{"ip":"203.113.107.63","exported_at":"2026-06-18T02:41:22+00:00","period_days":7,"metrics":{"events7d":9,"distinct_ports":3,"distinct_classifications":4,"max_severity":6,"last_sensor_id":"paris-1","max_waf_score":null,"max_risk_score":48,"attack_stage":"probe","attack_chain_stage":"discovery","threat_family":["scanner"],"recommended_action":"monitor","confidence":0.95,"risk_breakdown":{"waf":8,"classification":54,"behavior":0,"geo":0,"protocol":36,"novelty":0},"mitre_tactics":["TA0007","TA0001"],"mitre_technique":"T1110","top_mitre_technique":"TA0007","top_mitre_count":7,"executive_one_liner_fr":"Activit\u00e9 suspecte \u00b7 risque 48\/100","campaign_hint_fr":null,"confidence_breakdown":{"waf":8,"classification":54,"behavior":0,"geo":0,"protocol":36,"novelty":0,"risk_score":48},"persona_hostname":"mail.sensor-1.internal","correlation_flags":[],"correlation_flags_labels_fr":[],"confidence_pct":95,"confidence_hint_fr":null,"sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["Db Mysql Auth","Upstream"],"tags_summary":["INT-DB-mysql-auth","INT-upstream"],"attack_vector":"mysql probe \u00b7 via MYSQL:3306 \u00b7 (sonde \/ probe)","protocol_details":{"mysql_auth_fr":"Handshake MySQL (auth)","payload_preview":"B\u0000\u0000\u0001\ufffd\ufffd\u000e\u0000\u0000\u0000\u0000@\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000root\u0000\u0000mysql\u0000mysql_native_password\u0000","port":3306,"service":"mysql","service_label_fr":"MYSQL"},"protocol_summary_fr":"Handshake MySQL (auth) \u00b7 Payload B\u0000\u0000\u0001\ufffd\ufffd\u000e\u0000\u0000\u0000\u0000@\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000root\u0000\u0000mysql\u0000mysql_native_pa\u2026 \u00b7 MYSQL:3306","evidence_snippet":"B\ufffd\ufffd@rootmysqlmysql_native_password","target_port_label":"3306 \u00b7 MYSQL","emulator_service":"mysql","confidence_reason":"Confiance 95 % \u2014 3 signal(aux) capteur","classification_reason":"Poign\u00e9e de main MySQL \u00b7 confiance 95%","classification_reason_label_fr":"Poign\u00e9e de main MySQL \u00b7 confiance 95%","confidence_factors_fr":"Confiance 95 % \u2014 Score WAF 8","payload_preview":"B\ufffd\ufffd@rootmysqlmysql_native_password"},"events":[{"id":9289018,"ip":"203.113.107.63","ts":"2026-06-15 18:02:44.000000","proto":"tcp","src_port":51483,"dst_port":3306,"service":"mysql","classification":"mysql_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022380000000a382e302e33322d4d7953514c0004030201112233445566778899aabbccddeeff006d7973716c5f6e61746976655f70617373776f726400\u0022, \u0022emulator_response_len\u0022: 60, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TOT Public Company Limited\u0022, \u0022service\u0022: \u0022mysql\u0022, \u0022app_proto\u0022: \u0022mysql\u0022, \u0022asn\u0022: 23969, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 3306, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 54.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022bef1cad8d681313ebc2fad5890e78941ae733f15\u0022, \u0022event_fingerprint\u0022: \u00227e64d2ea7efbfd080eb620b69c685e7503a67a61\u0022, \u0022classification_reason\u0022: \u0022Poign\u00e9e de main MySQL \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 87, \u0022precision_signals\u0022: [\u0022INT-DB-mysql-auth\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-DB-mysql-auth\u0022, \u0022INT-upstream\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022mysql\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 23969, \u0022org\u0022: \u0022TOT Public Company Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u0022f92b97805e8111d6d69ad0f096b65c87\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3306, \u0022service\u0022: \u0022mysql\u0022, \u0022service_name\u0022: \u0022mysql\u0022, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1110\u0022], \u0022mitre\u0022: \u0022T1110\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002251c4f619223cf8f2e8fe95a8f161b5010a39cc38\u0022, \u0022protocol_details\u0022: {\u0022mysql_auth_fr\u0022: \u0022Handshake MySQL (auth)\u0022, \u0022port\u0022: 3306, \u0022service\u0022: \u0022mysql\u0022, \u0022service_label_fr\u0022: \u0022MYSQL\u0022}, \u0022attack_vector\u0022: \u0022mysql probe \u00b7 via MYSQL:3306 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223306 \u00b7 MYSQL\u0022, \u0022emulator_service\u0022: \u0022mysql\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Poign\u00e9e de main MySQL \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Poign\u00e9e de main MySQL \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022mysql\u0022, \u0022service_label_fr\u0022: \u0022MYSQL\u0022, \u0022dst_port\u0022: 3306, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-DB-mysql-auth\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Db