{"ip":"193.143.1.66","exported_at":"2026-06-18T16:49:22+00:00","period_days":30,"metrics":{"events7d":0,"distinct_ports":0,"distinct_classifications":0,"max_severity":null,"last_sensor_id":"paris-1","max_waf_score":null,"max_risk_score":74,"attack_stage":"probe","attack_chain_stage":null,"threat_family":["scanner"],"recommended_action":"monitor","confidence":1,"risk_breakdown":{"waf":8,"classification":52,"behavior":0,"geo":0,"protocol":0,"novelty":0},"mitre_tactics":["TA0007","TA0001"],"mitre_technique":null,"top_mitre_technique":null,"top_mitre_count":null,"executive_one_liner_fr":"risque 22\/100","campaign_hint_fr":null,"confidence_breakdown":[],"persona_hostname":null,"correlation_flags":[],"correlation_flags_labels_fr":[],"confidence_pct":100,"confidence_hint_fr":null,"sensor_role_label_fr":null,"tags_summary_labels_fr":[],"tags_summary":[],"attack_vector":null,"protocol_details":[],"protocol_summary_fr":null,"evidence_snippet":"\u0003\u0000\u0000,\u0027\ufffd\u0000\u0000\u0000\u0000\u0000Cookie: mstshash=Domain\r\n\u0001\u0000\b\u0000\u0003","target_port_label":"3394","emulator_service":null,"confidence_reason":null,"classification_reason":"Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%","classification_reason_label_fr":"Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%","confidence_factors_fr":null,"payload_preview":"\u0003\u0000\u0000,\u0027\ufffd\u0000\u0000\u0000\u0000\u0000Cookie: mstshash=Domain\r\n\u0001\u0000\b\u0000\u0003"},"events":[{"id":8401152,"ip":"193.143.1.66","ts":"2026-06-06 18:25:15.000000","proto":"tcp","src_port":1966,"dst_port":3394,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 4.038310595615006, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 3394, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 22, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b3052d938d207e962fbe3afca229ec31f555a219\u0022, \u0022event_fingerprint\u0022: \u0022b92479d3218f7701dd2d59180e93e611150a2afe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 198953, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222e076102f5c92d55ed830e6ed3a06d77\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3394}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000,\u0027\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Domain\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000,\u0027\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Domain\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000,\u0027\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Domain\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000,\u0027\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Domain\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000,\u0027\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Domain\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ea8bc8b55039ac71fda251da00b12bd9ee8424e1\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":44},{"id":8401151,"ip":"193.143.1.66","ts":"2026-06-06 18:25:15.000000","proto":"tcp","src_port":1888,"dst_port":3394,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 3394, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 16, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b3052d938d207e962fbe3afca229ec31f555a219\u0022, \u0022event_fingerprint\u0022: \u0022b92479d3218f7701dd2d59180e93e611150a2afe\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022INT-single-port\u0022], \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 198953, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u002249ebffbc8eed300cf9429db1ba4cf66d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3394}, \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002283f65695aecc27c78ecdec2bfd55727f7e7b6bef\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":0},{"id":8393494,"ip":"193.143.1.66","ts":"2026-06-06 14:47:37.000000","proto":"tcp","src_port":46088,"dst_port":3389,"service":"rdp","classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: \u0022rdp\u0022, \u0022app_proto\u0022: \u0022rdp\u0022, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 3389, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 8, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022aa4bea48009056c8c3884e795b29aa79232ecca7\u0022, \u0022event_fingerprint\u0022: \u0022707be242ce71f14fac23ca7fdd82d854dc2752d8\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 198953, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3389, \u0022service\u0022: \u0022rdp\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022dfff3e8785bdfc5ee3653de0d4fefdb9c5ee91b8\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rdp_probe\u0022, \u0022rdp_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rdp_probe\u0022, \u0022rdp_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":0},{"id":8393496,"ip":"193.143.1.66","ts":"2026-06-06 14:47:37.000000","proto":"tcp","src_port":46441,"dst_port":3389,"service":"rdp","classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022030000130ed000001234000200080000000000\u0022, \u0022emulator_response_len\u0022: 19, \u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 4.038310595615006, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: \u0022rdp\u0022, \u0022app_proto\u0022: \u0022rdp\u0022, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 3389, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 24, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002240bf2c34d73676fee23426938806aaa527b96fcb\u0022, \u0022event_fingerprint\u0022: \u0022ad5bc6c1132c10ce0e88d551a1bd2cf31dc3757e\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0554\u0022], \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 198953, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222e076102f5c92d55ed830e6ed3a06d77\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3389, \u0022service\u0022: \u0022rdp\u0022}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000,\u0027\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Domain\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000,\u0027\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Domain\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000,\u0027\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Domain\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000,\u0027\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Domain\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000,\u0027\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Domain\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224ea0d3ccec64e1f4f1d27b14677068814bf342db\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rdp_cookie\u0022, \u0022rdp_cookie\u0022, \u0022rdp_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rdp_cookie\u0022, \u0022rdp_cookie\u0022, \u0022rdp_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":44},{"id":8320693,"ip":"193.143.1.66","ts":"2026-06-05 15:45:07.000000","proto":"tcp","src_port":45149,"dst_port":3389,"service":"rdp","classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022030000130ed000001234000200080000000000\u0022, \u0022emulator_response_len\u0022: 19, \u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 4.038310595615006, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: \u0022rdp\u0022, \u0022app_proto\u0022: \u0022rdp\u0022, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 3389, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 24, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002240bf2c34d73676fee23426938806aaa527b96fcb\u0022, \u0022event_fingerprint\u0022: \u0022ad5bc6c1132c10ce0e88d551a1bd2cf31dc3757e\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0554\u0022], \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 198953, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222e076102f5c92d55ed830e6ed3a06d77\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3389, \u0022service\u0022: \u0022rdp\u0022}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000,\u0027\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Domain\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000,\u0027\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Domain\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000,\u0027\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Domain\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000,\u0027\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Domain\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000,\u0027\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Domain\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224ea0d3ccec64e1f4f1d27b14677068814bf342db\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rdp_cookie\u0022, \u0022rdp_cookie\u0022, \u0022rdp_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rdp_cookie\u0022, \u0022rdp_cookie\u0022, \u0022rdp_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":44},{"id":8164939,"ip":"193.143.1.66","ts":"2026-06-03 20:16:08.000000","proto":"tcp","src_port":4333,"dst_port":3389,"service":"rdp","classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 4.038310595615006, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: \u0022rdp\u0022, \u0022app_proto\u0022: \u0022rdp\u0022, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 3389, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 30.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 30.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 12, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00226c983b4f58b54350982036948b6601b93c2563f4\u0022, \u0022event_fingerprint\u0022: \u0022707be242ce71f14fac23ca7fdd82d854dc2752d8\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 198953, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222e076102f5c92d55ed830e6ed3a06d77\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3389, \u0022service\u0022: \u0022rdp\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.68, \u0022classification_confidence\u0022: 0.68, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000,\u0027\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Domain\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022event_signature\u0022: \u0022b96a62a2d705c67c7b247fe49726e6b8d9e49c0d\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022rdp_cookie\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022rdp_cookie\u0022]","anomalies":"[]","severity":6,"bytes_in":44},{"id":8109651,"ip":"193.143.1.66","ts":"2026-06-01 10:52:26.000000","proto":"tcp","src_port":28436,"dst_port":100,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 4.038310595615006, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 62, \u0022campaign_key\u0022: \u0022ce6a40e900927b8f08111bfdb8eb48d4d46d49c5\u0022, \u0022event_fingerprint\u0022: \u0022945421d06f37c0c8a28628d3addb9d052daa2f9c\u0022, \u0022tags_list\u0022: [\u0022rdp_cookie\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022rdp_cookie\u0022]","anomalies":"[]","severity":5,"bytes_in":44},{"id":8109648,"ip":"193.143.1.66","ts":"2026-06-01 10:52:25.000000","proto":"tcp","src_port":24866,"dst_port":100,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 0, \u0022campaign_key\u0022: \u0022c5ecf6b831bee8bd8ff27536854a49d398aea064\u0022, \u0022event_fingerprint\u0022: \u0022290f6e904557932aafc62ed8800476e21e70f7f9\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":0},{"id":8109649,"ip":"193.143.1.66","ts":"2026-06-01 10:52:25.000000","proto":"tcp","src_port":25689,"dst_port":100,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 4.038310595615006, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 62, \u0022campaign_key\u0022: \u0022ce6a40e900927b8f08111bfdb8eb48d4d46d49c5\u0022, \u0022event_fingerprint\u0022: \u0022945421d06f37c0c8a28628d3addb9d052daa2f9c\u0022, \u0022tags_list\u0022: [\u0022rdp_cookie\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022rdp_cookie\u0022]","anomalies":"[]","severity":5,"bytes_in":44},{"id":8109650,"ip":"193.143.1.66","ts":"2026-06-01 10:52:25.000000","proto":"tcp","src_port":27153,"dst_port":100,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 4.038310595615006, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 62, \u0022campaign_key\u0022: \u0022ce6a40e900927b8f08111bfdb8eb48d4d46d49c5\u0022, \u0022event_fingerprint\u0022: \u0022945421d06f37c0c8a28628d3addb9d052daa2f9c\u0022, \u0022tags_list\u0022: [\u0022rdp_cookie\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022rdp_cookie\u0022]","anomalies":"[]","severity":5,"bytes_in":44},{"id":8045537,"ip":"193.143.1.66","ts":"2026-05-31 