{"ip":"193.8.186.29","exported_at":"2026-06-21T03:40:30+00:00","period_days":30,"metrics":{"events7d":18,"distinct_ports":10,"distinct_classifications":7,"max_severity":8,"last_sensor_id":"paris-1","max_waf_score":16,"max_risk_score":100,"attack_stage":"exploit_attempt","attack_chain_stage":"exploitation","threat_family":["unknown"],"recommended_action":"monitor","confidence":0.59,"risk_breakdown":{"waf":72,"classification":68,"behavior":0,"geo":0,"protocol":33,"novelty":15},"mitre_tactics":["TA0001","TA0002"],"mitre_technique":"TA0001","top_mitre_technique":"TA0001","top_mitre_count":10,"executive_one_liner_fr":"Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP","campaign_hint_fr":null,"confidence_breakdown":{"waf":72,"classification":68,"behavior":0,"geo":0,"protocol":33,"novelty":15,"risk_score":46},"persona_hostname":"mail.sensor-1.internal","correlation_flags":[],"correlation_flags_labels_fr":[],"confidence_pct":59,"confidence_hint_fr":null,"sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["pat-0284"],"tags_summary":["pat-0284"],"attack_vector":"xss attack \u00b7 via HTTP:8080 \u00b7 (tentative d\u0027exploit)","protocol_details":{"http_method":"GET","http_path":"\/","request_line":"GET \/ HTTP\/1.1","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36","port":8080,"service":"http","service_label_fr":"HTTP"},"protocol_summary_fr":"GET \/ \u00b7 UA Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Apple\u2026 \u00b7 HTTP:8080","evidence_snippet":"GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec","target_port_label":"8080 \u00b7 HTTP","emulator_service":"http","confidence_reason":"Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF","classification_reason":"Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%","classification_reason_label_fr":"Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%","confidence_factors_fr":"Confiance 59 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF","payload_preview":"GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec"},"events":[{"id":9331382,"ip":"193.8.186.29","ts":"2026-06-16 02:14:08.000000","proto":"tcp","src_port":44894,"dst_port":8080,"service":"http","classification":"xss_attack","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 81, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00220cb97fa2c09bb17e5169eb608f71e610635ab915\u0022, \u0022http_host_hash\u0022: \u0022c9908f9a31aefa5902e21ee9fa132cbe056c536d\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 399, \u0022payload_entropy\u0022: 5.447336620236348, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022075e5345953235ea967a2535172cf98d1d3d388a\u0022, \u0022event_fingerprint\u0022: \u0022c4a5ea58b3d2b0d9f787b32d70530d766cc70177\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022, \u0022pat-0324\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022, \u0022SSRF Any-address SSRF\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022, \u0022pat-0324\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SG\u0022, \u0022asn\u0022: 201002, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022b5696a699925e22006af19488170e4e2\u0022, \u0022payload_hash\u0022: \u0022e9d80f1fc5c84a7f5538397e262028c7\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002210b51d16c77036346cc05747677f2177206cb435\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via HTTP:8080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via HTTP:8080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022net_web_probe\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 96}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8080","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":8,"bytes_in":399},{"id":9330097,"ip":"193.8.186.29","ts":"2026-06-16 01:44:38.000000","proto":"tcp","src_port":33916,"dst_port":8088,"service":"http-alt-8088","classification":"http-alt-8088","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 517, \u0022payload_entropy\u0022: 4.322437066685061, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022http-alt-8088\u0022, \u0022app_proto\u0022: \u0022http-alt-8088\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022dst_port\u0022: 8088, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c6a5539a7fac0faf399c0a215ac9450c24753038\u0022, \u0022event_fingerprint\u0022: \u0022e4439b80d6e4b371d582e64e67ce8ed1e436ce25\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab http-alt-8088 \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022http-alt-8088\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SG\u0022, \u0022asn\u0022: 201002, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e740ddf12c1f307d35c7c4a6200131db\u0022, \u0022path_pattern_hash\u0022: \u0022f7ffc7733123826391689a4267b358d2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8088, \u0022service\u0022: \u0022http-alt-8088\u0022, \u0022service_name\u0022: \u0022http-alt-8088\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\\\\\ufffd]\ufffd`\ufffd\ufffd\ufffdj\ufffdp\ufffd\ufffd\\n$\ufffd@z\ufffd\\u0005\ufffd\u0027s0\ufffd\u0329g\ufffd2D\\u0019 \ufffd\ufffd\ufffd\\u0010\u003C[Sy\ufffd`.\ufffd\ufffd\\u00039\ufffd8}\/\ufffd\ufffdL\ufffd\u0784\ufffdkJ\ufffdpd#\\u0000\\\\\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\\\\\ufffd]\ufffd`\ufffd\ufffd\ufffdj\ufffdp\ufffd\ufffd\\n$\ufffd@z\ufffd\\u0005\ufffd\u0027s0\ufffd\u0329g\ufffd2D\\u0019 \ufffd\ufffd\ufffd\\u0010\u003C[Sy\ufffd`.\ufffd\ufffd\\u00039\ufffd8}\/\ufffd\ufffdL\ufffd\u0784\ufffdkJ\ufffdpd#\\u0000\\\\\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\ufffd\\n\ufffd\\u0014\ufffd\\t\ufffd\\u0013\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\\u0000=\\u0000\ufffd\\u0000\u003C\\u0000\ufffd\\u00005\\u0000\ufffd\\u0000\/\\u0000A\\u0000\ufffd\\u0001\\u0000\\u0001W\\u0000\\u000b\\u0000\\u0004\\u0003\\u0000\\u0001\\u0002\\u0000\\n\\u0000\\u0016\\u0000\\u0014\\u0000\\u001d\\u0000\\u0017\\u0000\\u001e\\u0000\\u0019\\u0000\\u0018\\u0001\\u0000\\u0001\\u0001\\u0001\\u0002\\u0001\\u0003\\u0001\\u0004\\u0000#\\u0000\\u0000\\u0000\\u0016\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\r\\u0000*\\u0000(\\u0004\\u0003\\u0005\\u0003\\u0006\\u0003\\b\\u0007\\b\\b\\b\\t\\b\\n\\b\\u000b\\b\\u0004\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0003\\u0003\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\\\\\ufffd]\ufffd`\ufffd\ufffd\ufffdj\ufffdp\ufffd\ufffd\\n$\ufffd@z\ufffd\\u0005\ufffd\u0027s0\ufffd\u0329g\ufffd2D\\u0019 \ufffd\ufffd\ufffd\\u0010\u003C[Sy\ufffd`.\ufffd\ufffd\\u00039\ufffd8}\/\ufffd\ufffdL\ufffd\u0784\ufffdkJ\ufffdpd#\\u0000\\\\\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http-alt-8088 \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d6a0d32381504a35bfb9d00baee13dfd7cd6d051\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\\\\\ufffd]\ufffd`\ufffd\ufffd\ufffdj\ufffdp\ufffd\ufffd\\n$\ufffd@z\ufffd\\u0005\ufffd\u0027s0\ufffd\u0329g\ufffd2D\\u0019 \ufffd\ufffd\ufffd\\u0010\u003C[Sy\ufffd`.\ufffd\ufffd\\u00039\ufffd8}\/\ufffd\ufffdL\ufffd\u0784\ufffdkJ\ufffdpd#\\u0000\\\\\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022port\u0022: 8088, \u0022service\u0022: \u0022http-alt-8088\u0022, \u0022service_label_fr\u0022: \u0022HTTP ALT 8088\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\\\\\ufffd]\ufffd`\ufffd\ufffd\ufffdj\ufffdp\ufffd\ufffd\\n$\ufffd@z\ufffd\ufffd\u0027s0\ufffd\u0329g\ufffd2D \ufffd\ufffd\ufffd\u003C[Sy\ufffd`.\ufffd\ufffd9\ufffd8}\/\ufffd\ufffdL\ufffd\u0784\ufffdkJ\ufffdpd#\\\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022attack_vector\u0022: \u0022http-alt-8088 \u00b7 via HTTP ALT 8088:8088 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228088 \u00b7 HTTP ALT 8088\u0022, \u0022emulator_service\u0022: \u0022http-alt-8088\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http-alt-8088 \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http-alt-8088 \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http-alt-8088\u0022, \u0022service_label_fr\u0022: \u0022HTTP ALT 8088\u0022, \u0022dst_port\u0022: 8088, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http-alt-8088\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\\\\\ufffd]\ufffd`\ufffd\ufffd\ufffdj\ufffdp\ufffd\ufffd\\n$\ufffd@z\ufffd\\u0005\ufffd\u0027s0\ufffd\u0329g\ufffd2D\\u0019 \ufffd\ufffd\ufffd\\u0010\u003C[Sy\ufffd`.\ufffd\ufffd\\u00039\ufffd8}\/\ufffd\ufffdL\ufffd\u0784\ufffdkJ\ufffdpd#\\u0000\\\\\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022port\u0022: 8088, \u0022service\u0022: \u0022http-alt-8088\u0022, \u0022service_label_fr\u0022: \u0022HTTP ALT 8088\u0022}, \u0022attack_vector\u0022: \u0022http-alt-8088 \u00b7 via HTTP ALT 8088:8088 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\\\\\ufffd]\ufffd`\ufffd\ufffd\ufffdj\ufffdp\ufffd\ufffd\\n$\ufffd@z\ufffd\ufffd\u0027s0\ufffd\u0329g\ufffd2D \ufffd\ufffd\ufffd\u003C[Sy\ufffd`.\ufffd\ufffd9\ufffd8}\/\ufffd\ufffdL\ufffd\u0784\ufffdkJ\ufffdpd#\\\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022target_port_label\u0022: \u00228088 \u00b7 HTTP ALT 8088\u0022, \u0022emulator_service\u0022: \u0022http-alt-8088\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http_alt_8088\u0022, \u0022service_banner\u0022: \u0022honeypot-http-alt-8088\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228088\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":517},{"id":9330100,"ip":"193.8.186.29","ts":"2026-06-16 01:44:38.000000","proto":"tcp","src_port":33930,"dst_port":8088,"service":"http","classification":"xss_attack","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00220cb97fa2c09bb17e5169eb608f71e610635ab915\u0022, \u0022http_host_hash\u0022: \u00225af561107125d8ccc4aac442a3b8b5dee6769a85\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 399, \u0022payload_entropy\u0022: 5.452229201878291, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022dst_port\u0022: 8088, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ae56f860171955f2b288985a500c23cee42d529f\u0022, \u0022event_fingerprint\u0022: \u002237d96fce8f60b477529ee3ee20f66ccf08b6b641\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.67, \u0022classification_confidence\u0022: 0.67, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022, \u0022pat-0324\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022, \u0022SSRF Any-address SSRF\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022, \u0022pat-0324\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SG\u0022, \u0022asn\u0022: 201002, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022b5696a699925e22006af19488170e4e2\u0022, \u0022payload_hash\u0022: \u002236e32357944a52ef0d1cfc0493f0923e\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8088, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022be990b42e36a3a66b338b41a81e41a1d3d8d926d\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 8088, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via HTTP:8088 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228088 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 67 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 67, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8088, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 8088, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via HTTP:8088 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022target_port_label\u0022: \u00228088 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 67 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228088\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022http-alt-8088\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8088","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":8,"bytes_in":399},{"id":9326156,"ip":"193.8.186.29","ts":"2026-06-16 00:11:04.000000","proto":"tcp","src_port":44972,"dst_port":6443,"service":"k8s-api","classification":"kubernetes_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002215030300020228\u0022, \u0022emulator_response_len\u0022: 7, \u0022bytes_in\u0022: 517, \u0022payload_entropy\u0022: 4.306204835487288, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022k8s-api\u0022, \u0022app_proto\u0022: \u0022k8s-api\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022dst_port\u0022: 6443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 62.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 10.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 62.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 10.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00225f70a73a5934201c2e00970f23615f0b69d2ca8a\u0022, \u0022event_fingerprint\u0022: \u00225535c85e0f6854b807e5b9ef895f87dbea310cc1\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab kubernetes_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 62.