{"ip":"186.167.113.69","exported_at":"2026-06-20T23:08:52+00:00","period_days":30,"metrics":{"events7d":62,"distinct_ports":3,"distinct_classifications":4,"max_severity":6,"last_sensor_id":"paris-1","max_waf_score":null,"max_risk_score":35,"attack_stage":"probe","attack_chain_stage":"discovery","threat_family":["database_scan"],"recommended_action":"monitor","confidence":1,"risk_breakdown":{"waf":8,"classification":56,"behavior":0,"geo":0,"protocol":36,"novelty":10},"mitre_tactics":["TA0007","TA0001"],"mitre_technique":"TA0007","top_mitre_technique":"TA0007","top_mitre_count":62,"executive_one_liner_fr":"Activit\u00e9 suspecte \u00b7 risque 35\/100","campaign_hint_fr":null,"confidence_breakdown":{"waf":8,"classification":56,"behavior":0,"geo":0,"protocol":36,"novelty":10,"risk_score":35,"correlation_boost":8},"persona_hostname":"mail.sensor-1.internal","correlation_flags":["multi_protocol_correlation"],"correlation_flags_labels_fr":["Multi-protocole corr\u00e9l\u00e9 (5 min)"],"confidence_pct":100,"confidence_hint_fr":"Corr\u00e9lation +8","sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["pat-0519","Upstream"],"tags_summary":["pat-0519","INT-upstream"],"attack_vector":"mssql tds \u00b7 via MSSQL:1433 \u00b7 (sonde \/ probe)","protocol_details":{"mssql_tds_fr":"Connexion TDS Microsoft SQL Server","payload_preview":"\u0012\u0001\u0000)\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\u0001\u0003\u0000\u001d\u0000\u0004\ufffd\b\u0000\u0001U\u0000\u0000\u0000\u0000\ufffd2\u0000\u0000","port":1433,"service":"mssql","service_label_fr":"MSSQL"},"protocol_summary_fr":"Payload \u0012\u0001\u0000)\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\u0001\u0003\u0000\u001d\u0000\u0004\ufffd\b\u0000\u0001U\u0000\u0000\u0000\u0000\ufffd2 \u00b7 MSSQL:1433","evidence_snippet":")\ufffdU\ufffd2","target_port_label":"1433 \u00b7 MSSQL","emulator_service":"mssql","confidence_reason":"Confiance 95 % \u2014 Motif catalogue confirm\u00e9","classification_reason":"Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%","classification_reason_label_fr":"Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%","confidence_factors_fr":"Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8","payload_preview":")\ufffdU\ufffd2"},"events":[{"id":9783546,"ip":"186.167.113.69","ts":"2026-06-20 19:11:12.000000","proto":"tcp","src_port":64911,"dst_port":1433,"service":"mssql","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022001f00001a00060000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 33, \u0022bytes_in\u0022: 41, \u0022payload_entropy\u0022: 2.824666483818309, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022mssql\u0022, \u0022app_proto\u0022: \u0022mssql\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 1433, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 10.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 10.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022584dc8ab43572550a5af46f03637ac724e8c86c3\u0022, \u0022event_fingerprint\u0022: \u002224635733bde8ab881cad2aa5e51b4b5bf5e45e9f\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0519\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0519\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0519\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0519\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 10.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022mssql\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002279f73a4ed1b66545f875d516589067b9\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_name\u0022: \u0022mssql\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000\ufffd2\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000\ufffd2\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000\ufffd2\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000\ufffd2\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000\ufffd2\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002209870c976cd5f57f3cd8f0399cc8ce74365deacc\u0022, \u0022protocol_details\u0022: {\u0022mssql_tds_fr\u0022: \u0022Connexion TDS Microsoft SQL Server\u0022, \u0022payload_preview\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000\ufffd2\\u0000\\u0000\u0022, \u0022port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022}, \u0022evidence_snippet\u0022: \u0022)\ufffdU\ufffd2\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSSQL:1433 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221433 \u00b7 MSSQL\u0022, \u0022emulator_service\u0022: \u0022mssql\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 10.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022, \u0022dst_port\u0022: 1433, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0519\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0519\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-mssql\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022mssql_tds_fr\u0022: \u0022Connexion TDS Microsoft SQL Server\u0022, \u0022payload_preview\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000\ufffd2\\u0000\\u0000\u0022, \u0022port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSSQL:1433 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022)\ufffdU\ufffd2\u0022, \u0022target_port_label\u0022: \u00221433 \u00b7 MSSQL\u0022, \u0022emulator_service\u0022: \u0022mssql\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022mssql\u0022, \u0022service_banner\u0022: \u0022honeypot-mssql\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221433\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022mssql\u0022, \u0022smb\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mssql_emulated\u0022, \u0022mssql_payload\u0022, \u0022mssql_probe\u0022, \u0022mssql_tds\u0022, \u0022net_mssql_tds\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mssql_emulated\u0022, \u0022mssql_payload\u0022, \u0022mssql_probe\u0022, \u0022mssql_tds\u0022, \u0022net_mssql_tds\u0022]","anomalies":"[]","severity":6,"bytes_in":41},{"id":9783543,"ip":"186.167.113.69","ts":"2026-06-20 19:11:07.000000","proto":"tcp","src_port":63717,"dst_port":1433,"service":"mssql","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022001f00001a00060000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 33, \u0022bytes_in\u0022: 41, \u0022payload_entropy\u0022: 2.824666483818309, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022mssql\u0022, \u0022app_proto\u0022: \u0022mssql\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 1433, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 10.