Détails IP 198.235.24.240

Synthèse exécutive

Profil de menace

Score de risque 100/100 Critique

Première observation 07/01/2026 00:35 UTC

Dernière observation 16/06/2026 19:59 UTC

Événements (période) 31

MITRE ATT&CK principal TA0007 7 occurrences

Activité suspecte · risque 45/100

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « smtp_probe » (signaux protocolaires) · confiance 50%

Confiance 50 % — Score WAF 8

Comparaison ASN / FAI

ASN 396982 · 198.235.24.0/24 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 31 événements sur la période pour cette IP.

147.185.132.88 Sonde Bitcoin 16/06/2026 22:49 UTC
205.210.31.59 imap bruteforce 16/06/2026 22:48 UTC
205.210.31.70 Scanner web 16/06/2026 22:46 UTC
162.216.149.82 Scanner web 16/06/2026 22:45 UTC
147.185.132.60 Sonde PostgreSQL 16/06/2026 22:44 UTC
35.203.210.230 Scanner web 16/06/2026 22:41 UTC
147.185.133.132 Scanner web 16/06/2026 22:40 UTC
35.203.211.42 Scanner web 16/06/2026 22:40 UTC

Événements (filtres)

Première observation

07/01/2026 00:35 UTC

Dernière observation

16/06/2026 19:59 UTC

Dernière activité (filtres)

16/06/2026 19:59 UTC

Événements 7j

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

TLS TCP 12 HTTP TCP 6 RDP TCP 3 SMTP SUBMISSION TCP 1 MQTT TCP 1

TLS

HTTP

RDP

SMTP SUBMISSION

MQTT

Géolocalisation

Origine réseau déclarée

États-Unis unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Google LLC 253 Port 587 smtp_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Sonde / probe

Chaîne d'attaque

Découverte

Vecteur d'attaque

smtp probe · via SMTP SUBMISSION:587 · (sonde / probe)

Détails protocole

SMTP: Sonde protocole SMTP

Aperçu payload

GET / HTTP/1.1 Host: 62.3.50.33:587 User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs-c

