{"ip":"187.15.133.194","exported_at":"2026-07-18T22:24:55+00:00","period_days":30,"metrics":{"events7d":318,"distinct_ports":25,"distinct_classifications":9,"max_severity":null,"last_sensor_id":"paris-1","max_waf_score":48,"max_risk_score":null,"attack_stage":null,"threat_family":[],"recommended_action":null,"confidence":null,"risk_breakdown":[],"mitre_tactics":[]},"events":[{"id":12725216,"ip":"187.15.133.194","ts":"2026-07-18 05:33:07.000000","proto":"tcp","src_port":40408,"dst_port":7001,"service":"weblogic","classification":"weblogic_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205765624c6f676963205365727665722031342e312e312e300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2037390d0a0d0a3c68746d6c3e3c7469746c653e5765624c6f676963205365727665722043\u0022, \u0022emulator_response_len\u0022: 177, \u0022bytes_in\u0022: 5, \u0022payload_entropy\u0022: 2.321928094887362, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022weblogic\u0022, \u0022app_proto\u0022: \u0022weblogic\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 7001, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 58.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 33, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00223209cb76d7a9ac3a6e65d8bcbb4694715e457ed2\u0022, \u0022event_fingerprint\u0022: \u00224ea7ffe7bc9ade2843b5e81016a496bfea35cfd6\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022confidence\u0022: 0.85, \u0022classification_confidence\u0022: 0.85, \u0022precision_score\u0022: 87, \u0022precision_signals\u0022: [\u0022INT-weblogic_console\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-weblogic_console\u0022, \u0022INT-upstream\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 33, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022weblogic\u0022, \u0022risk_confidence_factor\u0022: 77.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002287e8503fc1fa9337182ff6baaa9ea402\u0022, \u0022path_pattern_hash\u0022: \u0022a179ef516d6662010534ca5ee85ea8d3\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 7001, \u0022service\u0022: \u0022weblogic\u0022, \u0022service_name\u0022: \u0022weblogic\u0022, \u0022risk_score\u0022: 33}, \u0022payload_preview\u0022: \u0022GIOP\\n\u0022, \u0022request_sample\u0022: \u0022GIOP\\n\u0022, \u0022payload_snippet\u0022: \u0022GIOP\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GIOP\\n\u0022, \u0022payload_snippet\u0022: \u0022GIOP\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022enterprise_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223b3f1bdb0cccc6fa76ea5e02ad8f08d1f24affb8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GIOP\u0022, \u0022port\u0022: 7001, \u0022service\u0022: \u0022weblogic\u0022, \u0022service_label_fr\u0022: \u0022WEBLOGIC\u0022}, \u0022evidence_snippet\u0022: \u0022GIOP\u0022, \u0022attack_vector\u0022: \u0022weblogic probe \u00b7 via WEBLOGIC:7001 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00227001 \u00b7 WEBLOGIC\u0022, \u0022emulator_service\u0022: \u0022weblogic\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 2 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 33\/100\u0022, \u0022confidence_pct\u0022: 85, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 33, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 33, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022weblogic\u0022, \u0022service_label_fr\u0022: \u0022WEBLOGIC\u0022, \u0022dst_port\u0022: 7001, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-weblogic_console\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Weblogic Console\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-weblogic\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GIOP\u0022, \u0022port\u0022: 7001, \u0022service\u0022: \u0022weblogic\u0022, \u0022service_label_fr\u0022: \u0022WEBLOGIC\u0022}, \u0022attack_vector\u0022: \u0022weblogic probe \u00b7 via WEBLOGIC:7001 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GIOP\u0022, \u0022target_port_label\u0022: \u00227001 \u00b7 WEBLOGIC\u0022, \u0022emulator_service\u0022: \u0022weblogic\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 2 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 85 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022weblogic\u0022, \u0022service_banner\u0022: \u0022honeypot-weblogic\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00227001\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 24, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_weblogic_probe\u0022, \u0022weblogic_emulated\u0022]}"},{"id":12725215,"ip":"187.15.133.194","ts":"2026-07-18 05:33:06.000000","proto":"tcp","src_port":47056,"dst_port":7001,"service":"weblogic","classification":"weblogic_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205765624c6f676963205365727665722031342e312e312e300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2037390d0a0d0a3c68746d6c3e3c7469746c653e5765624c6f676963205365727665722043\u0022, \u0022emulator_response_len\u0022: 177, \u0022bytes_in\u0022: 76, \u0022payload_entropy\u0022: 4.529464436404715, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022weblogic\u0022, \u0022app_proto\u0022: \u0022weblogic\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 7001, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 58.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 33, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00223209cb76d7a9ac3a6e65d8bcbb4694715e457ed2\u0022, \u0022event_fingerprint\u0022: \u00224ea7ffe7bc9ade2843b5e81016a496bfea35cfd6\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022confidence\u0022: 0.85, \u0022classification_confidence\u0022: 0.85, \u0022precision_score\u0022: 87, \u0022precision_signals\u0022: [\u0022INT-weblogic_console\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-weblogic_console\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 33, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022weblogic\u0022, \u0022risk_confidence_factor\u0022: 77.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226c24de847ea2758b7ab499e13cb3f9b3\u0022, \u0022path_pattern_hash\u0022: \u0022a179ef516d6662010534ca5ee85ea8d3\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 7001, \u0022service\u0022: \u0022weblogic\u0022, \u0022service_name\u0022: \u0022weblogic\u0022, \u0022risk_score\u0022: 33}, \u0022payload_preview\u0022: \u0022t3 12.2.1\\\\nAS:255\\\\nHL:19\\\\nMS:10000000\\\\nPU:t3:\/\/localhost:7001\\\\nLP:DOMAIN\\\\n\\\\n\u0022, \u0022request_sample\u0022: \u0022t3 12.2.1\\\\nAS:255\\\\nHL:19\\\\nMS:10000000\\\\nPU:t3:\/\/localhost:7001\\\\nLP:DOMAIN\\\\n\\\\n\u0022, \u0022payload_snippet\u0022: \u0022t3 12.2.1\\\\nAS:255\\\\nHL:19\\\\nMS:10000000\\\\nPU:t3:\/\/localhost:7001\\\\nLP:DOMAIN\\\\n\\\\n\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022t3 12.2.1\\\\nAS:255\\\\nHL:19\\\\nMS:10000000\\\\nPU:t3:\/\/localhost:7001\\\\nLP:DOMAIN\\\\n\\\\n\u0022, \u0022payload_snippet\u0022: \u0022t3 12.2.1\\\\nAS:255\\\\nHL:19\\\\nMS:10000000\\\\nPU:t3:\/\/localhost:7001\\\\nLP:DOMAIN\\\\n\\\\n\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022enterprise_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f00ce6c0f65493bdb6e2540939c03fa7389037cf\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022t3 12.2.1\\\\nAS:255\\\\nHL:19\\\\nMS:10000000\\\\nPU:t3:\/\/localhost:7001\\\\nLP:DOMAIN\\\\n\\\\n\u0022, \u0022port\u0022: 7001, \u0022service\u0022: \u0022weblogic\u0022, \u0022service_label_fr\u0022: \u0022WEBLOGIC\u0022}, \u0022evidence_snippet\u0022: \u0022t3 12.2.1\\\\nAS:255\\\\nHL:19\\\\nMS:10000000\\\\nPU:t3:\/\/localhost:7001\\\\nLP:DOMAIN\\\\n\\\\n\u0022, \u0022attack_vector\u0022: \u0022weblogic probe \u00b7 via WEBLOGIC:7001 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00227001 \u00b7 WEBLOGIC\u0022, \u0022emulator_service\u0022: \u0022weblogic\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 2 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 33\/100\u0022, \u0022confidence_pct\u0022: 85, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 33, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 33, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022weblogic\u0022, \u0022service_label_fr\u0022: \u0022WEBLOGIC\u0022, \u0022dst_port\u0022: 7001, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-weblogic_console\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Weblogic Console\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-weblogic\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022t3 12.2.1\\\\nAS:255\\\\nHL:19\\\\nMS:10000000\\\\nPU:t3:\/\/localhost:7001\\\\nLP:DOMAIN\\\\n\\\\n\u0022, \u0022port\u0022: 7001, \u0022service\u0022: \u0022weblogic\u0022, \u0022service_label_fr\u0022: \u0022WEBLOGIC\u0022}, \u0022attack_vector\u0022: \u0022weblogic probe \u00b7 via WEBLOGIC:7001 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t3 12.2.1\\\\nAS:255\\\\nHL:19\\\\nMS:10000000\\\\nPU:t3:\/\/localhost:7001\\\\nLP:DOMAIN\\\\n\\\\n\u0022, \u0022target_port_label\u0022: \u00227001 \u00b7 WEBLOGIC\u0022, \u0022emulator_service\u0022: \u0022weblogic\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 2 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 85 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022weblogic\u0022, \u0022service_banner\u0022: \u0022honeypot-weblogic\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00227001\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 24, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_weblogic_probe\u0022, \u0022weblogic_emulated\u0022]}"},{"id":12725214,"ip":"187.15.133.194","ts":"2026-07-18 05:33:04.000000","proto":"tcp","src_port":1818,"dst_port":7001,"service":"http","classification":"port_7001_tcp","waf_score":3,"waf_tags":"[\u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/index.html","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205765624c6f676963205365727665722031342e312e312e300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2037390d0a0d0a3c68746d6c3e3c7469746c653e5765624c6f676963205365727665722043\u0022, \u0022emulator_response_len\u0022: 177, \u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022html\u0022, \u0022http_ua_hash\u0022: \u00224a8e5f52654f8f3be11e8c18e174fffc7fcda19e\u0022, \u0022http_host_hash\u0022: \u00221e75f7b986cff91f40ab57cbc92b6aed66f05c5b\u0022, \u0022http_target_hash\u0022: \u002214fe4559026d4c5b5eb530ee70300c52d99e70d7\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 89, \u0022payload_entropy\u0022: 4.984215808671972, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 7001, \u0022risk_waf\u0022: 20.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 20.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 20.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u002214268ee52afd0b5291bd0e48cbec364c9992b576\u0022, \u0022event_fingerprint\u0022: \u0022cac7c15593907d2143f9e6831fc7b561af7347ca\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_7001_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.63, \u0022classification_confidence\u0022: 0.63, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022web_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002287da89131acc05cb861c80340d3d7610\u0022, \u0022payload_hash\u0022: \u0022a2c56fd294d0d8d91e9756fda0c81cfb\u0022, \u0022path_pattern_hash\u0022: \u0022213456c5dc963e03ec1f27600c46c954\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 7001, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022GET \/index.html HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/index.html\u0022, \u0022user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022waf_tags\u0022: [\u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/index.html HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/index.html HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/index.html HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/index.html\u0022, \u0022user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022waf_tags\u0022: [\u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/index.html HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/index.html HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/index.html HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_7001_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f24a8f9ed277e2e9a5da51df326391ce5962cdd3\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/index.html\u0022, \u0022request_line\u0022: \u0022GET \/index.html HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022port\u0022: 7001, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/index.html HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022attack_vector\u0022: \u0022port 7001 tcp \u00b7 via HTTP:7001 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/index.html\u0022, \u0022target_port_label\u0022: \u00227001 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 1 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_7001_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_7001_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 63, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 7001, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/index.html\u0022, \u0022request_line\u0022: \u0022GET \/index.html HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022port\u0022: 7001, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port 7001 tcp \u00b7 via HTTP:7001 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/index.html\u0022, \u0022evidence_snippet\u0022: \u0022GET \/index.html HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022target_port_label\u0022: \u00227001 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 1 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 63 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +8 \u00b7 1 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00227001\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022]}"},{"id":12725211,"ip":"187.15.133.194","ts":"2026-07-18 05:33:03.000000","proto":"tcp","src_port":6800,"dst_port":7001,"service":"http","classification":"lfi_path_traversal","waf_score":17,"waf_tags":"[\u0022950264:lfi-1\u0022, \u0022950468:nosqli-3\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/etc\/passwd","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205765624c6f676963205365727665722031342e312e312e300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2037390d0a0d0a3c68746d6c3e3c7469746c653e5765624c6f676963205365727665722043\u0022, \u0022emulator_response_len\u0022: 177, \u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00224a8e5f52654f8f3be11e8c18e174fffc7fcda19e\u0022, \u0022http_host_hash\u0022: \u00221e75f7b986cff91f40ab57cbc92b6aed66f05c5b\u0022, \u0022http_target_hash\u0022: \u0022b5cc3f676d00dd320d85ef41a5209fa0a99891ea\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 89, \u0022payload_entropy\u0022: 4.908788353366387, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 7001, \u0022risk_waf\u0022: 76.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 76.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 57, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022dc7e570db9c010dc90574d9011569e5ce6612cae\u0022, \u0022event_fingerprint\u0022: \u0022f344e6b627c949331b45f4c0866a55a5d25daa72\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 344, \u0022precision_signals\u0022: [\u0022MITRE-T1083\u0022, \u0022pat-0716\u0022, \u0022pat-0802\u0022, \u0022pat-0137\u0022, \u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1083\u0022, \u0022pat-0716\u0022, \u0022pat-0802\u0022, \u0022pat-0137\u0022, \u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0716\u0022, \u0022pat-0802\u0022, \u0022pat-0137\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 930160 etc passwd\u0022, \u0022MITRE T1083 file enum\u0022, \u0022LFI path \/etc\/passwd\u0022], \u0022pattern_ids\u0022: [\u0022pat-0716\u0022, \u0022pat-0802\u0022, \u0022pat-0137\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 76.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 57, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002287da89131acc05cb861c80340d3d7610\u0022, \u0022payload_hash\u0022: \u0022b10ad0dcd870e572c798ddf16134b675\u0022, \u0022path_pattern_hash\u0022: \u002274acf31844532670be412c65b8251ee5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 7001, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 57}, \u0022payload_preview\u0022: \u0022GET \/etc\/passwd HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/etc\/passwd\u0022, \u0022user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022waf_tags\u0022: [\u0022950264:lfi-1\u0022, \u0022950468:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-1\u0022, \u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/etc\/passwd HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/etc\/passwd HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/etc\/passwd HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/etc\/passwd\u0022, \u0022user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022waf_tags\u0022: [\u0022950264:lfi-1\u0022, \u0022950468:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-1\u0022, \u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/etc\/passwd HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/etc\/passwd HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/etc\/passwd HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002232e3bf429b6bb85dce13ab1b390e8501831b088f\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/etc\/passwd\u0022, \u0022request_line\u0022: \u0022GET \/etc\/passwd HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022port\u0022: 7001, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/etc\/passwd HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:7001 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/etc\/passwd\u0022, \u0022target_port_label\u0022: \u00227001 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 76.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 57, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 57, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 7001, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1083\u0022, \u0022pat-0716\u0022, \u0022pat-0802\u0022, \u0022pat-0137\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1083\u0022, \u0022pat-0716\u0022, \u0022pat-0802\u0022, \u0022pat-0137\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/etc\/passwd\u0022, \u0022request_line\u0022: \u0022GET \/etc\/passwd HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022port\u0022: 7001, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:7001 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/etc\/passwd\u0022, \u0022evidence_snippet\u0022: \u0022GET \/etc\/passwd HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022target_port_label\u0022: \u00227001 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 76 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00227001\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950264:lfi-1\u0022, \u0022950468:nosqli-3\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_sensitive_path\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022]}"},{"id":12725210,"ip":"187.15.133.194","ts":"2026-07-18 05:33:01.000000","proto":"tcp","src_port":11493,"dst_port":7001,"service":"http","classification":"port_7001_tcp","waf_score":3,"waf_tags":"[\u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/xyzzy123nonexistent","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205765624c6f676963205365727665722031342e312e312e300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2037390d0a0d0a3c68746d6c3e3c7469746c653e5765624c6f676963205365727665722043\u0022, \u0022emulator_response_len\u0022: 177, \u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00224a8e5f52654f8f3be11e8c18e174fffc7fcda19e\u0022, \u0022http_host_hash\u0022: \u00221e75f7b986cff91f40ab57cbc92b6aed66f05c5b\u0022, \u0022http_target_hash\u0022: \u00228806a414d8e20a12dd95049c6e3e79c9ccea0894\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 98, \u0022payload_entropy\u0022: 4.987849840467882, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 7001, \u0022risk_waf\u0022: 20.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 20.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 20.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u002214268ee52afd0b5291bd0e48cbec364c9992b576\u0022, \u0022event_fingerprint\u0022: \u002251441ea8a70fcd266b252ce238850ce0abeda9fa\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_7001_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.63, \u0022classification_confidence\u0022: 0.63, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022web_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002287da89131acc05cb861c80340d3d7610\u0022, \u0022payload_hash\u0022: \u0022be5405461ffcb810f2e4f29fc7b10c23\u0022, \u0022path_pattern_hash\u0022: \u00229065f39222d0eef25e94df9a5410440f\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 7001, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022GET \/xyzzy123nonexistent HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/xyzzy123nonexistent\u0022, \u0022user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022waf_tags\u0022: [\u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/xyzzy123nonexistent HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/xyzzy123nonexistent HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/xyzzy123nonexistent HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/xyzzy123nonexistent\u0022, \u0022user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022waf_tags\u0022: [\u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/xyzzy123nonexistent HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/xyzzy123nonexistent HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/xyzzy123nonexistent HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_7001_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f48bad24e156d0fccab1107cd0778daccd0d9e7b\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/xyzzy123nonexistent\u0022, \u0022request_line\u0022: \u0022GET \/xyzzy123nonexistent HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022port\u0022: 7001, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/xyzzy123nonexistent HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022attack_vector\u0022: \u0022port 7001 tcp \u00b7 via HTTP:7001 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/xyzzy123nonexistent\u0022, \u0022target_port_label\u0022: \u00227001 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 1 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_7001_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_7001_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 63, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 7001, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/xyzzy123nonexistent\u0022, \u0022request_line\u0022: \u0022GET \/xyzzy123nonexistent HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022port\u0022: 7001, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port 7001 tcp \u00b7 via HTTP:7001 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/xyzzy123nonexistent\u0022, \u0022evidence_snippet\u0022: \u0022GET \/xyzzy123nonexistent HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022target_port_label\u0022: \u00227001 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 1 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 63 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +8 \u00b7 1 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00227001\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022]}"},{"id":12725208,"ip":"187.15.133.194","ts":"2026-07-18 05:33:00.000000","proto":"tcp","src_port":9169,"dst_port":7001,"service":"http","classification":"port_7001_tcp","waf_score":9,"waf_tags":"[\u0022950468:nosqli-3\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/ws_utc\/begin.do","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205765624c6f676963205365727665722031342e312e312e300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2037390d0a0d0a3c68746d6c3e3c7469746c653e5765624c6f676963205365727665722043\u0022, \u0022emulator_response_len\u0022: 177, \u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022do\u0022, \u0022http_ua_hash\u0022: \u00224a8e5f52654f8f3be11e8c18e174fffc7fcda19e\u0022, \u0022http_host_hash\u0022: \u00221e75f7b986cff91f40ab57cbc92b6aed66f05c5b\u0022, \u0022http_target_hash\u0022: \u00227ed3cdd8446f34870607542f360362a65fec7572\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 94, \u0022payload_entropy\u0022: 4.997623863819755, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 7001, \u0022risk_waf\u0022: 44.