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 10.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022584dc8ab43572550a5af46f03637ac724e8c86c3\u0022, \u0022event_fingerprint\u0022: \u002224635733bde8ab881cad2aa5e51b4b5bf5e45e9f\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0519\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0519\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0519\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0519\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 10.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022mssql\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002279f73a4ed1b66545f875d516589067b9\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_name\u0022: \u0022mssql\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000\ufffd2\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000\ufffd2\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000\ufffd2\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000\ufffd2\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000\ufffd2\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002209870c976cd5f57f3cd8f0399cc8ce74365deacc\u0022, \u0022protocol_details\u0022: {\u0022mssql_tds_fr\u0022: \u0022Connexion TDS Microsoft SQL Server\u0022, \u0022payload_preview\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000\ufffd2\\u0000\\u0000\u0022, \u0022port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022}, \u0022evidence_snippet\u0022: \u0022)\ufffdU\ufffd2\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSSQL:1433 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221433 \u00b7 MSSQL\u0022, \u0022emulator_service\u0022: \u0022mssql\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 10.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022, \u0022dst_port\u0022: 1433, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0519\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0519\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-mssql\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022mssql_tds_fr\u0022: \u0022Connexion TDS Microsoft SQL Server\u0022, \u0022payload_preview\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000\ufffd2\\u0000\\u0000\u0022, \u0022port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSSQL:1433 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022)\ufffdU\ufffd2\u0022, \u0022target_port_label\u0022: \u00221433 \u00b7 MSSQL\u0022, \u0022emulator_service\u0022: \u0022mssql\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022mssql\u0022, \u0022service_banner\u0022: \u0022honeypot-mssql\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221433\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022mssql\u0022, \u0022smb\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mssql_emulated\u0022, \u0022mssql_payload\u0022, \u0022mssql_probe\u0022, \u0022mssql_tds\u0022, \u0022net_mssql_tds\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mssql_emulated\u0022, \u0022mssql_payload\u0022, \u0022mssql_probe\u0022, \u0022mssql_tds\u0022, \u0022net_mssql_tds\u0022]","anomalies":"[]","severity":6,"bytes_in":41},{"id":9783541,"ip":"186.167.113.69","ts":"2026-06-20 19:11:02.000000","proto":"tcp","src_port":62571,"dst_port":1433,"service":"mssql","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022001f00001a00060000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 33, \u0022bytes_in\u0022: 41, \u0022payload_entropy\u0022: 2.824666483818309, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022mssql\u0022, \u0022app_proto\u0022: \u0022mssql\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 1433, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 10.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 10.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022584dc8ab43572550a5af46f03637ac724e8c86c3\u0022, \u0022event_fingerprint\u0022: \u002224635733bde8ab881cad2aa5e51b4b5bf5e45e9f\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0519\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0519\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0519\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0519\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 10.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022mssql\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002279f73a4ed1b66545f875d516589067b9\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_name\u0022: \u0022mssql\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000\ufffd2\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000\ufffd2\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000\ufffd2\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000\ufffd2\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000\ufffd2\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002209870c976cd5f57f3cd8f0399cc8ce74365deacc\u0022, \u0022protocol_details\u0022: {\u0022mssql_tds_fr\u0022: \u0022Connexion TDS Microsoft SQL Server\u0022, \u0022payload_preview\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000\ufffd2\\u0000\\u0000\u0022, \u0022port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022}, \u0022evidence_snippet\u0022: \u0022)\ufffdU\ufffd2\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSSQL:1433 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221433 \u00b7 MSSQL\u0022, \u0022emulator_service\u0022: \u0022mssql\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 10.