Port / service

587 · SMTP SUBMISSION

Service émulé

SMTP-SUBMISSION

Raison confiance

Confiance 50 % — Motif catalogue confirmé

Technique MITRE

TA0007

Persona capteur

mail.sensor-1.internal

Recommandation

Surveiller

Rôle capteur

Renseignement menaces

Signaux de précision

pat-0460

Confiance

50% Confiance modérée — signal unique

Famille de menace

scanner

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

31 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

31 événement(s) — page 1/1

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
16/06/2026 19:59:03 UTC	TCP	587 · SMTP SUBMISSION	smtp-submission	Sonde SMTP smtp probe · via SMTP SUBMISSION:587 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SMTP-SUBMISSION WAF — Recommandation Surveiller Tags http_get_probe mongodb_hello_probe net_smtp_probe smtp_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 587 Chemin / cible — Service SMTP SUBMISSION Payload GET / HTTP/1.1 Host: 62.3.50.33:587 User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs-c Pourquoi cette classification : Type « smtp_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0460 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:587 User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs-c Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:587 User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "323230206d61696c2e6578616d706c652e636f6d2045534d545020506f737466697820285562756e7475290d0a35303220352e352e32204572726f723a20636f6d6d616e64206e6f74207265636f676e697a65640d0a", "emulator_response_len": 86, "bytes_in": 217, "payload_entropy": 5.1036331775748005, "port_category": "well_known", "org": "Google LLC", "service": "smtp-submission", "app_proto": "smtp-submission", "asn": 396982, "country": "US", "dst_port": 587, "risk_waf": 8, "risk_classification": 47, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 6, "risk_breakdown": { "waf": 8, "classification": 47, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15 }, "risk_score": 45, "tag_count": 4, "anomaly_count": 0, "campaign_key": "4415fda42e223cd839ea474ee439b8524c421754", "event_fingerprint": "a4eb3bdaea671903d3ce718aa560d7f3c055f5fb", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0460" ], "classification_reason": "Type \u00ab smtp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 47, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15, "risk_score": 45 }, "service_name": "smtp-submission", "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "bf0d7be4b77432d9123db6d6b24fc1c1", "path_pattern_hash": "0585f924ca84c34a681a0e1500b9f97a" }, "target_context": { "dst_port": 587, "service": "smtp-submission", "service_name": "smtp-submission", "risk_score": 45 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:587\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-c", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:587\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:587\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-c", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:587\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:587\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-c", "classification_reason": "Type \u00ab smtp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bbd2e8e4759af236bc4e62eec099645f7fc1b9ab", "protocol_details": { "smtp_auth_fr": "Sonde protocole SMTP", "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:587\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-c", "port": 587, "service": "smtp-submission", "service_label_fr": "SMTP SUBMISSION" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:587\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-c", "attack_vector": "smtp probe \u00b7 via SMTP SUBMISSION:587 \u00b7 (sonde \/ probe)", "target_port_label": "587 \u00b7 SMTP SUBMISSION", "emulator_service": "smtp-submission", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab smtp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab smtp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 47, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "smtp-submission", "service_label_fr": "SMTP SUBMISSION", "dst_port": 587, "protocol_emulated": true, "tags_summary": [ "pat-0460" ], "tags_summary_labels_fr": [ "pat-0460" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-smtp-submission", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "smtp_auth_fr": "Sonde protocole SMTP", "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:587\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-c", "port": 587, "service": "smtp-submission", "service_label_fr": "SMTP SUBMISSION" }, "attack_vector": "smtp probe \u00b7 via SMTP SUBMISSION:587 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:587\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-c", "target_port_label": "587 \u00b7 SMTP SUBMISSION", "emulator_service": "smtp-submission", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "smtp_submission", "service_banner": "honeypot-smtp-submission", "service_os": "linux", "dst_port": "587" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe", "mongodb_hello_probe", "net_smtp_probe", "smtp_emulated" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 72 }
08/06/2026 05:50:39 UTC	TCP	10257 · HTTP	http	Scanner web web scanner · via HTTP:10257 · (sonde / probe)	Élevée	Moyen · 48
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET / UA Hello from Palo Alto Networks, find out more about our scans in… Émulateur HTTP WAF 23 Recommandation Surveiller Tags 950318:lfi-14 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10257 Chemin / cible / Service HTTP Pourquoi cette classification : User-Agent scanner commercial déclaré · confiance 100% Confiance classification 100% Risque capteur Moyen · 48 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux Scanner Palo Alto Upstream Waf Score Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) LFI Double-dot bypass UA Palo Alto Networks Ligne de requête `GET / HTTP/1.1` User-Agent Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity Règles WAF lfi-14 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:10257 User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:10257 User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 3, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d", "http_host_hash": "2132f13275b966b13d6f20a0a04ff287b95961d2", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 219, "payload_entropy": 5.108059523507308, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 10257, "risk_waf": 57.5, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.4, "risk_breakdown": { "waf": 57.5, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 48, "tag_count": 6, "anomaly_count": 0, "campaign_key": "e7d7c71f846b9dd876c64dca0c43cdbb123e9bea", "event_fingerprint": "faced1cbee89050b68848d8b366c39eddb5d93eb", "classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "INT-scanner-palo-alto", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-scanner-palo-alto", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0103", "pat-0460" ], "matched_pattern_names": [ "LFI Double-dot bypass", "UA Palo Alto Networks" ], "pattern_ids": [ "pat-0103", "pat-0460" ], "confidence_breakdown": { "waf": 57.5, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 48 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ce3935d92be5f9290d282e51ab604b41", "payload_hash": "fd1657ba177b45fd0b8da139a7739559", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 10257, "service": "http", "service_name": "http", "risk_score": 48 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10257\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs", "method": "GET", "path": "\/", "user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity", "waf_tags": [ "950318:lfi-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10257\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10257\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs", "evidence": { "method": "GET", "path": "\/", "user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity", "waf_tags": [ "950318:lfi-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10257\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10257\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs", "classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "disclosed_scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b620ad0e5dd0c92a99ba0ec97c2b16650e7a0e0c", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpa\u2026", "port": 10257, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10257\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs", "attack_vector": "web scanner \u00b7 via HTTP:10257 \u00b7 (sonde \/ probe)", "target_port_label": "10257 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%", "classification_reason_label_fr": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 57.5, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 48 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 48, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10257, "protocol_emulated": true, "tags_summary": [ "INT-scanner-palo-alto", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Scanner Palo Alto", "Upstream", "Waf Score" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "kube-controller-manager", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpa\u2026", "port": 10257, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "web scanner \u00b7 via HTTP:10257 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10257\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs", "target_port_label": "10257 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 57 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "kube-controller", "service_banner": "kube-controller-manager", "service_os": "linux", "dst_port": "10257" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "950318:lfi-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path", "http_ua_disclosed_scanner", "net_web_probe" ], "asn_dc_heuristic": true }
07/06/2026 18:25:15 UTC	TCP	10004 · TLS	tls	Sonde port 10004/TCP port 10004 tcp · via TLS:10004 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 16ee84a07b55074c Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 10004 Chemin / cible — Preuve honeypot — Sonde port 10004/TCP Connexion détectée sur le port 10004 (TCP) du capteur simulé. Service TLS Payload ieU��random1random2random3random4 / 9�0 ,* Pourquoi cette classification : Type « port_10004_tcp » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 40 Confiance : Confiance 49 % — Motif catalogue confirmé · Classification nommée non retenue — preuves insuffisantes Signaux pat-0348 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) RDP TPKT header ET H.323 setup Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ieU��random1random2random3random4/ 9�0 ,* Meta JSON brut { "tls_ja3_hash": "16ee84a07b55074cb2751329bf1c8811", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 5, "bytes_in": 110, "payload_entropy": 4.269606220838881, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 10004, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 0, "risk_boost": 6, "risk_granularity": 4.6, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 0 }, "risk_score": 40, "tag_count": 3, "anomaly_count": 0, "campaign_key": "9f673d21d702bcff323cb8235916bef90f813669", "event_fingerprint": "87e38a33bab9e83257c904778d56b36280ef5bba", "classification_reason": "Type \u00ab port_10004_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0348" ], "kb_rule_ids": [ "pat-0348" ], "matched_patterns": [ "pat-0348", "pat-0868", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "RDP TPKT header", "ET H.323 setup", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0348", "pat-0868", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 0, "risk_score": 40, "correlation_boost": 8 }, "named_classification_skipped": true, "named_candidate": "rdp_probe", "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "16ee84a07b55074cb2751329bf1c8811", "payload_hash": "4ad5dce8143f2bcf1242885cff6e93f8", "path_pattern_hash": "8ff328f88430fa1b70a4a3792d4ec9a2", "ja4": "011b865e5f91ae5e1836c88110724dcb", "tls_version": "0x0303", "tls_cipher_count": 6, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,47-10-19-57-4-255,13,,", "tls_ja4_hash": "011b865e5f91ae5e1836c88110724dcb", "tls_ja4": "t13d0106_3fdba35f04dc_d03502c43d74", "tls_version": "0x0303", "tls_cipher_count": 6, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 10004, "service": "tls", "service_name": "tls", "risk_score": 40 }, "payload_snippet": "\u0016\u0003\u0000\u0000i\u0001\u0000\u0000e\u0003\u0003U\u001c\ufffd\ufffdrandom1random2random3random4\u0000\u0000\f\u0000\/\u0000\n\u0000\u0013\u00009\u0000\u0004\u0000\ufffd\u0001\u0000\u00000\u0000\r\u0000,\u0000\u0000\u0001\u0000\u0003\u0000\u0002\u0006\u0001\u0006\u0003\u0006\u0002\u0002\u0001\u0002\u0003\u0002\u0002\u0003\u0001\u0003\u0003\u0003\u0002\u0004\u0001\u0004\u0003\u0004\u0002\u0001\u0001\u0001\u0003\u0001\u0002\u0005\u0001\u0005\u0003\u0005\u0002", "evidence": { "request_sample": "\u0016\u0003\u0000\u0000i\u0001\u0000\u0000e\u0003\u0003U\u001c\ufffd\ufffdrandom1random2random3random4\u0000\u0000\f\u0000\/\u0000\n\u0000\u0013\u00009\u0000\u0004\u0000\ufffd\u0001\u0000\u00000\u0000\r\u0000,\u0000\u0000\u0001\u0000\u0003\u0000\u0002\u0006\u0001\u0006\u0003\u0006\u0002\u0002\u0001\u0002\u0003\u0002\u0002\u0003\u0001\u0003\u0003\u0003\u0002\u0004\u0001\u0004\u0003\u0004\u0002\u0001\u0001\u0001\u0003\u0001\u0002\u0005\u0001\u0005\u0003\u0005\u0002", "payload_snippet": "\u0016\u0003\u0000\u0000i\u0001\u0000\u0000e\u0003\u0003U\u001c\ufffd\ufffdrandom1random2random3random4\u0000\u0000\f\u0000\/\u0000\n\u0000\u0013\u00009\u0000\u0004\u0000\ufffd\u0001\u0000\u00000\u0000\r\u0000,\u0000\u0000\u0001\u0000\u0003\u0000\u0002\u0006\u0001\u0006\u0003\u0006\u0002\u0002\u0001\u0002\u0003\u0002\u0002\u0003\u0001\u0003\u0003\u0003\u0002\u0004\u0001\u0004\u0003\u0004\u0002\u0001\u0001\u0001\u0003\u0001\u0002\u0005\u0001\u0005\u0003\u0005\u0002", "classification_reason": "Type \u00ab port_10004_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f8e1d39b51576c41c7621c4da1de42783a87d23c", "protocol_details": { "payload_preview": "\u0016\u0003\u0000\u0000i\u0001\u0000\u0000e\u0003\u0003U\u001c\ufffd\ufffdrandom1random2random3random4\u0000\u0000\f\u0000\/\u0000\n\u0000\u0013\u00009\u0000\u0004\u0000\ufffd\u0001\u0000\u00000\u0000\r\u0000,\u0000\u0000\u0001\u0000\u0003\u0000\u0002\u0006\u0001\u0006\u0003\u0006\u0002\u0002\u0001\u0002\u0003\u0002\u0002\u0003\u0001\u0003\u0003\u0003\u0002\u0004\u0001\u0004\u0003\u0004\u0002\u0001\u0001\u0001\u0003\u0001\u0002\u0005\u0001\u0005\u0003\u0005\u0002", "tls_ja3": "16ee84a07b55074cb2751329bf1c8811", "tls_ja4": "011b865e5f91ae5e1836c88110724dcb", "port": 10004, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "ieU\ufffd\ufffdrandom1random2random3random4\/\n9\ufffd0\r,", "attack_vector": "port 10004 tcp \u00b7 via TLS:10004 \u00b7 (sonde \/ probe)", "target_port_label": "10004 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_10004_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab port_10004_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 40\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 57 % \u2014 via TLS \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 0, "risk_score": 40, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 10004, "protocol_emulated": null, "tags_summary": [ "pat-0348" ], "tags_summary_labels_fr": [ "pat-0348" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0000\u0000i\u0001\u0000\u0000e\u0003\u0003U\u001c\ufffd\ufffdrandom1random2random3random4\u0000\u0000\f\u0000\/\u0000\n\u0000\u0013\u00009\u0000\u0004\u0000\ufffd\u0001\u0000\u00000\u0000\r\u0000,\u0000\u0000\u0001\u0000\u0003\u0000\u0002\u0006\u0001\u0006\u0003\u0006\u0002\u0002\u0001\u0002\u0003\u0002\u0002\u0003\u0001\u0003\u0003\u0003\u0002\u0004\u0001\u0004\u0003\u0004\u0002\u0001\u0001\u0001\u0003\u0001\u0002\u0005\u0001\u0005\u0003\u0005\u0002", "tls_ja3": "16ee84a07b55074cb2751329bf1c8811", "tls_ja4": "011b865e5f91ae5e1836c88110724dcb", "port": 10004, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "port 10004 tcp \u00b7 via TLS:10004 \u00b7 (sonde \/ probe)", "evidence_snippet": "ieU\ufffd\ufffdrandom1random2random3random4\/\n9\ufffd0\r,*", "target_port_label": "10004 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8" }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "10004" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "port:10004", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