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022a419f9b22cb076200ba2abb21428f0da50046c1f\u0022, \u0022event_fingerprint\u0022: \u0022b8aba1e86d022a3610704402f922686cdd3b018f\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_7001_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.63, \u0022classification_confidence\u0022: 0.63, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 40, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022web_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002287da89131acc05cb861c80340d3d7610\u0022, \u0022payload_hash\u0022: \u00227c3b4e862759d44b3d152bc6199bf2b5\u0022, \u0022path_pattern_hash\u0022: \u0022379831a3339bbfacffb13ab7c9588e0d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 7001, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022GET \/ws_utc\/begin.do HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/ws_utc\/begin.do\u0022, \u0022user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022waf_tags\u0022: [\u0022950468:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ws_utc\/begin.do HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ws_utc\/begin.do HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ws_utc\/begin.do HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/ws_utc\/begin.do\u0022, \u0022user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022waf_tags\u0022: [\u0022950468:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ws_utc\/begin.do HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ws_utc\/begin.do HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ws_utc\/begin.do HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_7001_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c593c255f5660b3a6ef9ccaea83f2664550a73e9\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/ws_utc\/begin.do\u0022, \u0022request_line\u0022: \u0022GET \/ws_utc\/begin.do HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022port\u0022: 7001, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ws_utc\/begin.do HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022attack_vector\u0022: \u0022port 7001 tcp \u00b7 via HTTP:7001 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/ws_utc\/begin.do\u0022, \u0022target_port_label\u0022: \u00227001 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_7001_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_7001_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 63, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 40, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 7001, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/ws_utc\/begin.do\u0022, \u0022request_line\u0022: \u0022GET \/ws_utc\/begin.do HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022port\u0022: 7001, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port 7001 tcp \u00b7 via HTTP:7001 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/ws_utc\/begin.do\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ws_utc\/begin.do HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022target_port_label\u0022: \u00227001 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 63 % \u2014 Score WAF 44 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00227001\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950468:nosqli-3\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022], \u0022behavior_alert_count\u0022: 2, \u0022behavior_priority\u0022: 72}"},{"id":12725207,"ip":"187.15.133.194","ts":"2026-07-18 05:32:58.000000","proto":"tcp","src_port":28862,"dst_port":7001,"service":"http","classification":"port_scan_syn","waf_score":9,"waf_tags":"[\u0022950468:nosqli-3\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/bea_wls_internal\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205765624c6f676963205365727665722031342e312e312e300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2037390d0a0d0a3c68746d6c3e3c7469746c653e5765624c6f676963205365727665722043\u0022, \u0022emulator_response_len\u0022: 177, \u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00224a8e5f52654f8f3be11e8c18e174fffc7fcda19e\u0022, \u0022http_host_hash\u0022: \u00221e75f7b986cff91f40ab57cbc92b6aed66f05c5b\u0022, \u0022http_target_hash\u0022: \u00226d299ba7710f14e2f9805c600e6fa48f4e3660e8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 96, \u0022payload_entropy\u0022: 5.013689689349748, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 7001, \u0022risk_waf\u0022: 44.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 43, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022a419f9b22cb076200ba2abb21428f0da50046c1f\u0022, \u0022event_fingerprint\u0022: \u0022aa30c89c7f87ba0daaa0b64c4c55c6fd479d3285\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 43, \u0022correlation_boost\u0022: 14}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002287da89131acc05cb861c80340d3d7610\u0022, \u0022payload_hash\u0022: \u0022b841073e3c3caa12ed3e56a1bf39cb8b\u0022, \u0022path_pattern_hash\u0022: \u0022717f23bb07baf9c07a18b2acf638d391\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 7001, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 43}, \u0022payload_preview\u0022: \u0022GET \/bea_wls_internal\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/bea_wls_internal\/\u0022, \u0022user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022waf_tags\u0022: [\u0022950468:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/bea_wls_internal\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/bea_wls_internal\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/bea_wls_internal\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/bea_wls_internal\/\u0022, \u0022user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022waf_tags\u0022: [\u0022950468:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/bea_wls_internal\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/bea_wls_internal\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/bea_wls_internal\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f3c7bdbe6b826f5f8d3ca64d0840dd6bced27985\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/bea_wls_internal\/\u0022, \u0022request_line\u0022: \u0022GET \/bea_wls_internal\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022port\u0022: 7001, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/bea_wls_internal\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:7001 \u00b7 (reconnaissance) \u00b7 \u2192 \/bea_wls_internal\/\u0022, \u0022target_port_label\u0022: \u00227001 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 43, \u0022correlation_boost\u0022: 14}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 43, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 7001, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +14\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/bea_wls_internal\/\u0022, \u0022request_line\u0022: \u0022GET \/bea_wls_internal\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022port\u0022: 7001, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:7001 \u00b7 (reconnaissance) \u00b7 \u2192 \/bea_wls_internal\/\u0022, \u0022evidence_snippet\u0022: \u0022GET \/bea_wls_internal\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022target_port_label\u0022: \u00227001 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 44 \u00b7 Bonus corr\u00e9lation +14 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00227001\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 7, \u0022port_scan_ports_sample\u0022: [81, 199, 548, 1720, 7001, 8080, 8888], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 14, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950468:nosqli-3\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022]}"},{"id":12725205,"ip":"187.15.133.194","ts":"2026-07-18 05:32:56.000000","proto":"tcp","src_port":22506,"dst_port":7001,"service":"http","classification":"port_scan_syn","waf_score":9,"waf_tags":"[\u0022950468:nosqli-3\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/_async\/AsyncResponseService","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205765624c6f676963205365727665722031342e312e312e300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2037390d0a0d0a3c68746d6c3e3c7469746c653e5765624c6f676963205365727665722043\u0022, \u0022emulator_response_len\u0022: 177, \u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00224a8e5f52654f8f3be11e8c18e174fffc7fcda19e\u0022, \u0022http_host_hash\u0022: \u00221e75f7b986cff91f40ab57cbc92b6aed66f05c5b\u0022, \u0022http_target_hash\u0022: \u00225f607796f47a9c4deebf8fbd05129012563f96fa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 106, \u0022payload_entropy\u0022: 5.02609206894104, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 7001, \u0022risk_waf\u0022: 44.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 43, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022a419f9b22cb076200ba2abb21428f0da50046c1f\u0022, \u0022event_fingerprint\u0022: \u0022b2624b0e4471fbbf800f6475da10222096755cc4\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0179\u0022], \u0022matched_pattern_names\u0022: [\u0022CVE-2019-2725 WebLogic CVE-2019-2725\u0022], \u0022pattern_ids\u0022: [\u0022pat-0179\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 43, \u0022correlation_boost\u0022: 14}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002287da89131acc05cb861c80340d3d7610\u0022, \u0022payload_hash\u0022: \u0022f46c83e962920586c0f27a7fc3db2558\u0022, \u0022path_pattern_hash\u0022: \u002201bc2c025b7f327650e4a8ec8490febd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 7001, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 43}, \u0022payload_preview\u0022: \u0022GET \/_async\/AsyncResponseService HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/_async\/AsyncResponseService\u0022, \u0022user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022waf_tags\u0022: [\u0022950468:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/_async\/AsyncResponseService HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/_async\/AsyncResponseService HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/_async\/AsyncResponseService HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/_async\/AsyncResponseService\u0022, \u0022user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022waf_tags\u0022: [\u0022950468:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/_async\/AsyncResponseService HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/_async\/AsyncResponseService HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/_async\/AsyncResponseService HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022bb765f4bafba41d20cfc6705facde5db73ecc7ca\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/_async\/AsyncResponseService\u0022, \u0022request_line\u0022: \u0022GET \/_async\/AsyncResponseService HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022port\u0022: 7001, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/_async\/AsyncResponseService HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:7001 \u00b7 (reconnaissance) \u00b7 \u2192 \/_async\/AsyncResponseService\u0022, \u0022target_port_label\u0022: \u00227001 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 43, \u0022correlation_boost\u0022: 14}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 43, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 7001, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +14\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/_async\/AsyncResponseService\u0022, \u0022request_line\u0022: \u0022GET \/_async\/AsyncResponseService HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022port\u0022: 7001, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:7001 \u00b7 (reconnaissance) \u00b7 \u2192 \/_async\/AsyncResponseService\u0022, \u0022evidence_snippet\u0022: \u0022GET \/_async\/AsyncResponseService HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022target_port_label\u0022: \u00227001 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 44 \u00b7 Bonus corr\u00e9lation +14 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00227001\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 13, \u0022port_scan_ports_sample\u0022: [81, 111, 135, 199, 445, 548, 1025, 1720, 1723, 6001, 7001, 8080, 8888], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 14, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950468:nosqli-3\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022]}"},{"id":12725202,"ip":"187.15.133.194","ts":"2026-07-18 05:32:55.000000","proto":"tcp","src_port":5112,"dst_port":7001,"service":"http","classification":"port_scan_syn","waf_score":9,"waf_tags":"[\u0022950468:nosqli-3\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/wls-wsat\/CoordinatorPortType","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205765624c6f676963205365727665722031342e312e312e300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2037390d0a0d0a3c68746d6c3e3c7469746c653e5765624c6f676963205365727665722043\u0022, \u0022emulator_response_len\u0022: 177, \u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00224a8e5f52654f8f3be11e8c18e174fffc7fcda19e\u0022, \u0022http_host_hash\u0022: \u00221e75f7b986cff91f40ab57cbc92b6aed66f05c5b\u0022, \u0022http_target_hash\u0022: \u002299e47b274371fad76141ed1627f3bcdf29dce19a\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 107, \u0022payload_entropy\u0022: 5.057474763414213, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 7001, \u0022risk_waf\u0022: 44.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 43, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u00229a13839e361d7a021b1792ac4f054c4cd3837a93\u0022, \u0022event_fingerprint\u0022: \u0022af8fe99e3af1262506b6c57904f48eff4e2bbd3c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0602\u0022], \u0022matched_pattern_names\u0022: [\u0022WebLogic wls-wsat\u0022], \u0022pattern_ids\u0022: [\u0022pat-0602\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 43, \u0022correlation_boost\u0022: 14}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002287da89131acc05cb861c80340d3d7610\u0022, \u0022payload_hash\u0022: \u0022888a0551366fdb0e2c778f40b89466b9\u0022, \u0022path_pattern_hash\u0022: \u002216111671401e187b64b702a8ecb56bdf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 7001, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 43}, \u0022payload_preview\u0022: \u0022GET \/wls-wsat\/CoordinatorPortType HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wls-wsat\/CoordinatorPortType\u0022, \u0022user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022waf_tags\u0022: [\u0022950468:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/wls-wsat\/CoordinatorPortType HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/wls-wsat\/CoordinatorPortType HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/wls-wsat\/CoordinatorPortType HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wls-wsat\/CoordinatorPortType\u0022, \u0022user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022waf_tags\u0022: [\u0022950468:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/wls-wsat\/CoordinatorPortType HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/wls-wsat\/CoordinatorPortType HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/wls-wsat\/CoordinatorPortType HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002238b506daea38c8c8cc5e3f2a3b9ec1ba9d7e25c6\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wls-wsat\/CoordinatorPortType\u0022, \u0022request_line\u0022: \u0022GET \/wls-wsat\/CoordinatorPortType HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022port\u0022: 7001, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/wls-wsat\/CoordinatorPortType HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:7001 \u00b7 (reconnaissance) \u00b7 \u2192 \/wls-wsat\/CoordinatorPortType\u0022, \u0022target_port_label\u0022: \u00227001 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 43, \u0022correlation_boost\u0022: 14}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 43, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 7001, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +14\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wls-wsat\/CoordinatorPortType\u0022, \u0022request_line\u0022: \u0022GET \/wls-wsat\/CoordinatorPortType HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022port\u0022: 7001, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:7001 \u00b7 (reconnaissance) \u00b7 \u2192 \/wls-wsat\/CoordinatorPortType\u0022, \u0022evidence_snippet\u0022: \u0022GET \/wls-wsat\/CoordinatorPortType HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022target_port_label\u0022: \u00227001 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 44 \u00b7 Bonus corr\u00e9lation +14 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00227001\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 13, \u0022port_scan_ports_sample\u0022: [81, 111, 135, 199, 445, 548, 1025, 1720, 1723, 6001, 7001, 8080, 8888], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 14, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950468:nosqli-3\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_probe_weblogic_wls\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022]}"},{"id":12725201,"ip":"187.15.133.194","ts":"2026-07-18 05:32:53.000000","proto":"tcp","src_port":11142,"dst_port":7001,"service":"http","classification":"port_scan_syn","waf_score":9,"waf_tags":"[\u0022950468:nosqli-3\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/console\/login\/LoginForm.jsp","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205765624c6f676963205365727665722031342e312e312e300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2037390d0a0d0a3c68746d6c3e3c7469746c653e5765624c6f676963205365727665722043\u0022, \u0022emulator_response_len\u0022: 177, \u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022jsp\u0022, \u0022http_ua_hash\u0022: \u00224a8e5f52654f8f3be11e8c18e174fffc7fcda19e\u0022, \u0022http_host_hash\u0022: \u00221e75f7b986cff91f40ab57cbc92b6aed66f05c5b\u0022, \u0022http_target_hash\u0022: \u00225888115b723eebf74cff3715c1e79014c6b93e9b\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 106, \u0022payload_entropy\u0022: 5.010663087588212, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 7001, \u0022risk_waf\u0022: 44.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 43, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u00224e98a8ef52d488da384c3ec1b2d457267347ffcc\u0022, \u0022event_fingerprint\u0022: \u00220bcd546adc3e0517be88d49a165ab6f8019f83ae\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0857\u0022, \u0022pat-0601\u0022, \u0022pat-0741\u0022, \u0022pat-0248\u0022], \u0022matched_pattern_names\u0022: [\u0022ET WebLogic console\u0022, \u0022WebLogic console path\u0022, \u0022WebLogic cluster\u0022, \u0022Probe \/console\/\u0022], \u0022pattern_ids\u0022: [\u0022pat-0857\u0022, \u0022pat-0601\u0022, \u0022pat-0741\u0022, \u0022pat-0248\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 43, \u0022correlation_boost\u0022: 14}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002287da89131acc05cb861c80340d3d7610\u0022, \u0022payload_hash\u0022: \u002235dc329ce3f6aab88c2a34aa8b61dbcc\u0022, \u0022path_pattern_hash\u0022: \u0022787be5555f9e6e61f95410bb9176809f\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 7001, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 43}, \u0022payload_preview\u0022: \u0022GET \/console\/login\/LoginForm.jsp HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/console\/login\/LoginForm.jsp\u0022, \u0022user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022waf_tags\u0022: [\u0022950468:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/console\/login\/LoginForm.jsp HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/console\/login\/LoginForm.jsp HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/console\/login\/LoginForm.jsp HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/console\/login\/LoginForm.jsp\u0022, \u0022user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022waf_tags\u0022: [\u0022950468:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/console\/login\/LoginForm.jsp HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/console\/login\/LoginForm.jsp HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/console\/login\/LoginForm.jsp HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a249b8ed14ccb256413b17575441962a63d85092\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/console\/login\/LoginForm.jsp\u0022, \u0022request_line\u0022: \u0022GET \/console\/login\/LoginForm.jsp HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022port\u0022: 7001, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/console\/login\/LoginForm.jsp HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:7001 \u00b7 (reconnaissance) \u00b7 \u2192 \/console\/login\/LoginForm.jsp\u0022, \u0022target_port_label\u0022: \u00227001 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 43, \u0022correlation_boost\u0022: 14}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 43, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 7001, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +14\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/console\/login\/LoginForm.jsp\u0022, \u0022request_line\u0022: \u0022GET \/console\/login\/LoginForm.jsp HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022port\u0022: 7001, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:7001 \u00b7 (reconnaissance) \u00b7 \u2192 \/console\/login\/LoginForm.jsp\u0022, \u0022evidence_snippet\u0022: \u0022GET \/console\/login\/LoginForm.jsp HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022target_port_label\u0022: \u00227001 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 44 \u00b7 Bonus corr\u00e9lation +14 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00227001\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 13, \u0022port_scan_ports_sample\u0022: [81, 111, 135, 199, 445, 548, 1025, 1720, 1723, 6001, 7001, 8080, 8888], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 14, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950468:nosqli-3\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_probe_console\u0022, \u0022http_sensitive_path\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 84}"},{"id":12725198,"ip":"187.15.133.194","ts":"2026-07-18 05:32:52.000000","proto":"tcp","src_port":26709,"dst_port":7001,"service":"http","classification":"port_scan_syn","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205765624c6f676963205365727665722031342e312e312e300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2037390d0a0d0a3c68746d6c3e3c7469746c653e5765624c6f676963205365727665722043\u0022, \u0022emulator_response_len\u0022: 177, \u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00224a8e5f52654f8f3be11e8c18e174fffc7fcda19e\u0022, \u0022http_host_hash\u0022: \u00221e75f7b986cff91f40ab57cbc92b6aed66f05c5b\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 79, \u0022payload_entropy\u0022: 4.808677786930841, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 7001, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u002276a34fae6cdf27dbce726d0e01d7bb35bd87f3e8\u0022, \u0022event_fingerprint\u0022: \u0022376abaf7e39dc177b1f8bb2aae32add1c2ac03cc\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 14}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002287da89131acc05cb861c80340d3d7610\u0022, \u0022payload_hash\u0022: \u0022b393ba726e0e8ede8aeb3584978e4511\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 7001, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002276b3b090baa789989050428a498b948633c9c222\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022port\u0022: 7001, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:7001 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00227001 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 14}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 7001, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +14\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022port\u0022: 7001, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:7001 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022target_port_label\u0022: \u00227001 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +14 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00227001\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 13, \u0022port_scan_ports_sample\u0022: [81, 111, 135, 199, 445, 548, 1025, 1720, 1723, 6001, 7001, 8080, 8888], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 14, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022]}"},{"id":12725170,"ip":"187.15.133.194","ts":"2026-07-18 05:32:26.000000","proto":"tcp","src_port":23751,"dst_port":7001,"service":"http","classification":"port_scan_syn","waf_score":9,"waf_tags":"[\u0022950468:nosqli-3\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/_async\/AsyncResponseService","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205765624c6f676963205365727665722031342e312e312e300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2037390d0a0d0a3c68746d6c3e3c7469746c653e5765624c6f676963205365727665722043\u0022, \u0022emulator_response_len\u0022: 177, \u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00224a8e5f52654f8f3be11e8c18e174fffc7fcda19e\u0022, \u0022http_host_hash\u0022: \u00221e75f7b986cff91f40ab57cbc92b6aed66f05c5b\u0022, \u0022http_target_hash\u0022: \u00225f607796f47a9c4deebf8fbd05129012563f96fa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 106, \u0022payload_entropy\u0022: 5.02609206894104, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 7001, \u0022risk_waf\u0022: 44.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 43, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022a419f9b22cb076200ba2abb21428f0da50046c1f\u0022, \u0022event_fingerprint\u0022: \u0022b2624b0e4471fbbf800f6475da10222096755cc4\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0179\u0022], \u0022matched_pattern_names\u0022: [\u0022CVE-2019-2725 WebLogic CVE-2019-2725\u0022], \u0022pattern_ids\u0022: [\u0022pat-0179\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 43, \u0022correlation_boost\u0022: 14}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002287da89131acc05cb861c80340d3d7610\u0022, \u0022payload_hash\u0022: \u0022f46c83e962920586c0f27a7fc3db2558\u0022, \u0022path_pattern_hash\u0022: \u002201bc2c025b7f327650e4a8ec8490febd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 7001, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 43}, \u0022payload_preview\u0022: \u0022GET \/_async\/AsyncResponseService HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/_async\/AsyncResponseService\u0022, \u0022user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022waf_tags\u0022: [\u0022950468:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/_async\/AsyncResponseService HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/_async\/AsyncResponseService HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/_async\/AsyncResponseService HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/_async\/AsyncResponseService\u0022, \u0022user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022waf_tags\u0022: [\u0022950468:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/_async\/AsyncResponseService HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/_async\/AsyncResponseService HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/_async\/AsyncResponseService HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022bb765f4bafba41d20cfc6705facde5db73ecc7ca\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/_async\/AsyncResponseService\u0022, \u0022request_line\u0022: \u0022GET \/_async\/AsyncResponseService HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022port\u0022: 7001, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/_async\/AsyncResponseService HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:7001 \u00b7 (reconnaissance) \u00b7 \u2192 \/_async\/AsyncResponseService\u0022, \u0022target_port_label\u0022: \u00227001 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 43, \u0022correlation_boost\u0022: 14}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 43, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 7001, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +14\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/_async\/AsyncResponseService\u0022, \u0022request_line\u0022: \u0022GET \/_async\/AsyncResponseService HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022port\u0022: 7001, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:7001 \u00b7 (reconnaissance) \u00b7 \u2192 \/_async\/AsyncResponseService\u0022, \u0022evidence_snippet\u0022: \u0022GET \/_async\/AsyncResponseService HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022target_port_label\u0022: \u00227001 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 44 \u00b7 Bonus corr\u00e9lation +14 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00227001\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 13, \u0022port_scan_ports_sample\u0022: [81, 111, 135, 199, 445, 548, 1025, 1720, 1723, 6001, 7001, 8080, 8888], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 14, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950468:nosqli-3\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022]}"},{"id":12725169,"ip":"187.15.133.194","ts":"2026-07-18 05:32:25.000000","proto":"tcp","src_port":8584,"dst_port":7001,"service":"http","classification":"port_scan_syn","waf_score":9,"waf_tags":"[\u0022950468:nosqli-3\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/wls-wsat\/CoordinatorPortType","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205765624c6f676963205365727665722031342e312e312e300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2037390d0a0d0a3c68746d6c3e3c7469746c653e5765624c6f676963205365727665722043\u0022, \u0022emulator_response_len\u0022: 177, \u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00224a8e5f52654f8f3be11e8c18e174fffc7fcda19e\u0022, \u0022http_host_hash\u0022: \u00221e75f7b986cff91f40ab57cbc92b6aed66f05c5b\u0022, \u0022http_target_hash\u0022: \u002299e47b274371fad76141ed1627f3bcdf29dce19a\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 107, \u0022payload_entropy\u0022: 5.057474763414213, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 7001, \u0022risk_waf\u0022: 44.