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 10.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SG\u0022, \u0022asn\u0022: 201002, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b2fd6e8dae817c0c4fd6f3de2fda3bbf\u0022, \u0022path_pattern_hash\u0022: \u00229911336c7fd1406c8e284bedc6c69f4b\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\\u0017\ufffd\\u0018\\tQ\ufffd$\ufffd\ufffd\\u0002\ufffd9q\ufffd\u066e\ufffd\ufffdnHp\ufffd\ufffd\\u0001K\ufffdm\ufffdce\\u0003 z\ufffdz+\ufffd\ufffd\ufffdR\ufffd\u003C\ufffd\ufffd;*\u0026;5\ufffd\ufffd\\u0011\ufffd\ufffdGR\ufffdkSC\\u0013-\\u0000\\\\\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\\u0017\ufffd\\u0018\\tQ\ufffd$\ufffd\ufffd\\u0002\ufffd9q\ufffd\u066e\ufffd\ufffdnHp\ufffd\ufffd\\u0001K\ufffdm\ufffdce\\u0003 z\ufffdz+\ufffd\ufffd\ufffdR\ufffd\u003C\ufffd\ufffd;*\u0026;5\ufffd\ufffd\\u0011\ufffd\ufffdGR\ufffdkSC\\u0013-\\u0000\\\\\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\ufffd\\n\ufffd\\u0014\ufffd\\t\ufffd\\u0013\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\\u0000=\\u0000\ufffd\\u0000\u003C\\u0000\ufffd\\u00005\\u0000\ufffd\\u0000\/\\u0000A\\u0000\ufffd\\u0001\\u0000\\u0001W\\u0000\\u000b\\u0000\\u0004\\u0003\\u0000\\u0001\\u0002\\u0000\\n\\u0000\\u0016\\u0000\\u0014\\u0000\\u001d\\u0000\\u0017\\u0000\\u001e\\u0000\\u0019\\u0000\\u0018\\u0001\\u0000\\u0001\\u0001\\u0001\\u0002\\u0001\\u0003\\u0001\\u0004\\u0000#\\u0000\\u0000\\u0000\\u0016\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\r\\u0000*\\u0000(\\u0004\\u0003\\u0005\\u0003\\u0006\\u0003\\b\\u0007\\b\\b\\b\\t\\b\\n\\b\\u000b\\b\\u0004\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0003\\u0003\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\\u0017\ufffd\\u0018\\tQ\ufffd$\ufffd\ufffd\\u0002\ufffd9q\ufffd\u066e\ufffd\ufffdnHp\ufffd\ufffd\\u0001K\ufffdm\ufffdce\\u0003 z\ufffdz+\ufffd\ufffd\ufffdR\ufffd\u003C\ufffd\ufffd;*\u0026;5\ufffd\ufffd\\u0011\ufffd\ufffdGR\ufffdkSC\\u0013-\\u0000\\\\\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab kubernetes_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022cloud_infra_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222670307797d2c6b0446c9c2317c6ab5b18f9ddb9\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\\u0017\ufffd\\u0018\\tQ\ufffd$\ufffd\ufffd\\u0002\ufffd9q\ufffd\u066e\ufffd\ufffdnHp\ufffd\ufffd\\u0001K\ufffdm\ufffdce\\u0003 z\ufffdz+\ufffd\ufffd\ufffdR\ufffd\u003C\ufffd\ufffd;*\u0026;5\ufffd\ufffd\\u0011\ufffd\ufffdGR\ufffdkSC\\u0013-\\u0000\\\\\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\\tQ\ufffd$\ufffd\ufffd\ufffd9q\ufffd\u066e\ufffd\ufffdnHp\ufffd\ufffdK\ufffdm\ufffdce z\ufffdz+\ufffd\ufffd\ufffdR\ufffd\u003C\ufffd\ufffd;*\u0026;5\ufffd\ufffd\ufffd\ufffdGR\ufffdkSC-\\\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022attack_vector\u0022: \u0022kubernetes probe \u00b7 via K8S API:6443 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab kubernetes_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab kubernetes_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 62.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 10.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022, \u0022dst_port\u0022: 6443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\\u0017\ufffd\\u0018\\tQ\ufffd$\ufffd\ufffd\\u0002\ufffd9q\ufffd\u066e\ufffd\ufffdnHp\ufffd\ufffd\\u0001K\ufffdm\ufffdce\\u0003 z\ufffdz+\ufffd\ufffd\ufffdR\ufffd\u003C\ufffd\ufffd;*\u0026;5\ufffd\ufffd\\u0011\ufffd\ufffdGR\ufffdkSC\\u0013-\\u0000\\\\\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022attack_vector\u0022: \u0022kubernetes probe \u00b7 via K8S API:6443 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\\tQ\ufffd$\ufffd\ufffd\ufffd9q\ufffd\u066e\ufffd\ufffdnHp\ufffd\ufffdK\ufffdm\ufffdce z\ufffdz+\ufffd\ufffd\ufffdR\ufffd\u003C\ufffd\ufffd;*\u0026;5\ufffd\ufffd\ufffd\ufffdGR\ufffdkSC-\\\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022k8s_api\u0022, \u0022service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022net_kubernetes_probe\u0022, \u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022net_kubernetes_probe\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":6,"bytes_in":517},{"id":9326157,"ip":"193.8.186.29","ts":"2026-06-16 00:11:04.000000","proto":"tcp","src_port":44976,"dst_port":6443,"service":"k8s-api","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75\u0022, \u0022emulator_response_len\u0022: 165, \u0022bytes_in\u0022: 399, \u0022payload_entropy\u0022: 5.446720314189158, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022k8s-api\u0022, \u0022app_proto\u0022: \u0022k8s-api\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022dst_port\u0022: 6443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 6.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ef86356910d7f7cdd52447d2d53697ca6a0c79fa\u0022, \u0022event_fingerprint\u0022: \u00225535c85e0f6854b807e5b9ef895f87dbea310cc1\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022, \u0022pat-0324\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022, \u0022SSRF Any-address SSRF\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022, \u0022pat-0324\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SG\u0022, \u0022asn\u0022: 201002, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002223cb895cb663ac2e9ec16c9ea67aa36d\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b18c2945284636ce85c116cd397fe28021dd6e6f\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via K8S API:6443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via K8S API\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022, \u0022dst_port\u0022: 6443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via K8S API:6443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022k8s_api\u0022, \u0022service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_kubernetes_probe\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 96}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_kubernetes_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":399},{"id":9324802,"ip":"193.8.186.29","ts":"2026-06-15 23:33:18.000000","proto":"tcp","src_port":39310,"dst_port":8888,"service":"http","classification":"xss_attack","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00220cb97fa2c09bb17e5169eb608f71e610635ab915\u0022, \u0022http_host_hash\u0022: \u002225a58e7d7f0ed40aadf0d51b038172ea9ccc8435\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 399, \u0022payload_entropy\u0022: 5.455929767925268, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022dst_port\u0022: 8888, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e11c1b827d438ca6f81f14ef35ff35f7c31ff992\u0022, \u0022event_fingerprint\u0022: \u0022d96673c00b57d970f6555d6dff66c77e09351a74\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022, \u0022pat-0324\u0022, \u0022pat-0599\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022, \u0022SSRF Any-address SSRF\u0022, \u0022HTTP alt 8888 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022, \u0022pat-0324\u0022, \u0022pat-0599\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SG\u0022, \u0022asn\u0022: 201002, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022b5696a699925e22006af19488170e4e2\u0022, \u0022payload_hash\u0022: \u00224a0161278cf172e56a0f795473aade45\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8888, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8888\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8888\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8888\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8888\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8888\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022164c70d4d935a6700dd02433f253425292c12e5d\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 8888, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8888\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via HTTP:8888 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228888 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8888, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 8888, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via HTTP:8888 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8888\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022target_port_label\u0022: \u00228888 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228888\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022net_web_probe\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 96}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8888","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":8,"bytes_in":399},{"id":9304643,"ip":"193.8.186.29","ts":"2026-06-15 21:26:20.000000","proto":"tcp","src_port":59562,"dst_port":11443,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u0022511534a5dbb144576d046b0d2aeb5fb7\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 6, \u0022bytes_in\u0022: 517, \u0022payload_entropy\u0022: 4.300320006257645, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022dst_port\u0022: 11443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 1.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d7ec2422c6e6f404ff801e8ea89fcd8f78d1e50e\u0022, \u0022event_fingerprint\u0022: \u002246c66d60d11bbd5dc29a9ac47fb8406df5265876\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SG\u0022, \u0022asn\u0022: 201002, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u0022511534a5dbb144576d046b0d2aeb5fb7\u0022, \u0022payload_hash\u0022: \u00225702ef57528da8aa18fca76b80bf77d5\u0022, \u0022path_pattern_hash\u0022: \u00228792d2cfdc5028123bfb8f159de8656c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 11443, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\\u0001\ue372\ufffdZ\ufffdg\ufffd)\ufffd\\u0013\ufffd\ufffd\ufffd\ufffdy\ufffd\\n\ufffdK\ufffd\ufffd\/\\u001c\ufffdpL\ufffd\\u0013 \ufffdCEd\\u001a\ufffd+\ufffdwr\\u0017\ufffdK@BA\ufffdj:,\ufffd\ufffd\ufffd\ufffd\ufffdA\ufffd:|Q\u00a7\\u0000\\\\\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\\u0001\ue372\ufffdZ\ufffdg\ufffd)\ufffd\\u0013\ufffd\ufffd\ufffd\ufffdy\ufffd\\n\ufffdK\ufffd\ufffd\/\\u001c\ufffdpL\ufffd\\u0013 \ufffdCEd\\u001a\ufffd+\ufffdwr\\u0017\ufffdK@BA\ufffdj:,\ufffd\ufffd\ufffd\ufffd\ufffdA\ufffd:|Q\u00a7\\u0000\\\\\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\ufffd\\n\ufffd\\u0014\ufffd\\t\ufffd\\u0013\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\\u0000=\\u0000\ufffd\\u0000\u003C\\u0000\ufffd\\u00005\\u0000\ufffd\\u0000\/\\u0000A\\u0000\ufffd\\u0001\\u0000\\u0001W\\u0000\\u000b\\u0000\\u0004\\u0003\\u0000\\u0001\\u0002\\u0000\\n\\u0000\\u0016\\u0000\\u0014\\u0000\\u001d\\u0000\\u0017\\u0000\\u001e\\u0000\\u0019\\u0000\\u0018\\u0001\\u0000\\u0001\\u0001\\u0001\\u0002\\u0001\\u0003\\u0001\\u0004\\u0000#\\u0000\\u0000\\u0000\\u0016\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\r\\u0000*\\u0000(\\u0004\\u0003\\u0005\\u0003\\u0006\\u0003\\b\\u0007\\b\\b\\b\\t\\b\\n\\b\\u000b\\b\\u0004\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0003\\u0003\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\\u0001\ue372\ufffdZ\ufffdg\ufffd)\ufffd\\u0013\ufffd\ufffd\ufffd\ufffdy\ufffd\\n\ufffdK\ufffd\ufffd\/\\u001c\ufffdpL\ufffd\\u0013 \ufffdCEd\\u001a\ufffd+\ufffdwr\\u0017\ufffdK@BA\ufffdj:,\ufffd\ufffd\ufffd\ufffd\ufffdA\ufffd:|Q\u00a7\\u0000\\\\\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222f34fd015219fe42950ea3c19a6d406964badf7b\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\\u0001\ue372\ufffdZ\ufffdg\ufffd)\ufffd\\u0013\ufffd\ufffd\ufffd\ufffdy\ufffd\\n\ufffdK\ufffd\ufffd\/\\u001c\ufffdpL\ufffd\\u0013 \ufffdCEd\\u001a\ufffd+\ufffdwr\\u0017\ufffdK@BA\ufffdj:,\ufffd\ufffd\ufffd\ufffd\ufffdA\ufffd:|Q\u00a7\\u0000\\\\\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022tls_ja3\u0022: \u0022511534a5dbb144576d046b0d2aeb5fb7\u0022, \u0022port\u0022: 11443, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ue372\ufffdZ\ufffdg\ufffd)\ufffd\ufffd\ufffd\ufffd\ufffdy\ufffd\\n\ufffdK\ufffd\ufffd\/\ufffdpL\ufffd \ufffdCEd\ufffd+\ufffdwr\ufffdK@BA\ufffdj:,\ufffd\ufffd\ufffd\ufffd\ufffdA\ufffd:|Q\u00a7\\\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022attack_vector\u0022: \u0022tls probe \u00b7 via TLS:11443 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002211443 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 