07/06/2026 18:25:15 UTC	TCP	10004 · TLS	tls	Sonde TLS tls probe · via TLS:10004 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 004556e859f3c26c Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 10004 Chemin / cible — Service TLS Payload ��0c ��J��oCVb/M'x�rH2Z{�{� ]�?��v��Ѡ�8H_�!(��DG��>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Pourquoi cette classification :* Type « tls_probe » (signaux protocolaires) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��0c��J��oCVb/M'x�rH2Z{�{� ]�?��v��Ѡ�8H_�!(��DG��>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Requête brute (extrait) ��0c ��J��oCVb/M'x�rH2Z{�{� ]�?��v��Ѡ�8H_�!(��DG��>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3��=<5/�u # 0. + -3& Meta JSON brut { "tls_ja3_hash": "004556e859f3c26c5d19746b3a957c74", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 8, "bytes_in": 517, "payload_entropy": 3.9752153491498503, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 10004, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 0, "risk_boost": 6, "risk_granularity": 4.6, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 0 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "9f673d21d702bcff323cb8235916bef90f813669", "event_fingerprint": "d4a1415ad8e9029009ffe478338a3fd823aec319", "classification_confidence": 0.58, "confidence": 0.58, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 0, "risk_score": 35, "correlation_boost": 8 }, "service_name": "tls", "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "004556e859f3c26c5d19746b3a957c74", "payload_hash": "486b4cefd5df2a8ebc28fc24906d9355", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 10004, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffd0c\f\ufffd\ufffdJ\ufffd\ufffdoCVb\u0002\u0002\/M'x\ufffdrH2Z{\ufffd{\ufffd \u0006]\ufffd?\u000f\ufffd\ufffd\u0012\ufffd\u001dv\ufffd\ufffd\ufffd\u0460\ufffd8\u000eH_\ufffd!(\ufffd\ufffdD\u0012G\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffd0c\f\ufffd\ufffdJ\ufffd\ufffdoCVb\u0002\u0002\/M'x\ufffdrH2Z{\ufffd{\ufffd \u0006]\ufffd?\u000f\ufffd\ufffd\u0012\ufffd\u001dv\ufffd\ufffd\ufffd\u0460\ufffd8\u000eH_\ufffd!(\ufffd\ufffdD\u0012G\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0001u\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\f\u0000\n\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0000#\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u0000\r\u00000\u0000.\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0002\u0003\u0003\u0001\u0002\u0001\u0003\u0002\u0002\u0002\u0004\u0002\u0005\u0002\u0006\u0002\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u0000-\u0000\u0002\u0001\u0001\u00003\u0000&\u0000", "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffd0c\f\ufffd\ufffdJ\ufffd\ufffdoCVb\u0002\u0002\/M'x\ufffdrH2Z{\ufffd{\ufffd \u0006]\ufffd?\u000f\ufffd\ufffd\u0012\ufffd\u001dv\ufffd\ufffd\ufffd\u0460\ufffd8\u000eH_\ufffd!(\ufffd\ufffdD\u0012G\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "evidence": { "request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffd0c\f\ufffd\ufffdJ\ufffd\ufffdoCVb\u0002\u0002\/M'x\ufffdrH2Z{\ufffd{\ufffd \u0006]\ufffd?\u000f\ufffd\ufffd\u0012\ufffd\u001dv\ufffd\ufffd\ufffd\u0460\ufffd8\u000eH_\ufffd!(\ufffd\ufffdD\u0012G\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0001u\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\f\u0000\n\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0000#\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u0000\r\u00000\u0000.\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0002\u0003\u0003\u0001\u0002\u0001\u0003\u0002\u0002\u0002\u0004\u0002\u0005\u0002\u0006\u0002\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u0000-\u0000\u0002\u0001\u0001\u00003\u0000&\u0000", "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffd0c\f\ufffd\ufffdJ\ufffd\ufffdoCVb\u0002\u0002\/M'x\ufffdrH2Z{\ufffd{\ufffd \u0006]\ufffd?\u000f\ufffd\ufffd\u0012\ufffd\u001dv\ufffd\ufffd\ufffd\u0460\ufffd8\u000eH_\ufffd!(\ufffd\ufffdD\u0012G\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "47955427347a90adb3f2753db96b6357bbe7360a", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffd0c\f\ufffd\ufffdJ\ufffd\ufffdoCVb\u0002\u0002\/M'x\ufffdrH2Z{\ufffd{\ufffd \u0006]\ufffd?\u000f\ufffd\ufffd\u0012\ufffd\u001dv\ufffd\ufffd\ufffd\u0460\ufffd8\u000eH_\ufffd!(\ufffd\ufffdD\u0012G\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "tls_ja3": "004556e859f3c26c5d19746b3a957c74", "port": 10004, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd0c\ufffd\ufffdJ\ufffd\ufffdoCVb\/M'x\ufffdrH2Z{\ufffd{\ufffd ]\ufffd?\ufffd\ufffd\ufffdv\ufffd\ufffd\ufffd\u0460\ufffd8H_\ufffd!(\ufffd\ufffdDG\ufffd\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "attack_vector": "tls probe \u00b7 via TLS:10004 \u00b7 (sonde \/ probe)", "target_port_label": "10004 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 35\/100 (Faible) \u2014 MITRE TA0007 \u2014 confiance 58 % \u2014 via TLS \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 58, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 0, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 10004, "protocol_emulated": null, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffd0c\f\ufffd\ufffdJ\ufffd\ufffdoCVb\u0002\u0002\/M'x\ufffdrH2Z{\ufffd{\ufffd \u0006]\ufffd?\u000f\ufffd\ufffd\u0012\ufffd\u001dv\ufffd\ufffd\ufffd\u0460\ufffd8\u000eH_\ufffd!(\ufffd\ufffdD\u0012G\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "tls_ja3": "004556e859f3c26c5d19746b3a957c74", "port": 10004, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "tls probe \u00b7 via TLS:10004 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd0c\ufffd\ufffdJ\ufffd\ufffdoCVb\/M'x\ufffdrH2Z{\ufffd{\ufffd ]\ufffd?\ufffd\ufffd\ufffdv\ufffd\ufffd\ufffd\u0460\ufffd8H_\ufffd!(\ufffd\ufffdDG\ufffd\ufffd*>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd", "target_port_label": "10004 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8" }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "10004" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "port:10004", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
07/06/2026 18:25:12 UTC	TCP	10004	—	Sonde port Sonde port · port 10004 · (sonde / probe)	Faible	Moyen · 44
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 10004 Chemin / cible — Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 44 Confiance : Confiance modérée (50 %) — signal principal unique Signaux Single Port Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Google LLC", "service": null, "app_proto": null, "asn": 396982, "country": "US", "dst_port": 10004, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 0 }, "risk_score": 44, "tag_count": 0, "anomaly_count": 0, "campaign_key": "cf5e2d8903c20a2715fff95f2c2d222b806eca86", "event_fingerprint": "1838f59485d47f899577198441c4be74341fc0a8", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "INT-single-port" ], "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 0, "risk_score": 44 }, "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d" }, "target_context": { "dst_port": 10004, "risk_score": 44 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "706283f66f3ecb2cc2d01b8950df009acdb1128a", "protocol_details": { "port": 10004 }, "attack_vector": "Sonde port \u00b7 port 10004 \u00b7 (sonde \/ probe)", "target_port_label": "10004", "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 44\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 50 %", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 0, "risk_score": 44 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 44, "risk_label": "Moyen", "service_name": null, "service_label_fr": null, "dst_port": 10004, "protocol_emulated": null, "tags_summary": [ "INT-single-port" ], "tags_summary_labels_fr": [ "Single Port" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "port": 10004 }, "attack_vector": "Sonde port \u00b7 port 10004 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "10004", "emulator_service": null, "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8" }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "10004" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "asn_dc_heuristic": true }