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022, \u0022dst_port\u0022: 1433, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0519\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0519\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-mssql\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022mssql_tds_fr\u0022: \u0022Connexion TDS Microsoft SQL Server\u0022, \u0022payload_preview\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000\ufffd2\\u0000\\u0000\u0022, \u0022port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSSQL:1433 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022)\ufffdU\ufffd2\u0022, \u0022target_port_label\u0022: \u00221433 \u00b7 MSSQL\u0022, \u0022emulator_service\u0022: \u0022mssql\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022mssql\u0022, \u0022service_banner\u0022: \u0022honeypot-mssql\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221433\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022mssql\u0022, \u0022smb\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mssql_emulated\u0022, \u0022mssql_payload\u0022, \u0022mssql_probe\u0022, \u0022mssql_tds\u0022, \u0022net_mssql_tds\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mssql_emulated\u0022, \u0022mssql_payload\u0022, \u0022mssql_probe\u0022, \u0022mssql_tds\u0022, \u0022net_mssql_tds\u0022]","anomalies":"[]","severity":6,"bytes_in":41},{"id":9783539,"ip":"186.167.113.69","ts":"2026-06-20 19:11:00.000000","proto":"tcp","src_port":62253,"dst_port":1433,"service":"mssql","classification":"mssql_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022001f00001a00060000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 33, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022mssql\u0022, \u0022app_proto\u0022: \u0022mssql\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 1433, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 21, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221a5b2fa475f95e8d817d64405cb3644e25f7ec32\u0022, \u0022event_fingerprint\u0022: \u00226e104f6072c052d0dd22893d2f1fa140642f7c7c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.08, \u0022classification_confidence\u0022: 0.08, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 21, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022mssql\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u00226d4ca317e1154f7afb07772c79279a04\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_name\u0022: \u0022mssql\u0022, \u0022risk_score\u0022: 21}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002226b7a6df5d89ce56b26b7300a9dcbd23c6a4f162\u0022, \u0022protocol_details\u0022: {\u0022mssql_tds_fr\u0022: \u0022Connexion TDS Microsoft SQL Server\u0022, \u0022port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022}, \u0022attack_vector\u0022: \u0022mssql probe \u00b7 via MSSQL:1433 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221433 \u00b7 MSSQL\u0022, \u0022emulator_service\u0022: \u0022mssql\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 2 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 8, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 21, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 21, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022, \u0022dst_port\u0022: 1433, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-mssql\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022mssql_tds_fr\u0022: \u0022Connexion TDS Microsoft SQL Server\u0022, \u0022port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022}, \u0022attack_vector\u0022: \u0022mssql probe \u00b7 via MSSQL:1433 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00221433 \u00b7 MSSQL\u0022, \u0022emulator_service\u0022: \u0022mssql\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 2 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 8 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022mssql\u0022, \u0022service_banner\u0022: \u0022honeypot-mssql\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221433\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022mssql\u0022, \u0022smb\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mssql_emulated\u0022, \u0022net_mssql_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mssql_emulated\u0022, \u0022net_mssql_probe\u0022]","anomalies":"[]","severity":6,"bytes_in":0},{"id":9783408,"ip":"186.167.113.69","ts":"2026-06-20 19:07:04.000000","proto":"tcp","src_port":50490,"dst_port":445,"service":"smb","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002200000048\u0022, \u0022emulator_response_len\u0022: 4, \u0022bytes_in\u0022: 88, \u0022payload_entropy\u0022: 3.701137069879752, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022smb\u0022, \u0022app_proto\u0022: \u0022smb\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 445, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002290eadff6383eb9d1d8f3257adde4c79c467b3287\u0022, \u0022event_fingerprint\u0022: \u0022c2dcd725f3d49cc7233ad16d1772dcd2f3d0439d\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022smb\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022cb970f018306412ae8aedb1d637f4198\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 445, \u0022service\u0022: \u0022smb\u0022, \u0022service_name\u0022: \u0022smb\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000T\ufffdSMBr\\u0000\\u0000\\u0000\\u0000\\u0018\\u0001(\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000Dm\\u0000\\u0000B\ufffd\\u00001\\u0000\\u0002LANMAN1.0\\u0000\\u0002LM1.2X002\\u0000\\u0002NT LANMAN 1.0\\u0000\\u0002NT LM 0.12\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000T\ufffdSMBr\\u0000\\u0000\\u0000\\u0000\\u0018\\u0001(\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000Dm\\u0000\\u0000B\ufffd\\u00001\\u0000\\u0002LANMAN1.0\\u0000\\u0002LM1.2X002\\u0000\\u0002NT LANMAN 1.0\\u0000\\u0002NT LM 0.12\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000T\ufffdSMBr\\u0000\\u0000\\u0000\\u0000\\u0018\\u0001(\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000Dm\\u0000\\u0000B\ufffd\\u00001\\u0000\\u0002LANMAN1.0\\u0000\\u0002LM1.2X002\\u0000\\u0002NT LANMAN 1.0\\u0000\\u0002NT LM 0.12\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000T\ufffdSMBr\\u0000\\u0000\\u0000\\u0000\\u0018\\u0001(\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000Dm\\u0000\\u0000B\ufffd\\u00001\\u0000\\u0002LANMAN1.0\\u0000\\u0002LM1.2X002\\u0000\\u0002NT LANMAN 1.0\\u0000\\u0002NT LM 0.12\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000T\ufffdSMBr\\u0000\\u0000\\u0000\\u0000\\u0018\\u0001(\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000Dm\\u0000\\u0000B\ufffd\\u00001\\u0000\\u0002LANMAN1.0\\u0000\\u0002LM1.2X002\\u0000\\u0002NT LANMAN 1.0\\u0000\\u0002NT LM 0.12\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022bdce039df2a4db5c03b9bfd1aaafea1b8a5a4d88\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000T\ufffdSMBr\\u0000\\u0000\\u0000\\u0000\\u0018\\u0001(\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000Dm\\u0000\\u0000B\ufffd\\u00001\\u0000\\u0002LANMAN1.0\\u0000\\u0002LM1.2X002\\u0000\\u0002NT LANMAN 1.0\\u0000\\u0002NT LM 0.12\\u0000\u0022, \u0022port\u0022: 445, \u0022service\u0022: \u0022smb\u0022, \u0022service_label_fr\u0022: \u0022SMB\u0022}, \u0022evidence_snippet\u0022: \u0022T\ufffdSMBr(DmB\ufffd1LANMAN1.0LM1.2X002NT LANMAN 1.0NT LM 0.12\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SMB:445 