Mysql Auth\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1110\u0022, \u0022mitre_technique\u0022: \u0022T1110\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u00228.0.32-MySQL\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022mysql_auth_fr\u0022: \u0022Handshake MySQL (auth)\u0022, \u0022port\u0022: 3306, \u0022service\u0022: \u0022mysql\u0022, \u0022service_label_fr\u0022: \u0022MYSQL\u0022}, \u0022attack_vector\u0022: \u0022mysql probe \u00b7 via MYSQL:3306 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00223306 \u00b7 MYSQL\u0022, \u0022emulator_service\u0022: \u0022mysql\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022mysql\u0022, \u0022service_banner\u0022: \u00228.0.32-MySQL\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223306\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mysql_emulated\u0022, \u0022mysql_handshake\u0022, \u0022net_mysql_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mysql_emulated\u0022, \u0022mysql_handshake\u0022, \u0022net_mysql_probe\u0022]","anomalies":"[]","severity":6,"bytes_in":0},{"id":9289024,"ip":"203.113.107.63","ts":"2026-06-15 18:02:44.000000","proto":"tcp","src_port":51520,"dst_port":3306,"service":"mysql","classification":"mysql_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022380000000a382e302e33322d4d7953514c0004030201112233445566778899aabbccddeeff006d7973716c5f6e61746976655f70617373776f726400\u0022, \u0022emulator_response_len\u0022: 60, \u0022bytes_in\u0022: 70, \u0022payload_entropy\u0022: 3.340427396359359, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TOT Public Company Limited\u0022, \u0022service\u0022: \u0022mysql\u0022, \u0022app_proto\u0022: \u0022mysql\u0022, \u0022asn\u0022: 23969, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 3306, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 54.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022bef1cad8d681313ebc2fad5890e78941ae733f15\u0022, \u0022event_fingerprint\u0022: \u00227e64d2ea7efbfd080eb620b69c685e7503a67a61\u0022, \u0022classification_reason\u0022: \u0022Poign\u00e9e de main MySQL \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 87, \u0022precision_signals\u0022: [\u0022INT-DB-mysql-auth\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-DB-mysql-auth\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022mysql\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 23969, \u0022org\u0022: \u0022TOT Public Company Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022fa74385965b648f49d9603d41c99267c\u0022, \u0022path_pattern_hash\u0022: \u0022f92b97805e8111d6d69ad0f096b65c87\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3306, \u0022service\u0022: \u0022mysql\u0022, \u0022service_name\u0022: \u0022mysql\u0022, \u0022risk_score\u0022: 48}, \u0022payload_preview\u0022: \u0022B\\u0000\\u0000\\u0001\ufffd\ufffd\\u000e\\u0000\\u0000\\u0000\\u0000@\\b\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000root\\u0000\\u0000mysql\\u0000mysql_native_password\\u0000\u0022, \u0022request_sample\u0022: \u0022B\\u0000\\u0000\\u0001\ufffd\ufffd\\u000e\\u0000\\u0000\\u0000\\u0000@\\b\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000root\\u0000\\u0000mysql\\u0000mysql_native_password\\u0000\u0022, \u0022payload_snippet\u0022: \u0022B\\u0000\\u0000\\u0001\ufffd\ufffd\\u000e\\u0000\\u0000\\u0000\\u0000@\\b\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000root\\u0000\\u0000mysql\\u0000mysql_native_password\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022B\\u0000\\u0000\\u0001\ufffd\ufffd\\u000e\\u0000\\u0000\\u0000\\u0000@\\b\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000root\\u0000\\u0000mysql\\u0000mysql_native_password\\u0000\u0022, \u0022payload_snippet\u0022: \u0022B\\u0000\\u0000\\u0001\ufffd\ufffd\\u000e\\u0000\\u0000\\u0000\\u0000@\\b\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000root\\u0000\\u0000mysql\\u0000mysql_native_password\\u0000\u0022, \u0022classification_reason\u0022: \u0022Poign\u00e9e de main MySQL \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1110\u0022], \u0022mitre\u0022: \u0022T1110\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226e34d97a654c8a70ea49c8ec2bd31742572465f2\u0022, \u0022protocol_details\u0022: {\u0022mysql_auth_fr\u0022: \u0022Handshake MySQL (auth)\u0022, \u0022payload_preview\u0022: \u0022B\\u0000\\u0000\\u0001\ufffd\ufffd\\u000e\\u0000\\u0000\\u0000\\u0000@\\b\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000root\\u0000\\u0000mysql\\u0000mysql_native_password\\u0000\u0022, \u0022port\u0022: 3306, \u0022service\u0022: \u0022mysql\u0022, \u0022service_label_fr\u0022: \u0022MYSQL\u0022}, \u0022evidence_snippet\u0022: \u0022B\ufffd\ufffd@rootmysqlmysql_native_password\u0022, \u0022attack_vector\u0022: \u0022mysql probe \u00b7 via MYSQL:3306 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223306 \u00b7 MYSQL\u0022, \u0022emulator_service\u0022: \u0022mysql\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Poign\u00e9e de main MySQL \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Poign\u00e9e de main MySQL \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022mysql\u0022, \u0022service_label_fr\u0022: \u0022MYSQL\u0022, \u0022dst_port\u0022: 3306, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-DB-mysql-auth\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Db Mysql Auth\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1110\u0022, \u0022mitre_technique\u0022: \u0022T1110\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u00228.0.32-MySQL\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022mysql_auth_fr\u0022: \u0022Handshake MySQL (auth)\u0022, \u0022payload_preview\u0022: \u0022B\\u0000\\u0000\\u0001\ufffd\ufffd\\u000e\\u0000\\u0000\\u0000\\u0000@\\b\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000root\\u0000\\u0000mysql\\u0000mysql_native_password\\u0000\u0022, \u0022port\u0022: 3306, \u0022service\u0022: \u0022mysql\u0022, \u0022service_label_fr\u0022: \u0022MYSQL\u0022}, \u0022attack_vector\u0022: \u0022mysql probe \u00b7 via MYSQL:3306 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022B\ufffd\ufffd@rootmysqlmysql_native_password\u0022, \u0022target_port_label\u0022: \u00223306 \u00b7 MYSQL\u0022, \u0022emulator_service\u0022: \u0022mysql\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022mysql\u0022, \u0022service_banner\u0022: \u00228.0.32-MySQL\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223306\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mysql_emulated\u0022, \u0022mysql_handshake\u0022, \u0022net_mysql_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mysql_emulated\u0022, \u0022mysql_handshake\u0022, \u0022net_mysql_probe\u0022]","anomalies":"[]","severity":6,"bytes_in":70},{"id":9283168,"ip":"203.113.107.63","ts":"2026-06-15 17:04:38.000000","proto":"tcp","src_port":65239,"dst_port":1433,"service":"mssql","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022001f00001a00060000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 33, \u0022bytes_in\u0022: 41, \u0022payload_entropy\u0022: 2.775885996013431, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TOT Public Company Limited\u0022, \u0022service\u0022: \u0022mssql\u0022, \u0022app_proto\u0022: \u0022mssql\u0022, \u0022asn\u0022: 23969, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 1433, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 10.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 10.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b82edc85ccfccb9933b235c8b96d99fe50ee52d8\u0022, \u0022event_fingerprint\u0022: \u002224635733bde8ab881cad2aa5e51b4b5bf5e45e9f\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0519\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0519\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0519\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0519\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 10.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022mssql\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 23969, \u0022org\u0022: \u0022TOT Public Company Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002253453621b1d1f71ab7ee00b2c2b074bd\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_name\u0022: \u0022mssql\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000x\\u0015\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000x\\u0015\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000x\\u0015\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000x\\u0015\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000x\\u0015\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022612c935af483e3e8603b1a67f9789f2d058b94e0\u0022, \u0022protocol_details\u0022: {\u0022mssql_tds_fr\u0022: \u0022Connexion TDS Microsoft SQL Server\u0022, \u0022payload_preview\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000x\\u0015\\u0000\\u0000\u0022, \u0022port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022}, \u0022evidence_snippet\u0022: \u0022)\ufffdUx\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSSQL:1433 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221433 \u00b7 MSSQL\u0022, \u0022emulator_service\u0022: \u0022mssql\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 10.