07/06/2026 16:55:56 UTC	TCP	3389 · RDP	rdp	Sonde RDP rdp probe · via RDP:3389 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RDP WAF — Recommandation Investiguer Tags net_rdp_cookie rdp_cookie rdp_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3389 Chemin / cible — Service RDP Pourquoi cette classification : Négociation protocole RDP · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0347 pat-0348 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) RDP NTLM hash RDP TPKT header PostgreSQL startup ET H.323 setup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello User-Agent — Règles WAF — Payload (extrait) ,'�Cookie: mstshash=tkMYsa ��y�Ip�� ;�ݣP��L<��c � ��ѝ�v�n��f�� =pg<&\��.&�+�/�, Requête brute (extrait) ,'�Cookie: mstshash=tkMYsa ��y�Ip�� ;�ݣP��L<��c � ��ѝ�v�n��f�� =pg<&\��.&�+�/�,�0̨̩� �� /5� { �+ 3&$ � Meta JSON brut { "protocol_emulated": true, "emulator_response": "030000130ed000001234000200080000000000", "emulator_response_len": 19, "bytes_in": 287, "payload_entropy": 5.91119938279526, "port_category": "registered", "org": "Google LLC", "service": "rdp", "app_proto": "rdp", "asn": 396982, "country": "US", "dst_port": 3389, "risk_waf": 8, "risk_classification": 52, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 36, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.6, "risk_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 15 }, "risk_score": 50, "tag_count": 3, "anomaly_count": 0, "campaign_key": "40bf2c34d73676fee23426938806aaa527b96fcb", "event_fingerprint": "ad5bc6c1132c10ce0e88d551a1bd2cf31dc3757e", "classification_reason": "N\u00e9gociation protocole RDP \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 116, "precision_signals": [ "pat-0347", "pat-0348" ], "kb_rule_ids": [ "pat-0347", "pat-0348" ], "matched_patterns": [ "pat-0347", "pat-0348", "pat-0369", "pat-0868", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "RDP NTLM hash", "RDP TPKT header", "PostgreSQL startup", "ET H.323 setup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0347", "pat-0348", "pat-0369", "pat-0868", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 15, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "rdp", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "07408e4ffdf30dbd4bc63d94824647fe", "path_pattern_hash": "5dd788b551ee7afb63321e74cfc538f6" }, "target_context": { "dst_port": 3389, "service": "rdp", "service_name": "rdp", "risk_score": 50 }, "payload_preview": "\u0003\u0000\u0000,'\ufffd\u0000\u0000\u0000\u0000\u0000Cookie: mstshash=tkMYsa\r\n\u0001\u0000\b\u0000\u0001\u0000\u0000\u0000\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003y\ufffdIp\ufffd\ufffd\u000f\ufffd\ufffd\ufffd\ufffd\ufffd\t\ufffd;\ufffd\u0763P\ufffd\ufffdL<\ufffd\ufffd\ufffd\ufffd\u001ac\n\ufffd\u000e \ufffd\ufffd\u0012\u045d\u001c\u0005\ufffd\u0000v\ufffdn\u0017\ufffd\ufffdf\ufffd\ufffd\u001f \ufffd\ufffd\ufffd=pg<&\\\ufffd\ufffd.\u0000&\ufffd+\ufffd\/\ufffd,", "request_sample": "\u0003\u0000\u0000,'\ufffd\u0000\u0000\u0000\u0000\u0000Cookie: mstshash=tkMYsa\r\n\u0001\u0000\b\u0000\u0001\u0000\u0000\u0000\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003y\ufffdIp\ufffd\ufffd\u000f\ufffd\ufffd\ufffd\ufffd\ufffd\t\ufffd;\ufffd\u0763P\ufffd\ufffdL<\ufffd\ufffd\ufffd\ufffd\u001ac\n\ufffd\u000e \ufffd\ufffd\u0012\u045d\u001c\u0005\ufffd\u0000v\ufffdn\u0017\ufffd\ufffdf\ufffd\ufffd\u001f \ufffd\ufffd\ufffd=pg<&\\\ufffd\ufffd.\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd", "payload_snippet": "\u0003\u0000\u0000,'\ufffd\u0000\u0000\u0000\u0000\u0000Cookie: mstshash=tkMYsa\r\n\u0001\u0000\b\u0000\u0001\u0000\u0000\u0000\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003y\ufffdIp\ufffd\ufffd\u000f\ufffd\ufffd\ufffd\ufffd\ufffd\t\ufffd;\ufffd\u0763P\ufffd\ufffdL<\ufffd\ufffd\ufffd\ufffd\u001ac\n\ufffd\u000e \ufffd\ufffd\u0012\u045d\u001c\u0005\ufffd\u0000v\ufffdn\u0017\ufffd\ufffdf\ufffd\ufffd\u001f \ufffd\ufffd\ufffd=pg<&\\\ufffd\ufffd.\u0000&\ufffd+\ufffd\/\ufffd,", "evidence": { "request_sample": "\u0003\u0000\u0000,'\ufffd\u0000\u0000\u0000\u0000\u0000Cookie: mstshash=tkMYsa\r\n\u0001\u0000\b\u0000\u0001\u0000\u0000\u0000\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003y\ufffdIp\ufffd\ufffd\u000f\ufffd\ufffd\ufffd\ufffd\ufffd\t\ufffd;\ufffd\u0763P\ufffd\ufffdL<\ufffd\ufffd\ufffd\ufffd\u001ac\n\ufffd\u000e \ufffd\ufffd\u0012\u045d\u001c\u0005\ufffd\u0000v\ufffdn\u0017\ufffd\ufffdf\ufffd\ufffd\u001f \ufffd\ufffd\ufffd=pg<&\\\ufffd\ufffd.\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd", "payload_snippet": "\u0003\u0000\u0000,'\ufffd\u0000\u0000\u0000\u0000\u0000Cookie: mstshash=tkMYsa\r\n\u0001\u0000\b\u0000\u0001\u0000\u0000\u0000\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003y\ufffdIp\ufffd\ufffd\u000f\ufffd\ufffd\ufffd\ufffd\ufffd\t\ufffd;\ufffd\u0763P\ufffd\ufffdL<\ufffd\ufffd\ufffd\ufffd\u001ac\n\ufffd\u000e \ufffd\ufffd\u0012\u045d\u001c\u0005\ufffd\u0000v\ufffdn\u0017\ufffd\ufffdf\ufffd\ufffd\u001f \ufffd\ufffd\ufffd=pg<&\\\ufffd\ufffd.\u0000&\ufffd+\ufffd\/\ufffd,", "classification_reason": "N\u00e9gociation protocole RDP \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3a949453bd51b4b62dc12ee8d1808a36c78f437f", "protocol_details": { "port": 3389, "service": "rdp", "service_label_fr": "RDP" }, "evidence_snippet": ",'\ufffdCookie: mstshash=tkMYsa\r\n\ufffd\ufffdy\ufffdIp\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\t\ufffd;\ufffd\u0763P\ufffd\ufffdL<\ufffd\ufffd\ufffd\ufffdc\n\ufffd \ufffd\ufffd\u045d\ufffdv\ufffdn\ufffd\ufffdf\ufffd\ufffd \ufffd\ufffd\ufffd=pg<&\\\ufffd\ufffd.&\ufffd+\ufffd\/\ufffd,", "attack_vector": "rdp probe \u00b7 via RDP:3389 \u00b7 (sonde \/ probe)", "target_port_label": "3389 \u00b7 RDP", "emulator_service": "rdp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "N\u00e9gociation protocole RDP \u00b7 confiance 100%", "classification_reason_label_fr": "N\u00e9gociation protocole RDP \u00b7 confiance 100%", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 15, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "rdp", "service_label_fr": "RDP", "dst_port": 3389, "protocol_emulated": true, "tags_summary": [ "pat-0347", "pat-0348" ], "tags_summary_labels_fr": [ "pat-0347", "pat-0348" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Windows RDP", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "port": 3389, "service": "rdp", "service_label_fr": "RDP" }, "attack_vector": "rdp probe \u00b7 via RDP:3389 \u00b7 (sonde \/ probe)", "evidence_snippet": ",'\ufffdCookie: mstshash=tkMYsa\r\n\ufffd\ufffdy\ufffdIp\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\t\ufffd;\ufffd\u0763P\ufffd\ufffdL<\ufffd\ufffd\ufffd\ufffdc\n\ufffd \ufffd\ufffd\u045d\ufffdv\ufffdn\ufffd\ufffdf\ufffd\ufffd \ufffd\ufffd\ufffd=pg<&\\\ufffd\ufffd.&\ufffd+\ufffd\/\ufffd,", "target_port_label": "3389 \u00b7 RDP", "emulator_service": "rdp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9" }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rdp", "service_banner": "Windows RDP", "service_os": "windows", "dst_port": "3389" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_rdp_cookie", "rdp_cookie", "rdp_emulated" ], "asn_dc_heuristic": true }
