd)ku\ufffd=$\\u0013 \ufffdz\ufffd\ufffd\ufffd\ufffd\\b)Q\ufffd\\u001c(\ufffd\ufffd!\ufffd\ufffdd$\ufffd:y\ufffd\ufffd\ufffd\\u00152\u0740\ufffd\ufffd\\u0000*jj\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\ufffd,\ufffd+\u0329\ufffd0\ufffd\/\u0328\ufffd\\n\ufffd\\t\ufffd\\u0014\ufffd\\u0013\\u0000\ufffd\\u0000\ufffd\\u00005\\u0000\/\ufffd\\b\ufffd\\u0012\\u0000\\n\\u0001\\u0000\\u0001\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\f\\u0000\\nzz\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\u0010\\u0000\\u000e\\u0000\\f\\u0002h2\\bhttp\/1.1\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\r\\u0000\\u0018\\u0000\\u0016\\u0004\\u0003\\b\\u0004\\u0004\\u0001\\u0005\\u0003\\u0002\\u0003\\b\\u0005\\b\\u0005\\u0005\\u0001\\b\\u0006\\u0006\\u0001\\u0002\\u0001\\u0000\\u0012\\u0000\\u0000\\u00003\\u0000+\\u0000)zz\\u0000\\u0001\\u0000\\u0000\\u001d\\u0000 _\ufffd\\t\ufffd\ufffd\ufffdt\\bZ]*\ufffd\\\u0022E\\u001e\ufffd-\ufffdn:l\ufffd\\u0010\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003aN\\u0016\ufffdd\ufffd\ufffd;\ufffd\ufffd\u0161`\u062b;\ufffdy\ufffd\\bx\ufffd)ku\ufffd=$\\u0013 \ufffdz\ufffd\ufffd\ufffd\ufffd\\b)Q\ufffd\\u001c(\ufffd\ufffd!\ufffd\ufffdd$\ufffd:y\ufffd\ufffd\ufffd\\u00152\u0740\ufffd\ufffd\\u0000*jj\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\ufffd,\ufffd+\u0329\ufffd0\ufffd\/\u0328\ufffd\\n\ufffd\\t\ufffd\\u0014\ufffd\\u0013\\u0000\ufffd\\u0000\ufffd\\u00005\\u0000\/\ufffd\\b\ufffd\\u0012\\u0000\\n\\u0001\\u0000\\u0001\ufffd\ufffd\ufffd\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mattermost_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d10f50cc693ed50938a8efabda9f81ddf5f3a7a9\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003aN\\u0016\ufffdd\ufffd\ufffd;\ufffd\ufffd\u0161`\u062b;\ufffdy\ufffd\\bx\ufffd)ku\ufffd=$\\u0013 \ufffdz\ufffd\ufffd\ufffd\ufffd\\b)Q\ufffd\\u001c(\ufffd\ufffd!\ufffd\ufffdd$\ufffd:y\ufffd\ufffd\ufffd\\u00152\u0740\ufffd\ufffd\\u0000*jj\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\ufffd,\ufffd+\u0329\ufffd0\ufffd\/\u0328\ufffd\\n\ufffd\\t\ufffd\\u0014\ufffd\\u0013\\u0000\ufffd\\u0000\ufffd\\u00005\\u0000\/\ufffd\\b\ufffd\\u0012\\u0000\\n\\u0001\\u0000\\u0001\ufffd\ufffd\ufffd\\u0000\\u0000\u0022, \u0022port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffdaN\ufffdd\ufffd\ufffd;\ufffd\ufffd\u0161`\u062b;\ufffdy\ufffdx\ufffd)ku\ufffd=$ \ufffdz\ufffd\ufffd\ufffd\ufffd)Q\ufffd(\ufffd\ufffd!\ufffd\ufffdd$\ufffd:y\ufffd\ufffd\ufffd2\u0740\ufffd\ufffd*jj\ufffd,\ufffd+\u0329\ufffd0\ufffd\/\u0328\ufffd\\n\ufffd\\t\ufffd\ufffd\ufffd\ufffd5\/\ufffd\ufffd\\n\ufffd\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022mattermost probe \u00b7 via Mattermost (chat d\u0027\u00e9quipe):8065 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228065 \u00b7 Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022emulator_service\u0022: \u0022mattermost\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mattermost_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mattermost_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022dst_port\u0022: 8065, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-mattermost\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003aN\\u0016\ufffdd\ufffd\ufffd;\ufffd\ufffd\u0161`\u062b;\ufffdy\ufffd\\bx\ufffd)ku\ufffd=$\\u0013 \ufffdz\ufffd\ufffd\ufffd\ufffd\\b)Q\ufffd\\u001c(\ufffd\ufffd!\ufffd\ufffdd$\ufffd:y\ufffd\ufffd\ufffd\\u00152\u0740\ufffd\ufffd\\u0000*jj\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\ufffd,\ufffd+\u0329\ufffd0\ufffd\/\u0328\ufffd\\n\ufffd\\t\ufffd\\u0014\ufffd\\u0013\\u0000\ufffd\\u0000\ufffd\\u00005\\u0000\/\ufffd\\b\ufffd\\u0012\\u0000\\n\\u0001\\u0000\\u0001\ufffd\ufffd\ufffd\\u0000\\u0000\u0022, \u0022port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022}, \u0022attack_vector\u0022: \u0022mattermost probe \u00b7 via Mattermost (chat d\u0027\u00e9quipe):8065 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffdaN\ufffdd\ufffd\ufffd;\ufffd\ufffd\u0161`\u062b;\ufffdy\ufffdx\ufffd)ku\ufffd=$ \ufffdz\ufffd\ufffd\ufffd\ufffd)Q\ufffd(\ufffd\ufffd!\ufffd\ufffdd$\ufffd:y\ufffd\ufffd\ufffd2\u0740\ufffd\ufffd*jj\ufffd,\ufffd+\u0329\ufffd0\ufffd\/\u0328\ufffd\\n\ufffd\\t\ufffd\ufffd\ufffd\ufffd5\/\ufffd\ufffd\\n\ufffd\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00228065 \u00b7 Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022emulator_service\u0022: \u0022mattermost\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022mattermost\u0022, \u0022service_banner\u0022: \u0022honeypot-mattermost\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228065\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mattermost_emulated\u0022, \u0022net_mattermost_probe\u0022, \u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mattermost_emulated\u0022, \u0022net_mattermost_probe\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":4,"bytes_in":517},{"id":12845050,"ip":"185.196.110.68","ts":"2026-07-19 07:15:15.000000","proto":"tcp","src_port":29772,"dst_port":8065,"service":"mattermost","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d61747465726d6f737420726561647920706f72743d383036350d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 571, \u0022payload_entropy\u0022: 5.577793389100288, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TerraTransit AG\u0022, \u0022service\u0022: \u0022mattermost\u0022, \u0022app_proto\u0022: \u0022mattermost\u0022, \u0022asn\u0022: 42366, \u0022country\u0022: \u0022DE\u0022, \u0022dst_port\u0022: 8065, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 43, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022dfb9202dfc0de4b93006794ca23bbee8bdcc7642\u0022, \u0022event_fingerprint\u0022: \u002222e3bf08f79bcae7110287ee11d62a54a4cd4754\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 43}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022DE\u0022, \u0022asn\u0022: 42366, \u0022org\u0022: \u0022TerraTransit AG\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002223b56eaff7498f14ed367d991deca8cf\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022risk_score\u0022: 43}, \u0022payload_preview\u0022: \u0022GET \/api\/v4\/teams HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like G\u0022, \u0022request_sample\u0022: \u0022GET \/api\/v4\/teams HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/v4\/teams HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like G\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/api\/v4\/teams HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/v4\/teams HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like G\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227f34c977cccac79faf473a45b92e528364440c42\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/api\/v4\/teams HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like G\u0022, \u0022port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/api\/v4\/teams HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like G\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via Mattermost (chat d\u0027\u00e9quipe):8065 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228065 \u00b7 Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022emulator_service\u0022: \u0022mattermost\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 43}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 43, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022dst_port\u0022: 8065, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-mattermost\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/api\/v4\/teams HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like G\u0022, \u0022port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via Mattermost (chat d\u0027\u00e9quipe):8065 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/api\/v4\/teams HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like G\u0022, \u0022target_port_label\u0022: \u00228065 \u00b7 Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022emulator_service\u0022: \u0022mattermost\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022mattermost\u0022, \u0022service_banner\u0022: \u0022honeypot-mattermost\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228065\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mattermost_api_probe\u0022, \u0022mattermost_emulated\u0022, \u0022mozi_pattern\u0022, \u0022net_mattermost_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mattermost_api_probe\u0022, \u0022mattermost_emulated\u0022, \u0022mozi_pattern\u0022, \u0022net_mattermost_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":571},{"id":12845048,"ip":"185.196.110.68","ts":"2026-07-19 07:15:12.000000","proto":"tcp","src_port":3786,"dst_port":8065,"service":"mattermost","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d61747465726d6f737420726561647920706f72743d383036350d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 600, \u0022payload_entropy\u0022: 5.558866571524557, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TerraTransit AG\u0022, \u0022service\u0022: \u0022mattermost\u0022, \u0022app_proto\u0022: \u0022mattermost\u0022, \u0022asn\u0022: 42366, \u0022country\u0022: \u0022DE\u0022, \u0022dst_port\u0022: 8065, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 43, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022dfb9202dfc0de4b93006794ca23bbee8bdcc7642\u0022, \u0022event_fingerprint\u0022: \u002222e3bf08f79bcae7110287ee11d62a54a4cd4754\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 43}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022DE\u0022, \u0022asn\u0022: 42366, \u0022org\u0022: \u0022TerraTransit AG\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223987f77a5f8dafe31b60fc272e16110e\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022risk_score\u0022: 43}, \u0022payload_preview\u0022: \u0022GET \/api\/v1\/channels.list?count=100 HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Apple\u0022, \u0022request_sample\u0022: \u0022GET \/api\/v1\/channels.list?count=100 HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/135.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/v1\/channels.list?count=100 HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Apple\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/api\/v1\/channels.list?count=100 HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/135.