11443, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\\u0001\ue372\ufffdZ\ufffdg\ufffd)\ufffd\\u0013\ufffd\ufffd\ufffd\ufffdy\ufffd\\n\ufffdK\ufffd\ufffd\/\\u001c\ufffdpL\ufffd\\u0013 \ufffdCEd\\u001a\ufffd+\ufffdwr\\u0017\ufffdK@BA\ufffdj:,\ufffd\ufffd\ufffd\ufffd\ufffdA\ufffd:|Q\u00a7\\u0000\\\\\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022tls_ja3\u0022: \u0022511534a5dbb144576d046b0d2aeb5fb7\u0022, \u0022port\u0022: 11443, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022tls probe \u00b7 via TLS:11443 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ue372\ufffdZ\ufffdg\ufffd)\ufffd\ufffd\ufffd\ufffd\ufffdy\ufffd\\n\ufffdK\ufffd\ufffd\/\ufffdpL\ufffd \ufffdCEd\ufffd+\ufffdwr\ufffdK@BA\ufffdj:,\ufffd\ufffd\ufffd\ufffd\ufffdA\ufffd:|Q\u00a7\\\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022target_port_label\u0022: \u002211443 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002211443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]}","tls_sni":null,"tls_ja3_hash":"511534a5dbb144576d046b0d2aeb5fb7","tls_ja3":"771,4866-4867-4865-49196-49200-52393-52392-49327-49325-49245-49249-49195-49199-49326-49324-49244-49248-49188-49192-49267-49271-49187-49191-49266-49270-49162-49172-49161-49171-157-49313-49309-49233-156-49312-49308-49232-61-192-60-186-53-132-47-65-255,11-10-35-22-23-13-43-45-51-21,29-23-30-25-24-256-257-258-259-260,0-1-2","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":517},{"id":9304644,"ip":"193.8.186.29","ts":"2026-06-15 21:26:20.000000","proto":"tcp","src_port":59578,"dst_port":11443,"service":"http","classification":"xss_attack","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00220cb97fa2c09bb17e5169eb608f71e610635ab915\u0022, \u0022http_host_hash\u0022: \u00229ef1b6d504b654fe06cbbf3870a4ee75ac65add6\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 400, \u0022payload_entropy\u0022: 5.449291278110535, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022dst_port\u0022: 11443, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 43, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002298b2bfc6793250eb5bf4cf995e9dc72f6cc95cdf\u0022, \u0022event_fingerprint\u0022: \u0022e04724e45b8eae444ca56cf066854b80def6f78c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.67, \u0022classification_confidence\u0022: 0.67, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022, \u0022pat-0324\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022, \u0022SSRF Any-address SSRF\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022, \u0022pat-0324\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 43, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SG\u0022, \u0022asn\u0022: 201002, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022b5696a699925e22006af19488170e4e2\u0022, \u0022payload_hash\u0022: \u002265f02a927b267868985c2b37f7073e32\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 11443, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 43}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:11443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:11443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/a\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:11443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:11443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/a\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:11443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222421d4171c3d53aabb851f34eeb63c8a11fdb8bf\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 11443, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:11443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via HTTP:11443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u002211443 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 67 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 67, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 43, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 43, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 11443, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 11443, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via HTTP:11443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:11443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge\u0022, \u0022target_port_label\u0022: \u002211443 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 67 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002211443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 96}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:11443","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":8,"bytes_in":400},{"id":9289957,"ip":"193.8.186.29","ts":"2026-06-15 18:23:27.000000","proto":"tcp","src_port":45882,"dst_port":10443,"service":"https","classification":"minecraft_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 517, \u0022payload_entropy\u0022: 4.3361101290120345, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022dst_port\u0022: 10443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022bf82ed4958219b6801f74213ab3f101ded76679b\u0022, \u0022event_fingerprint\u0022: \u00220ce879e35222bcf244eb8071cb051f2e9c4aa580\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%\u0022, \u0022confidence\u0022: 0.42, \u0022classification_confidence\u0022: 0.42, \u0022precision_score\u0022: 50, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0554\u0022], \u0022matched_patterns\u0022: [\u0022pat-0554\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022Minecraft varint handshake\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0554\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 42.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SG\u0022, \u0022asn\u0022: 201002, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002277856d1f4bd9bcbe6058bc6495e981e0\u0022, \u0022path_pattern_hash\u0022: \u0022796c509ff0514fcb64ff9e5a1c4b51db\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 10443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 45}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\ufffdY\ufffd\ufffd\u0517*\ufffdOU\ufffd\ufffd\\u0018.\ufffd}]\ufffdl\ufffd\ufffd\ufffd^\\u0013\ufffd\ufffd*\\u0017\ufffd \ufffdx\ufffd\ue17b5\ufffd{\ufffdW\ufffd\\u0016\ufffd\ufffd+\ufffd\ufffd\ufffdB\ufffdSV\ufffdg\ufffdf\ufffd\ufffd\ufffd\ufffdk\\u0000\\\\\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\ufffdY\ufffd\ufffd\u0517*\ufffdOU\ufffd\ufffd\\u0018.\ufffd}]\ufffdl\ufffd\ufffd\ufffd^\\u0013\ufffd\ufffd*\\u0017\ufffd \ufffdx\ufffd\ue17b5\ufffd{\ufffdW\ufffd\\u0016\ufffd\ufffd+\ufffd\ufffd\ufffdB\ufffdSV\ufffdg\ufffdf\ufffd\ufffd\ufffd\ufffdk\\u0000\\\\\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\ufffd\\n\ufffd\\u0014\ufffd\\t\ufffd\\u0013\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\\u0000=\\u0000\ufffd\\u0000\u003C\\u0000\ufffd\\u00005\\u0000\ufffd\\u0000\/\\u0000A\\u0000\ufffd\\u0001\\u0000\\u0001W\\u0000\\u000b\\u0000\\u0004\\u0003\\u0000\\u0001\\u0002\\u0000\\n\\u0000\\u0016\\u0000\\u0014\\u0000\\u001d\\u0000\\u0017\\u0000\\u001e\\u0000\\u0019\\u0000\\u0018\\u0001\\u0000\\u0001\\u0001\\u0001\\u0002\\u0001\\u0003\\u0001\\u0004\\u0000#\\u0000\\u0000\\u0000\\u0016\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\r\\u0000*\\u0000(\\u0004\\u0003\\u0005\\u0003\\u0006\\u0003\\b\\u0007\\b\\b\\b\\t\\b\\n\\b\\u000b\\b\\u0004\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0003\\u0003\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\ufffdY\ufffd\ufffd\u0517*\ufffdOU\ufffd\ufffd\\u0018.\ufffd}]\ufffdl\ufffd\ufffd\ufffd^\\u0013\ufffd\ufffd*\\u0017\ufffd \ufffdx\ufffd\ue17b5\ufffd{\ufffdW\ufffd\\u0016\ufffd\ufffd+\ufffd\ufffd\ufffdB\ufffdSV\ufffdg\ufffdf\ufffd\ufffd\ufffd\ufffdk\\u0000\\\\\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022game_server_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022df52c3dcb3bab9f48b512b1a9373b9ae756c77fa\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\ufffdY\ufffd\ufffd\u0517*\ufffdOU\ufffd\ufffd\\u0018.\ufffd}]\ufffdl\ufffd\ufffd\ufffd^\\u0013\ufffd\ufffd*\\u0017\ufffd \ufffdx\ufffd\ue17b5\ufffd{\ufffdW\ufffd\\u0016\ufffd\ufffd+\ufffd\ufffd\ufffdB\ufffdSV\ufffdg\ufffdf\ufffd\ufffd\ufffd\ufffdk\\u0000\\\\\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022port\u0022: 10443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffdY\ufffd\ufffd\u0517*\ufffdOU\ufffd\ufffd.\ufffd}]\ufffdl\ufffd\ufffd\ufffd^\ufffd\ufffd*\ufffd \ufffdx\ufffd\ue17b5\ufffd{\ufffdW\ufffd\ufffd\ufffd+\ufffd\ufffd\ufffdB\ufffdSV\ufffdg\ufffdf\ufffd\ufffd\ufffd\ufffdk\\\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022attack_vector\u0022: \u0022minecraft probe \u00b7 via HTTPS:10443 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002210443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 42 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 42, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 10443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffd\ufffdY\ufffd\ufffd\u0517*\ufffdOU\ufffd\ufffd\\u0018.\ufffd}]\ufffdl\ufffd\ufffd\ufffd^\\u0013\ufffd\ufffd*\\u0017\ufffd \ufffdx\ufffd\ue17b5\ufffd{\ufffdW\ufffd\\u0016\ufffd\ufffd+\ufffd\ufffd\ufffdB\ufffdSV\ufffdg\ufffdf\ufffd\ufffd\ufffd\ufffdk\\u0000\\\\\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022port\u0022: 10443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022minecraft probe \u00b7 via HTTPS:10443 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffdY\ufffd\ufffd\u0517*\ufffdOU\ufffd\ufffd.\ufffd}]\ufffdl\ufffd\ufffd\ufffd^\ufffd\ufffd*\ufffd \ufffdx\ufffd\ue17b5\ufffd{\ufffdW\ufffd\ufffd\ufffd+\ufffd\ufffd\ufffdB\ufffdSV\ufffdg\ufffdf\ufffd\ufffd\ufffd\ufffdk\\\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022target_port_label\u0022: \u002210443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 42 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 42 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002210443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022net_web_probe\u0022, \u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022net_web_probe\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":4,"bytes_in":517},{"id":9289958,"ip":"193.8.186.29","ts":"2026-06-15 18:23:27.000000","proto":"tcp","src_port":45890,"dst_port":10443,"service":"https","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 400, \u0022payload_entropy\u0022: 5.446326198617309, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022dst_port\u0022: 10443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00223f4b6892caaa1664d1ac856a9bb3343298ca4195\u0022, \u0022event_fingerprint\u0022: \u00220ce879e35222bcf244eb8071cb051f2e9c4aa580\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022, \u0022pat-0324\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022, \u0022SSRF Any-address SSRF\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022, \u0022pat-0324\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SG\u0022, \u0022asn\u0022: 201002, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002225eb964e2a5c699db23dd450da06ffe1\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 10443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/a\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/a\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f709822405dbb5d4fc1a80a47a64cf9988bd12e0\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge\u0022, \u0022port\u0022: 10443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via HTTPS:10443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u002210443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 10443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge\u0022, \u0022port\u0022: 10443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via HTTPS:10443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge\u0022, \u0022target_port_label\u0022: \u002210443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002210443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_web_probe\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 96}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":400},{"id":9288019,"ip":"193.8.186.29","ts":"2026-06-15 17:41:10.000000","proto":"tcp","src_port":49494,"dst_port":444,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u0022511534a5dbb144576d046b0d2aeb5fb7\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 6, \u0022bytes_in\u0022: 517, \u0022payload_entropy\u0022: 4.28276693776623, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022dst_port\u0022: 444, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 2.