07/06/2026 16:55:56 UTC	TCP	3389 · RDP	rdp	Sonde PostgreSQL postgres probe · via RDP:3389 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 795bc7ce13f60d61 Émulateur RDP WAF — Recommandation Surveiller Tags net_rdp_probe rdp_emulated tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3389 Chemin / cible — Service RDP Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 40 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��e�T�c�K��ك� ��,��^]o��EB�>h��/�+�0�,��'�#�� (�$�� gk39��<=/5� Requête brute (extrait) ��e�T�c�K��ك� ��,��^]o��EB�>h��/�+�0�,��'�#�� (�$�� gk39��<=/5� 2�8@fj��5 � Meta JSON brut { "protocol_emulated": true, "bytes_in": 207, "payload_entropy": 4.993667346191395, "port_category": "registered", "org": "Google LLC", "service": "rdp", "app_proto": "rdp", "asn": 396982, "country": "US", "dst_port": 3389, "risk_waf": 8, "risk_classification": 36, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 36, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.6, "risk_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 15 }, "risk_score": 40, "tag_count": 3, "anomaly_count": 0, "campaign_key": "5cb9b53baf1209ea6c81c49a02d920dd293de6a4", "event_fingerprint": "707be242ce71f14fac23ca7fdd82d854dc2752d8", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "rdp", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4db470b6d0525e9112a99dbf40fb0531", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "795bc7ce13f60d61e9ac03611dd36d90", "ja4": "bcc542a5296d13201e694c8f5aa448d9", "tls_version": "0x0303", "tls_cipher_count": 52, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "795bc7ce13f60d61e9ac03611dd36d90", "tls_ja3": "771,52244-52243-49199-49195-49200-49196-49169-49159-49191-49187-49171-49161-49192-49188-49172-49162-52245-158-159-103-107-51-57-156-157-5-4-60-61-47-53-49170-22-10-3-8-6-20-17-25-23-50-49160-18-19-21-56-64-102-106-162-163,5-10-11-13-65281-15,23-24-25,0", "tls_ja4_hash": "bcc542a5296d13201e694c8f5aa448d9", "tls_ja4": "t13d0152_4fb103f5e16c_40d2e578a3e2", "tls_version": "0x0303", "tls_cipher_count": 52, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 3389, "service": "rdp", "service_name": "rdp", "risk_score": 40 }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003e\ufffdT\ufffdc\ufffdK\ufffd\ufffd\ufffd\ufffd\u0643\ufffd\r\ufffd\ufffd,\ufffd\ufffd\ufffd\ufffd^]o\ufffd\ufffdEB\ufffd>\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003e\ufffdT\ufffdc\ufffdK\ufffd\ufffd\ufffd\ufffd\u0643\ufffd\r\ufffd\ufffd,\ufffd\ufffd\ufffd\ufffd^]o\ufffd\ufffdEB\ufffd>\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017\u00002\ufffd\b\u0000\u0012\u0000\u0013\u0000\u0015\u00008\u0000@\u0000f\u0000j\u0000\ufffd\u0000\ufffd\u0001\u0000\u00005\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\f\u0000\n\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0002\u0002\ufffd\u0001\u0000\u0001\u0000\u0000\u000f\u0000\u0001\u0001", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003e\ufffdT\ufffdc\ufffdK\ufffd\ufffd\ufffd\ufffd\u0643\ufffd\r\ufffd\ufffd,\ufffd\ufffd\ufffd\ufffd^]o\ufffd\ufffdEB\ufffd>\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003e\ufffdT\ufffdc\ufffdK\ufffd\ufffd\ufffd\ufffd\u0643\ufffd\r\ufffd\ufffd,\ufffd\ufffd\ufffd\ufffd^]o\ufffd\ufffdEB\ufffd>\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017\u00002\ufffd\b\u0000\u0012\u0000\u0013\u0000\u0015\u00008\u0000@\u0000f\u0000j\u0000\ufffd\u0000\ufffd\u0001\u0000\u00005\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\f\u0000\n\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0002\u0002\ufffd\u0001\u0000\u0001\u0000\u0000\u000f\u0000\u0001\u0001", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003e\ufffdT\ufffdc\ufffdK\ufffd\ufffd\ufffd\ufffd\u0643\ufffd\r\ufffd\ufffd,\ufffd\ufffd\ufffd\ufffd^]o\ufffd\ufffdEB\ufffd>\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "60e99ba54ecad884c209f4a24c0394c32e96b2fe", "protocol_details": { "tls_ja3": "795bc7ce13f60d61e9ac03611dd36d90", "port": 3389, "service": "rdp", "service_label_fr": "RDP" }, "evidence_snippet": "\ufffd\ufffde\ufffdT\ufffdc\ufffdK\ufffd\ufffd\ufffd\ufffd\u0643\ufffd\r\ufffd\ufffd,\ufffd\ufffd\ufffd\ufffd^]o\ufffd\ufffdEB\ufffd>h\ufffd\ufffd\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\ufffd\ufffd'\ufffd#\ufffd\ufffd\t\ufffd(\ufffd$\ufffd\ufffd\n\ufffd\ufffd\ufffdgk39\ufffd\ufffd<=\/5\ufffd", "attack_vector": "postgres probe \u00b7 via RDP:3389 \u00b7 (sonde \/ probe)", "target_port_label": "3389 \u00b7 RDP", "emulator_service": "rdp", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "rdp", "service_label_fr": "RDP", "dst_port": 3389, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Windows RDP", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "tls_ja3": "795bc7ce13f60d61e9ac03611dd36d90", "port": 3389, "service": "rdp", "service_label_fr": "RDP" }, "attack_vector": "postgres probe \u00b7 via RDP:3389 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffde\ufffdT\ufffdc\ufffdK\ufffd\ufffd\ufffd\ufffd\u0643\ufffd\r\ufffd\ufffd,\ufffd\ufffd\ufffd\ufffd^]o\ufffd\ufffdEB\ufffd>h\ufffd\ufffd\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\ufffd\ufffd'\ufffd#\ufffd\ufffd\t\ufffd(\ufffd$\ufffd\ufffd\n\ufffd\ufffd\ufffdgk39\ufffd\ufffd<=\/5\ufffd", "target_port_label": "3389 \u00b7 RDP", "emulator_service": "rdp", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9" }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rdp", "service_banner": "Windows RDP", "service_os": "windows", "dst_port": "3389" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rdp_probe", "rdp_emulated", "tls_clienthello" ], "asn_dc_heuristic": true }
07/06/2026 16:55:55 UTC	TCP	3389 · RDP	rdp	Sonde RDP rdp probe · via RDP:3389 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RDP WAF — Recommandation Investiguer Tags net_rdp_cookie rdp_cookie rdp_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3389 Chemin / cible — Service RDP Pourquoi cette classification : Négociation protocole RDP · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0347 pat-0348 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) RDP NTLM hash RDP TPKT header ET H.323 setup Mumble ping Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) '"�Cookie: mstshash=ZGQVAsJHK ��e��0"��0 0�� Requête brute (extrait) '"�Cookie: mstshash=ZGQVAsJHK ��e��0"��0 0��/\|�&�Duca�� ( EMP-LAP-0014 Meta JSON brut { "protocol_emulated": true, "emulator_response": "030000130ed000001234000200080000000000", "emulator_response_len": 19, "bytes_in": 451, "payload_entropy": 3.8391800416313604, "port_category": "registered", "org": "Google LLC", "service": "rdp", "app_proto": "rdp", "asn": 396982, "country": "US", "dst_port": 3389, "risk_waf": 8, "risk_classification": 52, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.6, "risk_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0 }, "risk_score": 50, "tag_count": 3, "anomaly_count": 0, "campaign_key": "40bf2c34d73676fee23426938806aaa527b96fcb", "event_fingerprint": "ad5bc6c1132c10ce0e88d551a1bd2cf31dc3757e", "classification_reason": "N\u00e9gociation protocole RDP \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 116, "precision_signals": [ "pat-0347", "pat-0348" ], "kb_rule_ids": [ "pat-0347", "pat-0348" ], "matched_patterns": [ "pat-0347", "pat-0348", "pat-0868", "pat-0768", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "RDP NTLM hash", "RDP TPKT header", "ET H.323 setup", "Mumble ping", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0347", "pat-0348", "pat-0868", "pat-0768", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "rdp", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "52ce44b2c3de058cf820cb0f58ebedea", "path_pattern_hash": "5dd788b551ee7afb63321e74cfc538f6" }, "target_context": { "dst_port": 3389, "service": "rdp", "service_name": "rdp", "risk_score": 50 }, "payload_preview": "\u0003\u0000\u0000'\"\ufffd\u0000\u0000\u0000\u0000\u0000Cookie: mstshash=ZGQVAsJHK\r\n\u0003\u0000\u0001\ufffd\u0002\ufffd\ufffde\ufffd\u0001\ufffd\u0004\u0001\u0001\u0004\u0001\u0001\u0001\u0001\ufffd0\u0019\u0002\u0001\"\u0002\u0001\u0002\u0002\u0001\u0000\u0002\u0001\u0001\u0002\u0001\u0000\u0002\u0001\u0001\u0002\u0002\ufffd\ufffd\u0002\u0001\u00020\u0019\u0002\u0001\u0001\u0002\u0001\u0001\u0002\u0001\u0001\u0002\u0001\u0001\u0002\u0001\u0000\u0002\u0001\u0001\u0002\u0002\u0004 \u0002\u0001\u00020\u001c\u0002\u0002\ufffd\ufffd\u0002\u0002\ufffd\u0017\u0002\u0002\ufffd\ufffd", "request_sample": "\u0003\u0000\u0000'\"\ufffd\u0000\u0000\u0000\u0000\u0000Cookie: mstshash=ZGQVAsJHK\r\n\u0003\u0000\u0001\ufffd\u0002\ufffd\ufffde\ufffd\u0001\ufffd\u0004\u0001\u0001\u0004\u0001\u0001\u0001\u0001\ufffd0\u0019\u0002\u0001\"\u0002\u0001\u0002\u0002\u0001\u0000\u0002\u0001\u0001\u0002\u0001\u0000\u0002\u0001\u0001\u0002\u0002\ufffd\ufffd\u0002\u0001\u00020\u0019\u0002\u0001\u0001\u0002\u0001\u0001\u0002\u0001\u0001\u0002\u0001\u0001\u0002\u0001\u0000\u0002\u0001\u0001\u0002\u0002\u0004 \u0002\u0001\u00020\u001c\u0002\u0002\ufffd\ufffd\u0002\u0002\ufffd\u0017\u0002\u0002\ufffd\ufffd\u0002\u0001\u0001\u0002\u0001\u0000\u0002\u0001\u0001\u0002\u0002\ufffd\ufffd\u0002\u0001\u0002\u0004\ufffd\u0001\/\u0000\u0005\u0000\u0014\|\u0000\u0001\ufffd&\u0000\b\u0000\u0010\u0000\u0001\ufffd\u0000Duca\ufffd\u0018\u0001\ufffd\ufffd\u0000\u0004\u0000\b\u0000\u0000\u0005 \u0003\u0001\ufffd\u0003\ufffd\t\b\u0000\u0000(\n\u0000\u0000E\u0000M\u0000P\u0000-\u0000L\u0000A\u0000P\u0000-\u00000\u00000\u00001\u00004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "\u0003\u0000\u0000'\"\ufffd\u0000\u0000\u0000\u0000\u0000Cookie: mstshash=ZGQVAsJHK\r\n\u0003\u0000\u0001\ufffd\u0002\ufffd\ufffde\ufffd\u0001\ufffd\u0004\u0001\u0001\u0004\u0001\u0001\u0001\u0001\ufffd0\u0019\u0002\u0001\"\u0002\u0001\u0002\u0002\u0001\u0000\u0002\u0001\u0001\u0002\u0001\u0000\u0002\u0001\u0001\u0002\u0002\ufffd\ufffd\u0002\u0001\u00020\u0019\u0002\u0001\u0001\u0002\u0001\u0001\u0002\u0001\u0001\u0002\u0001\u0001\u0002\u0001\u0000\u0002\u0001\u0001\u0002\u0002\u0004 \u0002\u0001\u00020\u001c\u0002\u0002\ufffd\ufffd\u0002\u0002\ufffd\u0017\u0002\u0002\ufffd\ufffd", "evidence": { "request_sample": "\u0003\u0000\u0000'\"\ufffd\u0000\u0000\u0000\u0000\u0000Cookie: mstshash=ZGQVAsJHK\r\n\u0003\u0000\u0001\ufffd\u0002\ufffd\ufffde\ufffd\u0001\ufffd\u0004\u0001\u0001\u0004\u0001\u0001\u0001\u0001\ufffd0\u0019\u0002\u0001\"\u0002\u0001\u0002\u0002\u0001\u0000\u0002\u0001\u0001\u0002\u0001\u0000\u0002\u0001\u0001\u0002\u0002\ufffd\ufffd\u0002\u0001\u00020\u0019\u0002\u0001\u0001\u0002\u0001\u0001\u0002\u0001\u0001\u0002\u0001\u0001\u0002\u0001\u0000\u0002\u0001\u0001\u0002\u0002\u0004 \u0002\u0001\u00020\u001c\u0002\u0002\ufffd\ufffd\u0002\u0002\ufffd\u0017\u0002\u0002\ufffd\ufffd\u0002\u0001\u0001\u0002\u0001\u0000\u0002\u0001\u0001\u0002\u0002\ufffd\ufffd\u0002\u0001\u0002\u0004\ufffd\u0001\/\u0000\u0005\u0000\u0014\|\u0000\u0001\ufffd&\u0000\b\u0000\u0010\u0000\u0001\ufffd\u0000Duca\ufffd\u0018\u0001\ufffd\ufffd\u0000\u0004\u0000\b\u0000\u0000\u0005 \u0003\u0001\ufffd\u0003\ufffd\t\b\u0000\u0000(\n\u0000\u0000E\u0000M\u0000P\u0000-\u0000L\u0000A\u0000P\u0000-\u00000\u00000\u00001\u00004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "\u0003\u0000\u0000'\"\ufffd\u0000\u0000\u0000\u0000\u0000Cookie: mstshash=ZGQVAsJHK\r\n\u0003\u0000\u0001\ufffd\u0002\ufffd\ufffde\ufffd\u0001\ufffd\u0004\u0001\u0001\u0004\u0001\u0001\u0001\u0001\ufffd0\u0019\u0002\u0001\"\u0002\u0001\u0002\u0002\u0001\u0000\u0002\u0001\u0001\u0002\u0001\u0000\u0002\u0001\u0001\u0002\u0002\ufffd\ufffd\u0002\u0001\u00020\u0019\u0002\u0001\u0001\u0002\u0001\u0001\u0002\u0001\u0001\u0002\u0001\u0001\u0002\u0001\u0000\u0002\u0001\u0001\u0002\u0002\u0004 \u0002\u0001\u00020\u001c\u0002\u0002\ufffd\ufffd\u0002\u0002\ufffd\u0017\u0002\u0002\ufffd\ufffd", "classification_reason": "N\u00e9gociation protocole RDP \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "09e41d2eacac6ba4b85aa85f4dd7375c43045c4f", "protocol_details": { "port": 3389, "service": "rdp", "service_label_fr": "RDP" }, "evidence_snippet": "'\"\ufffdCookie: mstshash=ZGQVAsJHK\r\n\ufffd\ufffd\ufffde\ufffd\ufffd\ufffd0\"\ufffd\ufffd0 0\ufffd\ufffd\ufffd\ufffd\ufffd", "attack_vector": "rdp probe \u00b7 via RDP:3389 \u00b7 (sonde \/ probe)", "target_port_label": "3389 \u00b7 RDP", "emulator_service": "rdp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "N\u00e9gociation protocole RDP \u00b7 confiance 100%", "classification_reason_label_fr": "N\u00e9gociation protocole RDP \u00b7 confiance 100%", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "rdp", "service_label_fr": "RDP", "dst_port": 3389, "protocol_emulated": true, "tags_summary": [ "pat-0347", "pat-0348" ], "tags_summary_labels_fr": [ "pat-0347", "pat-0348" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Windows RDP", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "port": 3389, "service": "rdp", "service_label_fr": "RDP" }, "attack_vector": "rdp probe \u00b7 via RDP:3389 \u00b7 (sonde \/ probe)", "evidence_snippet": "'\"\ufffdCookie: mstshash=ZGQVAsJHK\r\n\ufffd\ufffd\ufffde\ufffd\ufffd\ufffd0\"\ufffd\ufffd0 0\ufffd\ufffd\ufffd\ufffd\ufffd", "target_port_label": "3389 \u00b7 RDP", "emulator_service": "rdp", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9" }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rdp", "service_banner": "Windows RDP", "service_os": "windows", "dst_port": "3389" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_rdp_cookie", "rdp_cookie", "rdp_emulated" ], "asn_dc_heuristic": true }
06/06/2026 23:46:16 UTC	TCP	5910	—	Sonde port	Faible	Moyen · 44
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 5910 Chemin / cible — Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Google LLC", "service": null, "app_proto": null, "asn": 396982, "country": "US", "dst_port": 5910, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.2, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 0 }, "risk_score": 44, "tag_count": 0, "anomaly_count": 0, "campaign_key": "c47ef9692cdd7a809b4a5289a9a720c5164f54e2", "event_fingerprint": "0c2f815141fd76b5f5c905904ab86996c5f9d483", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "INT-single-port" ], "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 0, "risk_score": 44 }, "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d" }, "target_context": { "dst_port": 5910, "risk_score": 44 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "dd27597eefbd29a936c5c4e7999a724d208284eb", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "5910" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "probe", "matched_patterns": [], "ban_policy": "advisory_monitor", "asn_dc_heuristic": true }
04/06/2026 02:07:07 UTC	TCP	2087	tls	Sonde TLS	Élevée	Faible · 26
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2087 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��B�� im9�� $��n�%ߛ�,�� 4%#�~-Go�w䏐7<h�/��?z�&�+�/�,�0̨̩� �� /5� { Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 243, "payload_entropy": 5.826775903938798, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 2087, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 2.6, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 26, "tag_count": 3, "anomaly_count": 0, "campaign_key": "9dd8f5c85a887493f1e796c0616b327e9c11f965", "event_fingerprint": "c12122c2e625214e3c08c4f3b2f91b9d3850d755", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "fd82eece1ccebe9f7962dbdb083d325c", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 2087, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003B\u001c\ufffd\ufffd \u000bim9\u0001\ufffd\ufffd\ufffd \ufffd$\u0000\ufffd\ufffd\ufffd\ufffd\u0017\ufffdn\ufffd%\u07db\ufffd,\ufffd\ufffd \ufffd4%\u0003#\ufffd~-\u000bGo\ufffdw\u43d07<h\ufffd\/\ufffd\ufffd\ufffd\u0013\ufffd\ufffd?z\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "4253d07e1eeb547486f13391f9318a1d32e64dfe", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 02:07:07 UTC	TCP	2087	tls	Sonde TLS	Élevée	Faible · 26