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022445 \u00b7 SMB\u0022, \u0022emulator_service\u0022: \u0022smb\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022smb\u0022, \u0022service_label_fr\u0022: \u0022SMB\u0022, \u0022dst_port\u0022: 445, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-smb\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000T\ufffdSMBr\\u0000\\u0000\\u0000\\u0000\\u0018\\u0001(\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000Dm\\u0000\\u0000B\ufffd\\u00001\\u0000\\u0002LANMAN1.0\\u0000\\u0002LM1.2X002\\u0000\\u0002NT LANMAN 1.0\\u0000\\u0002NT LM 0.12\\u0000\u0022, \u0022port\u0022: 445, \u0022service\u0022: \u0022smb\u0022, \u0022service_label_fr\u0022: \u0022SMB\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SMB:445 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022T\ufffdSMBr(DmB\ufffd1LANMAN1.0LM1.2X002NT LANMAN 1.0NT LM 0.12\u0022, \u0022target_port_label\u0022: \u0022445 \u00b7 SMB\u0022, \u0022emulator_service\u0022: \u0022smb\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022smb\u0022, \u0022service_banner\u0022: \u0022honeypot-smb\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022445\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_smb_probe\u0022, \u0022smb_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_smb_probe\u0022, \u0022smb_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":88},{"id":9783405,"ip":"186.167.113.69","ts":"2026-06-20 19:06:59.000000","proto":"tcp","src_port":49775,"dst_port":445,"service":"smb","classification":"smb_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022smb\u0022, \u0022app_proto\u0022: \u0022smb\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 445, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 21, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002290eadff6383eb9d1d8f3257adde4c79c467b3287\u0022, \u0022event_fingerprint\u0022: \u0022c2dcd725f3d49cc7233ad16d1772dcd2f3d0439d\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 21}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022smb\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u0022b6c073dc229e6284b4cae7886c46d504\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 445, \u0022service\u0022: \u0022smb\u0022, \u0022service_name\u0022: \u0022smb\u0022, \u0022risk_score\u0022: 21}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ef65a26a218aa90e71bfdd5be23cdac9a07fef86\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 445, \u0022service\u0022: \u0022smb\u0022, \u0022service_label_fr\u0022: \u0022SMB\u0022}, \u0022attack_vector\u0022: \u0022smb probe \u00b7 via SMB:445 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022445 \u00b7 SMB\u0022, \u0022emulator_service\u0022: \u0022smb\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 2 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 21}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 21, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022smb\u0022, \u0022service_label_fr\u0022: \u0022SMB\u0022, \u0022dst_port\u0022: 445, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-smb\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022port\u0022: 445, \u0022service\u0022: \u0022smb\u0022, \u0022service_label_fr\u0022: \u0022SMB\u0022}, \u0022attack_vector\u0022: \u0022smb probe \u00b7 via SMB:445 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u0022445 \u00b7 SMB\u0022, \u0022emulator_service\u0022: \u0022smb\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 2 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022smb\u0022, \u0022service_banner\u0022: \u0022honeypot-smb\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022445\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_smb_probe\u0022, \u0022smb_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_smb_probe\u0022, \u0022smb_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":0},{"id":9323959,"ip":"186.167.113.69","ts":"2026-06-15 23:11:30.000000","proto":"tcp","src_port":55193,"dst_port":135,"service":"msrpc","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 4.051188106860829, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224ca75bafedc497ca4fec409b1a394b80b467a571\u0022, \u0022event_fingerprint\u0022: \u0022ee04cb302187f8727d545b1eea4782a6fc19fb64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022112ffcc7a992ccd5f87914c8680869f7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0fe4abcd721a5952f028fba3425e97c85689a74\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":116},{"id":9323953,"ip":"186.167.113.69","ts":"2026-06-15 23:11:25.000000","proto":"tcp","src_port":54204,"dst_port":135,"service":"msrpc","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 4.051188106860829, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224ca75bafedc497ca4fec409b1a394b80b467a571\u0022, \u0022event_fingerprint\u0022: \u0022ee04cb302187f8727d545b1eea4782a6fc19fb64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022112ffcc7a992ccd5f87914c8680869f7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0fe4abcd721a5952f028fba3425e97c85689a74\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":116},{"id":9323944,"ip":"186.167.113.69","ts":"2026-06-15 23:11:20.000000","proto":"tcp","src_port":52987,"dst_port":135,"service":"msrpc","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 4.051188106860829, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224ca75bafedc497ca4fec409b1a394b80b467a571\u0022, \u0022event_fingerprint\u0022: \u0022ee04cb302187f8727d545b1eea4782a6fc19fb64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022112ffcc7a992ccd5f87914c8680869f7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0fe4abcd721a5952f028fba3425e97c85689a74\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":116},{"id":9323942,"ip":"186.167.113.69","ts":"2026-06-15 23:11:15.000000","proto":"tcp","src_port":52207,"dst_port":135,"service":"msrpc","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 4.051188106860829, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224ca75bafedc497ca4fec409b1a394b80b467a571\u0022, \u0022event_fingerprint\u0022: \u0022ee04cb302187f8727d545b1eea4782a6fc19fb64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022112ffcc7a992ccd5f87914c8680869f7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0fe4abcd721a5952f028fba3425e97c85689a74\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":116},{"id":9323939,"ip":"186.167.113.69","ts":"2026-06-15 