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/v1\/channels.list?count=100 HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Apple\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a9ee4c0f41edb943b389ca7c6f770b9eca3014cf\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/api\/v1\/channels.list?count=100 HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Apple\u0022, \u0022port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/api\/v1\/channels.list?count=100 HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Apple\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via Mattermost (chat d\u0027\u00e9quipe):8065 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228065 \u00b7 Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022emulator_service\u0022: \u0022mattermost\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 43}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 43, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022dst_port\u0022: 8065, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-mattermost\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/api\/v1\/channels.list?count=100 HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Apple\u0022, \u0022port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via Mattermost (chat d\u0027\u00e9quipe):8065 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/api\/v1\/channels.list?count=100 HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Apple\u0022, \u0022target_port_label\u0022: \u00228065 \u00b7 Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022emulator_service\u0022: \u0022mattermost\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022mattermost\u0022, \u0022service_banner\u0022: \u0022honeypot-mattermost\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228065\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mattermost_api_probe\u0022, \u0022mattermost_emulated\u0022, \u0022mozi_pattern\u0022, \u0022net_mattermost_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mattermost_api_probe\u0022, \u0022mattermost_emulated\u0022, \u0022mozi_pattern\u0022, \u0022net_mattermost_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":600},{"id":12814718,"ip":"185.196.110.68","ts":"2026-07-18 23:01:08.000000","proto":"tcp","src_port":9496,"dst_port":8065,"service":"mattermost","classification":"mattermost_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d61747465726d6f737420726561647920706f72743d383036350d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 1765, \u0022payload_entropy\u0022: 7.774218585036384, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TerraTransit AG\u0022, \u0022service\u0022: \u0022mattermost\u0022, \u0022app_proto\u0022: \u0022mattermost\u0022, \u0022asn\u0022: 42366, \u0022country\u0022: \u0022DE\u0022, \u0022dst_port\u0022: 8065, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022fde7492d6d9994bdb27d8ec28c221c8bc9fa41d2\u0022, \u0022event_fingerprint\u0022: \u002222e3bf08f79bcae7110287ee11d62a54a4cd4754\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab mattermost_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022DE\u0022, \u0022asn\u0022: 42366, \u0022org\u0022: \u0022TerraTransit AG\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022df30c75099012871eccb908046e05e95\u0022, \u0022path_pattern_hash\u0022: \u002287c91dbadfbde7bdb583344421d1d34e\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0006\ufffd\\u0001\\u0000\\u0006\ufffd\\u0003\\u0003^aW\ufffd\ufffdC\ufffd\\n\ufffdt=g\ufffd\ufffd\ufffd\\u0003\ufffd-0\ufffd\ufffd\ufffdLI=\ufffd\ufffdz\ufffd\\u00002 \\t\u0589\ufffd\ufffd\ufffd\\u001d\ufffd(s\\u0007.d\ufffd\ufffd\ufffd\ufffd\ufffd@$C\ufffd\ufffd\ufffd\u02fbepHRTL\\u0000 zz\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\u0013\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\\u0001\\u0000\\u0006s\\u001a\\u001a\\u0000\\u0000\\u0000+\\u0000\\u0007\\u0006\ufffd\ufffd\\u0003\\u0004\\u0003\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0006\ufffd\\u0001\\u0000\\u0006\ufffd\\u0003\\u0003^aW\ufffd\ufffdC\ufffd\\n\ufffdt=g\ufffd\ufffd\ufffd\\u0003\ufffd-0\ufffd\ufffd\ufffdLI=\ufffd\ufffdz\ufffd\\u00002 \\t\u0589\ufffd\ufffd\ufffd\\u001d\ufffd(s\\u0007.d\ufffd\ufffd\ufffd\ufffd\ufffd@$C\ufffd\ufffd\ufffd\u02fbepHRTL\\u0000 zz\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\u0013\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\\u0001\\u0000\\u0006s\\u001a\\u001a\\u0000\\u0000\\u0000+\\u0000\\u0007\\u0006\ufffd\ufffd\\u0003\\u0004\\u0003\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000D\ufffd\\u0000\\u0005\\u0000\\u0003\\u0002h2\\u0000-\\u0000\\u0002\\u0001\\u0001\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u0012\\u0000\\u0010\\u0004\\u0003\\b\\u0004\\u0004\\u0001\\u0005\\u0003\\b\\u0005\\u0005\\u0001\\b\\u0006\\u0006\\u0001\\u0000\\u0017\\u0000\\u0000\\u0000\\u0010\\u0000\\u000e\\u0000\\f\\u0002h2\\bhttp\/1.1\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u00003\\u0004\ufffd\\u0004\ud28a\\u0000\\u0001\\u0000\\u0011\ufffd\\u0004\ufffd\ufffd;W\ufffd)|\ufffdu8.|\u029a\ufffd\/\ufffd\\u0002y\ufffd2\ufffdKh\\\u0022\ufffd\u0027\ufffd\ufffd\ufffd?\ufffdY\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0006\ufffd\\u0001\\u0000\\u0006\ufffd\\u0003\\u0003^aW\ufffd\ufffdC\ufffd\\n\ufffdt=g\ufffd\ufffd\ufffd\\u0003\ufffd-0\ufffd\ufffd\ufffdLI=\ufffd\ufffdz\ufffd\\u00002 \\t\u0589\ufffd\ufffd\ufffd\\u001d\ufffd(s\\u0007.d\ufffd\ufffd\ufffd\ufffd\ufffd@$C\ufffd\ufffd\ufffd\u02fbepHRTL\\u0000 zz\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\u0013\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\\u0001\\u0000\\u0006s\\u001a\\u001a\\u0000\\u0000\\u0000+\\u0000\\u0007\\u0006\ufffd\ufffd\\u0003\\u0004\\u0003\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mattermost_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e80df8edb7147ea490771871b37f5c7a0c7d38ce\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0006\ufffd\\u0001\\u0000\\u0006\ufffd\\u0003\\u0003^aW\ufffd\ufffdC\ufffd\\n\ufffdt=g\ufffd\ufffd\ufffd\\u0003\ufffd-0\ufffd\ufffd\ufffdLI=\ufffd\ufffdz\ufffd\\u00002 \\t\u0589\ufffd\ufffd\ufffd\\u001d\ufffd(s\\u0007.d\ufffd\ufffd\ufffd\ufffd\ufffd@$C\ufffd\ufffd\ufffd\u02fbepHRTL\\u0000 zz\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\u0013\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\\u0001\\u0000\\u0006s\\u001a\\u001a\\u0000\\u0000\\u0000+\\u0000\\u0007\\u0006\ufffd\ufffd\\u0003\\u0004\\u0003\u0022, \u0022port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd^aW\ufffd\ufffdC\ufffd\\n\ufffdt=g\ufffd\ufffd\ufffd\ufffd-0\ufffd\ufffd\ufffdLI=\ufffd\ufffdz\ufffd2 \\t\u0589\ufffd\ufffd\ufffd\ufffd(s.d\ufffd\ufffd\ufffd\ufffd\ufffd@$C\ufffd\ufffd\ufffd\u02fbepHRTL zz\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\/5s+\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022mattermost probe \u00b7 via Mattermost (chat d\u0027\u00e9quipe):8065 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228065 \u00b7 Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022emulator_service\u0022: \u0022mattermost\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mattermost_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mattermost_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022dst_port\u0022: 8065, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-mattermost\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0006\ufffd\\u0001\\u0000\\u0006\ufffd\\u0003\\u0003^aW\ufffd\ufffdC\ufffd\\n\ufffdt=g\ufffd\ufffd\ufffd\\u0003\ufffd-0\ufffd\ufffd\ufffdLI=\ufffd\ufffdz\ufffd\\u00002 \\t\u0589\ufffd\ufffd\ufffd\\u001d\ufffd(s\\u0007.d\ufffd\ufffd\ufffd\ufffd\ufffd@$C\ufffd\ufffd\ufffd\u02fbepHRTL\\u0000 zz\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\u0013\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\\u0001\\u0000\\u0006s\\u001a\\u001a\\u0000\\u0000\\u0000+\\u0000\\u0007\\u0006\ufffd\ufffd\\u0003\\u0004\\u0003\u0022, \u0022port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022}, \u0022attack_vector\u0022: \u0022mattermost probe \u00b7 via Mattermost (chat d\u0027\u00e9quipe):8065 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd^aW\ufffd\ufffdC\ufffd\\n\ufffdt=g\ufffd\ufffd\ufffd\ufffd-0\ufffd\ufffd\ufffdLI=\ufffd\ufffdz\ufffd2 \\t\u0589\ufffd\ufffd\ufffd\ufffd(s.d\ufffd\ufffd\ufffd\ufffd\ufffd@$C\ufffd\ufffd\ufffd\u02fbepHRTL zz\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\/5s+\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00228065 \u00b7 Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022emulator_service\u0022: \u0022mattermost\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022mattermost\u0022, \u0022service_banner\u0022: \u0022honeypot-mattermost\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228065\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mattermost_emulated\u0022, \u0022net_mattermost_probe\u0022, \u0022ssh_kex_probe\u0022, \u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mattermost_emulated\u0022, \u0022net_mattermost_probe\u0022, \u0022ssh_kex_probe\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":4,"bytes_in":1765},{"id":12814700,"ip":"185.196.110.68","ts":"2026-07-18 23:00:46.000000","proto":"tcp","src_port":3144,"dst_port":8065,"service":"mattermost","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d61747465726d6f737420726561647920706f72743d383036350d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 575, \u0022payload_entropy\u0022: 5.5750064570157045, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TerraTransit AG\u0022, \u0022service\u0022: \u0022mattermost\u0022, \u0022app_proto\u0022: \u0022mattermost\u0022, \u0022asn\u0022: 42366, \u0022country\u0022: \u0022DE\u0022, \u0022dst_port\u0022: 8065, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 43, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022dfb9202dfc0de4b93006794ca23bbee8bdcc7642\u0022, \u0022event_fingerprint\u0022: \u002222e3bf08f79bcae7110287ee11d62a54a4cd4754\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 43}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022DE\u0022, \u0022asn\u0022: 42366, \u0022org\u0022: \u0022TerraTransit AG\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002242d326e7a128f3e2655af6e0a1600b0c\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022risk_score\u0022: 43}, \u0022payload_preview\u0022: \u0022GET \/api\/v4\/teams HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHT\u0022, \u0022request_sample\u0022: \u0022GET \/api\/v4\/teams HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/w\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/v4\/teams HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHT\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/api\/v4\/teams HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/w\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/v4\/teams HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHT\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c99b1e677b72ad704f0d46da6bb1b6fde358208c\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/api\/v4\/teams HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHT\u0022, \u0022port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/api\/v4\/teams HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHT\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via Mattermost (chat d\u0027\u00e9quipe):8065 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228065 \u00b7 Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022emulator_service\u0022: \u0022mattermost\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 43}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 43, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022dst_port\u0022: 8065, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-mattermost\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/api\/v4\/teams HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHT\u0022, \u0022port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via Mattermost (chat d\u0027\u00e9quipe):8065 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/api\/v4\/teams HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHT\u0022, \u0022target_port_label\u0022: \u00228065 \u00b7 Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022emulator_service\u0022: \u0022mattermost\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022mattermost\u0022, \u0022service_banner\u0022: \u0022honeypot-mattermost\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228065\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mattermost_api_probe\u0022, \u0022mattermost_emulated\u0022, \u0022mozi_pattern\u0022, \u0022net_mattermost_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mattermost_api_probe\u0022, \u0022mattermost_emulated\u0022, \u0022mozi_pattern\u0022, \u0022net_mattermost_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":575},{"id":12814699,"ip":"185.196.110.68","ts":"2026-07-18 23:00:45.000000","proto":"tcp","src_port":3134,"dst_port":8065,"service":"mattermost","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d61747465726d6f737420726561647920706f72743d383036350d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 611, \u0022payload_entropy\u0022: 5.543084229682462, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TerraTransit AG\u0022, \u0022service\u0022: \u0022mattermost\u0022, \u0022app_proto\u0022: \u0022mattermost\u0022, \u0022asn\u0022: 42366, \u0022country\u0022: \u0022DE\u0022, \u0022dst_port\u0022: 8065, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 43, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022dfb9202dfc0de4b93006794ca23bbee8bdcc7642\u0022, \u0022event_fingerprint\u0022: \u002222e3bf08f79bcae7110287ee11d62a54a4cd4754\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 43}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022DE\u0022, \u0022asn\u0022: 42366, \u0022org\u0022: \u0022TerraTransit AG\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002287572137a7685473fc26f24a4d9a345e\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022risk_score\u0022: 43}, \u0022payload_preview\u0022: \u0022GET \/api\/v1\/channels.list?count=100 HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8 Pro) Ap\u0022, \u0022request_sample\u0022: \u0022GET \/api\/v1\/channels.list?count=100 HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8 Pro) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Mobile Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/v1\/channels.list?count=100 HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8 Pro) Ap\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/api\/v1\/channels.list?count=100 HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8 Pro) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Mobile Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/v1\/channels.list?count=100 HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8 Pro) Ap\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f6eb08e2037ae4cb9fd2281d5542b09be4a4d55d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/api\/v1\/channels.list?count=100 HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8 Pro) Ap\u0022, \u0022port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/api\/v1\/channels.list?count=100 HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8 Pro) Ap\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via Mattermost (chat d\u0027\u00e9quipe):8065 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228065 \u00b7 Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022emulator_service\u0022: \u0022mattermost\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 43}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 43, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022dst_port\u0022: 8065, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-mattermost\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/api\/v1\/channels.list?count=100 HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8 Pro) Ap\u0022, \u0022port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via Mattermost (chat d\u0027\u00e9quipe):8065 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/api\/v1\/channels.list?count=100 HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8 Pro) Ap\u0022, \u0022target_port_label\u0022: \u00228065 \u00b7 Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022emulator_service\u0022: \u0022mattermost\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022mattermost\u0022, \u0022service_banner\u0022: \u0022honeypot-mattermost\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228065\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mattermost_api_probe\u0022, \u0022mattermost_emulated\u0022, \u0022mozi_pattern\u0022, \u0022net_mattermost_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mattermost_api_probe\u0022, \u0022mattermost_emulated\u0022, \u0022mozi_pattern\u0022, \u0022net_mattermost_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":611},{"id":12790044,"ip":"185.196.110.68","ts":"2026-07-18 16:32:52.000000","proto":"tcp","src_port":38882,"dst_port":8065,"service":"mattermost","classification":"coap_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d61747465726d6f737420726561647920706f72743d383036350d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 1733, \u0022payload_entropy\u0022: 7.728196997509948, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TerraTransit AG\u0022, \u0022service\u0022: \u0022mattermost\u0022, \u0022app_proto\u0022: \u0022mattermost\u0022, \u0022asn\u0022: 42366, \u0022country\u0022: \u0022DE\u0022, \u0022dst_port\u0022: 8065, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 44, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002222a65a16457b2f9a4dcc124170aca506a5c34887\u0022, \u0022event_fingerprint\u0022: \u002222e3bf08f79bcae7110287ee11d62a54a4cd4754\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab coap_probe \u00bb (signaux protocolaires) \u00b7 confiance 51%\u0022, \u0022confidence\u0022: 0.51, \u0022classification_confidence\u0022: 0.51, \u0022precision_score\u0022: 60, \u0022precision_signals\u0022: [\u0022pat-0798\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0798\u0022], \u0022matched_patterns\u0022: [\u0022pat-0798\u0022, \u0022pat-0556\u0022, \u0022pat-0554\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022Sigma CoAP GET\u0022, \u0022Kafka ApiVersions key\u0022, \u0022Minecraft varint handshake\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0798\u0022, \u0022pat-0556\u0022, \u0022pat-0554\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 44}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022risk_confidence_factor\u0022: 51.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022DE\u0022, \u0022asn\u0022: 42366, \u0022org\u0022: \u0022TerraTransit AG\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022527da30c155bf56be96e44ce1f277a45\u0022, \u0022path_pattern_hash\u0022: \u00222bc9f93b3f58e74e96efca118403941c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022risk_score\u0022: 44}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0006\ufffd\\u0001\\u0000\\u0006\ufffd\\u0003\\u0003\ufffd\ufffd)\ufffd\ufffd\ufffdT*x\ufffd\ufffdQ\\\\\ufffd}s\ufffd\\u001a\ufffd\ufffd\ufffd\u0026\ufffdh\ufffd.\\u001dg\\f\ufffd\ufffd\\t \ufffd\ufffdDz\ufffd\\u0011\\\u0022\\u0019X\ufffd3\ufffd\\u0019c\ufffdm\ufffdh\\u0012\ufffd\ufffdP[\ufffda\ufffd\\u0007\ufffdBt\ufffd\\u0000 ::\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\u0013\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\\u0001\\u0000\\u0006SJJ\\u0000\\u0000\\u0000\\r\\u0000\\u0012\\u0000\\u0010\\u0004\\u0003\\b\\u0004\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0006\ufffd\\u0001\\u0000\\u0006\ufffd\\u0003\\u0003\ufffd\ufffd)\ufffd\ufffd\ufffdT*x\ufffd\ufffdQ\\\\\ufffd}s\ufffd\\u001a\ufffd\ufffd\ufffd\u0026\ufffdh\ufffd.\\u001dg\\f\ufffd\ufffd\\t \ufffd\ufffdDz\ufffd\\u0011\\\u0022\\u0019X\ufffd3\ufffd\\u0019c\ufffdm\ufffdh\\u0012\ufffd\ufffdP[\ufffda\ufffd\\u0007\ufffdBt\ufffd\\u0000 ::\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\u0013\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\\u0001\\u0000\\u0006SJJ\\u0000\\u0000\\u0000\\r\\u0000\\u0012\\u0000\\u0010\\u0004\\u0003\\b\\u0004\\u0004\\u0001\\u0005\\u0003\\b\\u0005\\u0005\\u0001\\b\\u0006\\u0006\\u0001\\u0000\\u0017\\u0000\\u0000\\u0000\\u0010\\u0000\\u000e\\u0000\\f\\u0002h2\\bhttp\/1.1\\u0000#\\u0000\\u0000\\u00003\\u0004\ufffd\\u0004\ufffd\ufffd\ufffd\\u0000\\u0001\\u0000\\u0011\ufffd\\u0004\ufffd9\ufffd.\\u0000\ufffd\ufffd\ufffdYi\ufffd*_\ufffd@\\u0001%\ufffd~?\\u0010,N%\ufffd\u003E\ufffdZ\ufffd!\ufffd\\b\\u001c}\\u0012w\ufffd(+cS\ufffdE\ufffd\ufffd\\u001f\ufffd\u003E\\u0005C\ufffd\\u0010\ufffd(\ufffd\ufffdO5\ufffd\\u001dD\ufffd\ufffd0\ufffd$p\ufffd\ufffd\\u001f\ufffdA\\u0011\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0006\ufffd\\u0001\\u0000\\u0006\ufffd\\u0003\\u0003\ufffd\ufffd)\ufffd\ufffd\ufffdT*x\ufffd\ufffdQ\\\\\ufffd}s\ufffd\\u001a\ufffd\ufffd\ufffd\u0026\ufffdh\ufffd.