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229bff362b5e4b1fc54e3e921cb3112e46219b6d26\u0022, \u0022event_fingerprint\u0022: \u0022f3e384a0027885ca8fd17e522cb5c42cad935687\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SG\u0022, \u0022asn\u0022: 201002, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u0022511534a5dbb144576d046b0d2aeb5fb7\u0022, \u0022payload_hash\u0022: \u002259458604038b662e88d373e882551fd1\u0022, \u0022path_pattern_hash\u0022: \u00228792d2cfdc5028123bfb8f159de8656c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 444, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ua7ba\ufffd2Oj\ufffd\\u0017\\u0001a\ufffd*y\\u0014\\u001f\\u001d\ufffd\\u000eK\u0697\ufffdhp\\t\\u0006\\u0004\ufffds\\r \\u001e\ufffdg]\ufffdT\ufffdx\ufffd\ufffd\\u0010\ufffdD\ufffd\ufffd\\u000e\ufffd\ufffd\ufffd+\\u001e\ufffd\\u001b\ufffd3\ufffd\\u0010?\ufffd\ufffda\\u0000\\\\\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ua7ba\ufffd2Oj\ufffd\\u0017\\u0001a\ufffd*y\\u0014\\u001f\\u001d\ufffd\\u000eK\u0697\ufffdhp\\t\\u0006\\u0004\ufffds\\r \\u001e\ufffdg]\ufffdT\ufffdx\ufffd\ufffd\\u0010\ufffdD\ufffd\ufffd\\u000e\ufffd\ufffd\ufffd+\\u001e\ufffd\\u001b\ufffd3\ufffd\\u0010?\ufffd\ufffda\\u0000\\\\\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\ufffd\\n\ufffd\\u0014\ufffd\\t\ufffd\\u0013\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\\u0000=\\u0000\ufffd\\u0000\u003C\\u0000\ufffd\\u00005\\u0000\ufffd\\u0000\/\\u0000A\\u0000\ufffd\\u0001\\u0000\\u0001W\\u0000\\u000b\\u0000\\u0004\\u0003\\u0000\\u0001\\u0002\\u0000\\n\\u0000\\u0016\\u0000\\u0014\\u0000\\u001d\\u0000\\u0017\\u0000\\u001e\\u0000\\u0019\\u0000\\u0018\\u0001\\u0000\\u0001\\u0001\\u0001\\u0002\\u0001\\u0003\\u0001\\u0004\\u0000#\\u0000\\u0000\\u0000\\u0016\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\r\\u0000*\\u0000(\\u0004\\u0003\\u0005\\u0003\\u0006\\u0003\\b\\u0007\\b\\b\\b\\t\\b\\n\\b\\u000b\\b\\u0004\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0003\\u0003\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ua7ba\ufffd2Oj\ufffd\\u0017\\u0001a\ufffd*y\\u0014\\u001f\\u001d\ufffd\\u000eK\u0697\ufffdhp\\t\\u0006\\u0004\ufffds\\r \\u001e\ufffdg]\ufffdT\ufffdx\ufffd\ufffd\\u0010\ufffdD\ufffd\ufffd\\u000e\ufffd\ufffd\ufffd+\\u001e\ufffd\\u001b\ufffd3\ufffd\\u0010?\ufffd\ufffda\\u0000\\\\\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226487083f681ac3c4a0683c14edc254b34a5a2246\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ua7ba\ufffd2Oj\ufffd\\u0017\\u0001a\ufffd*y\\u0014\\u001f\\u001d\ufffd\\u000eK\u0697\ufffdhp\\t\\u0006\\u0004\ufffds\\r \\u001e\ufffdg]\ufffdT\ufffdx\ufffd\ufffd\\u0010\ufffdD\ufffd\ufffd\\u000e\ufffd\ufffd\ufffd+\\u001e\ufffd\\u001b\ufffd3\ufffd\\u0010?\ufffd\ufffda\\u0000\\\\\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022tls_ja3\u0022: \u0022511534a5dbb144576d046b0d2aeb5fb7\u0022, \u0022port\u0022: 444, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ua7ba\ufffd2Oj\ufffda\ufffd*y\ufffdK\u0697\ufffdhp\\t\ufffds\\r \ufffdg]\ufffdT\ufffdx\ufffd\ufffd\ufffdD\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\ufffd3\ufffd?\ufffd\ufffda\\\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022attack_vector\u0022: \u0022tls probe \u00b7 via TLS:444 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022444 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 444, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ua7ba\ufffd2Oj\ufffd\\u0017\\u0001a\ufffd*y\\u0014\\u001f\\u001d\ufffd\\u000eK\u0697\ufffdhp\\t\\u0006\\u0004\ufffds\\r \\u001e\ufffdg]\ufffdT\ufffdx\ufffd\ufffd\\u0010\ufffdD\ufffd\ufffd\\u000e\ufffd\ufffd\ufffd+\\u001e\ufffd\\u001b\ufffd3\ufffd\\u0010?\ufffd\ufffda\\u0000\\\\\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022tls_ja3\u0022: \u0022511534a5dbb144576d046b0d2aeb5fb7\u0022, \u0022port\u0022: 444, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022tls probe \u00b7 via TLS:444 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ua7ba\ufffd2Oj\ufffda\ufffd*y\ufffdK\u0697\ufffdhp\\t\ufffds\\r \ufffdg]\ufffdT\ufffdx\ufffd\ufffd\ufffdD\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\ufffd3\ufffd?\ufffd\ufffda\\\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022target_port_label\u0022: \u0022444 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022444\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]}","tls_sni":null,"tls_ja3_hash":"511534a5dbb144576d046b0d2aeb5fb7","tls_ja3":"771,4866-4867-4865-49196-49200-52393-52392-49327-49325-49245-49249-49195-49199-49326-49324-49244-49248-49188-49192-49267-49271-49187-49191-49266-49270-49162-49172-49161-49171-157-49313-49309-49233-156-49312-49308-49232-61-192-60-186-53-132-47-65-255,11-10-35-22-23-13-43-45-51-21,29-23-30-25-24-256-257-258-259-260,0-1-2","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":517},{"id":9288020,"ip":"193.8.186.29","ts":"2026-06-15 17:41:10.000000","proto":"tcp","src_port":49506,"dst_port":444,"service":"http","classification":"xss_attack","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00220cb97fa2c09bb17e5169eb608f71e610635ab915\u0022, \u0022http_host_hash\u0022: \u002296bd0f703b966543acff1c39b6284d0525249c56\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 398, \u0022payload_entropy\u0022: 5.446456280899783, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022dst_port\u0022: 444, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 44, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c02fb3bcc273c8fd3be8f696c320db486a417907\u0022, \u0022event_fingerprint\u0022: \u0022e3b2a8940292f7405bc2501dc600449c01969c65\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.67, \u0022classification_confidence\u0022: 0.67, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022, \u0022pat-0324\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022, \u0022SSRF Any-address SSRF\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022, \u0022pat-0324\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 44, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SG\u0022, \u0022asn\u0022: 201002, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022b5696a699925e22006af19488170e4e2\u0022, \u0022payload_hash\u0022: \u002259a906be8ee66c411f0b3bc46e176960\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 444, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 44}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:444\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:444\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apn\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:444\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:444\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apn\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:444\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c0e3a34a1e5c2b3b6839048d37381c7b3abaf3f2\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 444, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:444\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via HTTP:444 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u0022444 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 44\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 67 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 67, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 44, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 44, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 444, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 444, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via HTTP:444 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:444\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck\u0022, \u0022target_port_label\u0022: \u0022444 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 67 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022444\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 96}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:444","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":8,"bytes_in":398},{"id":9230899,"ip":"193.8.186.29","ts":"2026-06-15 15:34:28.000000","proto":"tcp","src_port":36472,"dst_port":7443,"service":"oracle-em","classification":"oracle_tns_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 517, \u0022payload_entropy\u0022: 4.28442295192295, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022oracle-em\u0022, \u0022app_proto\u0022: \u0022oracle-em\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022dst_port\u0022: 7443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 54.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224f4acff4c9041c67c73fa498ee94611b63a0dc4b\u0022, \u0022event_fingerprint\u0022: \u00223f1d4b52645bcd9531502ab86dc099f88926bef6\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab oracle_tns_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022service_name\u0022: \u0022oracle-em\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SG\u0022, \u0022asn\u0022: 201002, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e06b8add1bb0263ffcff70020bd48e92\u0022, \u0022path_pattern_hash\u0022: \u0022420e91c120535c16728a9791d446fafc\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 7443, \u0022service\u0022: \u0022oracle-em\u0022, \u0022service_name\u0022: \u0022oracle-em\u0022, \u0022risk_score\u0022: 45}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\\u0002\ufffd\\u0010)\ufffdm\ufffd\ufffd\ufffd\ufffd\ufffdW0\\u0018[\\u0012\ufffd\ufffd\u0900\\u0012.?\ufffdBK\\u0001\u0027=I \ufffdIz\ufffdC\ufffd\\u0003]8\\u00148\\t\uec194\ufffd\ufffdJ\ufffd\\u001d\ufffdc\ufffd?\\n\ufffdV\ufffd\u04b1\ufffd\\u0000\\\\\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\\u0002\ufffd\\u0010)\ufffdm\ufffd\ufffd\ufffd\ufffd\ufffdW0\\u0018[\\u0012\ufffd\ufffd\u0900\\u0012.?\ufffdBK\\u0001\u0027=I \ufffdIz\ufffdC\ufffd\\u0003]8\\u00148\\t\uec194\ufffd\ufffdJ\ufffd\\u001d\ufffdc\ufffd?\\n\ufffdV\ufffd\u04b1\ufffd\\u0000\\\\\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\ufffd\\n\ufffd\\u0014\ufffd\\t\ufffd\\u0013\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\\u0000=\\u0000\ufffd\\u0000\u003C\\u0000\ufffd\\u00005\\u0000\ufffd\\u0000\/\\u0000A\\u0000\ufffd\\u0001\\u0000\\u0001W\\u0000\\u000b\\u0000\\u0004\\u0003\\u0000\\u0001\\u0002\\u0000\\n\\u0000\\u0016\\u0000\\u0014\\u0000\\u001d\\u0000\\u0017\\u0000\\u001e\\u0000\\u0019\\u0000\\u0018\\u0001\\u0000\\u0001\\u0001\\u0001\\u0002\\u0001\\u0003\\u0001\\u0004\\u0000#\\u0000\\u0000\\u0000\\u0016\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\r\\u0000*\\u0000(\\u0004\\u0003\\u0005\\u0003\\u0006\\u0003\\b\\u0007\\b\\b\\b\\t\\b\\n\\b\\u000b\\b\\u0004\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0003\\u0003\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\\u0002\ufffd\\u0010)\ufffdm\ufffd\ufffd\ufffd\ufffd\ufffdW0\\u0018[\\u0012\ufffd\ufffd\u0900\\u0012.?\ufffdBK\\u0001\u0027=I \ufffdIz\ufffdC\ufffd\\u0003]8\\u00148\\t\uec194\ufffd\ufffdJ\ufffd\\u001d\ufffdc\ufffd?\\n\ufffdV\ufffd\u04b1\ufffd\\u0000\\\\\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab oracle_tns_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228390ca2b70817680c922ea07fa8b887a121835c3\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\\u0002\ufffd\\u0010)\ufffdm\ufffd\ufffd\ufffd\ufffd\ufffdW0\\u0018[\\u0012\ufffd\ufffd\u0900\\u0012.?\ufffdBK\\u0001\u0027=I \ufffdIz\ufffdC\ufffd\\u0003]8\\u00148\\t\uec194\ufffd\ufffdJ\ufffd\\u001d\ufffdc\ufffd?\\n\ufffdV\ufffd\u04b1\ufffd\\u0000\\\\\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022port\u0022: 7443, \u0022service\u0022: \u0022oracle-em\u0022, \u0022service_label_fr\u0022: \u0022ORACLE EM\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd)\ufffdm\ufffd\ufffd\ufffd\ufffd\ufffdW0[\ufffd\ufffd\u0900.?\ufffdBK\u0027=I \ufffdIz\ufffdC\ufffd]88\\t\uec194\ufffd\ufffdJ\ufffd\ufffdc\ufffd?\\n\ufffdV\ufffd\u04b1\ufffd\\\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022attack_vector\u0022: \u0022oracle tns probe \u00b7 via ORACLE EM:7443 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00227443 \u00b7 ORACLE EM\u0022, \u0022emulator_service\u0022: \u0022oracle-em\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab oracle_tns_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab oracle_tns_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022oracle-em\u0022, \u0022service_label_fr\u0022: \u0022ORACLE EM\u0022, \u0022dst_port\u0022: 7443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-oracle-em\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\\u0002\ufffd\\u0010)\ufffdm\ufffd\ufffd\ufffd\ufffd\ufffdW0\\u0018[\\u0012\ufffd\ufffd\u0900\\u0012.?\ufffdBK\\u0001\u0027=I \ufffdIz\ufffdC\ufffd\\u0003]8\\u00148\\t\uec194\ufffd\ufffdJ\ufffd\\u001d\ufffdc\ufffd?