23:11:10.000000","proto":"tcp","src_port":51123,"dst_port":135,"service":"msrpc","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 4.051188106860829, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224ca75bafedc497ca4fec409b1a394b80b467a571\u0022, \u0022event_fingerprint\u0022: \u0022ee04cb302187f8727d545b1eea4782a6fc19fb64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022112ffcc7a992ccd5f87914c8680869f7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0fe4abcd721a5952f028fba3425e97c85689a74\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":116},{"id":9323935,"ip":"186.167.113.69","ts":"2026-06-15 23:11:05.000000","proto":"tcp","src_port":50026,"dst_port":135,"service":"msrpc","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 4.051188106860829, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224ca75bafedc497ca4fec409b1a394b80b467a571\u0022, \u0022event_fingerprint\u0022: \u0022ee04cb302187f8727d545b1eea4782a6fc19fb64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022112ffcc7a992ccd5f87914c8680869f7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0fe4abcd721a5952f028fba3425e97c85689a74\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":116},{"id":9323933,"ip":"186.167.113.69","ts":"2026-06-15 23:11:00.000000","proto":"tcp","src_port":36779,"dst_port":135,"service":"msrpc","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 4.051188106860829, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224ca75bafedc497ca4fec409b1a394b80b467a571\u0022, \u0022event_fingerprint\u0022: \u0022ee04cb302187f8727d545b1eea4782a6fc19fb64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022112ffcc7a992ccd5f87914c8680869f7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0fe4abcd721a5952f028fba3425e97c85689a74\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":116},{"id":9323925,"ip":"186.167.113.69","ts":"2026-06-15 23:10:54.000000","proto":"tcp","src_port":36306,"dst_port":135,"service":"msrpc","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 4.051188106860829, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224ca75bafedc497ca4fec409b1a394b80b467a571\u0022, \u0022event_fingerprint\u0022: \u0022ee04cb302187f8727d545b1eea4782a6fc19fb64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022112ffcc7a992ccd5f87914c8680869f7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0fe4abcd721a5952f028fba3425e97c85689a74\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":116},{"id":9323921,"ip":"186.167.113.69","ts":"2026-06-15 23:10:49.000000","proto":"tcp","src_port":35641,"dst_port":135,"service":"msrpc","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 4.051188106860829, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224ca75bafedc497ca4fec409b1a394b80b467a571\u0022, \u0022event_fingerprint\u0022: \u0022ee04cb302187f8727d545b1eea4782a6fc19fb64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022112ffcc7a992ccd5f87914c8680869f7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0fe4abcd721a5952f028fba3425e97c85689a74\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":116},{"id":9323918,"ip":"186.167.113.69","ts":"2026-06-15 23:10:44.000000","proto":"tcp","src_port":34753,"dst_port":135,"service":"msrpc","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 4.051188106860829, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224ca75bafedc497ca4fec409b1a394b80b467a571\u0022, \u0022event_fingerprint\u0022: \u0022ee04cb302187f8727d545b1eea4782a6fc19fb64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022112ffcc7a992ccd5f87914c8680869f7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0fe4abcd721a5952f028fba3425e97c85689a74\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":116},{"id":9323914,"ip":"186.167.113.69","ts":"2026-06-15 23:10:39.000000","proto":"tcp","src_port":61064,"dst_port":135,"service":"msrpc","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 4.051188106860829, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224ca75bafedc497ca4fec409b1a394b80b467a571\u0022, \u0022event_fingerprint\u0022: \u0022ee04cb302187f8727d545b1eea4782a6fc19fb64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022112ffcc7a992ccd5f87914c8680869f7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0fe4abcd721a5952f028fba3425e97c85689a74\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":116},{"id":9323910,"ip":"186.167.113.69","ts":"2026-06-15 23:10:34.000000","proto":"tcp","src_port":32320,"dst_port":135,"service":"msrpc","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 4.051188106860829, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224ca75bafedc497ca4fec409b1a394b80b467a571\u0022, \u0022event_fingerprint\u0022: \u0022ee04cb302187f8727d545b1eea4782a6fc19fb64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022112ffcc7a992ccd5f87914c8680869f7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0fe4abcd721a5952f028fba3425e97c85689a74\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":116},{"id":9323289,"ip":"186.167.113.69","ts":"2026-06-15 22:57:41.000000","proto":"tcp","src_port":63293,"dst_port":135,"service":"msrpc","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 4.051188106860829, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224ca75bafedc497ca4fec409b1a394b80b467a571\u0022, \u0022event_fingerprint\u0022: \u0022ee04cb302187f8727d545b1eea4782a6fc19fb64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022112ffcc7a992ccd5f87914c8680869f7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0fe4abcd721a5952f028fba3425e97c85689a74\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":116},{"id":9323282,"ip":"186.167.113.69","ts":"2026-06-15 22:57:36.000000","proto":"tcp","src_port":62213,"dst_port":135,"service":"msrpc","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 4.051188106860829, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224ca75bafedc497ca4fec409b1a394b80b467a571\u0022, \u0022event_fingerprint\u0022: \u0022ee04cb302187f8727d545b1eea4782a6fc19fb64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022112ffcc7a992ccd5f87914c8680869f7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0fe4abcd721a5952f028fba3425e97c85689a74\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":116},{"id":9323276,"ip":"186.167.113.69","ts":"2026-06-15 22:57:31.000000","proto":"tcp","src_port":61065,"dst_port":135,"service":"msrpc","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 4.051188106860829, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224ca75bafedc497ca4fec409b1a394b80b467a571\u0022, \u0022event_fingerprint\u0022: \u0022ee04cb302187f8727d545b1eea4782a6fc19fb64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022112ffcc7a992ccd5f87914c8680869f7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0fe4abcd721a5952f028fba3425e97c85689a74\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":116},{"id":9323273,"ip":"186.167.113.69","ts":"2026-06-15 22:57:26.000000","proto":"tcp","src_port":59474,"dst_port":135,"service":"msrpc","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 4.051188106860829, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224ca75bafedc497ca4fec409b1a394b80b467a571\u0022, \u0022event_fingerprint\u0022: \u0022ee04cb302187f8727d545b1eea4782a6fc19fb64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022112ffcc7a992ccd5f87914c8680869f7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0fe4abcd721a5952f028fba3425e97c85689a74\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":116},{"id":9323266,"ip":"186.167.113.69","ts":"2026-06-15 22:57:20.000000","proto":"tcp","src_port":58926,"dst_port":135,"service":"msrpc","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 4.051188106860829, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224ca75bafedc497ca4fec409b1a394b80b467a571\u0022, \u0022event_fingerprint\u0022: \u0022ee04cb302187f8727d545b1eea4782a6fc19fb64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022112ffcc7a992ccd5f87914c8680869f7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0fe4abcd721a5952f028fba3425e97c85689a74\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":116},{"id":9323262,"ip":"186.167.113.69","ts":"2026-06-15 22:57:15.000000","proto":"tcp","src_port":58015,"dst_port":135,"service":"msrpc","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 4.051188106860829, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224ca75bafedc497ca4fec409b1a394b80b467a571\u0022, \u0022event_fingerprint\u0022: \u0022ee04cb302187f8727d545b1eea4782a6fc19fb64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022112ffcc7a992ccd5f87914c8680869f7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0fe4abcd721a5952f028fba3425e97c85689a74\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":116},{"id":9323257,"ip":"186.167.113.69","ts":"2026-06-15 22:57:10.000000","proto":"tcp","src_port":56908,"dst_port":135,"service":"msrpc","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 4.051188106860829, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224ca75bafedc497ca4fec409b1a394b80b467a571\u0022, \u0022event_fingerprint\u0022: \u0022ee04cb302187f8727d545b1eea4782a6fc19fb64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022112ffcc7a992ccd5f87914c8680869f7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0fe4abcd721a5952f028fba3425e97c85689a74\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":116},{"id":9323254,"ip":"186.167.113.69","ts":"2026-06-15 22:57:05.000000","proto":"tcp","src_port":55818,"dst_port":135,"service":"msrpc","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 4.051188106860829, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224ca75bafedc497ca4fec409b1a394b80b467a571\u0022, \u0022event_fingerprint\u0022: \u0022ee04cb302187f8727d545b1eea4782a6fc19fb64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022112ffcc7a992ccd5f87914c8680869f7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0fe4abcd721a5952f028fba3425e97c85689a74\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":116},{"id":9323253,"ip":"186.167.113.69","ts":"2026-06-15 22:57:00.000000","proto":"tcp","src_port":54652,"dst_port":135,"service":"msrpc","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 4.051188106860829, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224ca75bafedc497ca4fec409b1a394b80b467a571\u0022, \u0022event_fingerprint\u0022: \u0022ee04cb302187f8727d545b1eea4782a6fc19fb64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022112ffcc7a992ccd5f87914c8680869f7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0fe4abcd721a5952f028fba3425e97c85689a74\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":116},{"id":9323251,"ip":"186.167.113.69","ts":"2026-06-15 22:56:55.000000","proto":"tcp","src_port":53546,"dst_port":135,"service":"msrpc","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 4.051188106860829, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224ca75bafedc497ca4fec409b1a394b80b467a571\u0022, \u0022event_fingerprint\u0022: \u0022ee04cb302187f8727d545b1eea4782a6fc19fb64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022112ffcc7a992ccd5f87914c8680869f7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0fe4abcd721a5952f028fba3425e97c85689a74\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":116},{"id":9323248,"ip":"186.167.113.69","ts":"2026-06-15 22:56:50.000000","proto":"tcp","src_port":52494,"dst_port":135,"service":"msrpc","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 4.051188106860829, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224ca75bafedc497ca4fec409b1a394b80b467a571\u0022, \u0022event_fingerprint\u0022: \u0022ee04cb302187f8727d545b1eea4782a6fc19fb64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022112ffcc7a992ccd5f87914c8680869f7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0fe4abcd721a5952f028fba3425e97c85689a74\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":116},{"id":9323241,"ip":"186.167.113.69","ts":"2026-06-15 22:56:45.000000","proto":"tcp","src_port":51440,"dst_port":135,"service":"msrpc","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 4.051188106860829, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224ca75bafedc497ca4fec409b1a394b80b467a571\u0022, \u0022event_fingerprint\u0022: \u0022ee04cb302187f8727d545b1eea4782a6fc19fb64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022112ffcc7a992ccd5f87914c8680869f7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0fe4abcd721a5952f028fba3425e97c85689a74\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":116},{"id":9323229,"ip":"186.167.113.69","ts":"2026-06-15 22:56:39.000000","proto":"tcp","src_port":50075,"dst_port":135,"service":"msrpc","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 4.051188106860829, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224ca75bafedc497ca4fec409b1a394b80b467a571\u0022, \u0022event_fingerprint\u0022: \u0022ee04cb302187f8727d545b1eea4782a6fc19fb64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022112ffcc7a992ccd5f87914c8680869f7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0fe4abcd721a5952f028fba3425e97c85689a74\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":116},{"id":9323225,"ip":"186.167.113.69","ts":"2026-06-15 22:56:34.000000","proto":"tcp","src_port":65489,"dst_port":135,"service":"msrpc","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 4.051188106860829, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224ca75bafedc497ca4fec409b1a394b80b467a571\u0022, \u0022event_fingerprint\u0022: \u0022ee04cb302187f8727d545b1eea4782a6fc19fb64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022112ffcc7a992ccd5f87914c8680869f7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0fe4abcd721a5952f028fba3425e97c85689a74\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":116},{"id":9323223,"ip":"186.167.113.69","ts":"2026-06-15 22:56:29.000000","proto":"tcp","src_port":64230,"dst_port":135,"service":"msrpc","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 4.051188106860829, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224ca75bafedc497ca4fec409b1a394b80b467a571\u0022, \u0022event_fingerprint\u0022: \u0022ee04cb302187f8727d545b1eea4782a6fc19fb64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022112ffcc7a992ccd5f87914c8680869f7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0fe4abcd721a5952f028fba3425e97c85689a74\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":116},{"id":9323219,"ip":"186.167.113.69","ts":"2026-06-15 22:56:24.000000","proto":"tcp","src_port":63029,"dst_port":135,"service":"msrpc","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 4.051188106860829, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224ca75bafedc497ca4fec409b1a394b80b467a571\u0022, \u0022event_fingerprint\u0022: \u0022ee04cb302187f8727d545b1eea4782a6fc19fb64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022112ffcc7a992ccd5f87914c8680869f7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0fe4abcd721a5952f028fba3425e97c85689a74\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":116},{"id":9323216,"ip":"186.167.113.69","ts":"2026-06-15 22:56:19.000000","proto":"tcp","src_port":24783,"dst_port":135,"service":"msrpc","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 4.051188106860829, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224ca75bafedc497ca4fec409b1a394b80b467a571\u0022, \u0022event_fingerprint\u0022: \u0022ee04cb302187f8727d545b1eea4782a6fc19fb64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022112ffcc7a992ccd5f87914c8680869f7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0fe4abcd721a5952f028fba3425e97c85689a74\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":116},{"id":9323213,"ip":"186.167.113.69","ts":"2026-06-15 22:56:14.000000","proto":"tcp","src_port":23691,"dst_port":135,"service":"msrpc","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 4.051188106860829, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224ca75bafedc497ca4fec409b1a394b80b467a571\u0022, \u0022event_fingerprint\u0022: \u0022ee04cb302187f8727d545b1eea4782a6fc19fb64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022112ffcc7a992ccd5f87914c8680869f7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0fe4abcd721a5952f028fba3425e97c85689a74\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":116},{"id":9323207,"ip":"186.167.113.69","ts":"2026-06-15 22:56:09.000000","proto":"tcp","src_port":22653,"dst_port":135,"service":"msrpc","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 4.051188106860829, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224ca75bafedc497ca4fec409b1a394b80b467a571\u0022, \u0022event_fingerprint\u0022: \u0022ee04cb302187f8727d545b1eea4782a6fc19fb64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022112ffcc7a992ccd5f87914c8680869f7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0fe4abcd721a5952f028fba3425e97c85689a74\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":116},{"id":9323205,"ip":"186.167.113.69","ts":"2026-06-15 22:56:04.000000","proto":"tcp","src_port":21261,"dst_port":135,"service":"msrpc","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 4.051188106860829, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224ca75bafedc497ca4fec409b1a394b80b467a571\u0022, \u0022event_fingerprint\u0022: \u0022ee04cb302187f8727d545b1eea4782a6fc19fb64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022112ffcc7a992ccd5f87914c8680869f7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0fe4abcd721a5952f028fba3425e97c85689a74\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":116},{"id":9323200,"ip":"186.167.113.69","ts":"2026-06-15 22:55:56.000000","proto":"tcp","src_port":52243,"dst_port":135,"service":"msrpc","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 4.051188106860829, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224ca75bafedc497ca4fec409b1a394b80b467a571\u0022, \u0022event_fingerprint\u0022: \u0022ee04cb302187f8727d545b1eea4782a6fc19fb64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022112ffcc7a992ccd5f87914c8680869f7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0fe4abcd721a5952f028fba3425e97c85689a74\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":116},{"id":9323199,"ip":"186.167.113.69","ts":"2026-06-15 22:55:51.000000","proto":"tcp","src_port":50250,"dst_port":135,"service":"msrpc","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 4.051188106860829, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224ca75bafedc497ca4fec409b1a394b80b467a571\u0022, \u0022event_fingerprint\u0022: \u0022ee04cb302187f8727d545b1eea4782a6fc19fb64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022112ffcc7a992ccd5f87914c8680869f7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0fe4abcd721a5952f028fba3425e97c85689a74\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":116},{"id":9323197,"ip":"186.167.113.69","ts":"2026-06-15 22:55:46.000000","proto":"tcp","src_port":48688,"dst_port":135,"service":"msrpc","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 4.051188106860829, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224ca75bafedc497ca4fec409b1a394b80b467a571\u0022, \u0022event_fingerprint\u0022: \u0022ee04cb302187f8727d545b1eea4782a6fc19fb64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022112ffcc7a992ccd5f87914c8680869f7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0fe4abcd721a5952f028fba3425e97c85689a74\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 84}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":116},{"id":9323196,"ip":"186.167.113.69","ts":"2026-06-15 