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 43, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u00229a13839e361d7a021b1792ac4f054c4cd3837a93\u0022, \u0022event_fingerprint\u0022: \u0022af8fe99e3af1262506b6c57904f48eff4e2bbd3c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0602\u0022], \u0022matched_pattern_names\u0022: [\u0022WebLogic wls-wsat\u0022], \u0022pattern_ids\u0022: [\u0022pat-0602\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 43, \u0022correlation_boost\u0022: 14}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002287da89131acc05cb861c80340d3d7610\u0022, \u0022payload_hash\u0022: \u0022888a0551366fdb0e2c778f40b89466b9\u0022, \u0022path_pattern_hash\u0022: \u002216111671401e187b64b702a8ecb56bdf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 7001, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 43}, \u0022payload_preview\u0022: \u0022GET \/wls-wsat\/CoordinatorPortType HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wls-wsat\/CoordinatorPortType\u0022, \u0022user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022waf_tags\u0022: [\u0022950468:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/wls-wsat\/CoordinatorPortType HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/wls-wsat\/CoordinatorPortType HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/wls-wsat\/CoordinatorPortType HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wls-wsat\/CoordinatorPortType\u0022, \u0022user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022waf_tags\u0022: [\u0022950468:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/wls-wsat\/CoordinatorPortType HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/wls-wsat\/CoordinatorPortType HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/wls-wsat\/CoordinatorPortType HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002238b506daea38c8c8cc5e3f2a3b9ec1ba9d7e25c6\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wls-wsat\/CoordinatorPortType\u0022, \u0022request_line\u0022: \u0022GET \/wls-wsat\/CoordinatorPortType HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022port\u0022: 7001, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/wls-wsat\/CoordinatorPortType HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:7001 \u00b7 (reconnaissance) \u00b7 \u2192 \/wls-wsat\/CoordinatorPortType\u0022, \u0022target_port_label\u0022: \u00227001 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 43, \u0022correlation_boost\u0022: 14}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 43, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 7001, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +14\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wls-wsat\/CoordinatorPortType\u0022, \u0022request_line\u0022: \u0022GET \/wls-wsat\/CoordinatorPortType HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022port\u0022: 7001, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:7001 \u00b7 (reconnaissance) \u00b7 \u2192 \/wls-wsat\/CoordinatorPortType\u0022, \u0022evidence_snippet\u0022: \u0022GET \/wls-wsat\/CoordinatorPortType HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022target_port_label\u0022: \u00227001 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 44 \u00b7 Bonus corr\u00e9lation +14 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00227001\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 13, \u0022port_scan_ports_sample\u0022: [81, 111, 135, 199, 445, 548, 1025, 1720, 1723, 6001, 7001, 8080, 8888], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 14, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950468:nosqli-3\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_probe_weblogic_wls\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022]}"},{"id":12725168,"ip":"187.15.133.194","ts":"2026-07-18 05:32:24.000000","proto":"tcp","src_port":25430,"dst_port":7001,"service":"http","classification":"port_scan_syn","waf_score":9,"waf_tags":"[\u0022950468:nosqli-3\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/console\/login\/LoginForm.jsp","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205765624c6f676963205365727665722031342e312e312e300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2037390d0a0d0a3c68746d6c3e3c7469746c653e5765624c6f676963205365727665722043\u0022, \u0022emulator_response_len\u0022: 177, \u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022jsp\u0022, \u0022http_ua_hash\u0022: \u00224a8e5f52654f8f3be11e8c18e174fffc7fcda19e\u0022, \u0022http_host_hash\u0022: \u00221e75f7b986cff91f40ab57cbc92b6aed66f05c5b\u0022, \u0022http_target_hash\u0022: \u00225888115b723eebf74cff3715c1e79014c6b93e9b\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 106, \u0022payload_entropy\u0022: 5.010663087588212, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 7001, \u0022risk_waf\u0022: 44.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 43, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u00224e98a8ef52d488da384c3ec1b2d457267347ffcc\u0022, \u0022event_fingerprint\u0022: \u00220bcd546adc3e0517be88d49a165ab6f8019f83ae\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0857\u0022, \u0022pat-0601\u0022, \u0022pat-0741\u0022, \u0022pat-0248\u0022], \u0022matched_pattern_names\u0022: [\u0022ET WebLogic console\u0022, \u0022WebLogic console path\u0022, \u0022WebLogic cluster\u0022, \u0022Probe \/console\/\u0022], \u0022pattern_ids\u0022: [\u0022pat-0857\u0022, \u0022pat-0601\u0022, \u0022pat-0741\u0022, \u0022pat-0248\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 43, \u0022correlation_boost\u0022: 14}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002287da89131acc05cb861c80340d3d7610\u0022, \u0022payload_hash\u0022: \u002235dc329ce3f6aab88c2a34aa8b61dbcc\u0022, \u0022path_pattern_hash\u0022: \u0022787be5555f9e6e61f95410bb9176809f\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 7001, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 43}, \u0022payload_preview\u0022: \u0022GET \/console\/login\/LoginForm.jsp HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/console\/login\/LoginForm.jsp\u0022, \u0022user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022waf_tags\u0022: [\u0022950468:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/console\/login\/LoginForm.jsp HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/console\/login\/LoginForm.jsp HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/console\/login\/LoginForm.jsp HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/console\/login\/LoginForm.jsp\u0022, \u0022user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022waf_tags\u0022: [\u0022950468:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/console\/login\/LoginForm.jsp HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/console\/login\/LoginForm.jsp HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/console\/login\/LoginForm.jsp HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a249b8ed14ccb256413b17575441962a63d85092\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/console\/login\/LoginForm.jsp\u0022, \u0022request_line\u0022: \u0022GET \/console\/login\/LoginForm.jsp HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022port\u0022: 7001, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/console\/login\/LoginForm.jsp HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:7001 \u00b7 (reconnaissance) \u00b7 \u2192 \/console\/login\/LoginForm.jsp\u0022, \u0022target_port_label\u0022: \u00227001 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 43, \u0022correlation_boost\u0022: 14}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 43, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 7001, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +14\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/console\/login\/LoginForm.jsp\u0022, \u0022request_line\u0022: \u0022GET \/console\/login\/LoginForm.jsp HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022curl\/8.18.0\u0022, \u0022port\u0022: 7001, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:7001 \u00b7 (reconnaissance) \u00b7 \u2192 \/console\/login\/LoginForm.jsp\u0022, \u0022evidence_snippet\u0022: \u0022GET \/console\/login\/LoginForm.jsp HTTP\/1.1\\r\\nHost: 62.3.50.33:7001\\r\\nUser-Agent: curl\/8.18.0\\r\\nAccept: *\/*\u0022, \u0022target_port_label\u0022: \u00227001 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 44 \u00b7 Bonus corr\u00e9lation +14 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00227001\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 13, \u0022port_scan_ports_sample\u0022: [81, 111, 135, 199, 445, 548, 1025, 1720, 1723, 6001, 7001, 8080, 8888], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 14, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950468:nosqli-3\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_probe_console\u0022, \u0022http_sensitive_path\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 84}"},{"id":12725141,"ip":"187.15.133.194","ts":"2026-07-18 05:31:59.000000","proto":"tcp","src_port":47782,"dst_port":8080,"service":"http","classification":"port_scan_syn","waf_score":3,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 81, \u0022http_header_count\u0022: 1, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00225274ee84a9e8dfce0649a29ab6b87e779a782ba8\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 67, \u0022payload_entropy\u0022: 4.654964750995319, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 20.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221952973b298753bacd8311ca7b61685d03229984\u0022, \u0022event_fingerprint\u0022: \u00221a73e52fcb0af206bdd873fdc276f059b19b837a\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 318, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 18}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f0c81ef5d77cdb942048fd9a9bbc6e7f\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002284de652504b56efe8de0bfc43206a7087f4f121c\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 1 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 18}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +18\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 1 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +18 \u00b7 1 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 25, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 81, 110, 111, 135, 143, 199, 445, 465, 548, 587, 993, 995, 1025], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 12, \u0022scan_velocity_ports_per_s\u0022: 2.44, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 18, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022http_no_ua\u0022, \u0022net_port_scan_fast\u0022]}"},{"id":12725142,"ip":"187.15.133.194","ts":"2026-07-18 05:31:59.000000","proto":"tcp","src_port":7434,"dst_port":81,"service":"http","classification":"port_scan_syn","waf_score":3,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 1, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00225274ee84a9e8dfce0649a29ab6b87e779a782ba8\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 67, \u0022payload_entropy\u0022: 4.654964750995319, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 20.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c19c2f4ff3fb5468d74dc878620d95d99e047516\u0022, \u0022event_fingerprint\u0022: \u002271966f4e7329013dca27ba512562d6a0d100c0ea\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 318, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 18}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f0c81ef5d77cdb942048fd9a9bbc6e7f\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002246b6c21bb6aee72c13bc42816e7f90e0cf302d87\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:81 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 1 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 18}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +18\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:81 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 1 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +18 \u00b7 1 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 25, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 81, 110, 111, 135, 143, 199, 445, 465, 548, 587, 993, 995, 1025], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 12, \u0022scan_velocity_ports_per_s\u0022: 2.43, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 18, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022http_no_ua\u0022, \u0022net_port_scan_fast\u0022]}"},{"id":12725143,"ip":"187.15.133.194","ts":"2026-07-18 05:31:59.000000","proto":"tcp","src_port":13606,"dst_port":199,"service":"http","classification":"port_scan_syn","waf_score":3,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 1, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00225274ee84a9e8dfce0649a29ab6b87e779a782ba8\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 67, \u0022payload_entropy\u0022: 4.654964750995319, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 199, \u0022risk_waf\u0022: 20.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c781537e1814856434ff01b22fc1bf0d1bfdd354\u0022, \u0022event_fingerprint\u0022: \u00229521c9a82939c8d82a6e4de472d0fd6bf9c73e00\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 318, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 18}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f0c81ef5d77cdb942048fd9a9bbc6e7f\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 199, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002220e6426ae637e7c591c90879da91347736fdb32b\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 199, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:199 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u0022199 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 1 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 18}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 199, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +18\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 199, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:199 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net\u0022, \u0022target_port_label\u0022: \u0022199 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 1 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +18 \u00b7 1 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022199\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 25, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 81, 110, 111, 135, 143, 199, 445, 465, 548, 587, 993, 995, 1025], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 12, \u0022scan_velocity_ports_per_s\u0022: 2.41, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 18, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022http_no_ua\u0022, \u0022net_port_scan_fast\u0022]}"},{"id":12725144,"ip":"187.15.133.194","ts":"2026-07-18 05:31:59.000000","proto":"tcp","src_port":51464,"dst_port":1720,"service":"http","classification":"port_scan_syn","waf_score":3,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 1, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00225274ee84a9e8dfce0649a29ab6b87e779a782ba8\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 67, \u0022payload_entropy\u0022: 4.654964750995319, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 1720, \u0022risk_waf\u0022: 20.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00223508f737fa4edc0eec52a0cfb4a57e74dd00d0de\u0022, \u0022event_fingerprint\u0022: \u0022ea58eea66a22312e866acfe278d640d1f8aac7f7\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 318, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 18}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f0c81ef5d77cdb942048fd9a9bbc6e7f\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1720, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002283b076089514a0046d7cf20908a486188cf009df\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 1720, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:1720 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00221720 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 1 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 18}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 1720, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +18\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 1720, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:1720 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net\u0022, \u0022target_port_label\u0022: \u00221720 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 1 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +18 \u00b7 1 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221720\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 25, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 81, 110, 111, 135, 143, 199, 445, 465, 548, 587, 993, 995, 1025], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 12, \u0022scan_velocity_ports_per_s\u0022: 2.41, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 18, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022http_no_ua\u0022, \u0022net_port_scan_fast\u0022]}"},{"id":12725145,"ip":"187.15.133.194","ts":"2026-07-18 05:31:59.000000","proto":"tcp","src_port":4015,"dst_port":8888,"service":"http","classification":"port_scan_syn","waf_score":3,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 1, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00225274ee84a9e8dfce0649a29ab6b87e779a782ba8\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 67, \u0022payload_entropy\u0022: 4.654964750995319, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 8888, \u0022risk_waf\u0022: 20.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002205c58c5f19ad288de9a49d67ac759a6d356e63bd\u0022, \u0022event_fingerprint\u0022: \u002280f2aa9a52b555c26e5706a111edbf5b4c7d378f\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 318, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0599\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP alt 8888 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0599\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 18}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f0c81ef5d77cdb942048fd9a9bbc6e7f\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8888, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022345b9906e5780ebe962dc35e5942256a3e5435ac\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 8888, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8888 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00228888 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 1 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 18}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8888, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +18\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 8888, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8888 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net\u0022, \u0022target_port_label\u0022: \u00228888 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 1 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +18 \u00b7 1 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228888\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 25, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 81, 110, 111, 135, 143, 199, 445, 465, 548, 587, 993, 995, 1025], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 12, \u0022scan_velocity_ports_per_s\u0022: 2.4, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 18, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022http_no_ua\u0022, \u0022net_port_scan_fast\u0022]}"},{"id":12725130,"ip":"187.15.133.194","ts":"2026-07-18 05:31:58.000000","proto":"tcp","src_port":640,"dst_port":111,"service":"rpcbind","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f742072706362696e6420726561647920706f72743d3131310d0a\u0022, \u0022emulator_response_len\u0022: 37, \u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 2.0057587693095926, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022rpcbind\u0022, \u0022app_proto\u0022: \u0022rpcbind\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 111, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c50df51aaaad5615ff8caf0e3d21c01c0efe7c05\u0022, \u0022event_fingerprint\u0022: \u0022cc6a30f113f8d9e6ef56552018adfd04a41a77dc\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0532\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022NFS RPC mount\u0022, \u0022Mumble ping\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0532\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 18}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rpcbind\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ef119654acaa9ddd31bb6b11d557d787\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 111, \u0022service\u0022: \u0022rpcbind\u0022, \u0022service_name\u0022: \u0022rpcbind\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(\\u0003R\ufffd\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0001\ufffd35\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000(\\u0003R\ufffd\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0001\ufffd35\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000(\\u0003R\ufffd\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0001\ufffd35\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000(\\u0003R\ufffd\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0001\ufffd35\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000(\\u0003R\ufffd\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0001\ufffd35\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222156d45a0666edd6fb36d667eb6175f5c54b36b7\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(\\u0003R\ufffd\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0001\ufffd35\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 111, \u0022service\u0022: \u0022rpcbind\u0022, \u0022service_label_fr\u0022: \u0022RPCBIND\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd(R\ufffd\ufffd\ufffd\ufffd35\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via RPCBIND:111 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u0022111 \u00b7 RPCBIND\u0022, \u0022emulator_service\u0022: \u0022rpcbind\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via RPCBIND \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 18}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rpcbind\u0022, \u0022service_label_fr\u0022: \u0022RPCBIND\u0022, \u0022dst_port\u0022: 111, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rpcbind\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +18\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(\\u0003R\ufffd\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0001\ufffd35\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 111, \u0022service\u0022: \u0022rpcbind\u0022, \u0022service_label_fr\u0022: \u0022RPCBIND\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via RPCBIND:111 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd(R\ufffd\ufffd\ufffd\ufffd35\u0022, \u0022target_port_label\u0022: \u0022111 \u00b7 RPCBIND\u0022, \u0022emulator_service\u0022: \u0022rpcbind\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rpcbind\u0022, \u0022service_banner\u0022: \u0022honeypot-rpcbind\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022111\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 25, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 81, 110, 111, 135, 143, 199, 445, 465, 548, 587, 993, 995, 1025], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 8, \u0022scan_velocity_ports_per_s\u0022: 1.61, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 18, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_mongodb_probe\u0022]}"},{"id":12725131,"ip":"187.15.133.194","ts":"2026-07-18 05:31:58.000000","proto":"tcp","src_port":779,"dst_port":111,"service":"rpcbind","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f742072706362696e6420726561647920706f72743d3131310d0a\u0022, \u0022emulator_response_len\u0022: 37, \u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 2.1138243943587627, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022rpcbind\u0022, \u0022app_proto\u0022: \u0022rpcbind\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 111, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c50df51aaaad5615ff8caf0e3d21c01c0efe7c05\u0022, \u0022event_fingerprint\u0022: \u0022cc6a30f113f8d9e6ef56552018adfd04a41a77dc\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0532\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022NFS RPC mount\u0022, \u0022Mumble