13:57:19.000000","proto":"tcp","src_port":53441,"dst_port":100,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 4.038310595615006, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 62, \u0022campaign_key\u0022: \u0022ce6a40e900927b8f08111bfdb8eb48d4d46d49c5\u0022, \u0022event_fingerprint\u0022: \u0022945421d06f37c0c8a28628d3addb9d052daa2f9c\u0022, \u0022tags_list\u0022: [\u0022rdp_cookie\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022rdp_cookie\u0022]","anomalies":"[]","severity":5,"bytes_in":44},{"id":8045539,"ip":"193.143.1.66","ts":"2026-05-31 13:57:19.000000","proto":"tcp","src_port":1376,"dst_port":100,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 4.038310595615006, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 62, \u0022campaign_key\u0022: \u0022ce6a40e900927b8f08111bfdb8eb48d4d46d49c5\u0022, \u0022event_fingerprint\u0022: \u0022945421d06f37c0c8a28628d3addb9d052daa2f9c\u0022, \u0022tags_list\u0022: [\u0022rdp_cookie\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022rdp_cookie\u0022]","anomalies":"[]","severity":5,"bytes_in":44},{"id":8045535,"ip":"193.143.1.66","ts":"2026-05-31 13:57:18.000000","proto":"tcp","src_port":41917,"dst_port":100,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 0, \u0022campaign_key\u0022: \u0022c5ecf6b831bee8bd8ff27536854a49d398aea064\u0022, \u0022event_fingerprint\u0022: \u0022290f6e904557932aafc62ed8800476e21e70f7f9\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":0},{"id":8045536,"ip":"193.143.1.66","ts":"2026-05-31 13:57:18.000000","proto":"tcp","src_port":43264,"dst_port":100,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 4.038310595615006, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 62, \u0022campaign_key\u0022: \u0022ce6a40e900927b8f08111bfdb8eb48d4d46d49c5\u0022, \u0022event_fingerprint\u0022: \u0022945421d06f37c0c8a28628d3addb9d052daa2f9c\u0022, \u0022tags_list\u0022: [\u0022rdp_cookie\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022rdp_cookie\u0022]","anomalies":"[]","severity":5,"bytes_in":44},{"id":7954363,"ip":"193.143.1.66","ts":"2026-05-29 20:30:22.000000","proto":"tcp","src_port":32750,"dst_port":3390,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 4.038310595615006, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 62, \u0022campaign_key\u0022: \u0022dbd4196467141253bcecdbd1b32e6f4e9a9e7de7\u0022, \u0022event_fingerprint\u0022: \u0022d39f4b3a0a60b62b8cc70fd70dcfc20f34401bff\u0022, \u0022tags_list\u0022: [\u0022rdp_cookie\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022rdp_cookie\u0022]","anomalies":"[]","severity":5,"bytes_in":44},{"id":7954364,"ip":"193.143.1.66","ts":"2026-05-29 20:30:22.000000","proto":"tcp","src_port":33764,"dst_port":3390,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 4.038310595615006, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 62, \u0022campaign_key\u0022: \u0022dbd4196467141253bcecdbd1b32e6f4e9a9e7de7\u0022, \u0022event_fingerprint\u0022: \u0022d39f4b3a0a60b62b8cc70fd70dcfc20f34401bff\u0022, \u0022tags_list\u0022: [\u0022rdp_cookie\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022rdp_cookie\u0022]","anomalies":"[]","severity":5,"bytes_in":44},{"id":7954361,"ip":"193.143.1.66","ts":"2026-05-29 20:30:21.000000","proto":"tcp","src_port":31443,"dst_port":3390,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 0, \u0022campaign_key\u0022: \u0022cd1bb62272f76e263f879ef75f256df674d8c361\u0022, \u0022event_fingerprint\u0022: \u002230a9e5323eb9d0157200c975e970e97267a5e123\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":0},{"id":7954362,"ip":"193.143.1.66","ts":"2026-05-29 20:30:21.000000","proto":"tcp","src_port":31938,"dst_port":3390,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 4.038310595615006, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 62, \u0022campaign_key\u0022: \u0022dbd4196467141253bcecdbd1b32e6f4e9a9e7de7\u0022, \u0022event_fingerprint\u0022: \u0022d39f4b3a0a60b62b8cc70fd70dcfc20f34401bff\u0022, \u0022tags_list\u0022: [\u0022rdp_cookie\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022rdp_cookie\u0022]","anomalies":"[]","severity":5,"bytes_in":44},{"id":7952145,"ip":"193.143.1.66","ts":"2026-05-29 19:36:51.000000","proto":"tcp","src_port":45035,"dst_port":3392,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 