\\u001dg\\f\ufffd\ufffd\\t \ufffd\ufffdDz\ufffd\\u0011\\\u0022\\u0019X\ufffd3\ufffd\\u0019c\ufffdm\ufffdh\\u0012\ufffd\ufffdP[\ufffda\ufffd\\u0007\ufffdBt\ufffd\\u0000 ::\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\u0013\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\\u0001\\u0000\\u0006SJJ\\u0000\\u0000\\u0000\\r\\u0000\\u0012\\u0000\\u0010\\u0004\\u0003\\b\\u0004\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab coap_probe \u00bb (signaux protocolaires) \u00b7 confiance 51%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022fcd38f7626bbca3850f734e02fcb04a3fcd00d8c\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0006\ufffd\\u0001\\u0000\\u0006\ufffd\\u0003\\u0003\ufffd\ufffd)\ufffd\ufffd\ufffdT*x\ufffd\ufffdQ\\\\\ufffd}s\ufffd\\u001a\ufffd\ufffd\ufffd\u0026\ufffdh\ufffd.\\u001dg\\f\ufffd\ufffd\\t \ufffd\ufffdDz\ufffd\\u0011\\\u0022\\u0019X\ufffd3\ufffd\\u0019c\ufffdm\ufffdh\\u0012\ufffd\ufffdP[\ufffda\ufffd\\u0007\ufffdBt\ufffd\\u0000 ::\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\u0013\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\\u0001\\u0000\\u0006SJJ\\u0000\\u0000\\u0000\\r\\u0000\\u0012\\u0000\\u0010\\u0004\\u0003\\b\\u0004\u0022, \u0022port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd)\ufffd\ufffd\ufffdT*x\ufffd\ufffdQ\\\\\ufffd}s\ufffd\ufffd\ufffd\ufffd\u0026\ufffdh\ufffd.g\ufffd\ufffd\\t \ufffd\ufffdDz\ufffd\\\u0022X\ufffd3\ufffdc\ufffdm\ufffdh\ufffd\ufffdP[\ufffda\ufffd\ufffdBt\ufffd ::\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\/5SJJ\u0022, \u0022attack_vector\u0022: \u0022coap probe \u00b7 via Mattermost (chat d\u0027\u00e9quipe):8065 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228065 \u00b7 Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022emulator_service\u0022: \u0022mattermost\u0022, \u0022confidence_reason\u0022: \u0022Confiance 51 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab coap_probe \u00bb (signaux protocolaires) \u00b7 confiance 51%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab coap_probe \u00bb (signaux protocolaires) \u00b7 confiance 51%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 44\/100\u0022, \u0022confidence_pct\u0022: 51, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 44}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 44, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022dst_port\u0022: 8065, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0798\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0798\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-mattermost\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0006\ufffd\\u0001\\u0000\\u0006\ufffd\\u0003\\u0003\ufffd\ufffd)\ufffd\ufffd\ufffdT*x\ufffd\ufffdQ\\\\\ufffd}s\ufffd\\u001a\ufffd\ufffd\ufffd\u0026\ufffdh\ufffd.\\u001dg\\f\ufffd\ufffd\\t \ufffd\ufffdDz\ufffd\\u0011\\\u0022\\u0019X\ufffd3\ufffd\\u0019c\ufffdm\ufffdh\\u0012\ufffd\ufffdP[\ufffda\ufffd\\u0007\ufffdBt\ufffd\\u0000 ::\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\u0013\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\\u0001\\u0000\\u0006SJJ\\u0000\\u0000\\u0000\\r\\u0000\\u0012\\u0000\\u0010\\u0004\\u0003\\b\\u0004\u0022, \u0022port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022}, \u0022attack_vector\u0022: \u0022coap probe \u00b7 via Mattermost (chat d\u0027\u00e9quipe):8065 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd)\ufffd\ufffd\ufffdT*x\ufffd\ufffdQ\\\\\ufffd}s\ufffd\ufffd\ufffd\ufffd\u0026\ufffdh\ufffd.g\ufffd\ufffd\\t \ufffd\ufffdDz\ufffd\\\u0022X\ufffd3\ufffdc\ufffdm\ufffdh\ufffd\ufffdP[\ufffda\ufffd\ufffdBt\ufffd ::\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\/5SJJ\u0022, \u0022target_port_label\u0022: \u00228065 \u00b7 Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022emulator_service\u0022: \u0022mattermost\u0022, \u0022confidence_reason\u0022: \u0022Confiance 51 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 51 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022mattermost\u0022, \u0022service_banner\u0022: \u0022honeypot-mattermost\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228065\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mattermost_emulated\u0022, \u0022net_mattermost_probe\u0022, \u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mattermost_emulated\u0022, \u0022net_mattermost_probe\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":4,"bytes_in":1733},{"id":12790040,"ip":"185.196.110.68","ts":"2026-07-18 16:32:47.000000","proto":"tcp","src_port":38860,"dst_port":8065,"service":"mattermost","classification":"mattermost_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d61747465726d6f737420726561647920706f72743d383036350d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 1765, \u0022payload_entropy\u0022: 7.781106969534458, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TerraTransit AG\u0022, \u0022service\u0022: \u0022mattermost\u0022, \u0022app_proto\u0022: \u0022mattermost\u0022, \u0022asn\u0022: 42366, \u0022country\u0022: \u0022DE\u0022, \u0022dst_port\u0022: 8065, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002222a65a16457b2f9a4dcc124170aca506a5c34887\u0022, \u0022event_fingerprint\u0022: \u002222e3bf08f79bcae7110287ee11d62a54a4cd4754\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab mattermost_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022DE\u0022, \u0022asn\u0022: 42366, \u0022org\u0022: \u0022TerraTransit AG\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ce847dfffe3a035ecc32f9818e3a9f75\u0022, \u0022path_pattern_hash\u0022: \u002287c91dbadfbde7bdb583344421d1d34e\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0006\ufffd\\u0001\\u0000\\u0006\ufffd\\u0003\\u0003\\frE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdj\\u0010\ufffd1Eb\ufffdtV\ufffd\ufffd\ufffd7\ufffd\\u0005\ufffd\ufffdk\ufffdi\ufffd\ufffd \\f\\u0011\ufffdSKU\ufffd\ufffd\ufffd\ufffd\ufffdt\ufffd\ufffd\ufffd\/qT\\u001f\\r\ufffd\ufffd\ufffd4\ufffd\\u0013%\ufffd\\t,\ufffd\ufffd\\u0000 ::\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\u0013\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\\u0001\\u0000\\u0006s\ufffd\ufffd\\u0000\\u0000\\u00003\\u0004\ufffd\\u0004\ufffd\ufffd\ufffd\\u0000\\u0001\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0006\ufffd\\u0001\\u0000\\u0006\ufffd\\u0003\\u0003\\frE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdj\\u0010\ufffd1Eb\ufffdtV\ufffd\ufffd\ufffd7\ufffd\\u0005\ufffd\ufffdk\ufffdi\ufffd\ufffd \\f\\u0011\ufffdSKU\ufffd\ufffd\ufffd\ufffd\ufffdt\ufffd\ufffd\ufffd\/qT\\u001f\\r\ufffd\ufffd\ufffd4\ufffd\\u0013%\ufffd\\t,\ufffd\ufffd\\u0000 ::\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\u0013\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\\u0001\\u0000\\u0006s\ufffd\ufffd\\u0000\\u0000\\u00003\\u0004\ufffd\\u0004\ufffd\ufffd\ufffd\\u0000\\u0001\\u0000\\u0011\ufffd\\u0004\ufffd%\ufffd\ufffd\ufffd\ufffd\\t1\ufffd|8 c\\u00147c\ufffdf\ufffd\ufffd\ufffd\\u0012f(;H\ufffd\\u001e\ufffd\ufffd\ufffdj\ufffd\ufffd\ufffd\ufffd\\u001e\ufffd\\u001c\ufffd\ufffd\\u0001\\u0018-\\u0002\ufffd\ufffd)\ufffd{5\ufffd\ufffd\u0027E\ufffd\ufffd\\u001f\ufffd,j\ufffd\u05eeICG\ufffd\ufffd\\u001cO\\tE;C\/hp\ufffd\ufffd\\u0014\\u0017\ufffdH\ufffd*\ufffd\u03ba\ufffdqT\ufffdw\ufffd\\u0003\ufffd\ufffd\u057b\ufffd;\ufffdIe\ufffdU\ufffd\\u0017f1l\ufffd\ufffd\\u0003\ufffdSr\\\u0022\ufffd=Z\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0006\ufffd\\u0001\\u0000\\u0006\ufffd\\u0003\\u0003\\frE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdj\\u0010\ufffd1Eb\ufffdtV\ufffd\ufffd\ufffd7\ufffd\\u0005\ufffd\ufffdk\ufffdi\ufffd\ufffd \\f\\u0011\ufffdSKU\ufffd\ufffd\ufffd\ufffd\ufffdt\ufffd\ufffd\ufffd\/qT\\u001f\\r\ufffd\ufffd\ufffd4\ufffd\\u0013%\ufffd\\t,\ufffd\ufffd\\u0000 ::\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\u0013\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\\u0001\\u0000\\u0006s\ufffd\ufffd\\u0000\\u0000\\u00003\\u0004\ufffd\\u0004\ufffd\ufffd\ufffd\\u0000\\u0001\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mattermost_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002286cd92bd88f24c687ec0676ac02c1587dff758f6\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0006\ufffd\\u0001\\u0000\\u0006\ufffd\\u0003\\u0003\\frE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdj\\u0010\ufffd1Eb\ufffdtV\ufffd\ufffd\ufffd7\ufffd\\u0005\ufffd\ufffdk\ufffdi\ufffd\ufffd \\f\\u0011\ufffdSKU\ufffd\ufffd\ufffd\ufffd\ufffdt\ufffd\ufffd\ufffd\/qT\\u001f\\r\ufffd\ufffd\ufffd4\ufffd\\u0013%\ufffd\\t,\ufffd\ufffd\\u0000 ::\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\u0013\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\\u0001\\u0000\\u0006s\ufffd\ufffd\\u0000\\u0000\\u00003\\u0004\ufffd\\u0004\ufffd\ufffd\ufffd\\u0000\\u0001\u0022, \u0022port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdrE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdj\ufffd1Eb\ufffdtV\ufffd\ufffd\ufffd7\ufffd\ufffd\ufffdk\ufffdi\ufffd\ufffd \ufffdSKU\ufffd\ufffd\ufffd\ufffd\ufffdt\ufffd\ufffd\ufffd\/qT\\r\ufffd\ufffd\ufffd4\ufffd%\ufffd\\t,\ufffd\ufffd ::\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\/5s\ufffd\ufffd3\ufffd\ufffd\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022mattermost probe \u00b7 via Mattermost (chat d\u0027\u00e9quipe):8065 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228065 \u00b7 Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022emulator_service\u0022: \u0022mattermost\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mattermost_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mattermost_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022dst_port\u0022: 8065, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-mattermost\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0006\ufffd\\u0001\\u0000\\u0006\ufffd\\u0003\\u0003\\frE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdj\\u0010\ufffd1Eb\ufffdtV\ufffd\ufffd\ufffd7\ufffd\\u0005\ufffd\ufffdk\ufffdi\ufffd\ufffd \\f\\u0011\ufffdSKU\ufffd\ufffd\ufffd\ufffd\ufffdt\ufffd\ufffd\ufffd\/qT\\u001f\\r\ufffd\ufffd\ufffd4\ufffd\\u0013%\ufffd\\t,\ufffd\ufffd\\u0000 ::\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\u0013\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\\u0001\\u0000\\u0006s\ufffd\ufffd\\u0000\\u0000\\u00003\\u0004\ufffd\\u0004\ufffd\ufffd\ufffd\\u0000\\u0001\u0022, \u0022port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022}, \u0022attack_vector\u0022: \u0022mattermost probe \u00b7 via Mattermost (chat d\u0027\u00e9quipe):8065 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdrE\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdj\ufffd1Eb\ufffdtV\ufffd\ufffd\ufffd7\ufffd\ufffd\ufffdk\ufffdi\ufffd\ufffd \ufffdSKU\ufffd\ufffd\ufffd\ufffd\ufffdt\ufffd\ufffd\ufffd\/qT\\r\ufffd\ufffd\ufffd4\ufffd%\ufffd\\t,\ufffd\ufffd ::\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\/5s\ufffd\ufffd3\ufffd\ufffd\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00228065 \u00b7 Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022emulator_service\u0022: \u0022mattermost\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022mattermost\u0022, \u0022service_banner\u0022: \u0022honeypot-mattermost\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228065\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mattermost_emulated\u0022, \u0022net_mattermost_probe\u0022, \u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mattermost_emulated\u0022, \u0022net_mattermost_probe\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":4,"bytes_in":1765},{"id":12790043,"ip":"185.196.110.68","ts":"2026-07-18 16:32:47.000000","proto":"tcp","src_port":38872,"dst_port":8065,"service":"mattermost","classification":"mattermost_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d61747465726d6f737420726561647920706f72743d383036350d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TerraTransit AG\u0022, \u0022service\u0022: \u0022mattermost\u0022, \u0022app_proto\u0022: \u0022mattermost\u0022, \u0022asn\u0022: 42366, \u0022country\u0022: \u0022DE\u0022, \u0022dst_port\u0022: 8065, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 24, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00226d4ba4881130c39cc92ae0815ff5009492d4f416\u0022, \u0022event_fingerprint\u0022: \u002222e3bf08f79bcae7110287ee11d62a54a4cd4754\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mattermost_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 24}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022DE\u0022, \u0022asn\u0022: 42366, \u0022org\u0022: \u0022TerraTransit AG\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u002287c91dbadfbde7bdb583344421d1d34e\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022risk_score\u0022: 24}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002209ae6696928d55aedd1027153c348ee7188c1159\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022}, \u0022attack_vector\u0022: \u0022mattermost probe \u00b7 via Mattermost (chat d\u0027\u00e9quipe):8065 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228065 \u00b7 Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022emulator_service\u0022: \u0022mattermost\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 2 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mattermost_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mattermost_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 24}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 24, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022dst_port\u0022: 8065, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-mattermost\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022}, \u0022attack_vector\u0022: \u0022mattermost probe \u00b7 via Mattermost (chat d\u0027\u00e9quipe):8065 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00228065 \u00b7 Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022emulator_service\u0022: \u0022mattermost\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 2 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022mattermost\u0022, \u0022service_banner\u0022: \u0022honeypot-mattermost\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228065\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mattermost_emulated\u0022, \u0022net_mattermost_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mattermost_emulated\u0022, \u0022net_mattermost_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":0},{"id":12769508,"ip":"185.196.110.68","ts":"2026-07-18 11:09:15.000000","proto":"tcp","src_port":46950,"dst_port":8065,"service":"mattermost","classification":"kafka_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d61747465726d6f737420726561647920706f72743d383036350d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 517, \u0022payload_entropy\u0022: 3.7601614298428734, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TerraTransit AG\u0022, \u0022service\u0022: \u0022mattermost\u0022, \u0022app_proto\u0022: \u0022mattermost\u0022, \u0022asn\u0022: 42366, \u0022country\u0022: \u0022DE\u0022, \u0022dst_port\u0022: 8065, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002222a65a16457b2f9a4dcc124170aca506a5c34887\u0022, \u0022event_fingerprint\u0022: \u002222e3bf08f79bcae7110287ee11d62a54a4cd4754\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab kafka_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%\u0022, \u0022confidence\u0022: 0.47, \u0022classification_confidence\u0022: 0.47, \u0022precision_score\u0022: 56, \u0022precision_signals\u0022: [\u0022pat-0556\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0556\u0022], \u0022matched_patterns\u0022: [\u0022pat-0556\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022Kafka ApiVersions key\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0556\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022risk_confidence_factor\u0022: 47.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022DE\u0022, \u0022asn\u0022: 42366, \u0022org\u0022: \u0022TerraTransit AG\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222c7f5daf9003896c2c1ca537dd187159\u0022, \u0022path_pattern_hash\u0022: \u0022369bfdf011acc5969bcb68a7ffd2ca13\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\u003C\\f\\u0002\ufffd\u0027\\u001b\\u0000\ufffdM\ufffdk\ufffd\ufffd\ufffdNG\ufffd\ufffd\\u0012\ufffd\ufffdj\ufffd) (\ufffd \\nf\ufffd\ufffd\ufffd\ufffdM\ufffd\ufffd\ufffd[\ufffd\ufffd\\u0005\ufffd\ufffd\ufffd\ufffd\\u0003\ufffd\\n@\ufffd\u008f\ufffdh\ufffd0\ufffd\ufffd`\\u0000 \ufffd\ufffd\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\u0013\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\\u0001\\u0000\\u0001\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\u003C\\f\\u0002\ufffd\u0027\\u001b\\u0000\ufffdM\ufffdk\ufffd\ufffd\ufffdNG\ufffd\ufffd\\u0012\ufffd\ufffdj\ufffd) (\ufffd \\nf\ufffd\ufffd\ufffd\ufffdM\ufffd\ufffd\ufffd[\ufffd\ufffd\\u0005\ufffd\ufffd\ufffd\ufffd\\u0003\ufffd\\n@\ufffd\u008f\ufffdh\ufffd0\ufffd\ufffd`\\u0000 \ufffd\ufffd\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\u0013\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\\u0001\\u0000\\u0001\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\ufffd\ufffd\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\\u0000\\u0000\\u0010\\u0000\\u000e\\u0000\\f\\u0002h2\\bhttp\/1.1\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\r\\u0000\\u0012\\u0000\\u0010\\u0004\\u0003\\b\\u0004\\u0004\\u0001\\u0005\\u0003\\b\\u0005\\u0005\\u0001\\b\\u0006\\u0006\\u0001\\u0000\\u0012\\u0000\\u0000\\u00003\\u0000+\\u0000)\ufffd\ufffd\\u0000\\u0001\\u0000\\u0000\\u001d\\u0000 \ufffd@X\ufffd\ufffdS\ufffd3D9\u03ba\\u0007~\ufffdv\ufffdnC.\ufffdJ\ufffd$58\ufffdn\ufffd\ufffd\\u001d\\u0000-\\u0000\\u0002\\u0001\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\u003C\\f\\u0002\ufffd\u0027\\u001b\\u0000\ufffdM\ufffdk\ufffd\ufffd\ufffdNG\ufffd\ufffd\\u0012\ufffd\ufffdj\ufffd) (\ufffd \\nf\ufffd\ufffd\ufffd\ufffdM\ufffd\ufffd\ufffd[\ufffd\ufffd\\u0005\ufffd\ufffd\ufffd\ufffd\\u0003\ufffd\\n@\ufffd\u008f\ufffdh\ufffd0\ufffd\ufffd`\\u0000 \ufffd\ufffd\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\u0013\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\\u0001\\u0000\\u0001\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab kafka_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022enterprise_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224a7862994ff41822f1e537a9e0cd1f4f75f46cf0\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\u003C\\f\\u0002\ufffd\u0027\\u001b\\u0000\ufffdM\ufffdk\ufffd\ufffd\ufffdNG\ufffd\ufffd\\u0012\ufffd\ufffdj\ufffd) (\ufffd \\nf\ufffd\ufffd\ufffd\ufffdM\ufffd\ufffd\ufffd[\ufffd\ufffd\\u0005\ufffd\ufffd\ufffd\ufffd\\u0003\ufffd\\n@\ufffd\u008f\ufffdh\ufffd0\ufffd\ufffd`\\u0000 \ufffd\ufffd\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\u0013\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\\u0001\\u0000\\u0001\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\u0022, \u0022port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u003C\ufffd\u0027\ufffdM\ufffdk\ufffd\ufffd\ufffdNG\ufffd\ufffd\ufffd\ufffdj\ufffd) (\ufffd \\nf\ufffd\ufffd\ufffd\ufffdM\ufffd\ufffd\ufffd[\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\n@\ufffd\u008f\ufffdh\ufffd0\ufffd\ufffd` \ufffd\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\/5\ufffd\ufffd\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022kafka probe \u00b7 via Mattermost (chat d\u0027\u00e9quipe):8065 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228065 \u00b7 Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022emulator_service\u0022: \u0022mattermost\u0022, \u0022confidence_reason\u0022: \u0022Confiance 47 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab kafka_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab kafka_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 47, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022dst_port\u0022: 8065, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0556\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0556\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-mattermost\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\u003C\\f\\u0002\ufffd\u0027\\u001b\\u0000\ufffdM\ufffdk\ufffd\ufffd\ufffdNG\ufffd\ufffd\\u0012\ufffd\ufffdj\ufffd) (\ufffd \\nf\ufffd\ufffd\ufffd\ufffdM\ufffd\ufffd\ufffd[\ufffd\ufffd\\u0005\ufffd\ufffd\ufffd\ufffd\\u0003\ufffd\\n@\ufffd\u008f\ufffdh\ufffd0\ufffd\ufffd`\\u0000 \ufffd\ufffd\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\u0013\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\\u0001\\u0000\\u0001\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\u0022, \u0022port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022}, \u0022attack_vector\u0022: \u0022kafka probe \u00b7 via Mattermost (chat d\u0027\u00e9quipe):8065 