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022, \u0022dst_port\u0022: 1433, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0519\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0519\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-mssql\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022mssql_tds_fr\u0022: \u0022Connexion TDS Microsoft SQL Server\u0022, \u0022payload_preview\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000x\\u0015\\u0000\\u0000\u0022, \u0022port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSSQL:1433 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022)\ufffdUx\u0022, \u0022target_port_label\u0022: \u00221433 \u00b7 MSSQL\u0022, \u0022emulator_service\u0022: \u0022mssql\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022mssql\u0022, \u0022service_banner\u0022: \u0022honeypot-mssql\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221433\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022mssql\u0022, \u0022smb\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mssql_emulated\u0022, \u0022mssql_payload\u0022, \u0022mssql_probe\u0022, \u0022mssql_tds\u0022, \u0022net_bruteforce\u0022, \u0022net_mssql_tds\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mssql_emulated\u0022, \u0022mssql_payload\u0022, \u0022mssql_probe\u0022, \u0022mssql_tds\u0022, \u0022net_bruteforce\u0022, \u0022net_mssql_tds\u0022]","anomalies":"[]","severity":6,"bytes_in":41},{"id":9283139,"ip":"203.113.107.63","ts":"2026-06-15 17:04:35.000000","proto":"tcp","src_port":64528,"dst_port":1433,"service":"mssql","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022001f00001a00060000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 33, \u0022bytes_in\u0022: 41, \u0022payload_entropy\u0022: 2.775885996013431, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TOT Public Company Limited\u0022, \u0022service\u0022: \u0022mssql\u0022, \u0022app_proto\u0022: \u0022mssql\u0022, \u0022asn\u0022: 23969, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 1433, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 10.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 10.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022584dc8ab43572550a5af46f03637ac724e8c86c3\u0022, \u0022event_fingerprint\u0022: \u002224635733bde8ab881cad2aa5e51b4b5bf5e45e9f\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0519\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0519\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0519\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0519\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 10.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022mssql\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 23969, \u0022org\u0022: \u0022TOT Public Company Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002253453621b1d1f71ab7ee00b2c2b074bd\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_name\u0022: \u0022mssql\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000x\\u0015\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000x\\u0015\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000x\\u0015\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000x\\u0015\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000x\\u0015\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002239124017b523a487804cf3fdb444d805c0256c62\u0022, \u0022protocol_details\u0022: {\u0022mssql_tds_fr\u0022: \u0022Connexion TDS Microsoft SQL Server\u0022, \u0022payload_preview\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000x\\u0015\\u0000\\u0000\u0022, \u0022port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022}, \u0022evidence_snippet\u0022: \u0022)\ufffdUx\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSSQL:1433 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221433 \u00b7 MSSQL\u0022, \u0022emulator_service\u0022: \u0022mssql\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 10.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022, \u0022dst_port\u0022: 1433, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0519\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0519\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-mssql\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022mssql_tds_fr\u0022: \u0022Connexion TDS Microsoft SQL Server\u0022, \u0022payload_preview\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000x\\u0015\\u0000\\u0000\u0022, \u0022port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSSQL:1433 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022)\ufffdUx\u0022, \u0022target_port_label\u0022: \u00221433 \u00b7 MSSQL\u0022, \u0022emulator_service\u0022: \u0022mssql\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022mssql\u0022, \u0022service_banner\u0022: \u0022honeypot-mssql\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221433\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022mssql\u0022, \u0022smb\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mssql_emulated\u0022, \u0022mssql_payload\u0022, \u0022mssql_probe\u0022, \u0022mssql_tds\u0022, \u0022net_mssql_tds\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mssql_emulated\u0022, \u0022mssql_payload\u0022, \u0022mssql_probe\u0022, \u0022mssql_tds\u0022, \u0022net_mssql_tds\u0022]","anomalies":"[]","severity":6,"bytes_in":41},{"id":9283092,"ip":"203.113.107.63","ts":"2026-06-15 17:04:30.000000","proto":"tcp","src_port":63411,"dst_port":1433,"service":"mssql","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022001f00001a00060000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 33, \u0022bytes_in\u0022: 41, \u0022payload_entropy\u0022: 2.775885996013431, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TOT Public Company Limited\u0022, \u0022service\u0022: \u0022mssql\u0022, \u0022app_proto\u0022: \u0022mssql\u0022, \u0022asn\u0022: 23969, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 1433, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 10.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 10.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022584dc8ab43572550a5af46f03637ac724e8c86c3\u0022, \u0022event_fingerprint\u0022: \u002224635733bde8ab881cad2aa5e51b4b5bf5e45e9f\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0519\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0519\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0519\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0519\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 10.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022mssql\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 23969, \u0022org\u0022: \u0022TOT Public Company Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002253453621b1d1f71ab7ee00b2c2b074bd\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_name\u0022: \u0022mssql\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000x\\u0015\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000x\\u0015\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000x\\u0015\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000x\\u0015\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000x\\u0015\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002239124017b523a487804cf3fdb444d805c0256c62\u0022, \u0022protocol_details\u0022: {\u0022mssql_tds_fr\u0022: \u0022Connexion TDS Microsoft SQL Server\u0022, \u0022payload_preview\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000x\\u0015\\u0000\\u0000\u0022, \u0022port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022}, \u0022evidence_snippet\u0022: \u0022)\ufffdUx\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSSQL:1433 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221433 \u00b7 MSSQL\u0022, \u0022emulator_service\u0022: \u0022mssql\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 10.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022, \u0022dst_port\u0022: 1433, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0519\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0519\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-mssql\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022mssql_tds_fr\u0022: \u0022Connexion TDS Microsoft SQL Server\u0022, \u0022payload_preview\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000x\\u0015\\u0000\\u0000\u0022, \u0022port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSSQL:1433 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022)\ufffdUx\u0022, \u0022target_port_label\u0022: \u00221433 \u00b7 MSSQL\u0022, \u0022emulator_service\u0022: \u0022mssql\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022mssql\u0022, \u0022service_banner\u0022: \u0022honeypot-mssql\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221433\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022mssql\u0022, \u0022smb\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mssql_emulated\u0022, \u0022mssql_payload\u0022, \u0022mssql_probe\u0022, \u0022mssql_tds\u0022, \u0022net_mssql_tds\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mssql_emulated\u0022, \u0022mssql_payload\u0022, \u0022mssql_probe\u0022, \u0022mssql_tds\u0022, \u0022net_mssql_tds\u0022]","anomalies":"[]","severity":6,"bytes_in":41},{"id":9283039,"ip":"203.113.107.63","ts":"2026-06-15 17:04:25.000000","proto":"tcp","src_port":62427,"dst_port":1433,"service":"mssql","classification":"mssql_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022001f00001a00060000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 33, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TOT Public Company