0, \u0022campaign_key\u0022: \u0022c596b85f5f489f95af8e479566eafdc5a3d33ebd\u0022, \u0022event_fingerprint\u0022: \u00223fa4e46f8020d4b499a527a095a872b3b29d0cf5\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":0},{"id":7952146,"ip":"193.143.1.66","ts":"2026-05-29 19:36:51.000000","proto":"tcp","src_port":48706,"dst_port":3392,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 4.038310595615006, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 62, \u0022campaign_key\u0022: \u0022e317ee54f36911e05cb75b99717634acc66a06d5\u0022, \u0022event_fingerprint\u0022: \u0022f42e30553192a4044e9a4a1c9c945e67de066156\u0022, \u0022tags_list\u0022: [\u0022rdp_cookie\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022rdp_cookie\u0022]","anomalies":"[]","severity":5,"bytes_in":44},{"id":7952147,"ip":"193.143.1.66","ts":"2026-05-29 19:36:51.000000","proto":"tcp","src_port":8602,"dst_port":3392,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 4.038310595615006, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 62, \u0022campaign_key\u0022: \u0022e317ee54f36911e05cb75b99717634acc66a06d5\u0022, \u0022event_fingerprint\u0022: \u0022f42e30553192a4044e9a4a1c9c945e67de066156\u0022, \u0022tags_list\u0022: [\u0022rdp_cookie\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022rdp_cookie\u0022]","anomalies":"[]","severity":5,"bytes_in":44},{"id":7952148,"ip":"193.143.1.66","ts":"2026-05-29 19:36:51.000000","proto":"tcp","src_port":15929,"dst_port":3392,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 4.038310595615006, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 62, \u0022campaign_key\u0022: \u0022e317ee54f36911e05cb75b99717634acc66a06d5\u0022, \u0022event_fingerprint\u0022: \u0022f42e30553192a4044e9a4a1c9c945e67de066156\u0022, \u0022tags_list\u0022: [\u0022rdp_cookie\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022rdp_cookie\u0022]","anomalies":"[]","severity":5,"bytes_in":44},{"id":7952099,"ip":"193.143.1.66","ts":"2026-05-29 19:35:40.000000","proto":"tcp","src_port":10925,"dst_port":3399,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 4.038310595615006, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 62, \u0022campaign_key\u0022: \u0022a5636557b5bd5b28c48049843ec4d848e54162c6\u0022, \u0022event_fingerprint\u0022: \u0022c029cf42e291b60e985334c34b69e158bf76b0ce\u0022, \u0022tags_list\u0022: [\u0022rdp_cookie\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022rdp_cookie\u0022]","anomalies":"[]","severity":5,"bytes_in":44},{"id":7952096,"ip":"193.143.1.66","ts":"2026-05-29 19:35:39.000000","proto":"tcp","src_port":45555,"dst_port":3399,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 0, \u0022campaign_key\u0022: \u00220aced514f001a928ee93dc72c58d2ddf90a3471d\u0022, \u0022event_fingerprint\u0022: \u0022f809712a9d6c304942696cce6a9215b6418068ed\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":0},{"id":7952097,"ip":"193.143.1.66","ts":"2026-05-29 19:35:39.000000","proto":"tcp","src_port":52113,"dst_port":3399,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 4.038310595615006, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 62, \u0022campaign_key\u0022: \u0022a5636557b5bd5b28c48049843ec4d848e54162c6\u0022, \u0022event_fingerprint\u0022: \u0022c029cf42e291b60e985334c34b69e158bf76b0ce\u0022, \u0022tags_list\u0022: [\u0022rdp_cookie\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022rdp_cookie\u0022]","anomalies":"[]","severity":5,"bytes_in":44},{"id":7952098,"ip":"193.143.1.66","ts":"2026-05-29 19:35:39.000000","proto":"tcp","src_port":7509,"dst_port":3399,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 4.038310595615006, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 62, \u0022campaign_key\u0022: \u0022a5636557b5bd5b28c48049843ec4d848e54162c6\u0022, \u0022event_fingerprint\u0022: \u0022c029cf42e291b60e985334c34b69e158bf76b0ce\u0022, \u0022tags_list\u0022: [\u0022rdp_cookie\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022rdp_cookie\u0022]","anomalies":"[]","severity":5,"bytes_in":44},{"id":7952054,"ip":"193.143.1.66","ts":"2026-05-29 19:34:16.000000","proto":"tcp","src_port":17661,"dst_port":3398,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 