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u003C\ufffd\u0027\ufffdM\ufffdk\ufffd\ufffd\ufffdNG\ufffd\ufffd\ufffd\ufffdj\ufffd) (\ufffd \\nf\ufffd\ufffd\ufffd\ufffdM\ufffd\ufffd\ufffd[\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\n@\ufffd\u008f\ufffdh\ufffd0\ufffd\ufffd` \ufffd\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\/5\ufffd\ufffd\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00228065 \u00b7 Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022emulator_service\u0022: \u0022mattermost\u0022, \u0022confidence_reason\u0022: \u0022Confiance 47 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 47 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022mattermost\u0022, \u0022service_banner\u0022: \u0022honeypot-mattermost\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228065\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mattermost_emulated\u0022, \u0022net_mattermost_probe\u0022, \u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mattermost_emulated\u0022, \u0022net_mattermost_probe\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":4,"bytes_in":517},{"id":12769487,"ip":"185.196.110.68","ts":"2026-07-18 11:08:51.000000","proto":"tcp","src_port":14032,"dst_port":8065,"service":"mattermost","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d61747465726d6f737420726561647920706f72743d383036350d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 583, \u0022payload_entropy\u0022: 5.568318207814511, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TerraTransit AG\u0022, \u0022service\u0022: \u0022mattermost\u0022, \u0022app_proto\u0022: \u0022mattermost\u0022, \u0022asn\u0022: 42366, \u0022country\u0022: \u0022DE\u0022, \u0022dst_port\u0022: 8065, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 43, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022dfb9202dfc0de4b93006794ca23bbee8bdcc7642\u0022, \u0022event_fingerprint\u0022: \u002222e3bf08f79bcae7110287ee11d62a54a4cd4754\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 43}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022DE\u0022, \u0022asn\u0022: 42366, \u0022org\u0022: \u0022TerraTransit AG\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002242d326e7a128f3e2655af6e0a1600b0c\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022risk_score\u0022: 43}, \u0022payload_preview\u0022: \u0022GET \/api\/v4\/teams HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHT\u0022, \u0022request_sample\u0022: \u0022GET \/api\/v4\/teams HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/w\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/v4\/teams HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHT\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/api\/v4\/teams HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/w\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/v4\/teams HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHT\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c99b1e677b72ad704f0d46da6bb1b6fde358208c\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/api\/v4\/teams HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHT\u0022, \u0022port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/api\/v4\/teams HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHT\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via Mattermost (chat d\u0027\u00e9quipe):8065 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228065 \u00b7 Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022emulator_service\u0022: \u0022mattermost\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 43}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 43, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022dst_port\u0022: 8065, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-mattermost\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/api\/v4\/teams HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHT\u0022, \u0022port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via Mattermost (chat d\u0027\u00e9quipe):8065 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/api\/v4\/teams HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHT\u0022, \u0022target_port_label\u0022: \u00228065 \u00b7 Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022emulator_service\u0022: \u0022mattermost\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022mattermost\u0022, \u0022service_banner\u0022: \u0022honeypot-mattermost\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228065\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mattermost_api_probe\u0022, \u0022mattermost_emulated\u0022, \u0022mozi_pattern\u0022, \u0022net_mattermost_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mattermost_api_probe\u0022, \u0022mattermost_emulated\u0022, \u0022mozi_pattern\u0022, \u0022net_mattermost_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":583},{"id":12769482,"ip":"185.196.110.68","ts":"2026-07-18 11:08:40.000000","proto":"tcp","src_port":15878,"dst_port":8065,"service":"mattermost","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d61747465726d6f737420726561647920706f72743d383036350d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 615, \u0022payload_entropy\u0022: 5.562454480729503, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TerraTransit AG\u0022, \u0022service\u0022: \u0022mattermost\u0022, \u0022app_proto\u0022: \u0022mattermost\u0022, \u0022asn\u0022: 42366, \u0022country\u0022: \u0022DE\u0022, \u0022dst_port\u0022: 8065, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 43, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022dfb9202dfc0de4b93006794ca23bbee8bdcc7642\u0022, \u0022event_fingerprint\u0022: \u002222e3bf08f79bcae7110287ee11d62a54a4cd4754\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 43}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022DE\u0022, \u0022asn\u0022: 42366, \u0022org\u0022: \u0022TerraTransit AG\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00228e80d63f1e85a47e2b3d260483c5e9ac\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022risk_score\u0022: 43}, \u0022payload_preview\u0022: \u0022GET \/api\/v1\/channels.list?count=100 HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Apple\u0022, \u0022request_sample\u0022: \u0022GET \/api\/v1\/channels.list?count=100 HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/135.0.0.0 Safari\/537.36 Edg\/135.0.0.0\\r\\nAccept: text\/html,application\/xhtml+xml,applicat\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/v1\/channels.list?count=100 HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Apple\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/api\/v1\/channels.list?count=100 HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/135.0.0.0 Safari\/537.36 Edg\/135.0.0.0\\r\\nAccept: text\/html,application\/xhtml+xml,applicat\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/v1\/channels.list?count=100 HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Apple\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022bc6e132ffd623f22cc7a63fe89d892b64bcf8972\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/api\/v1\/channels.list?count=100 HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Apple\u0022, \u0022port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/api\/v1\/channels.list?count=100 HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Apple\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via Mattermost (chat d\u0027\u00e9quipe):8065 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228065 \u00b7 Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022emulator_service\u0022: \u0022mattermost\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 43}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 43, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022dst_port\u0022: 8065, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-mattermost\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/api\/v1\/channels.list?count=100 HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Apple\u0022, \u0022port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via Mattermost (chat d\u0027\u00e9quipe):8065 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/api\/v1\/channels.list?count=100 HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Apple\u0022, \u0022target_port_label\u0022: \u00228065 \u00b7 Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022emulator_service\u0022: \u0022mattermost\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022mattermost\u0022, \u0022service_banner\u0022: \u0022honeypot-mattermost\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228065\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mattermost_api_probe\u0022, \u0022mattermost_emulated\u0022, \u0022mozi_pattern\u0022, \u0022net_mattermost_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mattermost_api_probe\u0022, \u0022mattermost_emulated\u0022, \u0022mozi_pattern\u0022, \u0022net_mattermost_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":615},{"id":12705729,"ip":"185.196.110.68","ts":"2026-07-18 00:48:53.000000","proto":"tcp","src_port":34894,"dst_port":8065,"service":"mattermost","classification":"mattermost_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d61747465726d6f737420726561647920706f72743d383036350d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 1701, \u0022payload_entropy\u0022: 7.7294309743563545, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TerraTransit AG\u0022, \u0022service\u0022: \u0022mattermost\u0022, \u0022app_proto\u0022: \u0022mattermost\u0022, \u0022asn\u0022: 42366, \u0022country\u0022: \u0022DE\u0022, \u0022dst_port\u0022: 8065, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002222a65a16457b2f9a4dcc124170aca506a5c34887\u0022, \u0022event_fingerprint\u0022: \u002222e3bf08f79bcae7110287ee11d62a54a4cd4754\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab mattermost_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022DE\u0022, \u0022asn\u0022: 42366, \u0022org\u0022: \u0022TerraTransit AG\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022bb092a5adabb3b2518a55902409c02ce\u0022, \u0022path_pattern_hash\u0022: \u002287c91dbadfbde7bdb583344421d1d34e\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0006\ufffd\\u0001\\u0000\\u0006\ufffd\\u0003\\u0003\ufffdz\ufffdc\ufffd;n\ufffd\ufffd4R\ufffd\\u0001kv\ufffd\ufffd\\u0013r\ufffd\/\ufffdL\\\\i\ufffd\u040bf\ufffdlB N\ufffd\ufffdq\ufffd[\\u0002\ufffd\\u0012\u0a69\ufffd\ufffd\ufffd\\u0007\ufffdg7\ufffd\ufffd{^h\ufffd\\u0010\\r\ufffdT\ufffd\ufffd\ufffd\\u0000 \ufffd\ufffd\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\u0013\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\\u0001\\u0000\\u00063\ufffd\ufffd\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000-\\u0000\\u0002\\u0001\\u0001\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0006\ufffd\\u0001\\u0000\\u0006\ufffd\\u0003\\u0003\ufffdz\ufffdc\ufffd;n\ufffd\ufffd4R\ufffd\\u0001kv\ufffd\ufffd\\u0013r\ufffd\/\ufffdL\\\\i\ufffd\u040bf\ufffdlB N\ufffd\ufffdq\ufffd[\\u0002\ufffd\\u0012\u0a69\ufffd\ufffd\ufffd\\u0007\ufffdg7\ufffd\ufffd{^h\ufffd\\u0010\\r\ufffdT\ufffd\ufffd\ufffd\\u0000 \ufffd\ufffd\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\u0013\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\\u0001\\u0000\\u00063\ufffd\ufffd\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000-\\u0000\\u0002\\u0001\\u0001\\u00003\\u0004\ufffd\\u0004\ufffd**\\u0000\\u0001\\u0000\\u0011\ufffd\\u0004\ufffd\\u00001G\ufffd(\\u00041U\ufffdoQ\ufffd\ufffd\\u001ci#cx\ufffd\\u0005\\u0004\ufffd\ufffdj\\u0004kJO\ufffd2\ufffd\ufffdyg\ufffd\ufffd\u0027\\u0014\\f\\u0018\ufffd`x\ufffd\u02647?