Limited\u0022, \u0022service\u0022: \u0022mssql\u0022, \u0022app_proto\u0022: \u0022mssql\u0022, \u0022asn\u0022: 23969, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 1433, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 21, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221a5b2fa475f95e8d817d64405cb3644e25f7ec32\u0022, \u0022event_fingerprint\u0022: \u00226e104f6072c052d0dd22893d2f1fa140642f7c7c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.08, \u0022classification_confidence\u0022: 0.08, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 21, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022mssql\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 23969, \u0022org\u0022: \u0022TOT Public Company Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u00226d4ca317e1154f7afb07772c79279a04\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_name\u0022: \u0022mssql\u0022, \u0022risk_score\u0022: 21}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002226b7a6df5d89ce56b26b7300a9dcbd23c6a4f162\u0022, \u0022protocol_details\u0022: {\u0022mssql_tds_fr\u0022: \u0022Connexion TDS Microsoft SQL Server\u0022, \u0022port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022}, \u0022attack_vector\u0022: \u0022mssql probe \u00b7 via MSSQL:1433 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221433 \u00b7 MSSQL\u0022, \u0022emulator_service\u0022: \u0022mssql\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 2 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 8, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 21, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 21, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022, \u0022dst_port\u0022: 1433, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-mssql\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022mssql_tds_fr\u0022: \u0022Connexion TDS Microsoft SQL Server\u0022, \u0022port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022}, \u0022attack_vector\u0022: \u0022mssql probe \u00b7 via MSSQL:1433 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00221433 \u00b7 MSSQL\u0022, \u0022emulator_service\u0022: \u0022mssql\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 2 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 8 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022mssql\u0022, \u0022service_banner\u0022: \u0022honeypot-mssql\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221433\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022mssql\u0022, \u0022smb\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mssql_emulated\u0022, \u0022net_mssql_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mssql_emulated\u0022, \u0022net_mssql_probe\u0022]","anomalies":"[]","severity":6,"bytes_in":0},{"id":9283043,"ip":"203.113.107.63","ts":"2026-06-15 17:04:25.000000","proto":"tcp","src_port":62481,"dst_port":1433,"service":"mssql","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022001f00001a00060000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 33, \u0022bytes_in\u0022: 41, \u0022payload_entropy\u0022: 2.775885996013431, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TOT Public Company Limited\u0022, \u0022service\u0022: \u0022mssql\u0022, \u0022app_proto\u0022: \u0022mssql\u0022, \u0022asn\u0022: 23969, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 1433, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 10.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 10.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022584dc8ab43572550a5af46f03637ac724e8c86c3\u0022, \u0022event_fingerprint\u0022: \u002224635733bde8ab881cad2aa5e51b4b5bf5e45e9f\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0519\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0519\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0519\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0519\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 10.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022mssql\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 23969, \u0022org\u0022: \u0022TOT Public Company Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002253453621b1d1f71ab7ee00b2c2b074bd\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_name\u0022: \u0022mssql\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000x\\u0015\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000x\\u0015\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000x\\u0015\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000x\\u0015\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000x\\u0015\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002239124017b523a487804cf3fdb444d805c0256c62\u0022, \u0022protocol_details\u0022: {\u0022mssql_tds_fr\u0022: \u0022Connexion TDS Microsoft SQL Server\u0022, \u0022payload_preview\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000x\\u0015\\u0000\\u0000\u0022, \u0022port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022}, \u0022evidence_snippet\u0022: \u0022)\ufffdUx\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSSQL:1433 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221433 \u00b7 MSSQL\u0022, \u0022emulator_service\u0022: \u0022mssql\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 10.