\\n\ufffdV\ufffd\u04b1\ufffd\\u0000\\\\\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022port\u0022: 7443, \u0022service\u0022: \u0022oracle-em\u0022, \u0022service_label_fr\u0022: \u0022ORACLE EM\u0022}, \u0022attack_vector\u0022: \u0022oracle tns probe \u00b7 via ORACLE EM:7443 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd)\ufffdm\ufffd\ufffd\ufffd\ufffd\ufffdW0[\ufffd\ufffd\u0900.?\ufffdBK\u0027=I \ufffdIz\ufffdC\ufffd]88\\t\uec194\ufffd\ufffdJ\ufffd\ufffdc\ufffd?\\n\ufffdV\ufffd\u04b1\ufffd\\\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022target_port_label\u0022: \u00227443 \u00b7 ORACLE EM\u0022, \u0022emulator_service\u0022: \u0022oracle-em\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022oracle_em\u0022, \u0022service_banner\u0022: \u0022honeypot-oracle-em\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00227443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_oracle_tns_probe\u0022, \u0022oracle_em_emulated\u0022, \u0022oracle_em_payload\u0022, \u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_oracle_tns_probe\u0022, \u0022oracle_em_emulated\u0022, \u0022oracle_em_payload\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":5,"bytes_in":517},{"id":9230900,"ip":"193.8.186.29","ts":"2026-06-15 15:34:28.000000","proto":"tcp","src_port":36486,"dst_port":7443,"service":"http","classification":"xss_attack","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00220cb97fa2c09bb17e5169eb608f71e610635ab915\u0022, \u0022http_host_hash\u0022: \u00223207cc58a88e4dd65c61f1b1f14e699cc0722bbe\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 399, \u0022payload_entropy\u0022: 5.448361973417362, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022dst_port\u0022: 7443, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 43, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002240005da017bef00b97976ebf3705f97aaa28ab5f\u0022, \u0022event_fingerprint\u0022: \u0022461b83f7014fe619299b1b3ff6a2153181db3ce3\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.67, \u0022classification_confidence\u0022: 0.67, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022, \u0022pat-0324\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022, \u0022SSRF Any-address SSRF\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022, \u0022pat-0324\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 43, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SG\u0022, \u0022asn\u0022: 201002, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022b5696a699925e22006af19488170e4e2\u0022, \u0022payload_hash\u0022: \u00227b5a26352b27fc518c2d16e80647e81c\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 7443, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 43}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229b68035d3d806dfddfbcfb7209ff5ce5ec15ae73\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 7443, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via HTTP:7443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00227443 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 67 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 67, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 43, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 43, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 7443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 7443, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via HTTP:7443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022target_port_label\u0022: \u00227443 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 67 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00227443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022oracle-em\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022net_web_probe\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 96}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:7443","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":8,"bytes_in":399},{"id":9227267,"ip":"193.8.186.29","ts":"2026-06-15 15:28:05.000000","proto":"tcp","src_port":48152,"dst_port":5443,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u0022511534a5dbb144576d046b0d2aeb5fb7\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 6, \u0022bytes_in\u0022: 517, \u0022payload_entropy\u0022: 4.240438441262511, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022dst_port\u0022: 5443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002238f4503bf18c3e5e5b8d3cb7e422a4dd8bfca84f\u0022, \u0022event_fingerprint\u0022: \u00228c31c0776847e7f1ad0cf3030bda0c3260cd264a\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SG\u0022, \u0022asn\u0022: 201002, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u0022511534a5dbb144576d046b0d2aeb5fb7\u0022, \u0022payload_hash\u0022: \u0022cf1ed91a6cd9ce7c601c1fb7c5918b22\u0022, \u0022path_pattern_hash\u0022: \u00228792d2cfdc5028123bfb8f159de8656c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5443, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003Ms\ufffd\ufffd\ufffd\ufffd\\u001b\\u000b\ufffd\ufffd\ufffd\u0454\ufffd\ufffdL\ufffd\ufffd\\u0000\\u0010\ufffd\ufffdV\ufffd\\u0015\ufffd\ufffd\ufffdp\ufffd,\ufffd \ufffdM\ufffdX\ufffdPG\ufffd\\tX\ufffd\ufffdxt_I\u0026N\ufffd\ufffd\\u0000\\u0002\\u0002\ufffd\\u001b\ufffd\ufffd\ufffd\\u001d\u00267\ufffd\\u0000\\\\\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003Ms\ufffd\ufffd\ufffd\ufffd\\u001b\\u000b\ufffd\ufffd\ufffd\u0454\ufffd\ufffdL\ufffd\ufffd\\u0000\\u0010\ufffd\ufffdV\ufffd\\u0015\ufffd\ufffd\ufffdp\ufffd,\ufffd \ufffdM\ufffdX\ufffdPG\ufffd\\tX\ufffd\ufffdxt_I\u0026N\ufffd\ufffd\\u0000\\u0002\\u0002\ufffd\\u001b\ufffd\ufffd\ufffd\\u001d\u00267\ufffd\\u0000\\\\\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\ufffd\\n\ufffd\\u0014\ufffd\\t\ufffd\\u0013\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\\u0000=\\u0000\ufffd\\u0000\u003C\\u0000\ufffd\\u00005\\u0000\ufffd\\u0000\/\\u0000A\\u0000\ufffd\\u0001\\u0000\\u0001W\\u0000\\u000b\\u0000\\u0004\\u0003\\u0000\\u0001\\u0002\\u0000\\n\\u0000\\u0016\\u0000\\u0014\\u0000\\u001d\\u0000\\u0017\\u0000\\u001e\\u0000\\u0019\\u0000\\u0018\\u0001\\u0000\\u0001\\u0001\\u0001\\u0002\\u0001\\u0003\\u0001\\u0004\\u0000#\\u0000\\u0000\\u0000\\u0016\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\r\\u0000*\\u0000(\\u0004\\u0003\\u0005\\u0003\\u0006\\u0003\\b\\u0007\\b\\b\\b\\t\\b\\n\\b\\u000b\\b\\u0004\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0003\\u0003\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003Ms\ufffd\ufffd\ufffd\ufffd\\u001b\\u000b\ufffd\ufffd\ufffd\u0454\ufffd\ufffdL\ufffd\ufffd\\u0000\\u0010\ufffd\ufffdV\ufffd\\u0015\ufffd\ufffd\ufffdp\ufffd,\ufffd \ufffdM\ufffdX\ufffdPG\ufffd\\tX\ufffd\ufffdxt_I\u0026N\ufffd\ufffd\\u0000\\u0002\\u0002\ufffd\\u001b\ufffd\ufffd\ufffd\\u001d\u00267\ufffd\\u0000\\\\\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022df07d54af14df72eb913eb4252011fd641f26661\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003Ms\ufffd\ufffd\ufffd\ufffd\\u001b\\u000b\ufffd\ufffd\ufffd\u0454\ufffd\ufffdL\ufffd\ufffd\\u0000\\u0010\ufffd\ufffdV\ufffd\\u0015\ufffd\ufffd\ufffdp\ufffd,\ufffd \ufffdM\ufffdX\ufffdPG\ufffd\\tX\ufffd\ufffdxt_I\u0026N\ufffd\ufffd\\u0000\\u0002\\u0002\ufffd\\u001b\ufffd\ufffd\ufffd\\u001d\u00267\ufffd\\u0000\\\\\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022tls_ja3\u0022: \u0022511534a5dbb144576d046b0d2aeb5fb7\u0022, \u0022port\u0022: 5443, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffdMs\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0454\ufffd\ufffdL\ufffd\ufffd\ufffd\ufffdV\ufffd\ufffd\ufffd\ufffdp\ufffd,\ufffd \ufffdM\ufffdX\ufffdPG\ufffd\\tX\ufffd\ufffdxt_I\u0026N\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u00267\ufffd\\\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022attack_vector\u0022: \u0022tls probe \u00b7 via TLS:5443 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225443 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 5443, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003Ms\ufffd\ufffd\ufffd\ufffd\\u001b\\u000b\ufffd\ufffd\ufffd\u0454\ufffd\ufffdL\ufffd\ufffd\\u0000\\u0010\ufffd\ufffdV\ufffd\\u0015\ufffd\ufffd\ufffdp\ufffd,\ufffd \ufffdM\ufffdX\ufffdPG\ufffd\\tX\ufffd\ufffdxt_I\u0026N\ufffd\ufffd\\u0000\\u0002\\u0002\ufffd\\u001b\ufffd\ufffd\ufffd\\u001d\u00267\ufffd\\u0000\\\\\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022tls_ja3\u0022: \u0022511534a5dbb144576d046b0d2aeb5fb7\u0022, \u0022port\u0022: 5443, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022tls probe \u00b7 via TLS:5443 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffdMs\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0454\ufffd\ufffdL\ufffd\ufffd\ufffd\ufffdV\ufffd\ufffd\ufffd\ufffdp\ufffd,\ufffd \ufffdM\ufffdX\ufffdPG\ufffd\\tX\ufffd\ufffdxt_I\u0026N\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u00267\ufffd\\\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022target_port_label\u0022: \u00225443 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]}","tls_sni":null,"tls_ja3_hash":"511534a5dbb144576d046b0d2aeb5fb7","tls_ja3":"771,4866-4867-4865-49196-49200-52393-52392-49327-49325-49245-49249-49195-49199-49326-49324-49244-49248-49188-49192-49267-49271-49187-49191-49266-49270-49162-49172-49161-49171-157-49313-49309-49233-156-49312-49308-49232-61-192-60-186-53-132-47-65-255,11-10-35-22-23-13-43-45-51-21,29-23-30-25-24-256-257-258-259-260,0-1-2","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":517},{"id":9227269,"ip":"193.8.186.29","ts":"2026-06-15 15:28:05.000000","proto":"tcp","src_port":48164,"dst_port":5443,"service":"http","classification":"xss_attack","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00220cb97fa2c09bb17e5169eb608f71e610635ab915\u0022, \u0022http_host_hash\u0022: \u00228c63977d5d0c71f59418955e62bca1981dfcfc04\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 399, \u0022payload_entropy\u0022: 5.447448369465984, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022dst_port\u0022: 5443, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022934d057e5d2b88c4f777c08b9fd5222a84a20ea9\u0022, \u0022event_fingerprint\u0022: \u0022b38be6657f601aa8f7889eccd7132a23c3d252e3\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.67, \u0022classification_confidence\u0022: 0.67, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022, \u0022pat-0324\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022, \u0022SSRF Any-address SSRF\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022, \u0022pat-0324\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SG\u0022, \u0022asn\u0022: 201002, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022b5696a699925e22006af19488170e4e2\u0022, \u0022payload_hash\u0022: \u0022149f7630687d7a2eac81908378b54998\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5443, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022bd947b257325336f602d7bf1a2aacc97fb48baac\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 5443, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via HTTP:5443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00225443 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 45\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 67 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 67, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 5443, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 5443, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via HTTP:5443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022target_port_label\u0022: \u00225443 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 67 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 96}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:5443","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":8,"bytes_in":399},{"id":9198858,"ip":"193.8.186.29","ts":"2026-06-15 14:44:58.000000","proto":"tcp","src_port":56456,"dst_port":8082,"service":"http-alt-8082","classification":"http-alt-8082","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 517, \u0022payload_entropy\u0022: 4.318182267961231, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022http-alt-8082\u0022, \u0022app_proto\u0022: \u0022http-alt-8082\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022dst_port\u0022: 8082, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00223888d1be70f33732522d873896cc453ceef75286\u0022, \u0022event_fingerprint\u0022: \u00220e49cbf0cd38e11c005312d70c60a0ee389bb82f\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab http-alt-8082 \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022http-alt-8082\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SG\u0022, \u0022asn\u0022: 201002, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022294e970dfcec24b7609d0a61e8380ddb\u0022, \u0022path_pattern_hash\u0022: \u0022ab911db9a03f822d13fe3595fc5be734\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8082, \u0022service\u0022: \u0022http-alt-8082\u0022, \u0022service_name\u0022: \u0022http-alt-8082\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003@%\ufffdf\ufffd\\u0013o}\ufffdN\u01c0\\u000b?