4.038310595615006, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 62, \u0022campaign_key\u0022: \u00223213279ebb335e855dfc8fee2b5236671ca1ca1d\u0022, \u0022event_fingerprint\u0022: \u00227b0cdc7165ab00ea2f0b9187d7de74a65e9b9794\u0022, \u0022tags_list\u0022: [\u0022rdp_cookie\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022rdp_cookie\u0022]","anomalies":"[]","severity":5,"bytes_in":44},{"id":7952055,"ip":"193.143.1.66","ts":"2026-05-29 19:34:16.000000","proto":"tcp","src_port":22423,"dst_port":3398,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 4.038310595615006, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 62, \u0022campaign_key\u0022: \u00223213279ebb335e855dfc8fee2b5236671ca1ca1d\u0022, \u0022event_fingerprint\u0022: \u00227b0cdc7165ab00ea2f0b9187d7de74a65e9b9794\u0022, \u0022tags_list\u0022: [\u0022rdp_cookie\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022rdp_cookie\u0022]","anomalies":"[]","severity":5,"bytes_in":44},{"id":7952052,"ip":"193.143.1.66","ts":"2026-05-29 19:34:15.000000","proto":"tcp","src_port":7947,"dst_port":3398,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 0, \u0022campaign_key\u0022: \u0022d4d43c968db8646cffdc0473b5b3a43d365a1fa0\u0022, \u0022event_fingerprint\u0022: \u00228e073b12937c5da93c10869125412a5276960906\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":0},{"id":7952053,"ip":"193.143.1.66","ts":"2026-05-29 19:34:15.000000","proto":"tcp","src_port":12543,"dst_port":3398,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 4.038310595615006, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 62, \u0022campaign_key\u0022: \u00223213279ebb335e855dfc8fee2b5236671ca1ca1d\u0022, \u0022event_fingerprint\u0022: \u00227b0cdc7165ab00ea2f0b9187d7de74a65e9b9794\u0022, \u0022tags_list\u0022: [\u0022rdp_cookie\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022rdp_cookie\u0022]","anomalies":"[]","severity":5,"bytes_in":44},{"id":7952007,"ip":"193.143.1.66","ts":"2026-05-29 19:32:53.000000","proto":"tcp","src_port":48613,"dst_port":3393,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 0, \u0022campaign_key\u0022: \u002257032d054fe0f2d326d15f5bc98665b53a686ddd\u0022, \u0022event_fingerprint\u0022: \u0022bbfe624cbb09ce2eb3aea59b68953edb4a1b17db\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":0},{"id":7952008,"ip":"193.143.1.66","ts":"2026-05-29 19:32:53.000000","proto":"tcp","src_port":53138,"dst_port":3396,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 0, \u0022campaign_key\u0022: \u0022e594a0bc21c39c5abcb116be523fe84626e018cd\u0022, \u0022event_fingerprint\u0022: \u0022d6b7c1fceb356c0ea18b4ac192f819abef1517a1\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":0},{"id":7952009,"ip":"193.143.1.66","ts":"2026-05-29 19:32:53.000000","proto":"tcp","src_port":5876,"dst_port":3393,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 4.038310595615006, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 62, \u0022campaign_key\u0022: \u0022d4a5624f16c7f1e0fb2e3a9ef54f86f57591ecdb\u0022, \u0022event_fingerprint\u0022: \u0022419a46e4f289c63fdb18320fc7664cc46b38628d\u0022, \u0022tags_list\u0022: [\u0022rdp_cookie\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022rdp_cookie\u0022]","anomalies":"[]","severity":5,"bytes_in":44},{"id":7952010,"ip":"193.143.1.66","ts":"2026-05-29 19:32:53.000000","proto":"tcp","src_port":8225,"dst_port":3396,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 4.038310595615006, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 62, \u0022campaign_key\u0022: \u002209d358b3e487484e723660d12dbac5ef828aa570\u0022, \u0022event_fingerprint\u0022: \u002229deb8bb4647c5ec32caf80de2eb3929de6f3d42\u0022, \u0022tags_list\u0022: [\u0022rdp_cookie\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022rdp_cookie\u0022]","anomalies":"[]","severity":5,"bytes_in":44},{"id":7952011,"ip":"193.143.1.66","ts":"2026-05-29 19:32:53.000000","proto":"tcp","src_port":12976,"dst_port":3393,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 4.038310595615006, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 62, \u0022campaign_key\u0022: \u0022d4a5624f16c7f1e0fb2e3a9ef54f86f57591ecdb\u0022, \u0022event_fingerprint\u0022: \u0022419a46e4f289c63fdb18320fc7664cc46b38628d\u0022, \u0022tags_list\u0022: [\u0022rdp_cookie\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022rdp_cookie\u0022]","anomalies":"[]","severity":5,"bytes_in":44},{"id":7952012,"ip":"193.143.1.66","ts":"2026-05-29 19:32:53.000000","proto":"tcp","src_port":16016,"dst_port":3396,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 4.038310595615006, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 62, \u0022campaign_key\u0022: \u002209d358b3e487484e723660d12dbac5ef828aa570\u0022, \u0022event_fingerprint\u0022: \u002229deb8bb4647c5ec32caf80de2eb3929de6f3d42\u0022, \u0022tags_list\u0022: [\u0022rdp_cookie\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022rdp_cookie\u0022]","anomalies":"[]","severity":5,"bytes_in":44},{"id":7952013,"ip":"193.143.1.66","ts":"2026-05-29 19:32:53.000000","proto":"tcp","src_port":24013,"dst_port":3393,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 4.038310595615006, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 62, \u0022campaign_key\u0022: \u0022d4a5624f16c7f1e0fb2e3a9ef54f86f57591ecdb\u0022, \u0022event_fingerprint\u0022: \u0022419a46e4f289c63fdb18320fc7664cc46b38628d\u0022, \u0022tags_list\u0022: [\u0022rdp_cookie\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022rdp_cookie\u0022]","anomalies":"[]","severity":5,"bytes_in":44},{"id":7952014,"ip":"193.143.1.66","ts":"2026-05-29 19:32:53.000000","proto":"tcp","src_port":26649,"dst_port":3396,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 4.038310595615006, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 62, \u0022campaign_key\u0022: \u002209d358b3e487484e723660d12dbac5ef828aa570\u0022, \u0022event_fingerprint\u0022: \u002229deb8bb4647c5ec32caf80de2eb3929de6f3d42\u0022, \u0022tags_list\u0022: [\u0022rdp_cookie\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022rdp_cookie\u0022]","anomalies":"[]","severity":5,"bytes_in":44},{"id":7951948,"ip":"193.143.1.66","ts":"2026-05-29 19:31:27.000000","proto":"tcp","src_port":17309,"dst_port":3390,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 0, \u0022campaign_key\u0022: \u0022cd1bb62272f76e263f879ef75f256df674d8c361\u0022, \u0022event_fingerprint\u0022: \u002230a9e5323eb9d0157200c975e970e97267a5e123\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":0},{"id":7951949,"ip":"193.143.1.66","ts":"2026-05-29 19:31:27.000000","proto":"tcp","src_port":18791,"dst_port":3390,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 4.038310595615006, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 62, \u0022campaign_key\u0022: \u0022dbd4196467141253bcecdbd1b32e6f4e9a9e7de7\u0022, \u0022event_fingerprint\u0022: \u0022d39f4b3a0a60b62b8cc70fd70dcfc20f34401bff\u0022, \u0022tags_list\u0022: [\u0022rdp_cookie\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022rdp_cookie\u0022]","anomalies":"[]","severity":5,"bytes_in":44},{"id":7951950,"ip":"193.143.1.66","ts":"2026-05-29 19:31:27.000000","proto":"tcp","src_port":23181,"dst_port":3390,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 4.038310595615006, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 62, \u0022campaign_key\u0022: \u0022dbd4196467141253bcecdbd1b32e6f4e9a9e7de7\u0022, \u0022event_fingerprint\u0022: \u0022d39f4b3a0a60b62b8cc70fd70dcfc20f34401bff\u0022, \u0022tags_list\u0022: [\u0022rdp_cookie\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022rdp_cookie\u0022]","anomalies":"[]","severity":5,"bytes_in":44},{"id":7951951,"ip":"193.143.1.66","ts":"2026-05-29 19:31:27.000000","proto":"tcp","src_port":25908,"dst_port":3390,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 4.038310595615006, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 62, \u0022campaign_key\u0022: \u0022dbd4196467141253bcecdbd1b32e6f4e9a9e7de7\u0022, \u0022event_fingerprint\u0022: \u0022d39f4b3a0a60b62b8cc70fd70dcfc20f34401bff\u0022, \u0022tags_list\u0022: [\u0022rdp_cookie\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022rdp_cookie\u0022]","anomalies":"[]","severity":5,"bytes_in":44},{"id":7951932,"ip":"193.143.1.66","ts":"2026-05-29 19:31:01.000000","proto":"tcp","src_port":11737,"dst_port":3394,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 