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022, \u0022dst_port\u0022: 1433, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0519\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0519\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-mssql\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022mssql_tds_fr\u0022: \u0022Connexion TDS Microsoft SQL Server\u0022, \u0022payload_preview\u0022: \u0022\\u0012\\u0001\\u0000)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\u0001\\u0003\\u0000\\u001d\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000\\u0000x\\u0015\\u0000\\u0000\u0022, \u0022port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSSQL:1433 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022)\ufffdUx\u0022, \u0022target_port_label\u0022: \u00221433 \u00b7 MSSQL\u0022, \u0022emulator_service\u0022: \u0022mssql\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022mssql\u0022, \u0022service_banner\u0022: \u0022honeypot-mssql\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221433\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022mssql\u0022, \u0022smb\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mssql_emulated\u0022, \u0022mssql_payload\u0022, \u0022mssql_probe\u0022, \u0022mssql_tds\u0022, \u0022net_mssql_tds\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mssql_emulated\u0022, \u0022mssql_payload\u0022, \u0022mssql_probe\u0022, \u0022mssql_tds\u0022, \u0022net_mssql_tds\u0022]","anomalies":"[]","severity":6,"bytes_in":41},{"id":9282805,"ip":"203.113.107.63","ts":"2026-06-15 17:03:59.000000","proto":"tcp","src_port":56819,"dst_port":445,"service":"smb","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002200000048\u0022, \u0022emulator_response_len\u0022: 4, \u0022bytes_in\u0022: 88, \u0022payload_entropy\u0022: 3.701137069879752, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TOT Public Company Limited\u0022, \u0022service\u0022: \u0022smb\u0022, \u0022app_proto\u0022: \u0022smb\u0022, \u0022asn\u0022: 23969, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 445, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002290eadff6383eb9d1d8f3257adde4c79c467b3287\u0022, \u0022event_fingerprint\u0022: \u0022c2dcd725f3d49cc7233ad16d1772dcd2f3d0439d\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022smb\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 23969, \u0022org\u0022: \u0022TOT Public Company Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022cb970f018306412ae8aedb1d637f4198\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 445, \u0022service\u0022: \u0022smb\u0022, \u0022service_name\u0022: \u0022smb\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000T\ufffdSMBr\\u0000\\u0000\\u0000\\u0000\\u0018\\u0001(\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000Dm\\u0000\\u0000B\ufffd\\u00001\\u0000\\u0002LANMAN1.0\\u0000\\u0002LM1.2X002\\u0000\\u0002NT LANMAN 1.0\\u0000\\u0002NT LM 0.12\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000T\ufffdSMBr\\u0000\\u0000\\u0000\\u0000\\u0018\\u0001(\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000Dm\\u0000\\u0000B\ufffd\\u00001\\u0000\\u0002LANMAN1.0\\u0000\\u0002LM1.2X002\\u0000\\u0002NT LANMAN 1.0\\u0000\\u0002NT LM 0.12\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000T\ufffdSMBr\\u0000\\u0000\\u0000\\u0000\\u0018\\u0001(\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000Dm\\u0000\\u0000B\ufffd\\u00001\\u0000\\u0002LANMAN1.0\\u0000\\u0002LM1.2X002\\u0000\\u0002NT LANMAN 1.0\\u0000\\u0002NT LM 0.12\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000T\ufffdSMBr\\u0000\\u0000\\u0000\\u0000\\u0018\\u0001(\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000Dm\\u0000\\u0000B\ufffd\\u00001\\u0000\\u0002LANMAN1.0\\u0000\\u0002LM1.2X002\\u0000\\u0002NT LANMAN 1.0\\u0000\\u0002NT LM 0.12\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000T\ufffdSMBr\\u0000\\u0000\\u0000\\u0000\\u0018\\u0001(\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000Dm\\u0000\\u0000B\ufffd\\u00001\\u0000\\u0002LANMAN1.0\\u0000\\u0002LM1.2X002\\u0000\\u0002NT LANMAN 1.0\\u0000\\u0002NT LM 