\\u0011$\ufffd\ufffd\\r6\ufffd\ufffdrRa=\ufffd:\/J\\u0011i m\ufffd\ufffd,u\ufffd\\u0010|\ufffdlDG`\ufffd5\ufffd\u0630\ufffd\ufffd\\u0003y;\ufffd7}\ufffd\\u0012\\r\ufffd\u07b2\\u0000\\\\\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003@%\ufffdf\ufffd\\u0013o}\ufffdN\u01c0\\u000b?\\u0011$\ufffd\ufffd\\r6\ufffd\ufffdrRa=\ufffd:\/J\\u0011i m\ufffd\ufffd,u\ufffd\\u0010|\ufffdlDG`\ufffd5\ufffd\u0630\ufffd\ufffd\\u0003y;\ufffd7}\ufffd\\u0012\\r\ufffd\u07b2\\u0000\\\\\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\ufffd\\n\ufffd\\u0014\ufffd\\t\ufffd\\u0013\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\\u0000=\\u0000\ufffd\\u0000\u003C\\u0000\ufffd\\u00005\\u0000\ufffd\\u0000\/\\u0000A\\u0000\ufffd\\u0001\\u0000\\u0001W\\u0000\\u000b\\u0000\\u0004\\u0003\\u0000\\u0001\\u0002\\u0000\\n\\u0000\\u0016\\u0000\\u0014\\u0000\\u001d\\u0000\\u0017\\u0000\\u001e\\u0000\\u0019\\u0000\\u0018\\u0001\\u0000\\u0001\\u0001\\u0001\\u0002\\u0001\\u0003\\u0001\\u0004\\u0000#\\u0000\\u0000\\u0000\\u0016\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\r\\u0000*\\u0000(\\u0004\\u0003\\u0005\\u0003\\u0006\\u0003\\b\\u0007\\b\\b\\b\\t\\b\\n\\b\\u000b\\b\\u0004\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0003\\u0003\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003@%\ufffdf\ufffd\\u0013o}\ufffdN\u01c0\\u000b?\\u0011$\ufffd\ufffd\\r6\ufffd\ufffdrRa=\ufffd:\/J\\u0011i m\ufffd\ufffd,u\ufffd\\u0010|\ufffdlDG`\ufffd5\ufffd\u0630\ufffd\ufffd\\u0003y;\ufffd7}\ufffd\\u0012\\r\ufffd\u07b2\\u0000\\\\\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http-alt-8082 \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022158cb7aa41a95ee9b0d52d9401c2b6aed53b6603\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003@%\ufffdf\ufffd\\u0013o}\ufffdN\u01c0\\u000b?\\u0011$\ufffd\ufffd\\r6\ufffd\ufffdrRa=\ufffd:\/J\\u0011i m\ufffd\ufffd,u\ufffd\\u0010|\ufffdlDG`\ufffd5\ufffd\u0630\ufffd\ufffd\\u0003y;\ufffd7}\ufffd\\u0012\\r\ufffd\u07b2\\u0000\\\\\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022port\u0022: 8082, \u0022service\u0022: \u0022http-alt-8082\u0022, \u0022service_label_fr\u0022: \u0022HTTP ALT 8082\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd@%\ufffdf\ufffdo}\ufffdN\u01c0?$\ufffd\ufffd\\r6\ufffd\ufffdrRa=\ufffd:\/Ji m\ufffd\ufffd,u\ufffd|\ufffdlDG`\ufffd5\ufffd\u0630\ufffd\ufffdy;\ufffd7}\ufffd\\r\ufffd\u07b2\\\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022attack_vector\u0022: \u0022http-alt-8082 \u00b7 via HTTP ALT 8082:8082 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228082 \u00b7 HTTP ALT 8082\u0022, \u0022emulator_service\u0022: \u0022http-alt-8082\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http-alt-8082 \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http-alt-8082 \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http-alt-8082\u0022, \u0022service_label_fr\u0022: \u0022HTTP ALT 8082\u0022, \u0022dst_port\u0022: 8082, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http-alt-8082\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003@%\ufffdf\ufffd\\u0013o}\ufffdN\u01c0\\u000b?\\u0011$\ufffd\ufffd\\r6\ufffd\ufffdrRa=\ufffd:\/J\\u0011i m\ufffd\ufffd,u\ufffd\\u0010|\ufffdlDG`\ufffd5\ufffd\u0630\ufffd\ufffd\\u0003y;\ufffd7}\ufffd\\u0012\\r\ufffd\u07b2\\u0000\\\\\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022port\u0022: 8082, \u0022service\u0022: \u0022http-alt-8082\u0022, \u0022service_label_fr\u0022: \u0022HTTP ALT 8082\u0022}, \u0022attack_vector\u0022: \u0022http-alt-8082 \u00b7 via HTTP ALT 8082:8082 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd@%\ufffdf\ufffdo}\ufffdN\u01c0?$\ufffd\ufffd\\r6\ufffd\ufffdrRa=\ufffd:\/Ji m\ufffd\ufffd,u\ufffd|\ufffdlDG`\ufffd5\ufffd\u0630\ufffd\ufffdy;\ufffd7}\ufffd\\r\ufffd\u07b2\\\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd\u0027\ufffdr\ufffdv\u0022, \u0022target_port_label\u0022: \u00228082 \u00b7 HTTP ALT 8082\u0022, \u0022emulator_service\u0022: \u0022http-alt-8082\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http_alt_8082\u0022, \u0022service_banner\u0022: \u0022honeypot-http-alt-8082\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228082\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":517},{"id":9198862,"ip":"193.8.186.29","ts":"2026-06-15 14:44:58.000000","proto":"tcp","src_port":56468,"dst_port":8082,"service":"http","classification":"xss_attack","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00220cb97fa2c09bb17e5169eb608f71e610635ab915\u0022, \u0022http_host_hash\u0022: \u00227a8d0e6c280b76f893f1d973fb51ae53b8bb4673\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 399, \u0022payload_entropy\u0022: 5.455349784579637, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022dst_port\u0022: 8082, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227ccf9af03d8f8e8c7839c4df77a4a032322efde1\u0022, \u0022event_fingerprint\u0022: \u002224e45377946a33b2067be73083ee876944b91034\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.67, \u0022classification_confidence\u0022: 0.67, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022, \u0022pat-0324\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022, \u0022SSRF Any-address SSRF\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022, \u0022pat-0324\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SG\u0022, \u0022asn\u0022: 201002, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022b5696a699925e22006af19488170e4e2\u0022, \u0022payload_hash\u0022: \u002213ac96e1071c61d8b10b4964687b49b1\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8082, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8082\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8082\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8082\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8082\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8082\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226642314bef2b7f8d0e29cc6d14e0a9b1c8c6a077\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 8082, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8082\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via HTTP:8082 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228082 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 67 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 67, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8082, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 8082, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via HTTP:8082 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8082\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022target_port_label\u0022: \u00228082 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 67 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228082\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022http-alt-8082\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8082","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":8,"bytes_in":399},{"id":7653238,"ip":"193.8.186.29","ts":"2026-05-24 09:11:25.000000","proto":"tcp","src_port":55030,"dst_port":9443,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u0022511534a5dbb144576d046b0d2aeb5fb7\u0022, \u0022tls_sni\u0022: null, \u0022bytes_in\u0022: 517, \u0022payload_entropy\u0022: 4.270039740154434, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 33, \u0022campaign_key\u0022: \u00224e4df618d27851fd61b9f4e3d46eb6c568d5d6da\u0022, \u0022event_fingerprint\u0022: \u00223d22311752a415828a3734d1bdce485fdbf1d502\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]}","tls_sni":null,"tls_ja3_hash":"511534a5dbb144576d046b0d2aeb5fb7","tls_ja3":"771,4866-4867-4865-49196-49200-52393-52392-49327-49325-49245-49249-49195-49199-49326-49324-49244-49248-49188-49192-49267-49271-49187-49191-49266-49270-49162-49172-49161-49171-157-49313-49309-49233-156-49312-49308-49232-61-192-60-186-53-132-47-65-255,11-10-35-22-23-13-43-45-51-21,29-23-30-25-24-256-257-258-259-260,0-1-2","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]","anomalies":"[]","severity":2,"bytes_in":517},{"id":7653239,"ip":"193.8.186.29","ts":"2026-05-24 09:11:25.000000","proto":"tcp","src_port":55034,"dst_port":9443,"service":"http","classification":"web_attack","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00220cb97fa2c09bb17e5169eb608f71e610635ab915\u0022, \u0022http_host_hash\u0022: \u002216538a1bcfcc9930ab514bb8cc61e117e087fd04\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 399, \u0022payload_entropy\u0022: 5.449590607491731, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 100, \u0022campaign_key\u0022: \u002211487d78e75bf58523d39b43d59a0e8556f7b8af\u0022, \u0022event_fingerprint\u0022: \u0022e597fb3490c397306741fba0befe3cfff27ee87a\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9443","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":8,"bytes_in":399},{"id":7652230,"ip":"193.8.186.29","ts":"2026-05-24 08:54:30.000000","proto":"tcp","src_port":48772,"dst_port":8080,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u0022511534a5dbb144576d046b0d2aeb5fb7\u0022, \u0022tls_sni\u0022: null, \u0022bytes_in\u0022: 517, \u0022payload_entropy\u0022: 4.278087382171675, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 57, \u0022campaign_key\u0022: \u0022ae8aaa5d2da047e9d18bfdd1c0dcf377a2a56573\u0022, \u0022event_fingerprint\u0022: \u0022dcffac0c20e049fc2da06d3927dc604b1ff79358\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]}","tls_sni":null,"tls_ja3_hash":"511534a5dbb144576d046b0d2aeb5fb7","tls_ja3":"771,4866-4867-4865-49196-49200-52393-52392-49327-49325-49245-49249-49195-49199-49326-49324-49244-49248-49188-49192-49267-49271-49187-49191-49266-49270-49162-49172-49161-49171-157-49313-49309-49233-156-49312-49308-49232-61-192-60-186-53-132-47-65-255,11-10-35-22-23-13-43-45-51-21,29-23-30-25-24-256-257-258-259-260,0-1-2","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]","anomalies":"[]","severity":4,"bytes_in":517},{"id":7652231,"ip":"193.8.186.29","ts":"2026-05-24 08:54:30.000000","proto":"tcp","src_port":48780,"dst_port":8080,"service":"http","classification":"web_attack","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00220cb97fa2c09bb17e5169eb608f71e610635ab915\u0022, \u0022http_host_hash\u0022: \u0022c9908f9a31aefa5902e21ee9fa132cbe056c536d\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 399, \u0022payload_entropy\u0022: 5.447336620236348, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 100, \u0022campaign_key\u0022: \u0022b51a116142cf08521dc3211ea8a2c990384b6a4c\u0022, \u0022event_fingerprint\u0022: \u00225d0b1f96b1f1257fd0e98e0d537c9ec89e8e500b\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8080","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":8,"bytes_in":399},{"id":7651260,"ip":"193.8.186.29","ts":"2026-05-24 08:34:09.000000","proto":"tcp","src_port":55756,"dst_port":10443,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u0022511534a5dbb144576d046b0d2aeb5fb7\u0022, \u0022tls_sni\u0022: null, \u0022bytes_in\u0022: 517, \u0022payload_entropy\u0022: 4.332166028398285, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 33, \u0022campaign_key\u0022: \u002223dde6fc0a1116ef95b0cfb15bb7d2a5700eaf3d\u0022, \u0022event_fingerprint\u0022: \u0022963d55b8df7be37fe4cc6b57b20ecff1621eeb4a\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]}","tls_sni":null,"tls_ja3_hash":"511534a5dbb144576d046b0d2aeb5fb7","tls_ja3":"771,4866-4867-4865-49196-49200-52393-52392-49327-49325-49245-49249-49195-49199-49326-49324-49244-49248-49188-49192-49267-49271-49187-49191-49266-49270-49162-49172-49161-49171-157-49313-49309-49233-156-49312-49308-49232-61-192-60-186-53-132-47-65-255,11-10-35-22-23-13-43-45-51-21,29-23-30-25-24-256-257-258-259-260,0-1-2","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]","anomalies":"[]","severity":2,"bytes_in":517},{"id":7651262,"ip":"193.8.186.29","ts":"2026-05-24 08:34:09.000000","proto":"tcp","src_port":55762,"dst_port":10443,"service":"http","classification":"web_attack","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00220cb97fa2c09bb17e5169eb608f71e610635ab915\u0022, \u0022http_host_hash\u0022: \u00222cf5af0b13931b66cab59dd3d82974768acd327c\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 400, \u0022payload_entropy\u0022: 5.446326198617309, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 100, \u0022campaign_key\u0022: \u0022cd64762cbd3ef3323a0aeac3a15365262002e9ae\u0022, \u0022event_fingerprint\u0022: \u0022abab8689f9cd2396c292ea70c91cf9363a23bbce\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:10443","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":8,"bytes_in":400},{"id":7601442,"ip":"193.8.186.29","ts":"2026-05-23 12:46:56.000000","proto":"tcp","src_port":54818,"dst_port":11443,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u0022511534a5dbb144576d046b0d2aeb5fb7\u0022, \u0022tls_sni\u0022: null, \u0022bytes_in\u0022: 517, \u0022payload_entropy\u0022: 4.282616630282951, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 33, \u0022campaign_key\u0022: \u00229afa8e15fc527169e815ffcd7612a1b9a2878e27\u0022, \u0022event_fingerprint\u0022: \u002246c66d60d11bbd5dc29a9ac47fb8406df5265876\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]}","tls_sni":null,"tls_ja3_hash":"511534a5dbb144576d046b0d2aeb5fb7","tls_ja3":"771,4866-4867-4865-49196-49200-52393-52392-49327-49325-49245-49249-49195-49199-49326-49324-49244-49248-49188-49192-49267-49271-49187-49191-49266-49270-49162-49172-49161-49171-157-49313-49309-49233-156-49312-49308-49232-61-192-60-186-53-132-47-65-255,11-10-35-22-23-13-43-45-51-21,29-23-30-25-24-256-257-258-259-260,0-1-2","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]","anomalies":"[]","severity":2,"bytes_in":517},{"id":7601443,"ip":"193.8.186.29","ts":"2026-05-23 12:46:56.000000","proto":"tcp","src_port":54832,"dst_port":11443,"service":"http","classification":"web_attack","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00220cb97fa2c09bb17e5169eb608f71e610635ab915\u0022, \u0022http_host_hash\u0022: \u00229ef1b6d504b654fe06cbbf3870a4ee75ac65add6\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 400, \u0022payload_entropy\u0022: 5.449291278110535, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 100, \u0022campaign_key\u0022: \u0022a3e4e41439439815f3310e94cc4e547074546a28\u0022, \u0022event_fingerprint\u0022: \u0022997ff8ab26e676cad596561f36d6b12bff17f32f\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:11443","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":8,"bytes_in":400},{"id":7600462,"ip":"193.8.186.29","ts":"2026-05-23 12:31:29.000000","proto":"tcp","src_port":47522,"dst_port":4443,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u0022511534a5dbb144576d046b0d2aeb5fb7\u0022, \u0022tls_sni\u0022: null, \u0022bytes_in\u0022: 517, \u0022payload_entropy\u0022: 4.297865853002081, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 33, \u0022campaign_key\u0022: \u0022fc0cb90134608e48d30f282269579f24a311c1ee\u0022, \u0022event_fingerprint\u0022: \u002219107c4406ce443e3a504932be8e497a4df4196b\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]}","tls_sni":null,"tls_ja3_hash":"511534a5dbb144576d046b0d2aeb5fb7","tls_ja3":"771,4866-4867-4865-49196-49200-52393-52392-49327-49325-49245-49249-49195-49199-49326-49324-49244-49248-49188-49192-49267-49271-49187-49191-49266-49270-49162-49172-49161-49171-157-49313-49309-49233-156-49312-49308-49232-61-192-60-186-53-132-47-65-255,11-10-35-22-23-13-43-45-51-21,29-23-30-25-24-256-257-258-259-260,0-1-2","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]","anomalies":"[]","severity":2,"bytes_in":517},{"id":7600463,"ip":"193.8.186.29","ts":"2026-05-23 12:31:29.000000","proto":"tcp","src_port":47538,"dst_port":4443,"service":"http","classification":"web_attack","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00220cb97fa2c09bb17e5169eb608f71e610635ab915\u0022, \u0022http_host_hash\u0022: \u0022e950df8a5a68e4dcc53c2ea4813456e73c1d6fc9\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 399, \u0022payload_entropy\u0022: 5.446720314189158, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 100, \u0022campaign_key\u0022: \u0022b3ca9ddfeb2b1d0d1337a0674f54405e063a997c\u0022, \u0022event_fingerprint\u0022: \u002246787207b8bb4667f0a216f439d637abf48dc130\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:4443","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":8,"bytes_in":399},{"id":7594335,"ip":"193.8.186.29","ts":"2026-05-23 10:53:24.000000","proto":"tcp","src_port":46940,"dst_port":8070,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u0022511534a5dbb144576d046b0d2aeb5fb7\u0022, \u0022tls_sni\u0022: null, \u0022bytes_in\u0022: 517, \u0022payload_entropy\u0022: 4.269443953486874, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 33, \u0022campaign_key\u0022: \u002209ff399d902a8a7ff7b1bdd29ad8a7744d77ca75\u0022, \u0022event_fingerprint\u0022: \u0022738e48f98b7fb226f95d5fbcdbdbaf1319febd78\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]}","tls_sni":null,"tls_ja3_hash":"511534a5dbb144576d046b0d2aeb5fb7","tls_ja3":"771,4866-4867-4865-49196-49200-52393-52392-49327-49325-49245-49249-49195-49199-49326-49324-49244-49248-49188-49192-49267-49271-49187-49191-49266-49270-49162-49172-49161-49171-157-49313-49309-49233-156-49312-49308-49232-61-192-60-186-53-132-47-65-255,11-10-35-22-23-13-43-45-51-21,29-23-30-25-24-256-257-258-259-260,0-1-2","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]","anomalies":"[]","severity":2,"bytes_in":517},{"id":7594336,"ip":"193.8.186.29","ts":"2026-05-23 10:53:24.000000","proto":"tcp","src_port":46952,"dst_port":8070,"service":"http","classification":"web_attack","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00220cb97fa2c09bb17e5169eb608f71e610635ab915\u0022, \u0022http_host_hash\u0022: \u00222045de7887174d9bf5c5f3b488b17b4b583ca139\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 399, \u0022payload_entropy\u0022: 5.446107986161978, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 100, \u0022campaign_key\u0022: \u0022eaa48e0827bebd6503b7a29b01c4086a03f79dd6\u0022, \u0022event_fingerprint\u0022: \u002269761c2c67d85c9fd9cf7cb43cbb86cce95aedcb\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8070","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":8,"bytes_in":399},{"id":7591037,"ip":"193.8.186.29","ts":"2026-05-23 10:22:55.000000","proto":"tcp","src_port":54690,"dst_port":8043,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u0022511534a5dbb144576d046b0d2aeb5fb7\u0022, \u0022tls_sni\u0022: null, \u0022bytes_in\u0022: 517, \u0022payload_entropy\u0022: 4.305659555296482, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 33, \u0022campaign_key\u0022: \u0022d667405032ff3348e68a4a3646ddbfee0fe1f5f4\u0022, \u0022event_fingerprint\u0022: \u00229d3ff952bb4449ab4fcd39c3869bb9d7ccac1c35\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]}","tls_sni":null,"tls_ja3_hash":"511534a5dbb144576d046b0d2aeb5fb7","tls_ja3":"771,4866-4867-4865-49196-49200-52393-52392-49327-49325-49245-49249-49195-49199-49326-49324-49244-49248-49188-49192-49267-49271-49187-49191-49266-49270-49162-49172-49161-49171-157-49313-49309-49233-156-49312-49308-49232-61-192-60-186-53-132-47-65-255,11-10-35-22-23-13-43-45-51-21,29-23-30-25-24-256-257-258-259-260,0-1-2","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]","anomalies":"[]","severity":2,"bytes_in":517},{"id":7591038,"ip":"193.8.186.29","ts":"2026-05-23 10:22:55.000000","proto":"tcp","src_port":54704,"dst_port":8043,"service":"http","classification":"web_attack","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00220cb97fa2c09bb17e5169eb608f71e610635ab915\u0022, \u0022http_host_hash\u0022: \u0022a21e8130412410f8da5d7966dea2817810a196f5\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 399, \u0022payload_entropy\u0022: 5.44778199007173, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 100, \u0022campaign_key\u0022: \u002240f4ab308184d391b818a66b7e9f228671d38d33\u0022, \u0022event_fingerprint\u0022: \u00228b9839a20f97e3cff669ffd346e3f11eb7aaad9c\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8043","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":8,"bytes_in":399},{"id":7590556,"ip":"193.8.186.29","ts":"2026-05-23 10:16:11.000000","proto":"tcp","src_port":56888,"dst_port":8055,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u0022511534a5dbb144576d046b0d2aeb5fb7\u0022, \u0022tls_sni\u0022: null, \u0022bytes_in\u0022: 517, \u0022payload_entropy\u0022: 4.3215117911008525, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 33, \u0022campaign_key\u0022: \u00228192e876fad282dd4a5f469ad868b9b3171e1255\u0022, \u0022event_fingerprint\u0022: \u00229536e10cf37b35bbf438e56e3f83119874addb15\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]}","tls_sni":null,"tls_ja3_hash":"511534a5dbb144576d046b0d2aeb5fb7","tls_ja3":"771,4866-4867-4865-49196-49200-52393-52392-49327-49325-49245-49249-49195-49199-49326-49324-49244-49248-49188-49192-49267-49271-49187-49191-49266-49270-49162-49172-49161-49171-157-49313-49309-49233-156-49312-49308-49232-61-192-60-186-53-132-47-65-255,11-10-35-22-23-13-43-45-51-21,29-23-30-25-24-256-257-258-259-260,0-1-2","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]","anomalies":"[]","severity":2,"bytes_in":517},{"id":7590557,"ip":"193.8.186.29","ts":"2026-05-23 10:16:11.000000","proto":"tcp","src_port":56904,"dst_port":8055,"service":"http","classification":"web_attack","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00220cb97fa2c09bb17e5169eb608f71e610635ab915\u0022, \u0022http_host_hash\u0022: \u002278f6410bb0ab477a6e31a52663085df6b008f579\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 399, \u0022payload_entropy\u0022: 5.4484453046243395, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 100, \u0022campaign_key\u0022: \u00222ee8751bef4e4df020c3b06526bc106109365b6d\u0022, \u0022event_fingerprint\u0022: \u0022bcf9b3974c43716979ec3f470b4a24b439a9f4e9\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8055","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":8,"bytes_in":399},{"id":7589325,"ip":"193.8.186.29","ts":"2026-05-23 09:57:53.000000","proto":"tcp","src_port":38562,"dst_port":8039,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u0022511534a5dbb144576d046b0d2aeb5fb7\u0022, \u0022tls_sni\u0022: null, \u0022bytes_in\u0022: 517, \u0022payload_entropy\u0022: 4.2567762278729875, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 33, \u0022campaign_key\u0022: \u0022b4ae9e5293a7052000b596578277c4b0f33b2acd\u0022, \u0022event_fingerprint\u0022: \u0022bbc8daf6b6e26ded3c90d970c90a9340f5a30634\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]}","tls_sni":null,"tls_ja3_hash":"511534a5dbb144576d046b0d2aeb5fb7","tls_ja3":"771,4866-4867-4865-49196-49200-52393-52392-49327-49325-49245-49249-49195-49199-49326-49324-49244-49248-49188-49192-49267-49271-49187-49191-49266-49270-49162-49172-49161-49171-157-49313-49309-49233-156-49312-49308-49232-61-192-60-186-53-132-47-65-255,11-10-35-22-23-13-43-45-51-21,29-23-30-25-24-256-257-258-259-260,0-1-2","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]","anomalies":"[]","severity":2,"bytes_in":517},{"id":7589326,"ip":"193.8.186.29","ts":"2026-05-23 09:57:53.000000","proto":"tcp","src_port":38570,"dst_port":8039,"service":"http","classification":"web_attack","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00220cb97fa2c09bb17e5169eb608f71e610635ab915\u0022, \u0022http_host_hash\u0022: \u0022d3f8e236839961e21210ff9f9a1330d79c3cb9e9\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 399, \u0022payload_entropy\u0022: 5.4490106241461, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 100, \u0022campaign_key\u0022: \u00221ee16b12c1d7fc01ded9015c16ca5ea27ca7797d\u0022, \u0022event_fingerprint\u0022: \u0022e4ecdbd62c448782ce560bb06678e3a5849f3af4\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8039","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":8,"bytes_in":399},{"id":7588343,"ip":"193.8.186.29","ts":"2026-05-23 09:42:23.000000","proto":"tcp","src_port":44550,"dst_port":8063,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u0022511534a5dbb144576d046b0d2aeb5fb7\u0022, \u0022tls_sni\u0022: null, \u0022bytes_in\u0022: 517, \u0022payload_entropy\u0022: 4.2794675516132985, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 33, \u0022campaign_key\u0022: \u0022de89c17b6c7fa99c0ec2abd12d7e97b02df3c537\u0022, \u0022event_fingerprint\u0022: \u002254df8c3fa55de22f3aeb34c21eb46ce30b488ce7\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]}","tls_sni":null,"tls_ja3_hash":"511534a5dbb144576d046b0d2aeb5fb7","tls_ja3":"771,4866-4867-4865-49196-49200-52393-52392-49327-49325-49245-49249-49195-49199-49326-49324-49244-49248-49188-49192-49267-49271-49187-49191-49266-49270-49162-49172-49161-49171-157-49313-49309-49233-156-49312-49308-49232-61-192-60-186-53-132-47-65-255,11-10-35-22-23-13-43-45-51-21,29-23-30-25-24-256-257-258-259-260,0-1-2","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]","anomalies":"[]","severity":2,"bytes_in":517},{"id":7588344,"ip":"193.8.186.29","ts":"2026-05-23 09:42:23.000000","proto":"tcp","src_port":44564,"dst_port":8063,"service":"http","classification":"web_attack","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00220cb97fa2c09bb17e5169eb608f71e610635ab915\u0022, \u0022http_host_hash\u0022: \u002211ef6ad8aa285418b50a4ce38f4f9b5338f66439\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 399, \u0022payload_entropy\u0022: 5.4461403308435266, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 100, \u0022campaign_key\u0022: \u0022ce7e614c4bd52b332a6d6c758e333de7f15ad3b4\u0022, \u0022event_fingerprint\u0022: \u0022a43f939a1402c77a2a289a1971522c075297e8f3\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8063","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":8,"bytes_in":399},{"id":7584591,"ip":"193.8.186.29","ts":"2026-05-23 08:28:28.000000","proto":"tcp","src_port":39882,"dst_port":8092,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u0022511534a5dbb144576d046b0d2aeb5fb7\u0022, \u0022tls_sni\u0022: null, \u0022bytes_in\u0022: 517, \u0022payload_entropy\u0022: 4.302403339378987, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 33, \u0022campaign_key\u0022: \u00220359354c9e373c4b7db4d710c36ad88987658008\u0022, \u0022event_fingerprint\u0022: \u0022c37b67ce60d8c31b3531167b5080f0104b0f2e90\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]}","tls_sni":null,"tls_ja3_hash":"511534a5dbb144576d046b0d2aeb5fb7","tls_ja3":"771,4866-4867-4865-49196-49200-52393-52392-49327-49325-49245-49249-49195-49199-49326-49324-49244-49248-49188-49192-49267-49271-49187-49191-49266-49270-49162-49172-49161-49171-157-49313-49309-49233-156-49312-49308-49232-61-192-60-186-53-132-47-65-255,11-10-35-22-23-13-43-45-51-21,29-23-30-25-24-256-257-258-259-260,0-1-2","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]","anomalies":"[]","severity":2,"bytes_in":517},{"id":7584592,"ip":"193.8.186.29","ts":"2026-05-23 08:28:28.000000","proto":"tcp","src_port":39896,"dst_port":8092,"service":"http","classification":"web_attack","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00220cb97fa2c09bb17e5169eb608f71e610635ab915\u0022, \u0022http_host_hash\u0022: \u002296b332f68b851994e64106cc7a7e4bc3f620096d\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 399, \u0022payload_entropy\u0022: 5.455349784579637, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 100, \u0022campaign_key\u0022: \u0022b44556c7d13b2997ce82b36138b5e3a5e3f2c68b\u0022, \u0022event_fingerprint\u0022: \u0022fb1f1936b1303a16400aa86ae959c84fa991a9b4\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8092","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":8,"bytes_in":399},{"id":7583996,"ip":"193.8.186.29","ts":"2026-05-23 08:13:14.000000","proto":"tcp","src_port":41276,"dst_port":8008,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u0022511534a5dbb144576d046b0d2aeb5fb7\u0022, \u0022tls_sni\u0022: null, \u0022bytes_in\u0022: 517, \u0022payload_entropy\u0022: 4.2963516056813855, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 33, \u0022campaign_key\u0022: \u0022b895b727a16411909b82ac75bb5382d4b97d4e25\u0022, \u0022event_fingerprint\u0022: \u0022a302fe1b51339da778695f9a90e29b38b8c02a07\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]}","tls_sni":null,"tls_ja3_hash":"511534a5dbb144576d046b0d2aeb5fb7","tls_ja3":"771,4866-4867-4865-49196-49200-52393-52392-49327-49325-49245-49249-49195-49199-49326-49324-49244-49248-49188-49192-49267-49271-49187-49191-49266-49270-49162-49172-49161-49171-157-49313-49309-49233-156-49312-49308-49232-61-192-60-186-53-132-47-65-255,11-10-35-22-23-13-43-45-51-21,29-23-30-25-24-256-257-258-259-260,0-1-2","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]","anomalies":"[]","severity":2,"bytes_in":517},{"id":7583997,"ip":"193.8.186.29","ts":"2026-05-23 08:13:14.000000","proto":"tcp","src_port":41288,"dst_port":8008,"service":"http","classification":"web_attack","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00220cb97fa2c09bb17e5169eb608f71e610635ab915\u0022, \u0022http_host_hash\u0022: \u00222f04469f58c087671b6a6ba85c59ddf7574837ab\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 399, \u0022payload_entropy\u0022: 5.447336620236348, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 100, \u0022campaign_key\u0022: \u002240b2fb2faa5eeeaa66f4b9be6c4318ce218cfa8d\u0022, \u0022event_fingerprint\u0022: \u0022bb9133595103ef077b7f4a33ee4e8414f3b782a1\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8008","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":8,"bytes_in":399},{"id":7582145,"ip":"193.8.186.29","ts":"2026-05-23 07:30:03.000000","proto":"tcp","src_port":42900,"dst_port":8085,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u0022511534a5dbb144576d046b0d2aeb5fb7\u0022, \u0022tls_sni\u0022: null, \u0022bytes_in\u0022: 517, \u0022payload_entropy\u0022: 4.284020851651728, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 33, \u0022campaign_key\u0022: \u0022a08df34777ba1aa12e61e52913a3435a1273543e\u0022, \u0022event_fingerprint\u0022: \u0022e77a12ef679081d85d71547c686cad5362d12487\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]}","tls_sni":null,"tls_ja3_hash":"511534a5dbb144576d046b0d2aeb5fb7","tls_ja3":"771,4866-4867-4865-49196-49200-52393-52392-49327-49325-49245-49249-49195-49199-49326-49324-49244-49248-49188-49192-49267-49271-49187-49191-49266-49270-49162-49172-49161-49171-157-49313-49309-49233-156-49312-49308-49232-61-192-60-186-53-132-47-65-255,11-10-35-22-23-13-43-45-51-21,29-23-30-25-24-256-257-258-259-260,0-1-2","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]","anomalies":"[]","severity":2,"bytes_in":517},{"id":7582146,"ip":"193.8.186.29","ts":"2026-05-23 07:30:03.000000","proto":"tcp","src_port":42910,"dst_port":8085,"service":"http","classification":"web_attack","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00220cb97fa2c09bb17e5169eb608f71e610635ab915\u0022, \u0022http_host_hash\u0022: \u00228307e910dac7083f4f0d52abcc8375f89d55b254\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 399, \u0022payload_entropy\u0022: 5.451315597926913, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 100, \u0022campaign_key\u0022: \u0022d8886d36a36e5e7e490975e0991baeb22205c72f\u0022, \u0022event_fingerprint\u0022: \u002239b0e5af9c5a517e28c065fe67fd86bf8be318fa\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8085","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":8,"bytes_in":399},{"id":7582115,"ip":"193.8.186.29","ts":"2026-05-23 07:29:01.000000","proto":"tcp","src_port":58382,"dst_port":8084,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u0022511534a5dbb144576d046b0d2aeb5fb7\u0022, \u0022tls_sni\u0022: null, \u0022bytes_in\u0022: 517, \u0022payload_entropy\u0022: 4.268489263100471, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 33, \u0022campaign_key\u0022: \u0022875e58b70b77ad56082d088a7a9e2ae312206092\u0022, \u0022event_fingerprint\u0022: \u0022c822b72a173cfe2a5459cae9c7f0cbc4dfe23958\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]}","tls_sni":null,"tls_ja3_hash":"511534a5dbb144576d046b0d2aeb5fb7","tls_ja3":"771,4866-4867-4865-49196-49200-52393-52392-49327-49325-49245-49249-49195-49199-49326-49324-49244-49248-49188-49192-49267-49271-49187-49191-49266-49270-49162-49172-49161-49171-157-49313-49309-49233-156-49312-49308-49232-61-192-60-186-53-132-47-65-255,11-10-35-22-23-13-43-45-51-21,29-23-30-25-24-256-257-258-259-260,0-1-2","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]","anomalies":"[]","severity":2,"bytes_in":517},{"id":7582116,"ip":"193.8.186.29","ts":"2026-05-23 07:29:01.000000","proto":"tcp","src_port":58396,"dst_port":8084,"service":"http","classification":"web_attack","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00220cb97fa2c09bb17e5169eb608f71e610635ab915\u0022, \u0022http_host_hash\u0022: \u002252139ff216422f6e734a2f69155b92f0ec67e9f8\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 399, \u0022payload_entropy\u0022: 5.452229201878291, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 100, \u0022campaign_key\u0022: \u0022725acd910458c30c9123c8d5ff30297343eac087\u0022, \u0022event_fingerprint\u0022: \u002248a526e05534d8539f5d9361c06873fd5b78138c\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8084","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":8,"bytes_in":399},{"id":7581470,"ip":"193.8.186.29","ts":"2026-05-23 07:12:00.000000","proto":"tcp","src_port":40644,"dst_port":8072,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u0022511534a5dbb144576d046b0d2aeb5fb7\u0022, \u0022tls_sni\u0022: null, \u0022bytes_in\u0022: 517, \u0022payload_entropy\u0022: 4.299208628861316, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 33, \u0022campaign_key\u0022: \u0022fe4f9602d40c2ea8be84341d63ea936436364c65\u0022, \u0022event_fingerprint\u0022: \u002226dbc4dfe9889044ad0a5060198b8222e080df78\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]}","tls_sni":null,"tls_ja3_hash":"511534a5dbb144576d046b0d2aeb5fb7","tls_ja3":"771,4866-4867-4865-49196-49200-52393-52392-49327-49325-49245-49249-49195-49199-49326-49324-49244-49248-49188-49192-49267-49271-49187-49191-49266-49270-49162-49172-49161-49171-157-49313-49309-49233-156-49312-49308-49232-61-192-60-186-53-132-47-65-255,11-10-35-22-23-13-43-45-51-21,29-23-30-25-24-256-257-258-259-260,0-1-2","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]","anomalies":"[]","severity":2,"bytes_in":517},{"id":7581471,"ip":"193.8.186.29","ts":"2026-05-23 07:12:00.000000","proto":"tcp","src_port":40658,"dst_port":8072,"service":"http","classification":"web_attack","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00220cb97fa2c09bb17e5169eb608f71e610635ab915\u0022, \u0022http_host_hash\u0022: \u002227f1dd72fe3d86ab720a36799bf3501f85a109d7\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 399, \u0022payload_entropy\u0022: 5.454121150505268, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 100, \u0022campaign_key\u0022: \u0022c64e6435bf6090f53e759a818c7976dc5ca12d84\u0022, \u0022event_fingerprint\u0022: \u0022d8cb2cdcc58962377de66e6a6ce7053774ded4f6\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8072","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":8,"bytes_in":399},{"id":7580221,"ip":"193.8.186.29","ts":"2026-05-23 06:41:43.000000","proto":"tcp","src_port":35274,"dst_port":8093,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u0022511534a5dbb144576d046b0d2aeb5fb7\u0022, \u0022tls_sni\u0022: null, \u0022bytes_in\u0022: 517, \u0022payload_entropy\u0022: 4.292726261424275, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 33, \u0022campaign_key\u0022: \u0022eab69ce2b6c6357552edd5040268ddd5e0de598f\u0022, \u0022event_fingerprint\u0022: \u002220b4671e28f22b9cae77df4dd00f459655be08ed\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]}","tls_sni":null,"tls_ja3_hash":"511534a5dbb144576d046b0d2aeb5fb7","tls_ja3":"771,4866-4867-4865-49196-49200-52393-52392-49327-49325-49245-49249-49195-49199-49326-49324-49244-49248-49188-49192-49267-49271-49187-49191-49266-49270-49162-49172-49161-49171-157-49313-49309-49233-156-49312-49308-49232-61-192-60-186-53-132-47-65-255,11-10-35-22-23-13-43-45-51-21,29-23-30-25-24-256-257-258-259-260,0-1-2","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]","anomalies":"[]","severity":2,"bytes_in":517},{"id":7580222,"ip":"193.8.186.29","ts":"2026-05-23 06:41:43.000000","proto":"tcp","src_port":35286,"dst_port":8093,"service":"http","classification":"web_attack","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00220cb97fa2c09bb17e5169eb608f71e610635ab915\u0022, \u0022http_host_hash\u0022: \u0022f4fa47ba93fbf7d5760822f3260769e77df88191\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 399, \u0022payload_entropy\u0022: 5.4490106241461, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022PebbleHost Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 201002, \u0022country\u0022: \u0022SG\u0022, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 100, \u0022campaign_key\u0022: \u00225b75108e3a14ce19d735a6524345f412afdba171\u0022, \u0022event_fingerprint\u0022: \u0022d929217a9b473bf2bf8776e1b32a9f2c23c1ed06\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8093","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":8,"bytes_in":399}],"total_events":134}