22:55:41.000000","proto":"tcp","src_port":53754,"dst_port":135,"service":"msrpc","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 4.051188106860829, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224ca75bafedc497ca4fec409b1a394b80b467a571\u0022, \u0022event_fingerprint\u0022: \u0022ee04cb302187f8727d545b1eea4782a6fc19fb64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022112ffcc7a992ccd5f87914c8680869f7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0fe4abcd721a5952f028fba3425e97c85689a74\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":116},{"id":9323191,"ip":"186.167.113.69","ts":"2026-06-15 22:55:36.000000","proto":"tcp","src_port":45102,"dst_port":135,"service":"msrpc","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 4.051188106860829, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224ca75bafedc497ca4fec409b1a394b80b467a571\u0022, \u0022event_fingerprint\u0022: \u0022ee04cb302187f8727d545b1eea4782a6fc19fb64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022112ffcc7a992ccd5f87914c8680869f7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0fe4abcd721a5952f028fba3425e97c85689a74\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":116},{"id":9323185,"ip":"186.167.113.69","ts":"2026-06-15 22:55:31.000000","proto":"tcp","src_port":43312,"dst_port":135,"service":"msrpc","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 4.051188106860829, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224ca75bafedc497ca4fec409b1a394b80b467a571\u0022, \u0022event_fingerprint\u0022: \u0022ee04cb302187f8727d545b1eea4782a6fc19fb64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022112ffcc7a992ccd5f87914c8680869f7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0fe4abcd721a5952f028fba3425e97c85689a74\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":116},{"id":9323179,"ip":"186.167.113.69","ts":"2026-06-15 22:55:26.000000","proto":"tcp","src_port":41306,"dst_port":135,"service":"msrpc","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 4.051188106860829, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224ca75bafedc497ca4fec409b1a394b80b467a571\u0022, \u0022event_fingerprint\u0022: \u0022ee04cb302187f8727d545b1eea4782a6fc19fb64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022112ffcc7a992ccd5f87914c8680869f7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0fe4abcd721a5952f028fba3425e97c85689a74\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":116},{"id":9323176,"ip":"186.167.113.69","ts":"2026-06-15 22:55:21.000000","proto":"tcp","src_port":39069,"dst_port":135,"service":"msrpc","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 4.051188106860829, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224ca75bafedc497ca4fec409b1a394b80b467a571\u0022, \u0022event_fingerprint\u0022: \u0022ee04cb302187f8727d545b1eea4782a6fc19fb64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022112ffcc7a992ccd5f87914c8680869f7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0fe4abcd721a5952f028fba3425e97c85689a74\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":116},{"id":9323175,"ip":"186.167.113.69","ts":"2026-06-15 22:55:16.000000","proto":"tcp","src_port":36610,"dst_port":135,"service":"msrpc","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 4.051188106860829, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224ca75bafedc497ca4fec409b1a394b80b467a571\u0022, \u0022event_fingerprint\u0022: \u0022ee04cb302187f8727d545b1eea4782a6fc19fb64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022112ffcc7a992ccd5f87914c8680869f7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0fe4abcd721a5952f028fba3425e97c85689a74\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":116},{"id":9323164,"ip":"186.167.113.69","ts":"2026-06-15 22:55:11.000000","proto":"tcp","src_port":33911,"dst_port":135,"service":"msrpc","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 4.051188106860829, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224ca75bafedc497ca4fec409b1a394b80b467a571\u0022, \u0022event_fingerprint\u0022: \u0022ee04cb302187f8727d545b1eea4782a6fc19fb64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022112ffcc7a992ccd5f87914c8680869f7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0fe4abcd721a5952f028fba3425e97c85689a74\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":116},{"id":9323162,"ip":"186.167.113.69","ts":"2026-06-15 22:55:06.000000","proto":"tcp","src_port":30957,"dst_port":135,"service":"msrpc","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 4.051188106860829, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224ca75bafedc497ca4fec409b1a394b80b467a571\u0022, \u0022event_fingerprint\u0022: \u0022ee04cb302187f8727d545b1eea4782a6fc19fb64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022112ffcc7a992ccd5f87914c8680869f7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0fe4abcd721a5952f028fba3425e97c85689a74\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":116},{"id":9323159,"ip":"186.167.113.69","ts":"2026-06-15 22:55:01.000000","proto":"tcp","src_port":61536,"dst_port":135,"service":"msrpc","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 4.051188106860829, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 27717, \u0022country\u0022: \u0022VE\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224ca75bafedc497ca4fec409b1a394b80b467a571\u0022, \u0022event_fingerprint\u0022: \u0022ee04cb302187f8727d545b1eea4782a6fc19fb64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VE\u0022, \u0022asn\u0022: 27717, \u0022org\u0022: \u0022Corporacion Digitel C.A.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022112ffcc7a992ccd5f87914c8680869f7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b0fe4abcd721a5952f028fba3425e97c85689a74\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0000\\u000b\\u0003\\u0010\\u0000\\u0000\\u0000t\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\ufffd\\u0016\ufffd\\u0016\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000\\u0004]\ufffd\ufffd\ufffd\\u001c\ufffd\\u0011\ufffd\ufffd\\b\\u0000+\\u0010H`\\u0002\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\ufffd\ufffd\ufffd\ufffd`R\\u001b\\u0010\ufffd\ufffd\\u0000\ufffd\\u0000!4z\\u0000\\u0000\\u0000\\u0000,\\u001c\ufffdl\\u0012\ufffd@E\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`\ufffd\ufffd\ufffd\ufffd`R\ufffd\ufffd\ufffd!4z,\ufffdl\ufffd@E\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":116}],"total_events":62}