0.12\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022bdce039df2a4db5c03b9bfd1aaafea1b8a5a4d88\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000T\ufffdSMBr\\u0000\\u0000\\u0000\\u0000\\u0018\\u0001(\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000Dm\\u0000\\u0000B\ufffd\\u00001\\u0000\\u0002LANMAN1.0\\u0000\\u0002LM1.2X002\\u0000\\u0002NT LANMAN 1.0\\u0000\\u0002NT LM 0.12\\u0000\u0022, \u0022port\u0022: 445, \u0022service\u0022: \u0022smb\u0022, \u0022service_label_fr\u0022: \u0022SMB\u0022}, \u0022evidence_snippet\u0022: \u0022T\ufffdSMBr(DmB\ufffd1LANMAN1.0LM1.2X002NT LANMAN 1.0NT LM 0.12\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SMB:445 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022445 \u00b7 SMB\u0022, \u0022emulator_service\u0022: \u0022smb\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022smb\u0022, \u0022service_label_fr\u0022: \u0022SMB\u0022, \u0022dst_port\u0022: 445, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-smb\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000T\ufffdSMBr\\u0000\\u0000\\u0000\\u0000\\u0018\\u0001(\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000Dm\\u0000\\u0000B\ufffd\\u00001\\u0000\\u0002LANMAN1.0\\u0000\\u0002LM1.2X002\\u0000\\u0002NT LANMAN 1.0\\u0000\\u0002NT LM 0.12\\u0000\u0022, \u0022port\u0022: 445, \u0022service\u0022: \u0022smb\u0022, \u0022service_label_fr\u0022: \u0022SMB\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SMB:445 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022T\ufffdSMBr(DmB\ufffd1LANMAN1.0LM1.2X002NT LANMAN 1.0NT LM 0.12\u0022, \u0022target_port_label\u0022: \u0022445 \u00b7 SMB\u0022, \u0022emulator_service\u0022: \u0022smb\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022smb\u0022, \u0022service_banner\u0022: \u0022honeypot-smb\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022445\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_smb_probe\u0022, \u0022smb_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_smb_probe\u0022, \u0022smb_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":88},{"id":9282785,"ip":"203.113.107.63","ts":"2026-06-15 17:03:57.000000","proto":"tcp","src_port":56330,"dst_port":445,"service":"smb","classification":"smb_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TOT Public Company Limited\u0022, \u0022service\u0022: \u0022smb\u0022, \u0022app_proto\u0022: \u0022smb\u0022, \u0022asn\u0022: 23969, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 445, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 21, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002290eadff6383eb9d1d8f3257adde4c79c467b3287\u0022, \u0022event_fingerprint\u0022: \u0022c2dcd725f3d49cc7233ad16d1772dcd2f3d0439d\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 21}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022smb\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 23969, \u0022org\u0022: \u0022TOT Public Company Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u0022b6c073dc229e6284b4cae7886c46d504\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 445, \u0022service\u0022: \u0022smb\u0022, \u0022service_name\u0022: \u0022smb\u0022, \u0022risk_score\u0022: 21}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ef65a26a218aa90e71bfdd5be23cdac9a07fef86\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 445, \u0022service\u0022: \u0022smb\u0022, \u0022service_label_fr\u0022: \u0022SMB\u0022}, \u0022attack_vector\u0022: \u0022smb probe \u00b7 via SMB:445 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022445 \u00b7 SMB\u0022, \u0022emulator_service\u0022: \u0022smb\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 2 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 21}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 21, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022smb\u0022, \u0022service_label_fr\u0022: \u0022SMB\u0022, \u0022dst_port\u0022: 445, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-smb\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022port\u0022: 445, \u0022service\u0022: \u0022smb\u0022, \u0022service_label_fr\u0022: \u0022SMB\u0022}, \u0022attack_vector\u0022: \u0022smb probe \u00b7 via SMB:445 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u0022445 \u00b7 SMB\u0022, \u0022emulator_service\u0022: \u0022smb\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 2 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022smb\u0022, \u0022service_banner\u0022: \u0022honeypot-smb\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022445\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_smb_probe\u0022, \u0022smb_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_smb_probe\u0022, \u0022smb_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":0}],"total_events":9}