}\ufffdT\ufffd \ufffd\ufffdV\ufffd\ufffd\ufffd!\ufffd\\u0005c\u0155\ufffd\ufffd3\ufffd\u0598E\ufffd1-S\ufffd\ufffd\ufffdCV\\u0001\ufffd\\u0000q\\u0016\\u000f\ufffd\ufffd\\u001e\ufffd\ufffd9\ufffd\\u0018q\\u001aQ\ufffd.T\\u0012\ufffdN\ufffd\\u001b!\ufffdF9X\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0006\ufffd\\u0001\\u0000\\u0006\ufffd\\u0003\\u0003\ufffdz\ufffdc\ufffd;n\ufffd\ufffd4R\ufffd\\u0001kv\ufffd\ufffd\\u0013r\ufffd\/\ufffdL\\\\i\ufffd\u040bf\ufffdlB N\ufffd\ufffdq\ufffd[\\u0002\ufffd\\u0012\u0a69\ufffd\ufffd\ufffd\\u0007\ufffdg7\ufffd\ufffd{^h\ufffd\\u0010\\r\ufffdT\ufffd\ufffd\ufffd\\u0000 \ufffd\ufffd\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\u0013\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\\u0001\\u0000\\u00063\ufffd\ufffd\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000-\\u0000\\u0002\\u0001\\u0001\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mattermost_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022870127d2da68056de7e839ac97a52066762e538e\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0006\ufffd\\u0001\\u0000\\u0006\ufffd\\u0003\\u0003\ufffdz\ufffdc\ufffd;n\ufffd\ufffd4R\ufffd\\u0001kv\ufffd\ufffd\\u0013r\ufffd\/\ufffdL\\\\i\ufffd\u040bf\ufffdlB N\ufffd\ufffdq\ufffd[\\u0002\ufffd\\u0012\u0a69\ufffd\ufffd\ufffd\\u0007\ufffdg7\ufffd\ufffd{^h\ufffd\\u0010\\r\ufffdT\ufffd\ufffd\ufffd\\u0000 \ufffd\ufffd\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\u0013\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\\u0001\\u0000\\u00063\ufffd\ufffd\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000-\\u0000\\u0002\\u0001\\u0001\u0022, \u0022port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdz\ufffdc\ufffd;n\ufffd\ufffd4R\ufffdkv\ufffd\ufffdr\ufffd\/\ufffdL\\\\i\ufffd\u040bf\ufffdlB N\ufffd\ufffdq\ufffd[\ufffd\u0a69\ufffd\ufffd\ufffd\ufffdg7\ufffd\ufffd{^h\ufffd\\r\ufffdT\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\/53\ufffd\ufffd-\u0022, \u0022attack_vector\u0022: \u0022mattermost probe \u00b7 via Mattermost (chat d\u0027\u00e9quipe):8065 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228065 \u00b7 Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022emulator_service\u0022: \u0022mattermost\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mattermost_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mattermost_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022dst_port\u0022: 8065, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-mattermost\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0006\ufffd\\u0001\\u0000\\u0006\ufffd\\u0003\\u0003\ufffdz\ufffdc\ufffd;n\ufffd\ufffd4R\ufffd\\u0001kv\ufffd\ufffd\\u0013r\ufffd\/\ufffdL\\\\i\ufffd\u040bf\ufffdlB N\ufffd\ufffdq\ufffd[\\u0002\ufffd\\u0012\u0a69\ufffd\ufffd\ufffd\\u0007\ufffdg7\ufffd\ufffd{^h\ufffd\\u0010\\r\ufffdT\ufffd\ufffd\ufffd\\u0000 \ufffd\ufffd\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\u0013\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\\u0001\\u0000\\u00063\ufffd\ufffd\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000-\\u0000\\u0002\\u0001\\u0001\u0022, \u0022port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022}, \u0022attack_vector\u0022: \u0022mattermost probe \u00b7 via Mattermost (chat d\u0027\u00e9quipe):8065 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdz\ufffdc\ufffd;n\ufffd\ufffd4R\ufffdkv\ufffd\ufffdr\ufffd\/\ufffdL\\\\i\ufffd\u040bf\ufffdlB N\ufffd\ufffdq\ufffd[\ufffd\u0a69\ufffd\ufffd\ufffd\ufffdg7\ufffd\ufffd{^h\ufffd\\r\ufffdT\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\/53\ufffd\ufffd-\u0022, \u0022target_port_label\u0022: \u00228065 \u00b7 Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022emulator_service\u0022: \u0022mattermost\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022mattermost\u0022, \u0022service_banner\u0022: \u0022honeypot-mattermost\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228065\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mattermost_emulated\u0022, \u0022net_mattermost_probe\u0022, \u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mattermost_emulated\u0022, \u0022net_mattermost_probe\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":4,"bytes_in":1701},{"id":12705719,"ip":"185.196.110.68","ts":"2026-07-18 00:48:42.000000","proto":"tcp","src_port":62686,"dst_port":8065,"service":"mattermost","classification":"mattermost_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d61747465726d6f737420726561647920706f72743d383036350d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 517, \u0022payload_entropy\u0022: 3.9520640791132933, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TerraTransit AG\u0022, \u0022service\u0022: \u0022mattermost\u0022, \u0022app_proto\u0022: \u0022mattermost\u0022, \u0022asn\u0022: 42366, \u0022country\u0022: \u0022DE\u0022, \u0022dst_port\u0022: 8065, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002222a65a16457b2f9a4dcc124170aca506a5c34887\u0022, \u0022event_fingerprint\u0022: \u002222e3bf08f79bcae7110287ee11d62a54a4cd4754\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab mattermost_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022DE\u0022, \u0022asn\u0022: 42366, \u0022org\u0022: \u0022TerraTransit AG\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00225a445f406b46d1d215ccbcfc41480631\u0022, \u0022path_pattern_hash\u0022: \u002287c91dbadfbde7bdb583344421d1d34e\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd\ufffd3D\ufffd\ufffd\ufffd\ufffd\ufffd\\u001b\ufffd\ufffd\ufffds\\u001a\\u001f\\u001d@\ufffd\ufffd\\u0017\ufffd\ufffd\\u0000a\ufffd\\f\\u0019) \\\\;\ufffd\ufffd-}t\ufffd\ufffd.\\u001d\ufffdq\ufffdg\ufffd\\u001c\ufffd\\u0017\ufffdN\ufffd7\ufffd\u02a6Y\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000*zz\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\ufffd,\ufffd+\u0329\ufffd0\ufffd\/\u0328\ufffd\\n\ufffd\\t\ufffd\\u0014\ufffd\\u0013\\u0000\ufffd\\u0000\ufffd\\u00005\\u0000\/\ufffd\\b\ufffd\\u0012\\u0000\\n\\u0001\\u0000\\u0001\ufffd\ufffd\ufffd\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd\ufffd3D\ufffd\ufffd\ufffd\ufffd\ufffd\\u001b\ufffd\ufffd\ufffds\\u001a\\u001f\\u001d@\ufffd\ufffd\\u0017\ufffd\ufffd\\u0000a\ufffd\\f\\u0019) \\\\;\ufffd\ufffd-}t\ufffd\ufffd.\\u001d\ufffdq\ufffdg\ufffd\\u001c\ufffd\\u0017\ufffdN\ufffd7\ufffd\u02a6Y\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000*zz\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\ufffd,\ufffd+\u0329\ufffd0\ufffd\/\u0328\ufffd\\n\ufffd\\t\ufffd\\u0014\ufffd\\u0013\\u0000\ufffd\\u0000\ufffd\\u00005\\u0000\/\ufffd\\b\ufffd\\u0012\\u0000\\n\\u0001\\u0000\\u0001\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\f\\u0000\\n**\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\u0010\\u0000\\u000e\\u0000\\f\\u0002h2\\bhttp\/1.1\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\r\\u0000\\u0018\\u0000\\u0016\\u0004\\u0003\\b\\u0004\\u0004\\u0001\\u0005\\u0003\\u0002\\u0003\\b\\u0005\\b\\u0005\\u0005\\u0001\\b\\u0006\\u0006\\u0001\\u0002\\u0001\\u0000\\u0012\\u0000\\u0000\\u00003\\u0000+\\u0000)**\\u0000\\u0001\\u0000\\u0000\\u001d\\u0000 C\ufffd\ufffd\u0027\ufffd\ufffd\ufffd\ufffd7\\u0002+~\ufffd\ufffd!\ufffd9\u03db\ufffd-\ufffdB\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd\ufffd3D\ufffd\ufffd\ufffd\ufffd\ufffd\\u001b\ufffd\ufffd\ufffds\\u001a\\u001f\\u001d@\ufffd\ufffd\\u0017\ufffd\ufffd\\u0000a\ufffd\\f\\u0019) \\\\;\ufffd\ufffd-}t\ufffd\ufffd.\\u001d\ufffdq\ufffdg\ufffd\\u001c\ufffd\\u0017\ufffdN\ufffd7\ufffd\u02a6Y\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000*zz\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\ufffd,\ufffd+\u0329\ufffd0\ufffd\/\u0328\ufffd\\n\ufffd\\t\ufffd\\u0014\ufffd\\u0013\\u0000\ufffd\\u0000\ufffd\\u00005\\u0000\/\ufffd\\b\ufffd\\u0012\\u0000\\n\\u0001\\u0000\\u0001\ufffd\ufffd\ufffd\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mattermost_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022492121f9579f707a10b0c30faacb1aeda1cf34ef\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd\ufffd3D\ufffd\ufffd\ufffd\ufffd\ufffd\\u001b\ufffd\ufffd\ufffds\\u001a\\u001f\\u001d@\ufffd\ufffd\\u0017\ufffd\ufffd\\u0000a\ufffd\\f\\u0019) \\\\;\ufffd\ufffd-}t\ufffd\ufffd.\\u001d\ufffdq\ufffdg\ufffd\\u001c\ufffd\\u0017\ufffdN\ufffd7\ufffd\u02a6Y\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000*zz\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\ufffd,\ufffd+\u0329\ufffd0\ufffd\/\u0328\ufffd\\n\ufffd\\t\ufffd\\u0014\ufffd\\u0013\\u0000\ufffd\\u0000\ufffd\\u00005\\u0000\/\ufffd\\b\ufffd\\u0012\\u0000\\n\\u0001\\u0000\\u0001\ufffd\ufffd\ufffd\\u0000\\u0000\u0022, \u0022port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\ufffd3D\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffds@\ufffd\ufffd\ufffd\ufffda\ufffd) \\\\;\ufffd\ufffd-}t\ufffd\ufffd.\ufffdq\ufffdg\ufffd\ufffd\ufffdN\ufffd7\ufffd\u02a6Y\ufffd\ufffd\ufffd\ufffd\ufffd*zz\ufffd,\ufffd+\u0329\ufffd0\ufffd\/\u0328\ufffd\\n\ufffd\\t\ufffd\ufffd\ufffd\ufffd5\/\ufffd\ufffd\\n\ufffd\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022mattermost probe \u00b7 via Mattermost (chat d\u0027\u00e9quipe):8065 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228065 \u00b7 Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022emulator_service\u0022: \u0022mattermost\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mattermost_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mattermost_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022dst_port\u0022: 8065, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-mattermost\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd\ufffd3D\ufffd\ufffd\ufffd\ufffd\ufffd\\u001b\ufffd\ufffd\ufffds\\u001a\\u001f\\u001d@\ufffd\ufffd\\u0017\ufffd\ufffd\\u0000a\ufffd\\f\\u0019) \\\\;\ufffd\ufffd-}t\ufffd\ufffd.\\u001d\ufffdq\ufffdg\ufffd\\u001c\ufffd\\u0017\ufffdN\ufffd7\ufffd\u02a6Y\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000*zz\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\ufffd,\ufffd+\u0329\ufffd0\ufffd\/\u0328\ufffd\\n\ufffd\\t\ufffd\\u0014\ufffd\\u0013\\u0000\ufffd\\u0000\ufffd\\u00005\\u0000\/\ufffd\\b\ufffd\\u0012\\u0000\\n\\u0001\\u0000\\u0001\ufffd\ufffd\ufffd\\u0000\\u0000\u0022, \u0022port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022}, \u0022attack_vector\u0022: \u0022mattermost probe \u00b7 via Mattermost (chat d\u0027\u00e9quipe):8065 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\ufffd3D\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffds@\ufffd\ufffd\ufffd\ufffda\ufffd) \\\\;\ufffd\ufffd-}t\ufffd\ufffd.\ufffdq\ufffdg\ufffd\ufffd\ufffdN\ufffd7\ufffd\u02a6Y\ufffd\ufffd\ufffd\ufffd\ufffd*zz\ufffd,\ufffd+\u0329\ufffd0\ufffd\/\u0328\ufffd\\n\ufffd\\t\ufffd\ufffd\ufffd\ufffd5\/\ufffd\ufffd\\n\ufffd\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00228065 \u00b7 Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022emulator_service\u0022: \u0022mattermost\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022mattermost\u0022, \u0022service_banner\u0022: \u0022honeypot-mattermost\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228065\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mattermost_emulated\u0022, \u0022net_mattermost_probe\u0022, \u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mattermost_emulated\u0022, \u0022net_mattermost_probe\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":4,"bytes_in":517},{"id":12705706,"ip":"185.196.110.68","ts":"2026-07-18 00:48:36.000000","proto":"tcp","src_port":62670,"dst_port":8065,"service":"mattermost","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d61747465726d6f737420726561647920706f72743d383036350d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 411, \u0022payload_entropy\u0022: 5.425455084191482, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TerraTransit AG\u0022, \u0022service\u0022: \u0022mattermost\u0022, \u0022app_proto\u0022: \u0022mattermost\u0022, \u0022asn\u0022: 42366, \u0022country\u0022: \u0022DE\u0022, \u0022dst_port\u0022: 8065, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 43, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022dfb9202dfc0de4b93006794ca23bbee8bdcc7642\u0022, \u0022event_fingerprint\u0022: \u002222e3bf08f79bcae7110287ee11d62a54a4cd4754\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 43}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022DE\u0022, \u0022asn\u0022: 42366, \u0022org\u0022: \u0022TerraTransit AG\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224cc017072399243e3434288c7de3318a\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022risk_score\u0022: 43}, \u0022payload_preview\u0022: \u0022GET \/api\/v4\/teams HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:135.0) Gecko\/20100101 Firefox\/\u0022, \u0022request_sample\u0022: \u0022GET \/api\/v4\/teams HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:135.0) Gecko\/20100101 Firefox\/135.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8\\r\\nAccept-Encoding: gzip, def\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/v4\/teams HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:135.0) Gecko\/20100101 Firefox\/\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/api\/v4\/teams HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:135.0) Gecko\/20100101 Firefox\/135.0\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8\\r\\nAccept-Encoding: gzip, def\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/v4\/teams HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:135.0) Gecko\/20100101 Firefox\/\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227f4d956b955d0c72500cdbf3214219fdba60381b\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/api\/v4\/teams HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:135.0) Gecko\/20100101 Firefox\/\u0022, \u0022port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/api\/v4\/teams HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:135.0) Gecko\/20100101 Firefox\/\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via Mattermost (chat d\u0027\u00e9quipe):8065 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228065 \u00b7 Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022emulator_service\u0022: \u0022mattermost\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 43}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 43, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022dst_port\u0022: 8065, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-mattermost\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/api\/v4\/teams HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:135.0) Gecko\/20100101 Firefox\/\u0022, \u0022port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via Mattermost (chat d\u0027\u00e9quipe):8065 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/api\/v4\/teams HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:135.0) Gecko\/20100101 Firefox\/\u0022, \u0022target_port_label\u0022: \u00228065 \u00b7 Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022emulator_service\u0022: \u0022mattermost\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022mattermost\u0022, \u0022service_banner\u0022: \u0022honeypot-mattermost\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228065\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mattermost_api_probe\u0022, \u0022mattermost_emulated\u0022, \u0022mozi_pattern\u0022, \u0022net_mattermost_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mattermost_api_probe\u0022, \u0022mattermost_emulated\u0022, \u0022mozi_pattern\u0022, \u0022net_mattermost_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":411},{"id":12705694,"ip":"185.196.110.68","ts":"2026-07-18 00:48:23.000000","proto":"tcp","src_port":30824,"dst_port":8065,"service":"mattermost","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d61747465726d6f737420726561647920706f72743d383036350d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 601, \u0022payload_entropy\u0022: 5.56022624102517, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TerraTransit AG\u0022, \u0022service\u0022: \u0022mattermost\u0022, \u0022app_proto\u0022: \u0022mattermost\u0022, \u0022asn\u0022: 42366, \u0022country\u0022: \u0022DE\u0022, \u0022dst_port\u0022: 8065, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 43, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022dfb9202dfc0de4b93006794ca23bbee8bdcc7642\u0022, \u0022event_fingerprint\u0022: \u002222e3bf08f79bcae7110287ee11d62a54a4cd4754\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 43}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022DE\u0022, \u0022asn\u0022: 42366, \u0022org\u0022: \u0022TerraTransit AG\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e68a7d61b8ab2d1c62205c56428f3271\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022risk_score\u0022: 43}, \u0022payload_preview\u0022: \u0022GET \/api\/v1\/channels.list?count=100 HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Apple\u0022, \u0022request_sample\u0022: \u0022GET \/api\/v1\/channels.list?count=100 HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/v1\/channels.list?count=100 HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Apple\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/api\/v1\/channels.list?count=100 HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/v1\/channels.list?count=100 HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Apple\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022945ac3b7c45b82bd8482eb22bbc59205c303c82c\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/api\/v1\/channels.list?count=100 HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Apple\u0022, \u0022port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/api\/v1\/channels.list?count=100 HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Apple\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via Mattermost (chat d\u0027\u00e9quipe):8065 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228065 \u00b7 Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022emulator_service\u0022: \u0022mattermost\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 43}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 43, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022dst_port\u0022: 8065, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-mattermost\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/api\/v1\/channels.list?count=100 HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Apple\u0022, \u0022port\u0022: 8065, \u0022service\u0022: \u0022mattermost\u0022, \u0022service_label_fr\u0022: \u0022Mattermost (chat d\u0027\u00e9quipe)\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via Mattermost (chat d\u0027\u00e9quipe):8065 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/api\/v1\/channels.list?count=100 HTTP\/1.1\\r\\nHost: 62.3.50.33:8065\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Apple\u0022, \u0022target_port_label\u0022: \u00228065 \u00b7 Mattermost (chat d\u0027\u00e9quipe)\u0022, \u0022emulator_service\u0022: \u0022mattermost\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022mattermost\u0022, \u0022service_banner\u0022: \u0022honeypot-mattermost\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228065\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mattermost_api_probe\u0022, \u0022mattermost_emulated\u0022, \u0022mozi_pattern\u0022, \u0022net_mattermost_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mattermost_api_probe\u0022, \u0022mattermost_emulated\u0022, \u0022mozi_pattern\u0022, \u0022net_mattermost_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":601}],"total_events":17}