4.038310595615006, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 62, \u0022campaign_key\u0022: \u002208facb625a1a854c98a36430acc4d7936d044443\u0022, \u0022event_fingerprint\u0022: \u00227d40d03f4cc4a83e06eb531373baf839436f5f7b\u0022, \u0022tags_list\u0022: [\u0022rdp_cookie\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022rdp_cookie\u0022]","anomalies":"[]","severity":5,"bytes_in":44},{"id":7951933,"ip":"193.143.1.66","ts":"2026-05-29 19:31:01.000000","proto":"tcp","src_port":17313,"dst_port":3394,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 4.038310595615006, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 62, \u0022campaign_key\u0022: \u002208facb625a1a854c98a36430acc4d7936d044443\u0022, \u0022event_fingerprint\u0022: \u00227d40d03f4cc4a83e06eb531373baf839436f5f7b\u0022, \u0022tags_list\u0022: [\u0022rdp_cookie\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022rdp_cookie\u0022]","anomalies":"[]","severity":5,"bytes_in":44},{"id":7951934,"ip":"193.143.1.66","ts":"2026-05-29 19:31:01.000000","proto":"tcp","src_port":22234,"dst_port":3394,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 4.038310595615006, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 62, \u0022campaign_key\u0022: \u002208facb625a1a854c98a36430acc4d7936d044443\u0022, \u0022event_fingerprint\u0022: \u00227d40d03f4cc4a83e06eb531373baf839436f5f7b\u0022, \u0022tags_list\u0022: [\u0022rdp_cookie\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022rdp_cookie\u0022]","anomalies":"[]","severity":5,"bytes_in":44},{"id":7951931,"ip":"193.143.1.66","ts":"2026-05-29 19:31:00.000000","proto":"tcp","src_port":8808,"dst_port":3394,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 0, \u0022campaign_key\u0022: \u0022b3052d938d207e962fbe3afca229ec31f555a219\u0022, \u0022event_fingerprint\u0022: \u0022b92479d3218f7701dd2d59180e93e611150a2afe\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":0},{"id":7951905,"ip":"193.143.1.66","ts":"2026-05-29 19:30:06.000000","proto":"tcp","src_port":11115,"dst_port":3397,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 4.038310595615006, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 62, \u0022campaign_key\u0022: \u00228f5be839474ef42e90cb30354777f49ae7256c65\u0022, \u0022event_fingerprint\u0022: \u002245e6696d672910fb9018b319fa3c837ed09b798b\u0022, \u0022tags_list\u0022: [\u0022rdp_cookie\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022rdp_cookie\u0022]","anomalies":"[]","severity":5,"bytes_in":44},{"id":7951902,"ip":"193.143.1.66","ts":"2026-05-29 19:30:05.000000","proto":"tcp","src_port":5357,"dst_port":3397,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 0, \u0022campaign_key\u0022: \u00228e8258042d6d96e8f25302086769275d31bb76d7\u0022, \u0022event_fingerprint\u0022: \u0022cfb68a7681b3cae43b722458fea0de534a22be7f\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":0},{"id":7951903,"ip":"193.143.1.66","ts":"2026-05-29 19:30:05.000000","proto":"tcp","src_port":7061,"dst_port":3397,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 4.038310595615006, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 62, \u0022campaign_key\u0022: \u00228f5be839474ef42e90cb30354777f49ae7256c65\u0022, \u0022event_fingerprint\u0022: \u002245e6696d672910fb9018b319fa3c837ed09b798b\u0022, \u0022tags_list\u0022: [\u0022rdp_cookie\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022rdp_cookie\u0022]","anomalies":"[]","severity":5,"bytes_in":44},{"id":7951904,"ip":"193.143.1.66","ts":"2026-05-29 19:30:05.000000","proto":"tcp","src_port":9033,"dst_port":3397,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 4.038310595615006, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Proton66 OOO\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 198953, \u0022country\u0022: \u0022RU\u0022, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 62, \u0022campaign_key\u0022: \u00228f5be839474ef42e90cb30354777f49ae7256c65\u0022, \u0022event_fingerprint\u0022: \u002245e6696d672910fb9018b319fa3c837ed09b798b\u0022, \u0022tags_list\u0022: [\u0022rdp_cookie\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022rdp_cookie\u0022]","anomalies":"[]","severity":5,"bytes_in":44}],"total_events":408}