ping\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0532\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 18}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rpcbind\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022249ed8eee1c2bca431337b23f0da8bfd\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 111, \u0022service\u0022: \u0022rpcbind\u0022, \u0022service_name\u0022: \u0022rpcbind\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(\\u0006Z\ufffd\\u001a\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0004\ufffdN\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000(\\u0006Z\ufffd\\u001a\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0004\ufffdN\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000(\\u0006Z\ufffd\\u001a\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0004\ufffdN\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000(\\u0006Z\ufffd\\u001a\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0004\ufffdN\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000(\\u0006Z\ufffd\\u001a\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0004\ufffdN\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002215e4e1254e0a33f372d2e63a24f0933b6ff039cd\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(\\u0006Z\ufffd\\u001a\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0004\ufffdN\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 111, \u0022service\u0022: \u0022rpcbind\u0022, \u0022service_label_fr\u0022: \u0022RPCBIND\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd(Z\ufffd\ufffd\ufffd\ufffdN\ufffd\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via RPCBIND:111 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u0022111 \u00b7 RPCBIND\u0022, \u0022emulator_service\u0022: \u0022rpcbind\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via RPCBIND \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 18}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rpcbind\u0022, \u0022service_label_fr\u0022: \u0022RPCBIND\u0022, \u0022dst_port\u0022: 111, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rpcbind\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +18\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(\\u0006Z\ufffd\\u001a\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0004\ufffdN\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 111, \u0022service\u0022: \u0022rpcbind\u0022, \u0022service_label_fr\u0022: \u0022RPCBIND\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via RPCBIND:111 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd(Z\ufffd\ufffd\ufffd\ufffdN\ufffd\u0022, \u0022target_port_label\u0022: \u0022111 \u00b7 RPCBIND\u0022, \u0022emulator_service\u0022: \u0022rpcbind\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rpcbind\u0022, \u0022service_banner\u0022: \u0022honeypot-rpcbind\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022111\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 25, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 81, 110, 111, 135, 143, 199, 445, 465, 548, 587, 993, 995, 1025], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 8, \u0022scan_velocity_ports_per_s\u0022: 1.61, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 18, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_mongodb_probe\u0022]}"},{"id":12725132,"ip":"187.15.133.194","ts":"2026-07-18 05:31:58.000000","proto":"tcp","src_port":1000,"dst_port":1025,"service":"teradata","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00220000000c0000000000000000\u0022, \u0022emulator_response_len\u0022: 12, \u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.630681483663912, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022teradata\u0022, \u0022app_proto\u0022: \u0022teradata\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 1025, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ce63e0435125cbad53c3ad478c4501690cfa39b6\u0022, \u0022event_fingerprint\u0022: \u0022a85579a7a3e45f06afb902a019cc7327fde3a2f5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0532\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022NFS RPC mount\u0022, \u0022Mumble ping\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0532\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 18}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022teradata\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ccb74f2b059a88995e2c13f370275514\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1025, \u0022service\u0022: \u0022teradata\u0022, \u0022service_name\u0022: \u0022teradata\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(F\ufffd2\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000(F\ufffd2\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000(F\ufffd2\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000(F\ufffd2\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000(F\ufffd2\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221127b4cfd5b233b814de9108208e6f515e42b6dd\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(F\ufffd2\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 1025, \u0022service\u0022: \u0022teradata\u0022, \u0022service_label_fr\u0022: \u0022TERADATA\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd(F\ufffd2\ufffd\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via TERADATA:1025 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00221025 \u00b7 TERADATA\u0022, \u0022emulator_service\u0022: \u0022teradata\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TERADATA \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 18}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022teradata\u0022, \u0022service_label_fr\u0022: \u0022TERADATA\u0022, \u0022dst_port\u0022: 1025, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-teradata\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +18\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(F\ufffd2\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 1025, \u0022service\u0022: \u0022teradata\u0022, \u0022service_label_fr\u0022: \u0022TERADATA\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via TERADATA:1025 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd(F\ufffd2\ufffd\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00221025 \u00b7 TERADATA\u0022, \u0022emulator_service\u0022: \u0022teradata\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022teradata\u0022, \u0022service_banner\u0022: \u0022honeypot-teradata\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221025\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 25, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 81, 110, 111, 135, 143, 199, 445, 465, 548, 587, 993, 995, 1025], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 9, \u0022scan_velocity_ports_per_s\u0022: 1.81, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 18, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_teradata_probe\u0022, \u0022teradata_emulated\u0022, \u0022teradata_payload\u0022]}"},{"id":12725133,"ip":"187.15.133.194","ts":"2026-07-18 05:31:58.000000","proto":"tcp","src_port":745,"dst_port":445,"service":"smb","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002200000048\u0022, \u0022emulator_response_len\u0022: 4, \u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.630681483663912, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022smb\u0022, \u0022app_proto\u0022: \u0022smb\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 445, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224560951323ba5b3a6a7907c70c916357c8828769\u0022, \u0022event_fingerprint\u0022: \u0022c2dcd725f3d49cc7233ad16d1772dcd2f3d0439d\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0532\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022NFS RPC mount\u0022, \u0022Mumble ping\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0532\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 18}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022smb\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c6d8648da51e54bedd26a884173e55eb\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 445, \u0022service\u0022: \u0022smb\u0022, \u0022service_name\u0022: \u0022smb\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(:\\u0016\ufffd@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000(:\\u0016\ufffd@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000(:\\u0016\ufffd@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000(:\\u0016\ufffd@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000(:\\u0016\ufffd@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022af1c062d0c0a5ded6ceac4080002ec9731e3af4e\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(:\\u0016\ufffd@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 445, \u0022service\u0022: \u0022smb\u0022, \u0022service_label_fr\u0022: \u0022SMB\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd(:\ufffd@\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via SMB:445 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u0022445 \u00b7 SMB\u0022, \u0022emulator_service\u0022: \u0022smb\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SMB \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 18}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022smb\u0022, \u0022service_label_fr\u0022: \u0022SMB\u0022, \u0022dst_port\u0022: 445, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-smb\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +18\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(:\\u0016\ufffd@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 445, \u0022service\u0022: \u0022smb\u0022, \u0022service_label_fr\u0022: \u0022SMB\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via SMB:445 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd(:\ufffd@\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u0022445 \u00b7 SMB\u0022, \u0022emulator_service\u0022: \u0022smb\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022smb\u0022, \u0022service_banner\u0022: \u0022honeypot-smb\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022445\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 25, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 81, 110, 111, 135, 143, 199, 445, 465, 548, 587, 993, 995, 1025], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 10, \u0022scan_velocity_ports_per_s\u0022: 2.01, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 18, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_bruteforce\u0022, \u0022net_smb_probe\u0022, \u0022smb_emulated\u0022]}"},{"id":12725134,"ip":"187.15.133.194","ts":"2026-07-18 05:31:58.000000","proto":"tcp","src_port":915,"dst_port":6001,"service":"x11","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f742078313120726561647920706f72743d363030310d0a\u0022, \u0022emulator_response_len\u0022: 34, \u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.630681483663912, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022x11\u0022, \u0022app_proto\u0022: \u0022x11\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 6001, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224a57156e8ef1463662de16921041f4d7cce03333\u0022, \u0022event_fingerprint\u0022: \u002268d1dd076fb0197faf30ecf6b04beb0759fee0bb\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0532\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022NFS RPC mount\u0022, \u0022Mumble ping\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0532\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 18}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022x11\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f3836379654812e48b25d82c62ad3f2f\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6001, \u0022service\u0022: \u0022x11\u0022, \u0022service_name\u0022: \u0022x11\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000( J\\\\\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000( J\\\\\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000( J\\\\\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000( J\\\\\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000( J\\\\\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220a8b17a098ebd49baedb9fb850e9ada3f748f39f\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000( J\\\\\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 6001, \u0022service\u0022: \u0022x11\u0022, \u0022service_label_fr\u0022: \u0022X11\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd( J\\\\\ufffd\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via X11:6001 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00226001 \u00b7 X11\u0022, \u0022emulator_service\u0022: \u0022x11\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via X11 \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 18}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022x11\u0022, \u0022service_label_fr\u0022: \u0022X11\u0022, \u0022dst_port\u0022: 6001, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-x11\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +18\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000( J\\\\\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 6001, \u0022service\u0022: \u0022x11\u0022, \u0022service_label_fr\u0022: \u0022X11\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via X11:6001 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd( J\\\\\ufffd\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00226001 \u00b7 X11\u0022, \u0022emulator_service\u0022: \u0022x11\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022x11\u0022, \u0022service_banner\u0022: \u0022honeypot-x11\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226001\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 25, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 81, 110, 111, 135, 143, 199, 445, 465, 548, 587, 993, 995, 1025], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 11, \u0022scan_velocity_ports_per_s\u0022: 2.21, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 18, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_mongodb_probe\u0022]}"},{"id":12725135,"ip":"187.15.133.194","ts":"2026-07-18 05:31:58.000000","proto":"tcp","src_port":786,"dst_port":135,"service":"msrpc","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a\u0022, \u0022emulator_response_len\u0022: 35, \u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.630681483663912, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022msrpc\u0022, \u0022app_proto\u0022: \u0022msrpc\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 135, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e8150bd3a3273a7f243736803d5c3834f10913be\u0022, \u0022event_fingerprint\u0022: \u00227121eff0ac90f78b66b61eb5b339241632ad42e0\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 318, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0532\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022NFS RPC mount\u0022, \u0022Mumble ping\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0532\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 18}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022660b573881194d2d021d9e8d5470ace7\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(\\u0014z\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000(\\u0014z\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000(\\u0014z\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000(\\u0014z\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000(\\u0014z\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223d9ac31912c3ab0e0322ffb339e54419b2952d04\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(\\u0014z\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd(z\ufffd\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via MSRPC:135 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via MSRPC \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 18}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022, \u0022dst_port\u0022: 135, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +18\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(\\u0014z\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 135, \u0022service\u0022: \u0022msrpc\u0022, \u0022service_label_fr\u0022: \u0022MSRPC\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via MSRPC:135 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd(z\ufffd\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u0022135 \u00b7 MSRPC\u0022, \u0022emulator_service\u0022: \u0022msrpc\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022msrpc\u0022, \u0022service_banner\u0022: \u0022honeypot-msrpc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022135\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 25, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 81, 110, 111, 135, 143, 199, 445, 465, 548, 587, 993, 995, 1025], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 12, \u0022scan_velocity_ports_per_s\u0022: 2.41, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 18, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}"},{"id":12725136,"ip":"187.15.133.194","ts":"2026-07-18 05:31:58.000000","proto":"tcp","src_port":746,"dst_port":1723,"service":"pptp","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 152, \u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.630681483663912, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022pptp\u0022, \u0022app_proto\u0022: \u0022pptp\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 1723, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00228632c0f3a4befa9502f68e1a5ec91935f80f98d1\u0022, \u0022event_fingerprint\u0022: \u0022904dec90409cdde746c8f5ac626df5ddf2796f9b\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 318, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0532\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022NFS RPC mount\u0022, \u0022Mumble ping\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0532\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 18}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022163c6bf475bf2b383a08f33afee9360e\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(3tB\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000(3tB\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000(3tB\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000(3tB\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000(3tB\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224020c42322c0c71abe88696e11bfb9c671917e2c\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(3tB\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd(3tB\ufffd\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via PPTP:1723 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via PPTP \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 18}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022, \u0022dst_port\u0022: 1723, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +18\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(3tB\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via PPTP:1723 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd(3tB\ufffd\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pptp\u0022, \u0022service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221723\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 25, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 81, 110, 111, 135, 143, 199, 445, 465, 548, 587, 993, 995, 1025], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 12, \u0022scan_velocity_ports_per_s\u0022: 2.41, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 18, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022]}"},{"id":12725137,"ip":"187.15.133.194","ts":"2026-07-18 05:31:58.000000","proto":"tcp","src_port":19951,"dst_port":8888,"service":"http","classification":"port_scan_syn","waf_score":3,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 0, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: null, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 18, \u0022payload_entropy\u0022: 3.461320140211008, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 8888, \u0022risk_waf\u0022: 20.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002205c58c5f19ad288de9a49d67ac759a6d356e63bd\u0022, \u0022event_fingerprint\u0022: \u002280f2aa9a52b555c26e5706a111edbf5b4c7d378f\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 318, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0599\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP alt 8888 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0599\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 18}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226ec63b40bcbc26b71deda762dfd844f0\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8888, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c678bbbbb221fad8612434ce5af0a6ae1198d551\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 8888, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8888 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00228888 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 1 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 18}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8888, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +18\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 8888, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8888 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\u0022, \u0022target_port_label\u0022: \u00228888 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 1 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +18 \u00b7 1 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228888\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 25, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 81, 110, 111, 135, 143, 199, 445, 465, 548, 587, 993, 995, 1025], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 12, \u0022scan_velocity_ports_per_s\u0022: 2.4, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 18, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022http_no_ua\u0022, \u0022net_port_scan_fast\u0022]}"},{"id":12725138,"ip":"187.15.133.194","ts":"2026-07-18 05:31:58.000000","proto":"tcp","src_port":647,"dst_port":111,"service":"rpcbind","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f742072706362696e6420726561647920706f72743d3131310d0a\u0022, \u0022emulator_response_len\u0022: 37, \u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 2.1138243943587627, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022rpcbind\u0022, \u0022app_proto\u0022: \u0022rpcbind\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 111, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c3e25cab9917244e5288b3322c2bce33c9505d78\u0022, \u0022event_fingerprint\u0022: \u00227890ff4d1c4cb9540f6f6ccebb3623a9e91cbbbd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 318, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0532\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022NFS RPC mount\u0022, \u0022Mumble ping\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0532\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 18}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rpcbind\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00220ecb4a8d12632075758d4eac427055e6\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 111, \u0022service\u0022: \u0022rpcbind\u0022, \u0022service_name\u0022: \u0022rpcbind\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(\\u0003p\ufffd\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0007\\n\\u001a\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000(\\u0003p\ufffd\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0007\\n\\u001a\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000(\\u0003p\ufffd\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0007\\n\\u001a\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000(\\u0003p\ufffd\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0007\\n\\u001a\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000(\\u0003p\ufffd\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0007\\n\\u001a\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022abbedd2698ec7d9342c150512a762743c17076f6\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(\\u0003p\ufffd\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0007\\n\\u001a\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 111, \u0022service\u0022: \u0022rpcbind\u0022, \u0022service_label_fr\u0022: \u0022RPCBIND\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd(p\ufffd\ufffd\ufffd\ufffd\\n\ufffd\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via RPCBIND:111 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u0022111 \u00b7 RPCBIND\u0022, \u0022emulator_service\u0022: \u0022rpcbind\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via RPCBIND \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 18}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rpcbind\u0022, \u0022service_label_fr\u0022: \u0022RPCBIND\u0022, \u0022dst_port\u0022: 111, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rpcbind\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +18\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(\\u0003p\ufffd\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0007\\n\\u001a\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 111, \u0022service\u0022: \u0022rpcbind\u0022, \u0022service_label_fr\u0022: \u0022RPCBIND\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via RPCBIND:111 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd(p\ufffd\ufffd\ufffd\ufffd\\n\ufffd\u0022, \u0022target_port_label\u0022: \u0022111 \u00b7 RPCBIND\u0022, \u0022emulator_service\u0022: \u0022rpcbind\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rpcbind\u0022, \u0022service_banner\u0022: \u0022honeypot-rpcbind\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022111\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 25, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 81, 110, 111, 135, 143, 199, 445, 465, 548, 587, 993, 995, 1025], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 12, \u0022scan_velocity_ports_per_s\u0022: 2.4, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 18, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}"},{"id":12725139,"ip":"187.15.133.194","ts":"2026-07-18 05:31:58.000000","proto":"tcp","src_port":642,"dst_port":111,"service":"rpcbind","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f742072706362696e6420726561647920706f72743d3131310d0a\u0022, \u0022emulator_response_len\u0022: 37, \u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 2.0683698489042173, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022rpcbind\u0022, \u0022app_proto\u0022: \u0022rpcbind\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 111, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c3e25cab9917244e5288b3322c2bce33c9505d78\u0022, \u0022event_fingerprint\u0022: \u00227890ff4d1c4cb9540f6f6ccebb3623a9e91cbbbd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 318, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0532\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022NFS RPC mount\u0022, \u0022Mumble ping\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0532\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 18}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rpcbind\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ed546dbdfa464899c307676ad848a5fc\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 111, \u0022service\u0022: \u0022rpcbind\u0022, \u0022service_name\u0022: \u0022rpcbind\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(\\u0006\ufffd=\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0005.hG\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000(\\u0006\ufffd=\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0005.hG\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000(\\u0006\ufffd=\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0005.hG\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000(\\u0006\ufffd=\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0005.hG\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000(\\u0006\ufffd=\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0005.hG\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d8f65ade21ac3e291463bdcf107a8f353a43b004\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(\\u0006\ufffd=\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0005.hG\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 111, \u0022service\u0022: \u0022rpcbind\u0022, \u0022service_label_fr\u0022: \u0022RPCBIND\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd(\ufffd=\ufffd\ufffd\ufffd.hG\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via RPCBIND:111 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u0022111 \u00b7 RPCBIND\u0022, \u0022emulator_service\u0022: \u0022rpcbind\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via RPCBIND \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 18}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rpcbind\u0022, \u0022service_label_fr\u0022: \u0022RPCBIND\u0022, \u0022dst_port\u0022: 111, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rpcbind\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +18\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(\\u0006\ufffd=\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0005.hG\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 111, \u0022service\u0022: \u0022rpcbind\u0022, \u0022service_label_fr\u0022: \u0022RPCBIND\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via RPCBIND:111 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd(\ufffd=\ufffd\ufffd\ufffd.hG\u0022, \u0022target_port_label\u0022: \u0022111 \u00b7 RPCBIND\u0022, \u0022emulator_service\u0022: \u0022rpcbind\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rpcbind\u0022, \u0022service_banner\u0022: \u0022honeypot-rpcbind\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022111\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 25, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 81, 110, 111, 135, 143, 199, 445, 465, 548, 587, 993, 995, 1025], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 12, \u0022scan_velocity_ports_per_s\u0022: 2.4, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 18, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}"},{"id":12725140,"ip":"187.15.133.194","ts":"2026-07-18 05:31:58.000000","proto":"tcp","src_port":882,"dst_port":548,"service":"afp","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002201040000000000000000000041465056657273696f6e20332e330d10000612000000\u0022, \u0022emulator_response_len\u0022: 34, \u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.630681483663912, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022afp\u0022, \u0022app_proto\u0022: \u0022afp\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 548, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002266f5e9ebe6f0ac7ef886fec425432536b06ae217\u0022, \u0022event_fingerprint\u0022: \u002248f198e90269326e36107de80ad6deccecbf7a78\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 318, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0532\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022NFS RPC mount\u0022, \u0022Mumble ping\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0532\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 18}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022afp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002264f7162c8cbe9eef55a1c1bdcd1d61ad\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 548, \u0022service\u0022: \u0022afp\u0022, \u0022service_name\u0022: \u0022afp\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(\\u0007[d\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000(\\u0007[d\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000(\\u0007[d\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000(\\u0007[d\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000(\\u0007[d\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002252272e75d6bbe418e95454979b36dc17aea0bc35\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(\\u0007[d\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 548, \u0022service\u0022: \u0022afp\u0022, \u0022service_label_fr\u0022: \u0022AFP\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd([d\ufffd\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via AFP:548 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u0022548 \u00b7 AFP\u0022, \u0022emulator_service\u0022: \u0022afp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via AFP \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 18}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022afp\u0022, \u0022service_label_fr\u0022: \u0022AFP\u0022, \u0022dst_port\u0022: 548, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-afp\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +18\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(\\u0007[d\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 548, \u0022service\u0022: \u0022afp\u0022, \u0022service_label_fr\u0022: \u0022AFP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via AFP:548 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd([d\ufffd\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u0022548 \u00b7 AFP\u0022, \u0022emulator_service\u0022: \u0022afp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022afp\u0022, \u0022service_banner\u0022: \u0022honeypot-afp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022548\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 25, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 81, 110, 111, 135, 143, 199, 445, 465, 548, 587, 993, 995, 1025], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 12, \u0022scan_velocity_ports_per_s\u0022: 2.51, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 18, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022afp_emulated\u0022, \u0022afp_payload\u0022, \u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}"},{"id":12725128,"ip":"187.15.133.194","ts":"2026-07-18 05:31:56.000000","proto":"tcp","src_port":47758,"dst_port":8080,"service":"http","classification":"scanner_vuln","waf_score":28,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/Nmap\/folder\/check1784352718","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 81, \u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u002203cfbf8c0e86ba291d1d987f1762cc4ae99f24a1\u0022, \u0022http_host_hash\u0022: \u002252f07e08fde357a7f4b6e144985f039d8b76dc77\u0022, \u0022http_target_hash\u0022: \u002229aae09e6dcc04f134397e6ce1a6be68c49f9a76\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 211, \u0022payload_entropy\u0022: 5.241091275368707, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 60.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 60.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022244aeb3457260b8becfb01c5a8288c41144d3bc9\u0022, \u0022event_fingerprint\u0022: \u002290348e19e9284dd437cb833a630f7cfc6cc9e834\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 328, \u0022precision_signals\u0022: [\u0022ET-SCAN-Nmap\u0022, \u0022SIGMA-web-scanner-ua\u0022, \u0022pat-0805\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022], \u0022kb_rule_ids\u0022: [\u0022ET-SCAN-Nmap\u0022, \u0022SIGMA-web-scanner-ua\u0022, \u0022pat-0805\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022], \u0022matched_patterns\u0022: [\u0022pat-0805\u0022, \u0022pat-0103\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022], \u0022matched_pattern_names\u0022: [\u0022MITRE T1046 network scan\u0022, \u0022LFI Double-dot bypass\u0022, \u0022UA Nmap Scripting Engine\u0022, \u0022UA nmap\u0022, \u0022Sigma nmap UA\u0022], \u0022pattern_ids\u0022: [\u0022pat-0805\u0022, \u0022pat-0103\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 60.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60, \u0022correlation_boost\u0022: 18}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022vuln_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022330447dbae11331605ae65a34cb11832\u0022, \u0022payload_hash\u0022: \u0022b4729141c1331044bd8879e137fbedfd\u0022, \u0022path_pattern_hash\u0022: \u0022d74ddfe4742de5ed194784edfb96af60\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 60}, \u0022payload_preview\u0022: \u0022GET \/Nmap\/folder\/check1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:8080\\r\\nConnection: close\\r\\nUser-Agent: \u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/Nmap\/folder\/check1784352718\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/Nmap\/folder\/check1784352718 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/Nmap\/folder\/check1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:8080\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/Nmap\/folder\/check1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:8080\\r\\nConnection: close\\r\\nUser-Agent:\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/Nmap\/folder\/check1784352718\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/Nmap\/folder\/check1784352718 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/Nmap\/folder\/check1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:8080\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/Nmap\/folder\/check1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:8080\\r\\nConnection: close\\r\\nUser-Agent:\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1595\u0022], \u0022mitre\u0022: \u0022T1595\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002294443ef900bd50b533c925b73de2c2f32eed1738\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/Nmap\/folder\/check1784352718\u0022, \u0022request_line\u0022: \u0022GET \/Nmap\/folder\/check1784352718 HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/Nmap\/folder\/check1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:8080\\r\\nConnection: close\\r\\nUser-Agent:\u0022, \u0022attack_vector\u0022: \u0022scanner vuln \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/Nmap\/folder\/check1784352718\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE T1595 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 60.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60, \u0022correlation_boost\u0022: 18}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 60, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022ET-SCAN-Nmap\u0022, \u0022SIGMA-web-scanner-ua\u0022, \u0022pat-0805\u0022, \u0022pat-0425\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022ET-SCAN-Nmap\u0022, \u0022SIGMA-web-scanner-ua\u0022, \u0022pat-0805\u0022, \u0022pat-0425\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1595\u0022, \u0022mitre_technique\u0022: \u0022T1595\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +18\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/Nmap\/folder\/check1784352718\u0022, \u0022request_line\u0022: \u0022GET \/Nmap\/folder\/check1784352718 HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022scanner vuln \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/Nmap\/folder\/check1784352718\u0022, \u0022evidence_snippet\u0022: \u0022GET \/Nmap\/folder\/check1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:8080\\r\\nConnection: close\\r\\nUser-Agent:\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 25, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 81, 110, 111, 135, 143, 199, 445, 465, 548, 587, 993, 995, 1025], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 8, \u0022scan_velocity_ports_per_s\u0022: 1.88, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 18, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 84}"},{"id":12725129,"ip":"187.15.133.194","ts":"2026-07-18 05:31:56.000000","proto":"tcp","src_port":854,"dst_port":111,"service":"rpcbind","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f742072706362696e6420726561647920706f72743d3131310d0a\u0022, \u0022emulator_response_len\u0022: 37, \u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.7776134368191159, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022rpcbind\u0022, \u0022app_proto\u0022: \u0022rpcbind\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 111, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c50df51aaaad5615ff8caf0e3d21c01c0efe7c05\u0022, \u0022event_fingerprint\u0022: \u0022cc6a30f113f8d9e6ef56552018adfd04a41a77dc\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0532\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022NFS RPC mount\u0022, \u0022Mumble ping\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0532\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 18}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rpcbind\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c40fae1fcc2f70ead1e5987a6041a416\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 111, \u0022service\u0022: \u0022rpcbind\u0022, \u0022service_name\u0022: \u0022rpcbind\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(\\t\ufffd?V\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000(\\t\ufffd?V\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000(\\t\ufffd?V\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000(\\t\ufffd?V\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000(\\t\ufffd?V\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002226d72ab9f2926cdf1aaef1f002bb504277e1a179\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(\\t\ufffd?V\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 111, \u0022service\u0022: \u0022rpcbind\u0022, \u0022service_label_fr\u0022: \u0022RPCBIND\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd(\\t\ufffd?V\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via RPCBIND:111 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u0022111 \u00b7 RPCBIND\u0022, \u0022emulator_service\u0022: \u0022rpcbind\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via RPCBIND \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 18}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rpcbind\u0022, \u0022service_label_fr\u0022: \u0022RPCBIND\u0022, \u0022dst_port\u0022: 111, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rpcbind\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +18\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(\\t\ufffd?V\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 111, \u0022service\u0022: \u0022rpcbind\u0022, \u0022service_label_fr\u0022: \u0022RPCBIND\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via RPCBIND:111 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd(\\t\ufffd?V\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u0022111 \u00b7 RPCBIND\u0022, \u0022emulator_service\u0022: \u0022rpcbind\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rpcbind\u0022, \u0022service_banner\u0022: \u0022honeypot-rpcbind\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022111\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 25, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 81, 110, 111, 135, 143, 199, 445, 465, 548, 587, 993, 995, 1025], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 8, \u0022scan_velocity_ports_per_s\u0022: 1.88, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 18, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_mongodb_probe\u0022]}"},{"id":12725114,"ip":"187.15.133.194","ts":"2026-07-18 05:31:55.000000","proto":"tcp","src_port":1050,"dst_port":8888,"service":"http","classification":"scanner_vuln","waf_score":22,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/NmapUpperCheck1784352718","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u002203cfbf8c0e86ba291d1d987f1762cc4ae99f24a1\u0022, \u0022http_host_hash\u0022: \u0022df8342def44035bb0811f534eb102e9eef5615e1\u0022, \u0022http_target_hash\u0022: \u0022ea3c8605bd38eed70d8cede1c291d7fee6631625\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 208, \u0022payload_entropy\u0022: 5.215808511235892, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 8888, \u0022risk_waf\u0022: 96.0, \u0022risk_classification\u0022: 60.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 96.0, \u0022classification\u0022: 60.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022b3282692df2834ba30fc5caa3c2533845a71cd48\u0022, \u0022event_fingerprint\u0022: \u0022e48fcbe01853fa5d3bef1234a96c2b5c7e93c793\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 328, \u0022precision_signals\u0022: [\u0022ET-SCAN-Nmap\u0022, \u0022SIGMA-web-scanner-ua\u0022, \u0022pat-0805\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022], \u0022kb_rule_ids\u0022: [\u0022ET-SCAN-Nmap\u0022, \u0022SIGMA-web-scanner-ua\u0022, \u0022pat-0805\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022], \u0022matched_patterns\u0022: [\u0022pat-0805\u0022, \u0022pat-0103\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022, \u0022pat-0599\u0022], \u0022matched_pattern_names\u0022: [\u0022MITRE T1046 network scan\u0022, \u0022LFI Double-dot bypass\u0022, \u0022UA Nmap Scripting Engine\u0022, \u0022UA nmap\u0022, \u0022Sigma nmap UA\u0022, \u0022HTTP alt 8888 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0805\u0022, \u0022pat-0103\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022, \u0022pat-0599\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 96.0, \u0022classification\u0022: 60.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 59, \u0022correlation_boost\u0022: 18}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022vuln_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022330447dbae11331605ae65a34cb11832\u0022, \u0022payload_hash\u0022: \u0022fe9d84c16810991e0ed6ea8fb4180f37\u0022, \u0022path_pattern_hash\u0022: \u00229cf048dcd0db3404a14c8d7099241dee\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8888, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/NmapUpperCheck1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:8888\\r\\nConnection: close\\r\\nUser-Agent: Moz\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/NmapUpperCheck1784352718\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/NmapUpperCheck1784352718 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/NmapUpperCheck1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:8888\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/NmapUpperCheck1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:8888\\r\\nConnection: close\\r\\nUser-Agent: Moz\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/NmapUpperCheck1784352718\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/NmapUpperCheck1784352718 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/NmapUpperCheck1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:8888\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/NmapUpperCheck1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:8888\\r\\nConnection: close\\r\\nUser-Agent: Moz\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1595\u0022], \u0022mitre\u0022: \u0022T1595\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e8b7c909c0dcfb8047a8ad5c09fdda91bd480e2e\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/NmapUpperCheck1784352718\u0022, \u0022request_line\u0022: \u0022GET \/NmapUpperCheck1784352718 HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022port\u0022: 8888, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/NmapUpperCheck1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:8888\\r\\nConnection: close\\r\\nUser-Agent: Moz\u0022, \u0022attack_vector\u0022: \u0022scanner vuln \u00b7 via HTTP:8888 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/NmapUpperCheck1784352718\u0022, \u0022target_port_label\u0022: \u00228888 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1595 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 96.0, \u0022classification\u0022: 60.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 59, \u0022correlation_boost\u0022: 18}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8888, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022ET-SCAN-Nmap\u0022, \u0022SIGMA-web-scanner-ua\u0022, \u0022pat-0805\u0022, \u0022pat-0425\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022ET-SCAN-Nmap\u0022, \u0022SIGMA-web-scanner-ua\u0022, \u0022pat-0805\u0022, \u0022pat-0425\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1595\u0022, \u0022mitre_technique\u0022: \u0022T1595\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +18\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/NmapUpperCheck1784352718\u0022, \u0022request_line\u0022: \u0022GET \/NmapUpperCheck1784352718 HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022port\u0022: 8888, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022scanner vuln \u00b7 via HTTP:8888 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/NmapUpperCheck1784352718\u0022, \u0022evidence_snippet\u0022: \u0022GET \/NmapUpperCheck1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:8888\\r\\nConnection: close\\r\\nUser-Agent: Moz\u0022, \u0022target_port_label\u0022: \u00228888 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 96 \u00b7 Bonus corr\u00e9lation +18 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228888\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 25, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 81, 110, 111, 135, 143, 199, 445, 465, 548, 587, 993, 995, 1025], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 8, \u0022scan_velocity_ports_per_s\u0022: 1.75, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 18, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022]}"},{"id":12725115,"ip":"187.15.133.194","ts":"2026-07-18 05:31:55.000000","proto":"tcp","src_port":1854,"dst_port":81,"service":"http","classification":"scanner_vuln","waf_score":22,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/NmapUpperCheck1784352718","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u002203cfbf8c0e86ba291d1d987f1762cc4ae99f24a1\u0022, \u0022http_host_hash\u0022: \u00223f9d10f4878f3b807c4b03eb9bfacb2c8601632f\u0022, \u0022http_target_hash\u0022: \u0022ea3c8605bd38eed70d8cede1c291d7fee6631625\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 206, \u0022payload_entropy\u0022: 5.21243235238441, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 96.0, \u0022risk_classification\u0022: 60.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 96.0, \u0022classification\u0022: 60.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u002267fe9b83623439dff030f5db0a8dd1729a7738c9\u0022, \u0022event_fingerprint\u0022: \u0022ea776d0418c2c5be6e4adbc432096c2d57b653fc\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 328, \u0022precision_signals\u0022: [\u0022ET-SCAN-Nmap\u0022, \u0022SIGMA-web-scanner-ua\u0022, \u0022pat-0805\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022], \u0022kb_rule_ids\u0022: [\u0022ET-SCAN-Nmap\u0022, \u0022SIGMA-web-scanner-ua\u0022, \u0022pat-0805\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022], \u0022matched_patterns\u0022: [\u0022pat-0805\u0022, \u0022pat-0103\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022], \u0022matched_pattern_names\u0022: [\u0022MITRE T1046 network scan\u0022, \u0022LFI Double-dot bypass\u0022, \u0022UA Nmap Scripting Engine\u0022, \u0022UA nmap\u0022, \u0022Sigma nmap UA\u0022], \u0022pattern_ids\u0022: [\u0022pat-0805\u0022, \u0022pat-0103\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 96.0, \u0022classification\u0022: 60.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 59, \u0022correlation_boost\u0022: 18}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022vuln_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022330447dbae11331605ae65a34cb11832\u0022, \u0022payload_hash\u0022: \u00227a146d5a43a32269aacf925feafbdaea\u0022, \u0022path_pattern_hash\u0022: \u00229cf048dcd0db3404a14c8d7099241dee\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/NmapUpperCheck1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:81\\r\\nConnection: close\\r\\nUser-Agent: Mozil\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/NmapUpperCheck1784352718\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/NmapUpperCheck1784352718 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/NmapUpperCheck1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:81\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/NmapUpperCheck1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:81\\r\\nConnection: close\\r\\nUser-Agent: Mozil\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/NmapUpperCheck1784352718\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/NmapUpperCheck1784352718 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/NmapUpperCheck1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:81\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/NmapUpperCheck1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:81\\r\\nConnection: close\\r\\nUser-Agent: Mozil\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1595\u0022], \u0022mitre\u0022: \u0022T1595\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223d23ecff62d0c82a107fe460d5bf9e52e514bdaf\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/NmapUpperCheck1784352718\u0022, \u0022request_line\u0022: \u0022GET \/NmapUpperCheck1784352718 HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/NmapUpperCheck1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:81\\r\\nConnection: close\\r\\nUser-Agent: Mozil\u0022, \u0022attack_vector\u0022: \u0022scanner vuln \u00b7 via HTTP:81 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/NmapUpperCheck1784352718\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1595 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 96.0, \u0022classification\u0022: 60.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 59, \u0022correlation_boost\u0022: 18}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022ET-SCAN-Nmap\u0022, \u0022SIGMA-web-scanner-ua\u0022, \u0022pat-0805\u0022, \u0022pat-0425\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022ET-SCAN-Nmap\u0022, \u0022SIGMA-web-scanner-ua\u0022, \u0022pat-0805\u0022, \u0022pat-0425\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1595\u0022, \u0022mitre_technique\u0022: \u0022T1595\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +18\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/NmapUpperCheck1784352718\u0022, \u0022request_line\u0022: \u0022GET \/NmapUpperCheck1784352718 HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022scanner vuln \u00b7 via HTTP:81 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/NmapUpperCheck1784352718\u0022, \u0022evidence_snippet\u0022: \u0022GET \/NmapUpperCheck1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:81\\r\\nConnection: close\\r\\nUser-Agent: Mozil\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 96 \u00b7 Bonus corr\u00e9lation +18 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 25, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 81, 110, 111, 135, 143, 199, 445, 465, 548, 587, 993, 995, 1025], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 8, \u0022scan_velocity_ports_per_s\u0022: 1.73, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 18, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022]}"},{"id":12725116,"ip":"187.15.133.194","ts":"2026-07-18 05:31:55.000000","proto":"tcp","src_port":53619,"dst_port":1720,"service":"http","classification":"port_scan_syn","waf_score":28,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/evox\/about","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u002203cfbf8c0e86ba291d1d987f1762cc4ae99f24a1\u0022, \u0022http_host_hash\u0022: \u002287a118bc4f8adb1808cea1d662665bbefaafbcaf\u0022, \u0022http_target_hash\u0022: \u00229e931bb53b054c2fff95daa013fecdd4ca2a01a2\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 194, \u0022payload_entropy\u0022: 5.156657139436861, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 1720, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022ff42e7281b45d1d95158b7b06938f3ea5e80a7ce\u0022, \u0022event_fingerprint\u0022: \u0022352bb29008b308eb655ec72e181819d9b7639942\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0255\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022Probe \/evox\/about\u0022, \u0022UA Nmap Scripting Engine\u0022, \u0022UA nmap\u0022, \u0022Sigma nmap UA\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0255\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60, \u0022correlation_boost\u0022: 18}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022330447dbae11331605ae65a34cb11832\u0022, \u0022payload_hash\u0022: \u0022120f4f2570a7a162d7023c0bbf1414ba\u0022, \u0022path_pattern_hash\u0022: \u00226c06e7a5a57aea56adce71b0743fb577\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1720, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 60}, \u0022payload_preview\u0022: \u0022GET \/evox\/about HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:1720\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (comp\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/evox\/about\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/evox\/about HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/evox\/about HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:1720\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/evox\/about HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:1720\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (comp\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/evox\/about\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/evox\/about HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/evox\/about HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:1720\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/evox\/about HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:1720\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (comp\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022120b1f470d2be3727bcbe8ba64613aa100c315ad\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/evox\/about\u0022, \u0022request_line\u0022: \u0022GET \/evox\/about HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022port\u0022: 1720, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/evox\/about HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:1720\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (comp\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:1720 \u00b7 (reconnaissance) \u00b7 \u2192 \/evox\/about\u0022, \u0022target_port_label\u0022: \u00221720 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60, \u0022correlation_boost\u0022: 18}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 60, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 1720, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +18\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/evox\/about\u0022, \u0022request_line\u0022: \u0022GET \/evox\/about HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022port\u0022: 1720, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:1720 \u00b7 (reconnaissance) \u00b7 \u2192 \/evox\/about\u0022, \u0022evidence_snippet\u0022: \u0022GET \/evox\/about HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:1720\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (comp\u0022, \u0022target_port_label\u0022: \u00221720 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221720\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 25, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 81, 110, 111, 135, 143, 199, 445, 465, 548, 587, 993, 995, 1025], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 8, \u0022scan_velocity_ports_per_s\u0022: 1.72, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 18, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]}"},{"id":12725117,"ip":"187.15.133.194","ts":"2026-07-18 05:31:55.000000","proto":"tcp","src_port":52837,"dst_port":1720,"service":"http","classification":"port_scan_syn","waf_score":22,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/HNAP1","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u002203cfbf8c0e86ba291d1d987f1762cc4ae99f24a1\u0022, \u0022http_host_hash\u0022: \u002287a118bc4f8adb1808cea1d662665bbefaafbcaf\u0022, \u0022http_target_hash\u0022: \u002292c22322858be108c9b5ebcfd6f2c3cb5ceee211\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 189, \u0022payload_entropy\u0022: 5.165823708932025, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 1720, \u0022risk_waf\u0022: 96.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 96.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022a5697c8efd47cb0d8f75f9e56bafac486c24bbb1\u0022, \u0022event_fingerprint\u0022: \u00227dafdbdf1babff5c47a316c50d537b526037b3f2\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022UA Nmap Scripting Engine\u0022, \u0022UA nmap\u0022, \u0022Sigma nmap UA\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 96.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 59, \u0022correlation_boost\u0022: 18}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022330447dbae11331605ae65a34cb11832\u0022, \u0022payload_hash\u0022: \u0022a7760b7b0d7ff2e11b5594ea442d5d26\u0022, \u0022path_pattern_hash\u0022: \u00226fce0d6d2998b47f09e54396e5a34d07\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1720, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/HNAP1 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:1720\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compatibl\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/HNAP1\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/HNAP1 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/HNAP1 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:1720\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/HNAP1 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:1720\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compatibl\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/HNAP1\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/HNAP1 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/HNAP1 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:1720\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/HNAP1 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:1720\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compatibl\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022fec71780b5657eb5071ad97de8a75de2dc981c78\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/HNAP1\u0022, \u0022request_line\u0022: \u0022GET \/HNAP1 HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022port\u0022: 1720, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/HNAP1 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:1720\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compatibl\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:1720 \u00b7 (reconnaissance) \u00b7 \u2192 \/HNAP1\u0022, \u0022target_port_label\u0022: \u00221720 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 96.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 59, \u0022correlation_boost\u0022: 18}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 1720, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +18\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/HNAP1\u0022, \u0022request_line\u0022: \u0022GET \/HNAP1 HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022port\u0022: 1720, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:1720 \u00b7 (reconnaissance) \u00b7 \u2192 \/HNAP1\u0022, \u0022evidence_snippet\u0022: \u0022GET \/HNAP1 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:1720\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compatibl\u0022, \u0022target_port_label\u0022: \u00221720 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 96 \u00b7 Bonus corr\u00e9lation +18 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221720\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 25, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 81, 110, 111, 135, 143, 199, 445, 465, 548, 587, 993, 995, 1025], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 8, \u0022scan_velocity_ports_per_s\u0022: 1.72, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 18, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022iot_http_endpoint\u0022, \u0022scanner-ua\u0022]}"},{"id":12725118,"ip":"187.15.133.194","ts":"2026-07-18 05:31:55.000000","proto":"tcp","src_port":50268,"dst_port":199,"service":"http","classification":"port_scan_syn","waf_score":22,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/HNAP1","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u002203cfbf8c0e86ba291d1d987f1762cc4ae99f24a1\u0022, \u0022http_host_hash\u0022: \u0022c594f73ad1ce8236237a9784f386fc92dc8c31a8\u0022, \u0022http_target_hash\u0022: \u002292c22322858be108c9b5ebcfd6f2c3cb5ceee211\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 188, \u0022payload_entropy\u0022: 5.160076885254946, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 199, \u0022risk_waf\u0022: 96.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 96.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 58, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u002288cb7d75b6f30b4d9e48344e68d4546132e148f2\u0022, \u0022event_fingerprint\u0022: \u00225ad7ca389dffebc96b301c303c47ae707431bcc1\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022UA Nmap Scripting Engine\u0022, \u0022UA nmap\u0022, \u0022Sigma nmap UA\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 96.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 58, \u0022correlation_boost\u0022: 18}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022330447dbae11331605ae65a34cb11832\u0022, \u0022payload_hash\u0022: \u002200a9de5a0b64c157d3b97549ff50e07a\u0022, \u0022path_pattern_hash\u0022: \u00226fce0d6d2998b47f09e54396e5a34d07\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 199, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 58}, \u0022payload_preview\u0022: \u0022GET \/HNAP1 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:199\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compatible\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/HNAP1\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/HNAP1 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/HNAP1 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:199\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/HNAP1 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:199\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compatible\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/HNAP1\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/HNAP1 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/HNAP1 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:199\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/HNAP1 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:199\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compatible\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022717ab86f9327dc51d6f9af3a2eae0a2771b548d5\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/HNAP1\u0022, \u0022request_line\u0022: \u0022GET \/HNAP1 HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022port\u0022: 199, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/HNAP1 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:199\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compatible\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:199 \u00b7 (reconnaissance) \u00b7 \u2192 \/HNAP1\u0022, \u0022target_port_label\u0022: \u0022199 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 96.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 58, \u0022correlation_boost\u0022: 18}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 58, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 199, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +18\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/HNAP1\u0022, \u0022request_line\u0022: \u0022GET \/HNAP1 HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022port\u0022: 199, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:199 \u00b7 (reconnaissance) \u00b7 \u2192 \/HNAP1\u0022, \u0022evidence_snippet\u0022: \u0022GET \/HNAP1 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:199\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compatible\u0022, \u0022target_port_label\u0022: \u0022199 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 96 \u00b7 Bonus corr\u00e9lation +18 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022199\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 25, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 81, 110, 111, 135, 143, 199, 445, 465, 548, 587, 993, 995, 1025], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 8, \u0022scan_velocity_ports_per_s\u0022: 1.71, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 18, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022iot_http_endpoint\u0022, \u0022scanner-ua\u0022]}"},{"id":12725119,"ip":"187.15.133.194","ts":"2026-07-18 05:31:55.000000","proto":"tcp","src_port":8108,"dst_port":199,"service":"http","classification":"port_scan_syn","waf_score":28,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/evox\/about","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u002203cfbf8c0e86ba291d1d987f1762cc4ae99f24a1\u0022, \u0022http_host_hash\u0022: \u0022c594f73ad1ce8236237a9784f386fc92dc8c31a8\u0022, \u0022http_target_hash\u0022: \u00229e931bb53b054c2fff95daa013fecdd4ca2a01a2\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 193, \u0022payload_entropy\u0022: 5.150816007053635, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 199, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u002264e4450163e4462a9a22fb4ba44ffe3ec0303e50\u0022, \u0022event_fingerprint\u0022: \u0022609ab42f55a36fa9e9203da8c948d730286aebdc\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0255\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022Probe \/evox\/about\u0022, \u0022UA Nmap Scripting Engine\u0022, \u0022UA nmap\u0022, \u0022Sigma nmap UA\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0255\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60, \u0022correlation_boost\u0022: 18}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022330447dbae11331605ae65a34cb11832\u0022, \u0022payload_hash\u0022: \u002266eecce44162ed095e3acf941ba682be\u0022, \u0022path_pattern_hash\u0022: \u00226c06e7a5a57aea56adce71b0743fb577\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 199, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 60}, \u0022payload_preview\u0022: \u0022GET \/evox\/about HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:199\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compa\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/evox\/about\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/evox\/about HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/evox\/about HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:199\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/evox\/about HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:199\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compa\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/evox\/about\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/evox\/about HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/evox\/about HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:199\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/evox\/about HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:199\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compa\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022fcf1a3c2e6b149dd42838a2242ce6c9d7944fdc4\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/evox\/about\u0022, \u0022request_line\u0022: \u0022GET \/evox\/about HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022port\u0022: 199, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/evox\/about HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:199\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compa\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:199 \u00b7 (reconnaissance) \u00b7 \u2192 \/evox\/about\u0022, \u0022target_port_label\u0022: \u0022199 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60, \u0022correlation_boost\u0022: 18}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 60, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 199, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +18\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/evox\/about\u0022, \u0022request_line\u0022: \u0022GET \/evox\/about HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022port\u0022: 199, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:199 \u00b7 (reconnaissance) \u00b7 \u2192 \/evox\/about\u0022, \u0022evidence_snippet\u0022: \u0022GET \/evox\/about HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:199\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compa\u0022, \u0022target_port_label\u0022: \u0022199 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022199\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 25, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 81, 110, 111, 135, 143, 199, 445, 465, 548, 587, 993, 995, 1025], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 8, \u0022scan_velocity_ports_per_s\u0022: 1.71, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 18, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]}"},{"id":12725120,"ip":"187.15.133.194","ts":"2026-07-18 05:31:55.000000","proto":"tcp","src_port":47746,"dst_port":8080,"service":"http","classification":"scanner_vuln","waf_score":22,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/NmapUpperCheck1784352718","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 81, \u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u002203cfbf8c0e86ba291d1d987f1762cc4ae99f24a1\u0022, \u0022http_host_hash\u0022: \u002252f07e08fde357a7f4b6e144985f039d8b76dc77\u0022, \u0022http_target_hash\u0022: \u0022ea3c8605bd38eed70d8cede1c291d7fee6631625\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 208, \u0022payload_entropy\u0022: 5.2230670449105405, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 96.0, \u0022risk_classification\u0022: 60.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 96.0, \u0022classification\u0022: 60.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022973d8923003acbae0aa82479b53e1238c798b4d6\u0022, \u0022event_fingerprint\u0022: \u002296db8e09f07c507dd15fb13d8bb8176668528581\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 328, \u0022precision_signals\u0022: [\u0022ET-SCAN-Nmap\u0022, \u0022SIGMA-web-scanner-ua\u0022, \u0022pat-0805\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022], \u0022kb_rule_ids\u0022: [\u0022ET-SCAN-Nmap\u0022, \u0022SIGMA-web-scanner-ua\u0022, \u0022pat-0805\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022], \u0022matched_patterns\u0022: [\u0022pat-0805\u0022, \u0022pat-0103\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022], \u0022matched_pattern_names\u0022: [\u0022MITRE T1046 network scan\u0022, \u0022LFI Double-dot bypass\u0022, \u0022UA Nmap Scripting Engine\u0022, \u0022UA nmap\u0022, \u0022Sigma nmap UA\u0022], \u0022pattern_ids\u0022: [\u0022pat-0805\u0022, \u0022pat-0103\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 96.0, \u0022classification\u0022: 60.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 59, \u0022correlation_boost\u0022: 18}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022vuln_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022330447dbae11331605ae65a34cb11832\u0022, \u0022payload_hash\u0022: \u0022626492d62151159b7cd1f36fda022065\u0022, \u0022path_pattern_hash\u0022: \u00229cf048dcd0db3404a14c8d7099241dee\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/NmapUpperCheck1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:8080\\r\\nConnection: close\\r\\nUser-Agent: Moz\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/NmapUpperCheck1784352718\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/NmapUpperCheck1784352718 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/NmapUpperCheck1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:8080\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/NmapUpperCheck1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:8080\\r\\nConnection: close\\r\\nUser-Agent: Moz\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/NmapUpperCheck1784352718\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/NmapUpperCheck1784352718 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/NmapUpperCheck1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:8080\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/NmapUpperCheck1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:8080\\r\\nConnection: close\\r\\nUser-Agent: Moz\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1595\u0022], \u0022mitre\u0022: \u0022T1595\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c98efbb9319b578eaa941906c9b27916295acd2c\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/NmapUpperCheck1784352718\u0022, \u0022request_line\u0022: \u0022GET \/NmapUpperCheck1784352718 HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/NmapUpperCheck1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:8080\\r\\nConnection: close\\r\\nUser-Agent: Moz\u0022, \u0022attack_vector\u0022: \u0022scanner vuln \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/NmapUpperCheck1784352718\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1595 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 96.0, \u0022classification\u0022: 60.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 59, \u0022correlation_boost\u0022: 18}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022ET-SCAN-Nmap\u0022, \u0022SIGMA-web-scanner-ua\u0022, \u0022pat-0805\u0022, \u0022pat-0425\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022ET-SCAN-Nmap\u0022, \u0022SIGMA-web-scanner-ua\u0022, \u0022pat-0805\u0022, \u0022pat-0425\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1595\u0022, \u0022mitre_technique\u0022: \u0022T1595\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +18\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/NmapUpperCheck1784352718\u0022, \u0022request_line\u0022: \u0022GET \/NmapUpperCheck1784352718 HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022scanner vuln \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/NmapUpperCheck1784352718\u0022, \u0022evidence_snippet\u0022: \u0022GET \/NmapUpperCheck1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:8080\\r\\nConnection: close\\r\\nUser-Agent: Moz\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 96 \u00b7 Bonus corr\u00e9lation +18 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 25, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 81, 110, 111, 135, 143, 199, 445, 465, 548, 587, 993, 995, 1025], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 8, \u0022scan_velocity_ports_per_s\u0022: 1.7, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 18, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022]}"},{"id":12725121,"ip":"187.15.133.194","ts":"2026-07-18 05:31:55.000000","proto":"tcp","src_port":824,"dst_port":111,"service":"rpcbind","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f742072706362696e6420726561647920706f72743d3131310d0a\u0022, \u0022emulator_response_len\u0022: 37, \u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.8230679822736615, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022rpcbind\u0022, \u0022app_proto\u0022: \u0022rpcbind\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 111, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c50df51aaaad5615ff8caf0e3d21c01c0efe7c05\u0022, \u0022event_fingerprint\u0022: \u0022cc6a30f113f8d9e6ef56552018adfd04a41a77dc\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022Mumble ping\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 18}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rpcbind\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022bb44d60c223c3809f4b7cb40cfa7484e\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 111, \u0022service\u0022: \u0022rpcbind\u0022, \u0022service_name\u0022: \u0022rpcbind\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(B\\u0011\ufffdr\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0003\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000(B\\u0011\ufffdr\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0003\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000(B\\u0011\ufffdr\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0003\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000(B\\u0011\ufffdr\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0003\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000(B\\u0011\ufffdr\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0003\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229b2adfd97bf4f11261b8b01a15d4628e222e4dc7\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(B\\u0011\ufffdr\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0003\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 111, \u0022service\u0022: \u0022rpcbind\u0022, \u0022service_label_fr\u0022: \u0022RPCBIND\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd(B\ufffdr\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via RPCBIND:111 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u0022111 \u00b7 RPCBIND\u0022, \u0022emulator_service\u0022: \u0022rpcbind\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via RPCBIND \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 18}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rpcbind\u0022, \u0022service_label_fr\u0022: \u0022RPCBIND\u0022, \u0022dst_port\u0022: 111, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rpcbind\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +18\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(B\\u0011\ufffdr\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0003\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 111, \u0022service\u0022: \u0022rpcbind\u0022, \u0022service_label_fr\u0022: \u0022RPCBIND\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via RPCBIND:111 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd(B\ufffdr\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u0022111 \u00b7 RPCBIND\u0022, \u0022emulator_service\u0022: \u0022rpcbind\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rpcbind\u0022, \u0022service_banner\u0022: \u0022honeypot-rpcbind\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022111\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 25, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 81, 110, 111, 135, 143, 199, 445, 465, 548, 587, 993, 995, 1025], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 8, \u0022scan_velocity_ports_per_s\u0022: 1.69, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 18, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_mongodb_probe\u0022]}"},{"id":12725124,"ip":"187.15.133.194","ts":"2026-07-18 05:31:55.000000","proto":"tcp","src_port":38259,"dst_port":8888,"service":"http","classification":"scanner_vuln","waf_score":28,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/Nmap\/folder\/check1784352718","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u002203cfbf8c0e86ba291d1d987f1762cc4ae99f24a1\u0022, \u0022http_host_hash\u0022: \u0022df8342def44035bb0811f534eb102e9eef5615e1\u0022, \u0022http_target_hash\u0022: \u002229aae09e6dcc04f134397e6ce1a6be68c49f9a76\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 211, \u0022payload_entropy\u0022: 5.233935943594646, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 8888, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 60.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 60.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 61, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022bde0b4fdbbb586954811f2b26316f35176a7bda0\u0022, \u0022event_fingerprint\u0022: \u0022f04ee0098cf2636a0cbdcc4be6fa5815c3432ba4\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 328, \u0022precision_signals\u0022: [\u0022ET-SCAN-Nmap\u0022, \u0022SIGMA-web-scanner-ua\u0022, \u0022pat-0805\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022], \u0022kb_rule_ids\u0022: [\u0022ET-SCAN-Nmap\u0022, \u0022SIGMA-web-scanner-ua\u0022, \u0022pat-0805\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022], \u0022matched_patterns\u0022: [\u0022pat-0805\u0022, \u0022pat-0103\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022, \u0022pat-0599\u0022], \u0022matched_pattern_names\u0022: [\u0022MITRE T1046 network scan\u0022, \u0022LFI Double-dot bypass\u0022, \u0022UA Nmap Scripting Engine\u0022, \u0022UA nmap\u0022, \u0022Sigma nmap UA\u0022, \u0022HTTP alt 8888 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0805\u0022, \u0022pat-0103\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022, \u0022pat-0599\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 60.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 61, \u0022correlation_boost\u0022: 18}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022vuln_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022330447dbae11331605ae65a34cb11832\u0022, \u0022payload_hash\u0022: \u0022e2b46acfa36b9eadee6c3807a14d203b\u0022, \u0022path_pattern_hash\u0022: \u0022d74ddfe4742de5ed194784edfb96af60\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8888, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 61}, \u0022payload_preview\u0022: \u0022GET \/Nmap\/folder\/check1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:8888\\r\\nConnection: close\\r\\nUser-Agent: \u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/Nmap\/folder\/check1784352718\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/Nmap\/folder\/check1784352718 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/Nmap\/folder\/check1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:8888\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/Nmap\/folder\/check1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:8888\\r\\nConnection: close\\r\\nUser-Agent:\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/Nmap\/folder\/check1784352718\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/Nmap\/folder\/check1784352718 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/Nmap\/folder\/check1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:8888\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/Nmap\/folder\/check1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:8888\\r\\nConnection: close\\r\\nUser-Agent:\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1595\u0022], \u0022mitre\u0022: \u0022T1595\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d31d43a8c2e36b58755a57d8053fb90b9344fdba\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/Nmap\/folder\/check1784352718\u0022, \u0022request_line\u0022: \u0022GET \/Nmap\/folder\/check1784352718 HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022port\u0022: 8888, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/Nmap\/folder\/check1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:8888\\r\\nConnection: close\\r\\nUser-Agent:\u0022, \u0022attack_vector\u0022: \u0022scanner vuln \u00b7 via HTTP:8888 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/Nmap\/folder\/check1784352718\u0022, \u0022target_port_label\u0022: \u00228888 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE T1595 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 60.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 61, \u0022correlation_boost\u0022: 18}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 61, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8888, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022ET-SCAN-Nmap\u0022, \u0022SIGMA-web-scanner-ua\u0022, \u0022pat-0805\u0022, \u0022pat-0425\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022ET-SCAN-Nmap\u0022, \u0022SIGMA-web-scanner-ua\u0022, \u0022pat-0805\u0022, \u0022pat-0425\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1595\u0022, \u0022mitre_technique\u0022: \u0022T1595\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +18\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/Nmap\/folder\/check1784352718\u0022, \u0022request_line\u0022: \u0022GET \/Nmap\/folder\/check1784352718 HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022port\u0022: 8888, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022scanner vuln \u00b7 via HTTP:8888 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/Nmap\/folder\/check1784352718\u0022, \u0022evidence_snippet\u0022: \u0022GET \/Nmap\/folder\/check1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:8888\\r\\nConnection: close\\r\\nUser-Agent:\u0022, \u0022target_port_label\u0022: \u00228888 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228888\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 25, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 81, 110, 111, 135, 143, 199, 445, 465, 548, 587, 993, 995, 1025], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 8, \u0022scan_velocity_ports_per_s\u0022: 1.97, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 18, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022]}"},{"id":12725125,"ip":"187.15.133.194","ts":"2026-07-18 05:31:55.000000","proto":"tcp","src_port":1533,"dst_port":81,"service":"http","classification":"scanner_vuln","waf_score":28,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/Nmap\/folder\/check1784352718","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u002203cfbf8c0e86ba291d1d987f1762cc4ae99f24a1\u0022, \u0022http_host_hash\u0022: \u00223f9d10f4878f3b807c4b03eb9bfacb2c8601632f\u0022, \u0022http_target_hash\u0022: \u002229aae09e6dcc04f134397e6ce1a6be68c49f9a76\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 209, \u0022payload_entropy\u0022: 5.230583066573612, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 60.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 60.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022d63ab01dcc4f08dc61467dd9216c950adb0fcc51\u0022, \u0022event_fingerprint\u0022: \u0022d2eea910060b0152a36f871de6fc79ed65badd72\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 328, \u0022precision_signals\u0022: [\u0022ET-SCAN-Nmap\u0022, \u0022SIGMA-web-scanner-ua\u0022, \u0022pat-0805\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022], \u0022kb_rule_ids\u0022: [\u0022ET-SCAN-Nmap\u0022, \u0022SIGMA-web-scanner-ua\u0022, \u0022pat-0805\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022], \u0022matched_patterns\u0022: [\u0022pat-0805\u0022, \u0022pat-0103\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022], \u0022matched_pattern_names\u0022: [\u0022MITRE T1046 network scan\u0022, \u0022LFI Double-dot bypass\u0022, \u0022UA Nmap Scripting Engine\u0022, \u0022UA nmap\u0022, \u0022Sigma nmap UA\u0022], \u0022pattern_ids\u0022: [\u0022pat-0805\u0022, \u0022pat-0103\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 60.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60, \u0022correlation_boost\u0022: 18}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022vuln_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022330447dbae11331605ae65a34cb11832\u0022, \u0022payload_hash\u0022: \u0022cd95758931d35ddac90eefe3e3b2f93e\u0022, \u0022path_pattern_hash\u0022: \u0022d74ddfe4742de5ed194784edfb96af60\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 60}, \u0022payload_preview\u0022: \u0022GET \/Nmap\/folder\/check1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:81\\r\\nConnection: close\\r\\nUser-Agent: Mo\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/Nmap\/folder\/check1784352718\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/Nmap\/folder\/check1784352718 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/Nmap\/folder\/check1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:81\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/Nmap\/folder\/check1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:81\\r\\nConnection: close\\r\\nUser-Agent: Mo\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/Nmap\/folder\/check1784352718\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/Nmap\/folder\/check1784352718 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/Nmap\/folder\/check1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:81\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/Nmap\/folder\/check1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:81\\r\\nConnection: close\\r\\nUser-Agent: Mo\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1595\u0022], \u0022mitre\u0022: \u0022T1595\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c517b4155bdbccbf391e2344036d008f013122a9\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/Nmap\/folder\/check1784352718\u0022, \u0022request_line\u0022: \u0022GET \/Nmap\/folder\/check1784352718 HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/Nmap\/folder\/check1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:81\\r\\nConnection: close\\r\\nUser-Agent: Mo\u0022, \u0022attack_vector\u0022: \u0022scanner vuln \u00b7 via HTTP:81 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/Nmap\/folder\/check1784352718\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE T1595 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 60.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60, \u0022correlation_boost\u0022: 18}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 60, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022ET-SCAN-Nmap\u0022, \u0022SIGMA-web-scanner-ua\u0022, \u0022pat-0805\u0022, \u0022pat-0425\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022ET-SCAN-Nmap\u0022, \u0022SIGMA-web-scanner-ua\u0022, \u0022pat-0805\u0022, \u0022pat-0425\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1595\u0022, \u0022mitre_technique\u0022: \u0022T1595\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +18\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/Nmap\/folder\/check1784352718\u0022, \u0022request_line\u0022: \u0022GET \/Nmap\/folder\/check1784352718 HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022scanner vuln \u00b7 via HTTP:81 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/Nmap\/folder\/check1784352718\u0022, \u0022evidence_snippet\u0022: \u0022GET \/Nmap\/folder\/check1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:81\\r\\nConnection: close\\r\\nUser-Agent: Mo\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 25, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 81, 110, 111, 135, 143, 199, 445, 465, 548, 587, 993, 995, 1025], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 8, \u0022scan_velocity_ports_per_s\u0022: 1.94, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 18, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022]}"},{"id":12725097,"ip":"187.15.133.194","ts":"2026-07-18 05:31:54.000000","proto":"tcp","src_port":43093,"dst_port":8888,"service":"http","classification":"port_scan_syn","waf_score":48,"waf_tags":"[\u0022950079:sqli-19\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022scanner-ua\u0022]","http_method":"POST","http_target":"\/sdk","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u002203cfbf8c0e86ba291d1d987f1762cc4ae99f24a1\u0022, \u0022http_host_hash\u0022: \u0022df8342def44035bb0811f534eb102e9eef5615e1\u0022, \u0022http_target_hash\u0022: \u00225e2a035222ca1432dd7a4c0062da7711ee276c61\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 650, \u0022payload_entropy\u0022: 5.282456176509406, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 8888, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 77, \u0022tag_count\u0022: 13, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022a9edf7102c063c042b9a56b8ce12af2e8832e766\u0022, \u0022event_fingerprint\u0022: \u0022044c5d88fb789cabb4309883d24717947aefc841\u0022, \u0022classification_reason\u0022: \u0022Motif SSRF \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0284\u0022, \u0022pat-0103\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022, \u0022pat-0599\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 941130\u0022, \u0022LFI Double-dot bypass\u0022, \u0022UA Nmap Scripting Engine\u0022, \u0022UA nmap\u0022, \u0022Sigma nmap UA\u0022, \u0022HTTP alt 8888 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0284\u0022, \u0022pat-0103\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022, \u0022pat-0599\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 77, \u0022correlation_boost\u0022: 14}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022330447dbae11331605ae65a34cb11832\u0022, \u0022payload_hash\u0022: \u00220c84863091b62cdb1dba23d38ffd4696\u0022, \u0022path_pattern_hash\u0022: \u0022b91a94364e548eac8280a672094b6c64\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8888, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 77}, \u0022payload_preview\u0022: \u0022POST \/sdk HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:8888\\r\\nContent-Length: 441\\r\\nConnection: close\\r\\nUser-Agent: Mo\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/sdk\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022waf_tags\u0022: [\u0022950079:sqli-19\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-19\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022POST \/sdk HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/sdk HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:8888\\r\\nContent-Length: 441\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\\r\\n\\r\\n\u003Csoap:Envelope xmlns:xsd=\\\u0022http:\/\/www.w3.org\/200\u0022, \u0022payload_snippet\u0022: \u0022POST \/sdk HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:8888\\r\\nContent-Length: 441\\r\\nConnection: close\\r\\nUser-Agent: Mo\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/sdk\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022waf_tags\u0022: [\u0022950079:sqli-19\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-19\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022POST \/sdk HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/sdk HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:8888\\r\\nContent-Length: 441\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\\r\\n\\r\\n\u003Csoap:Envelope xmlns:xsd=\\\u0022http:\/\/www.w3.org\/200\u0022, \u0022payload_snippet\u0022: \u0022POST \/sdk HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:8888\\r\\nContent-Length: 441\\r\\nConnection: close\\r\\nUser-Agent: Mo\u0022, \u0022classification_reason\u0022: \u0022Motif SSRF \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223b92f122a53a59b865677b09cad01a5724d680fa\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/sdk\u0022, \u0022request_line\u0022: \u0022POST \/sdk HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022port\u0022: 8888, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/sdk HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:8888\\r\\nContent-Length: 441\\r\\nConnection: close\\r\\nUser-Agent: Mo\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8888 \u00b7 (reconnaissance) \u00b7 \u2192 \/sdk\u0022, \u0022target_port_label\u0022: \u00228888 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 8 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Motif SSRF \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Motif SSRF \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 77\/100 (\u00c9lev\u00e9) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 77, \u0022correlation_boost\u0022: 14}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 77, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8888, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +14\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/sdk\u0022, \u0022request_line\u0022: \u0022POST \/sdk HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022port\u0022: 8888, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8888 \u00b7 (reconnaissance) \u00b7 \u2192 \/sdk\u0022, \u0022evidence_snippet\u0022: \u0022POST \/sdk HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:8888\\r\\nContent-Length: 441\\r\\nConnection: close\\r\\nUser-Agent: Mo\u0022, \u0022target_port_label\u0022: \u00228888 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 8 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +14 \u00b7 8 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228888\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 25, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 81, 110, 111, 135, 143, 199, 445, 465, 548, 587, 993, 995, 1025], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 14, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950079:sqli-19\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_jwt_body\u0022, \u0022http_ssrf_body\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022]}"},{"id":12725098,"ip":"187.15.133.194","ts":"2026-07-18 05:31:54.000000","proto":"tcp","src_port":26373,"dst_port":199,"service":"http","classification":"port_scan_syn","waf_score":3,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 0, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: null, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 18, \u0022payload_entropy\u0022: 3.461320140211008, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 199, \u0022risk_waf\u0022: 20.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a07359c200665fd7add17fabfe9779a8f087b469\u0022, \u0022event_fingerprint\u0022: \u0022ce401735047c79e55eacb1c06be224bc51320f5c\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 18}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226ec63b40bcbc26b71deda762dfd844f0\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 199, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226e6c836d61bb8bafd6eb82315767bcbb3ddc68cf\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 199, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:199 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u0022199 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 1 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 18}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 199, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +18\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 199, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:199 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\u0022, \u0022target_port_label\u0022: \u0022199 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 1 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +18 \u00b7 1 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022199\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 25, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 81, 110, 111, 135, 143, 199, 445, 465, 548, 587, 993, 995, 1025], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 3, \u0022scan_velocity_ports_per_s\u0022: 0.8, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 18, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022http_no_ua\u0022]}"},{"id":12725099,"ip":"187.15.133.194","ts":"2026-07-18 05:31:54.000000","proto":"tcp","src_port":50699,"dst_port":81,"service":"http","classification":"scanner_vuln","waf_score":22,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/nmaplowercheck1784352718","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u002203cfbf8c0e86ba291d1d987f1762cc4ae99f24a1\u0022, \u0022http_host_hash\u0022: \u00223f9d10f4878f3b807c4b03eb9bfacb2c8601632f\u0022, \u0022http_target_hash\u0022: \u0022ba73cbd92abe96802829f778f8005d617bed6460\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 206, \u0022payload_entropy\u0022: 5.2029916728697305, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 96.0, \u0022risk_classification\u0022: 60.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 96.0, \u0022classification\u0022: 60.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u002267fe9b83623439dff030f5db0a8dd1729a7738c9\u0022, \u0022event_fingerprint\u0022: \u0022e5a327c946bac23dbec004b040f34070b2d983a7\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 328, \u0022precision_signals\u0022: [\u0022ET-SCAN-Nmap\u0022, \u0022SIGMA-web-scanner-ua\u0022, \u0022pat-0805\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022], \u0022kb_rule_ids\u0022: [\u0022ET-SCAN-Nmap\u0022, \u0022SIGMA-web-scanner-ua\u0022, \u0022pat-0805\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022], \u0022matched_patterns\u0022: [\u0022pat-0805\u0022, \u0022pat-0103\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022], \u0022matched_pattern_names\u0022: [\u0022MITRE T1046 network scan\u0022, \u0022LFI Double-dot bypass\u0022, \u0022UA Nmap Scripting Engine\u0022, \u0022UA nmap\u0022, \u0022Sigma nmap UA\u0022], \u0022pattern_ids\u0022: [\u0022pat-0805\u0022, \u0022pat-0103\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 96.0, \u0022classification\u0022: 60.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 59, \u0022correlation_boost\u0022: 18}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022vuln_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022330447dbae11331605ae65a34cb11832\u0022, \u0022payload_hash\u0022: \u0022ee04a59b66a99bae1f05e6c3da1e325f\u0022, \u0022path_pattern_hash\u0022: \u0022cf6626d5ab4a66836aa7503955a08341\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/nmaplowercheck1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:81\\r\\nConnection: close\\r\\nUser-Agent: Mozil\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/nmaplowercheck1784352718\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/nmaplowercheck1784352718 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/nmaplowercheck1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:81\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/nmaplowercheck1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:81\\r\\nConnection: close\\r\\nUser-Agent: Mozil\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/nmaplowercheck1784352718\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/nmaplowercheck1784352718 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/nmaplowercheck1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:81\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/nmaplowercheck1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:81\\r\\nConnection: close\\r\\nUser-Agent: Mozil\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1595\u0022], \u0022mitre\u0022: \u0022T1595\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002272cca0a83266f06cbcd4ec43c3fe0d9c9eb3615a\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/nmaplowercheck1784352718\u0022, \u0022request_line\u0022: \u0022GET \/nmaplowercheck1784352718 HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/nmaplowercheck1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:81\\r\\nConnection: close\\r\\nUser-Agent: Mozil\u0022, \u0022attack_vector\u0022: \u0022scanner vuln \u00b7 via HTTP:81 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/nmaplowercheck1784352718\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1595 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 96.0, \u0022classification\u0022: 60.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 59, \u0022correlation_boost\u0022: 18}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022ET-SCAN-Nmap\u0022, \u0022SIGMA-web-scanner-ua\u0022, \u0022pat-0805\u0022, \u0022pat-0425\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022ET-SCAN-Nmap\u0022, \u0022SIGMA-web-scanner-ua\u0022, \u0022pat-0805\u0022, \u0022pat-0425\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1595\u0022, \u0022mitre_technique\u0022: \u0022T1595\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +18\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/nmaplowercheck1784352718\u0022, \u0022request_line\u0022: \u0022GET \/nmaplowercheck1784352718 HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022scanner vuln \u00b7 via HTTP:81 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/nmaplowercheck1784352718\u0022, \u0022evidence_snippet\u0022: \u0022GET \/nmaplowercheck1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:81\\r\\nConnection: close\\r\\nUser-Agent: Mozil\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 96 \u00b7 Bonus corr\u00e9lation +18 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 25, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 81, 110, 111, 135, 143, 199, 445, 465, 548, 587, 993, 995, 1025], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 4, \u0022scan_velocity_ports_per_s\u0022: 1.06, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 18, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022]}"},{"id":12725100,"ip":"187.15.133.194","ts":"2026-07-18 05:31:54.000000","proto":"tcp","src_port":46111,"dst_port":81,"service":"http","classification":"port_scan_syn","waf_score":48,"waf_tags":"[\u0022950079:sqli-19\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022scanner-ua\u0022]","http_method":"POST","http_target":"\/sdk","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u002203cfbf8c0e86ba291d1d987f1762cc4ae99f24a1\u0022, \u0022http_host_hash\u0022: \u00223f9d10f4878f3b807c4b03eb9bfacb2c8601632f\u0022, \u0022http_target_hash\u0022: \u00225e2a035222ca1432dd7a4c0062da7711ee276c61\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 648, \u0022payload_entropy\u0022: 5.271108735971403, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 76, \u0022tag_count\u0022: 13, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022b0eb79ddaff70a8662e8b1b5d957b57842b65f9e\u0022, \u0022event_fingerprint\u0022: \u00223bd20c458e6da8af13dfa8c2a8ec64794ce0b5c7\u0022, \u0022classification_reason\u0022: \u0022Motif SSRF \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0284\u0022, \u0022pat-0103\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 941130\u0022, \u0022LFI Double-dot bypass\u0022, \u0022UA Nmap Scripting Engine\u0022, \u0022UA nmap\u0022, \u0022Sigma nmap UA\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0284\u0022, \u0022pat-0103\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 76, \u0022correlation_boost\u0022: 18}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022330447dbae11331605ae65a34cb11832\u0022, \u0022payload_hash\u0022: \u002213c516e06f7703ef1de5c499f0f6513c\u0022, \u0022path_pattern_hash\u0022: \u0022b91a94364e548eac8280a672094b6c64\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 76}, \u0022payload_preview\u0022: \u0022POST \/sdk HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:81\\r\\nContent-Length: 441\\r\\nConnection: close\\r\\nUser-Agent: Mozi\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/sdk\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022waf_tags\u0022: [\u0022950079:sqli-19\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-19\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022POST \/sdk HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/sdk HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:81\\r\\nContent-Length: 441\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\\r\\n\\r\\n\u003Csoap:Envelope xmlns:xsd=\\\u0022http:\/\/www.w3.org\/2001\/\u0022, \u0022payload_snippet\u0022: \u0022POST \/sdk HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:81\\r\\nContent-Length: 441\\r\\nConnection: close\\r\\nUser-Agent: Mozi\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/sdk\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022waf_tags\u0022: [\u0022950079:sqli-19\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-19\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022POST \/sdk HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/sdk HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:81\\r\\nContent-Length: 441\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\\r\\n\\r\\n\u003Csoap:Envelope xmlns:xsd=\\\u0022http:\/\/www.w3.org\/2001\/\u0022, \u0022payload_snippet\u0022: \u0022POST \/sdk HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:81\\r\\nContent-Length: 441\\r\\nConnection: close\\r\\nUser-Agent: Mozi\u0022, \u0022classification_reason\u0022: \u0022Motif SSRF \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002273155d17ba1f23ed972aaca4453f7b1c5b898144\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/sdk\u0022, \u0022request_line\u0022: \u0022POST \/sdk HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/sdk HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:81\\r\\nContent-Length: 441\\r\\nConnection: close\\r\\nUser-Agent: Mozi\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:81 \u00b7 (reconnaissance) \u00b7 \u2192 \/sdk\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 8 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Motif SSRF \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Motif SSRF \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 76\/100 (\u00c9lev\u00e9) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 76, \u0022correlation_boost\u0022: 18}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 76, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +18\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/sdk\u0022, \u0022request_line\u0022: \u0022POST \/sdk HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:81 \u00b7 (reconnaissance) \u00b7 \u2192 \/sdk\u0022, \u0022evidence_snippet\u0022: \u0022POST \/sdk HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:81\\r\\nContent-Length: 441\\r\\nConnection: close\\r\\nUser-Agent: Mozi\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 8 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 8 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 25, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 81, 110, 111, 135, 143, 199, 445, 465, 548, 587, 993, 995, 1025], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 4, \u0022scan_velocity_ports_per_s\u0022: 1.06, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 18, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950079:sqli-19\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_jwt_body\u0022, \u0022http_ssrf_body\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022]}"},{"id":12725101,"ip":"187.15.133.194","ts":"2026-07-18 05:31:54.000000","proto":"tcp","src_port":22826,"dst_port":199,"service":"http","classification":"scanner_vuln","waf_score":22,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/nmaplowercheck1784352718","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u002203cfbf8c0e86ba291d1d987f1762cc4ae99f24a1\u0022, \u0022http_host_hash\u0022: \u0022c594f73ad1ce8236237a9784f386fc92dc8c31a8\u0022, \u0022http_target_hash\u0022: \u0022ba73cbd92abe96802829f778f8005d617bed6460\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 207, \u0022payload_entropy\u0022: 5.225622530028717, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 199, \u0022risk_waf\u0022: 96.0, \u0022risk_classification\u0022: 60.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 96.0, \u0022classification\u0022: 60.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 57, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022c5fcbd9502a0674d01b705e8f7378361dd03fc86\u0022, \u0022event_fingerprint\u0022: \u0022d4c4f258616e019b4603d9c20c3854eae8824fac\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 328, \u0022precision_signals\u0022: [\u0022ET-SCAN-Nmap\u0022, \u0022SIGMA-web-scanner-ua\u0022, \u0022pat-0805\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022], \u0022kb_rule_ids\u0022: [\u0022ET-SCAN-Nmap\u0022, \u0022SIGMA-web-scanner-ua\u0022, \u0022pat-0805\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022], \u0022matched_patterns\u0022: [\u0022pat-0805\u0022, \u0022pat-0103\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022], \u0022matched_pattern_names\u0022: [\u0022MITRE T1046 network scan\u0022, \u0022LFI Double-dot bypass\u0022, \u0022UA Nmap Scripting Engine\u0022, \u0022UA nmap\u0022, \u0022Sigma nmap UA\u0022], \u0022pattern_ids\u0022: [\u0022pat-0805\u0022, \u0022pat-0103\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 96.0, \u0022classification\u0022: 60.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 57, \u0022correlation_boost\u0022: 18}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022vuln_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022330447dbae11331605ae65a34cb11832\u0022, \u0022payload_hash\u0022: \u00220256d0ee6e310484b93ebc187eb40071\u0022, \u0022path_pattern_hash\u0022: \u0022cf6626d5ab4a66836aa7503955a08341\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 199, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 57}, \u0022payload_preview\u0022: \u0022GET \/nmaplowercheck1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:199\\r\\nConnection: close\\r\\nUser-Agent: Mozi\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/nmaplowercheck1784352718\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/nmaplowercheck1784352718 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/nmaplowercheck1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:199\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/nmaplowercheck1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:199\\r\\nConnection: close\\r\\nUser-Agent: Mozi\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/nmaplowercheck1784352718\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/nmaplowercheck1784352718 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/nmaplowercheck1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:199\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/nmaplowercheck1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:199\\r\\nConnection: close\\r\\nUser-Agent: Mozi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1595\u0022], \u0022mitre\u0022: \u0022T1595\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222dbdf703c92af9132d92f744317087347b73291a\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/nmaplowercheck1784352718\u0022, \u0022request_line\u0022: \u0022GET \/nmaplowercheck1784352718 HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022port\u0022: 199, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/nmaplowercheck1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:199\\r\\nConnection: close\\r\\nUser-Agent: Mozi\u0022, \u0022attack_vector\u0022: \u0022scanner vuln \u00b7 via HTTP:199 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/nmaplowercheck1784352718\u0022, \u0022target_port_label\u0022: \u0022199 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE T1595 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 96.0, \u0022classification\u0022: 60.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 57, \u0022correlation_boost\u0022: 18}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 57, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 199, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022ET-SCAN-Nmap\u0022, \u0022SIGMA-web-scanner-ua\u0022, \u0022pat-0805\u0022, \u0022pat-0425\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022ET-SCAN-Nmap\u0022, \u0022SIGMA-web-scanner-ua\u0022, \u0022pat-0805\u0022, \u0022pat-0425\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1595\u0022, \u0022mitre_technique\u0022: \u0022T1595\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +18\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/nmaplowercheck1784352718\u0022, \u0022request_line\u0022: \u0022GET \/nmaplowercheck1784352718 HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022port\u0022: 199, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022scanner vuln \u00b7 via HTTP:199 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/nmaplowercheck1784352718\u0022, \u0022evidence_snippet\u0022: \u0022GET \/nmaplowercheck1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:199\\r\\nConnection: close\\r\\nUser-Agent: Mozi\u0022, \u0022target_port_label\u0022: \u0022199 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 96 \u00b7 Bonus corr\u00e9lation +18 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022199\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 25, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 81, 110, 111, 135, 143, 199, 445, 465, 548, 587, 993, 995, 1025], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 4, \u0022scan_velocity_ports_per_s\u0022: 1.06, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 18, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]}"},{"id":12725102,"ip":"187.15.133.194","ts":"2026-07-18 05:31:54.000000","proto":"tcp","src_port":64468,"dst_port":1720,"service":"http","classification":"port_scan_syn","waf_score":3,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 0, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: null, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 18, \u0022payload_entropy\u0022: 3.461320140211008, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 1720, \u0022risk_waf\u0022: 20.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00222b7998c4ade4362021bbaf19219a9857622038d3\u0022, \u0022event_fingerprint\u0022: \u0022b0da2a9edddbb989ddc1033f6079605bf6efa436\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 18}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226ec63b40bcbc26b71deda762dfd844f0\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1720, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002221890f6f004d56bff401597c330f7362c8883f16\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 1720, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:1720 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00221720 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 1 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 18}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 1720, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +18\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 1720, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:1720 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\u0022, \u0022target_port_label\u0022: \u00221720 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 1 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +18 \u00b7 1 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221720\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 25, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 81, 110, 111, 135, 143, 199, 445, 465, 548, 587, 993, 995, 1025], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 5, \u0022scan_velocity_ports_per_s\u0022: 1.32, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 18, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022http_no_ua\u0022]}"},{"id":12725103,"ip":"187.15.133.194","ts":"2026-07-18 05:31:54.000000","proto":"tcp","src_port":34842,"dst_port":1723,"service":"pptp","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 152, \u0022bytes_in\u0022: 156, \u0022payload_entropy\u0022: 1.0185126797061423, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022pptp\u0022, \u0022app_proto\u0022: \u0022pptp\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 1723, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227f571a2fce7c469bfc57d5e48b3a69201915b70e\u0022, \u0022event_fingerprint\u0022: \u002271584713bb04b570046daaa2c28d60858e61192a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0448\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022UA nmap\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0448\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 18}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224dd04af3dcb43d86d479b61344c6ee22\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_score\u0022: 42}, \u0022payload_snippet\u0022: \u0022\\u0000\ufffd\\u0000\\u0001\\u001a+\u003CM\\u0000\\u0001\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001none\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000nmap\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\ufffd\\u0000\\u0001\\u001a+\u003CM\\u0000\\u0001\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001none\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000nmap\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\ufffd\\u0000\\u0001\\u001a+\u003CM\\u0000\\u0001\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001none\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000nmap\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022fbe7bccd2ad2e1096217ff77f84a57df6591ce0b\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\ufffd\\u0000\\u0001\\u001a+\u003CM\\u0000\\u0001\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001none\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000nmap\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd+\u003CM\ufffd\ufffdnonenmap\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via PPTP:1723 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via PPTP \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 18}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022, \u0022dst_port\u0022: 1723, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +18\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\ufffd\\u0000\\u0001\\u001a+\u003CM\\u0000\\u0001\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001none\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000nmap\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via PPTP:1723 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd+\u003CM\ufffd\ufffdnonenmap\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pptp\u0022, \u0022service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221723\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 25, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 81, 110, 111, 135, 143, 199, 445, 465, 548, 587, 993, 995, 1025], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 6, \u0022scan_velocity_ports_per_s\u0022: 1.58, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 18, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022]}"},{"id":12725104,"ip":"187.15.133.194","ts":"2026-07-18 05:31:54.000000","proto":"tcp","src_port":15468,"dst_port":1720,"service":"http","classification":"scanner_vuln","waf_score":22,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/nmaplowercheck1784352718","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u002203cfbf8c0e86ba291d1d987f1762cc4ae99f24a1\u0022, \u0022http_host_hash\u0022: \u002287a118bc4f8adb1808cea1d662665bbefaafbcaf\u0022, \u0022http_target_hash\u0022: \u0022ba73cbd92abe96802829f778f8005d617bed6460\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 208, \u0022payload_entropy\u0022: 5.214321453752121, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 212238, \u0022country\u0022: \u0022JP\u0022, \u0022dst_port\u0022: 1720, \u0022risk_waf\u0022: 96.0, \u0022risk_classification\u0022: 60.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 96.0, \u0022classification\u0022: 60.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 57, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022bb307085f48b1abf02f743997447d433cdc7dff6\u0022, \u0022event_fingerprint\u0022: \u00221bcb6317239ca02a9074c1f975ff05f9a1ea2a5c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 328, \u0022precision_signals\u0022: [\u0022ET-SCAN-Nmap\u0022, \u0022SIGMA-web-scanner-ua\u0022, \u0022pat-0805\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022], \u0022kb_rule_ids\u0022: [\u0022ET-SCAN-Nmap\u0022, \u0022SIGMA-web-scanner-ua\u0022, \u0022pat-0805\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022], \u0022matched_patterns\u0022: [\u0022pat-0805\u0022, \u0022pat-0103\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022], \u0022matched_pattern_names\u0022: [\u0022MITRE T1046 network scan\u0022, \u0022LFI Double-dot bypass\u0022, \u0022UA Nmap Scripting Engine\u0022, \u0022UA nmap\u0022, \u0022Sigma nmap UA\u0022], \u0022pattern_ids\u0022: [\u0022pat-0805\u0022, \u0022pat-0103\u0022, \u0022pat-0425\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 96.0, \u0022classification\u0022: 60.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 57, \u0022correlation_boost\u0022: 18}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022vuln_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022JP\u0022, \u0022asn\u0022: 212238, \u0022org\u0022: \u0022Datacamp Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022330447dbae11331605ae65a34cb11832\u0022, \u0022payload_hash\u0022: \u002204fafe41f17a887abb2448d62b1a61bc\u0022, \u0022path_pattern_hash\u0022: \u0022cf6626d5ab4a66836aa7503955a08341\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1720, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 57}, \u0022payload_preview\u0022: \u0022GET \/nmaplowercheck1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:1720\\r\\nConnection: close\\r\\nUser-Agent: Moz\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/nmaplowercheck1784352718\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/nmaplowercheck1784352718 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/nmaplowercheck1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:1720\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/nmaplowercheck1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:1720\\r\\nConnection: close\\r\\nUser-Agent: Moz\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/nmaplowercheck1784352718\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/nmaplowercheck1784352718 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/nmaplowercheck1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:1720\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/nmaplowercheck1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:1720\\r\\nConnection: close\\r\\nUser-Agent: Moz\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1595\u0022], \u0022mitre\u0022: \u0022T1595\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b69f6cad6448af88d7d2e4ae8c84badad312032d\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/nmaplowercheck1784352718\u0022, \u0022request_line\u0022: \u0022GET \/nmaplowercheck1784352718 HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022port\u0022: 1720, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/nmaplowercheck1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:1720\\r\\nConnection: close\\r\\nUser-Agent: Moz\u0022, \u0022attack_vector\u0022: \u0022scanner vuln \u00b7 via HTTP:1720 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/nmaplowercheck1784352718\u0022, \u0022target_port_label\u0022: \u00221720 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE T1595 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (23 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 96.0, \u0022classification\u0022: 60.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 57, \u0022correlation_boost\u0022: 18}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 57, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 1720, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022ET-SCAN-Nmap\u0022, \u0022SIGMA-web-scanner-ua\u0022, \u0022pat-0805\u0022, \u0022pat-0425\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022ET-SCAN-Nmap\u0022, \u0022SIGMA-web-scanner-ua\u0022, \u0022pat-0805\u0022, \u0022pat-0425\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1595\u0022, \u0022mitre_technique\u0022: \u0022T1595\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_rapide\u0022, \u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan rapide multi-ports\u0022, \u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +18\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/nmaplowercheck1784352718\u0022, \u0022request_line\u0022: \u0022GET \/nmaplowercheck1784352718 HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\u0022, \u0022port\u0022: 1720, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022scanner vuln \u00b7 via HTTP:1720 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/nmaplowercheck1784352718\u0022, \u0022evidence_snippet\u0022: \u0022GET \/nmaplowercheck1784352718 HTTP\/1.1\\r\\nHost: ip-62-3-50-33.v4.isp.servpersosystems.net:1720\\r\\nConnection: close\\r\\nUser-Agent: Moz\u0022, \u0022target_port_label\u0022: \u00221720 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 96 \u00b7 Bonus corr\u00e9lation +18 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221720\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 25, \u0022port_scan_ports_sample\u0022: [21, 22, 23, 81, 110, 111, 135, 143, 199, 445, 465, 548, 587, 993, 995, 1025], \u0022rapid_port_scan\u0022: true, \u0022rapid_scan_distinct_ports\u0022: 6, \u0022scan_velocity_ports_per_s\u0022: 1.58, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 23, \u0022multi_protocol_sample\u0022: [\u0022afp\u0022, \u0022ftp\u0022, \u0022h323\u0022, \u0022http\u0022, \u0022http-alt-81\u0022, \u0022imap\u0022, \u0022imaps\u0022, \u0022msrpc\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022rapid_port_scan\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 18, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]}"}],"total_events":318}