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2087 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��g�9�;�f�\��;�8�� W��]!�M'h��/�+�0�,��'�#�� (�$�� gk39��<=/5� Meta JSON brut { "tls_ja3_hash": "795bc7ce13f60d61e9ac03611dd36d90", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 29, "bytes_in": 207, "payload_entropy": 4.9260344959498505, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 2087, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 2.6, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 26, "tag_count": 3, "anomaly_count": 0, "campaign_key": "9dd8f5c85a887493f1e796c0616b327e9c11f965", "event_fingerprint": "6267d4d6344dbf705c3d690c1775833bbeae0f43", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "795bc7ce13f60d61e9ac03611dd36d90", "payload_hash": "18fbefef89a60219c9ced329368a9099", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 2087, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdg\ufffd9\ufffd;\ufffdf\ufffd\\\ufffd\ufffd;\u0007\ufffd8\ufffd\ufffd\ufffd\ufffd\ufffd\rW\ufffd\ufffd]!\ufffdM'\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017", "event_signature": "12ee47157578e5699def648f3f015177625d4c85", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
03/06/2026 22:21:08 UTC	TCP	16010	http	Scanner web	Élevée	Moyen · 42
Étape Sonde / probe MITRE TA0007 TA0001 WAF 23 Recommandation Surveiller Tags 950318:lfi-14 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 16010 Chemin / cible / Confiance classification 95% Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity Règles WAF 950318:lfi-14 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Payload (extrait) GET / HTTP/1.0 User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks Meta JSON brut { "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d", "http_host_hash": null, "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 185, "payload_entropy": 4.938089755714326, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 16010, "risk_waf": 57.5, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4, "risk_breakdown": { "waf": 57.5, "classification": 48, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 42, "tag_count": 5, "anomaly_count": 0, "campaign_key": "5f60db14b24ca9291066c0eb883d30fcd1643d9d", "event_fingerprint": "b2e07cdb958b18fd76da4c2826993ae15435453f", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ce3935d92be5f9290d282e51ab604b41", "payload_hash": "408dddfd3211eda1263e9161f0d91c4d", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 16010, "service": "http" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "disclosed_scanner" ], "confidence": 0.95, "classification_confidence": 0.95, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/ HTTP\/1.0\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks", "event_signature": "48c20f765b14261b3d82b706c938548f2a0040fc", "ban_policy": "advisory_monitor", "tags_list": [ "950318:lfi-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path", "http_ua_disclosed_scanner" ], "asn_dc_heuristic": true }
01/06/2026 02:29:05 UTC	TCP	987	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
31/05/2026 15:53:11 UTC	TCP	8022	—	Sonde port	Faible	Faible · 0
Étape — WAF — Recommandation — Tags — Cible HTTP — TLS SNI — Capteur paris-1
29/05/2026 21:30:21 UTC	TCP	20257	—	Sonde port	Faible	Faible · 0
Étape — WAF — Recommandation — Tags — Cible HTTP — TLS SNI — Capteur paris-1
29/05/2026 20:27:50 UTC	TCP	8883	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
29/05/2026 20:27:49 UTC	TCP	8883	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
28/05/2026 23:57:27 UTC	TCP	8020	http	web attack	Élevée	Critique · 100
Étape — WAF 23 Recommandation — Tags 950318:lfi-14 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8020 Chemin / cible / Ligne de requête `GET / HTTP/1.1` User-Agent Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity Règles WAF 950318:lfi-14 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Meta JSON brut { "http_header_count": 3, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d", "http_host_hash": "484629fbfedce591fd570c43c91ddc8f3cbc73ab", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 218, "payload_entropy": 5.100647144002227, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "tag_count": 4, "anomaly_count": 0, "risk_score": 100, "campaign_key": "5dc1a5fa114130cd97ada022e9306ea420b250bf", "event_fingerprint": "e7aa3deaadb03b61331a5255954d3b45fd1b4007", "tags_list": [ "950318:lfi-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
27/05/2026 22:58:22 UTC	TCP	2484	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
27/05/2026 20:03:24 UTC	TCP	1883	mqtt	mqtt probe	Élevée	Moyen · 50
Étape — WAF — Recommandation — Tags mqtt_connect Cible HTTP — TLS SNI — Capteur paris-1
27/05/2026 00:16:55 UTC	TCP	1717	http	web attack	Élevée	Critique · 100
Étape — WAF 23 Recommandation — Tags 950318:lfi-14 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 1717 Chemin / cible / Ligne de requête `GET / HTTP/1.1` User-Agent Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity Règles WAF 950318:lfi-14 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Meta JSON brut { "http_header_count": 3, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d", "http_host_hash": "0e7cddfca05bc734e8f69a8802b6b4f5cb2ce93a", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 218, "payload_entropy": 5.091014733588879, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "tag_count": 4, "anomaly_count": 0, "risk_score": 100, "campaign_key": "e1585c1eb58449817b4fc4b37b699cf0fa8fcc7a", "event_fingerprint": "48671016b7a2b26d8bce7dbf69be9659a11f7b6c", "tags_list": [ "950318:lfi-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
24/05/2026 03:40:21 UTC	TCP	20256	—	Sonde port	Faible	Faible · 0
Étape — WAF — Recommandation — Tags — Cible HTTP — TLS SNI — Capteur paris-1
23/05/2026 02:15:02 UTC	TCP	8020	http	web attack	Élevée	Critique · 100
Étape — WAF 23 Recommandation — Tags 950318:lfi-14 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8020 Chemin / cible / Ligne de requête `GET / HTTP/1.1` User-Agent Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity Règles WAF 950318:lfi-14 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Meta JSON brut { "http_header_count": 3, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d", "http_host_hash": "484629fbfedce591fd570c43c91ddc8f3cbc73ab", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 218, "payload_entropy": 5.100647144002227, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "tag_count": 4, "anomaly_count": 0, "risk_score": 100, "campaign_key": "5dc1a5fa114130cd97ada022e9306ea420b250bf", "event_fingerprint": "e7aa3deaadb03b61331a5255954d3b45fd1b4007", "tags_list": [ "950318:lfi-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
20/05/2026 18:58:15 UTC	TCP	25789	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
20/05/2026 18:58:15 UTC	TCP	25789	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
20/05/2026 00:26:13 UTC	TCP	5289	—	Sonde port	Faible	Faible · 0
Étape — WAF — Recommandation — Tags — Cible HTTP — TLS SNI — Capteur paris-1
19/05/2026 23:51:38 UTC	TCP	7547	http	web attack	Élevée	Critique · 100
Étape — WAF 23 Recommandation — Tags 950318:lfi-14 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7547 Chemin / cible / Ligne de requête `GET / HTTP/1.1` User-Agent Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity Règles WAF 950318:lfi-14 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Meta JSON brut { "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d", "http_host_hash": null, "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 185, "payload_entropy": 4.938089755714326, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "tag_count": 4, "anomaly_count": 0, "risk_score": 100, "campaign_key": "08f3da32e8470d895f5e91f41ca002b677fbcac3", "event_fingerprint": "c8752c37034632ca0deafd712cf3d045fd8726cc", "tags_list": [ "950318:lfi-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
19/05/2026 19:44:13 UTC	TCP	5907	—	Sonde port	Faible	Faible · 0
Étape — WAF — Recommandation — Tags — Cible HTTP — TLS SNI — Capteur paris-1
19/05/2026 05:30:41 UTC	TCP	8088	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
19/05/2026 05:30:41 UTC	TCP	8088	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
19/05/2026 04:58:10 UTC	TCP	2001	—	Sonde port	Faible	Faible · 0
Étape — WAF — Recommandation — Tags — Cible HTTP — TLS SNI — Capteur paris-1

198.235.24.240

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence