Détails IP 205.210.31.100

Synthèse exécutive

Profil de menace

Score de risque 100/100 Critique

Première observation 19/05/2026 22:19 UTC

Dernière observation 20/06/2026 03:51 UTC

Événements (période) 25

MITRE ATT&CK principal TA0007 5 occurrences

Activité suspecte — risque 46/100 (Moyen) — MITRE TA0001 — confiance 54 %

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « ssrf_internal » (signaux protocolaires) · confiance 54%

Confiance 54 % — Score WAF 8

Comparaison ASN / FAI

ASN 396982 · 205.210.31.0/24 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 25 événements sur la période pour cette IP.

35.241.130.26 Sonde port 12371/TCP 20/06/2026 07:16 UTC
35.241.166.201 Sonde port 9095/TCP 20/06/2026 07:16 UTC
34.156.122.218 Sonde SMTP 20/06/2026 07:16 UTC
34.14.33.150 Sonde port 21314/TCP 20/06/2026 07:15 UTC
34.79.151.177 Sonde port 7018/TCP 20/06/2026 07:15 UTC
35.240.3.145 Sonde port 8831/TCP 20/06/2026 07:15 UTC
35.233.88.72 Sonde port 21025/TCP 20/06/2026 07:15 UTC
35.187.97.175 Sonde port 8148/TCP 20/06/2026 07:15 UTC

Événements (filtres)

Première observation

19/05/2026 22:19 UTC

Dernière observation

20/06/2026 03:51 UTC

Dernière activité (filtres)

20/06/2026 03:51 UTC

Événements 7j

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

TLS TCP 6 HTTP TCP 4 SVN TCP 2 MEMCACHED ALT TCP 1 ORACLE TCP 1 POP3 TCP 1 SSH TCP 1

TLS

HTTP

SVN

MEMCACHED ALT

ORACLE

POP3

Géolocalisation

Origine réseau déclarée

États-Unis unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Google LLC 41 Port 4022 ssrf_internal

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Tentative d'exploit

Chaîne d'attaque

Exploitation

Vecteur d'attaque

ssrf internal · port 4022 · (tentative d'exploit)

Détails protocole

Aperçu payload

7net.tcp://127.0.0.1:4022/Microsoft/VisualStudio/msvsmon

Port / service

4022

Raison confiance

Confiance 54 % — Motif catalogue confirmé

Technique MITRE

TA0001

Persona capteur

mail.sensor-1.internal

Recommandation

Surveiller

Rôle capteur

Renseignement menaces

Signaux de précision

CRS-920350

Confiance

54%

Famille de menace

unknown

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

25 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

25 événement(s) — page 1/1

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
20/06/2026 03:51:02 UTC	TCP	4022	—	SSRF interne ssrf internal · port 4022 · (tentative d'exploit)	Faible	Moyen · 46
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4022 Chemin / cible — Payload 7net.tcp://127.0.0.1:4022/Microsoft/VisualStudio/msvsmon Pourquoi cette classification : Type « ssrf_internal » (signaux protocolaires) · confiance 54% Confiance classification 54% Risque capteur Moyen · 46 Confiance : Confiance 54 % — Motif catalogue confirmé Signaux CRS-920350 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) SSRF Localhost SSRF LFI Double-dot bypass Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) 7net.tcp://127.0.0.1:4022/Microsoft/VisualStudio/msvsmon Requête brute (extrait) 7net.tcp://127.0.0.1:4022/Microsoft/VisualStudio/msvsmon Meta JSON brut { "bytes_in": 65, "payload_entropy": 4.824301613321883, "port_category": "registered", "org": "Google LLC", "service": null, "app_proto": null, "asn": 396982, "country": "US", "dst_port": 4022, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 0, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 15 }, "risk_score": 46, "tag_count": 0, "anomaly_count": 0, "campaign_key": "301140883d753617978f08ef9e926fcb51eafbc7", "event_fingerprint": "c5c0026d9eb7f6e5618549bcbd0aec78d0c9e8a5", "classification_reason": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 54%", "confidence": 0.54, "classification_confidence": 0.54, "precision_score": 64, "precision_signals": [ "CRS-920350" ], "kb_rule_ids": [ "CRS-920350" ], "matched_patterns": [ "pat-0340", "pat-0103", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSRF Localhost SSRF", "LFI Double-dot bypass", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0340", "pat-0103", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 15, "risk_score": 46 }, "named_classification_skipped": false, "classification_parent": "ssrf_attack", "risk_confidence_factor": 54, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ffd87479a3124c1982dab377943df477", "path_pattern_hash": "2926fa5ba65a298fe7630f4e1d1dd6ea" }, "target_context": { "dst_port": 4022, "risk_score": 46 }, "payload_preview": "\u0000\u0001\u0000\u0001\u0002\u00027net.tcp:\/\/127.0.0.1:4022\/Microsoft\/VisualStudio\/msvsmon\u0003\b\f", "request_sample": "\u0000\u0001\u0000\u0001\u0002\u00027net.tcp:\/\/127.0.0.1:4022\/Microsoft\/VisualStudio\/msvsmon\u0003\b\f", "payload_snippet": "\u0000\u0001\u0000\u0001\u0002\u00027net.tcp:\/\/127.0.0.1:4022\/Microsoft\/VisualStudio\/msvsmon\u0003\b", "evidence": { "request_sample": "\u0000\u0001\u0000\u0001\u0002\u00027net.tcp:\/\/127.0.0.1:4022\/Microsoft\/VisualStudio\/msvsmon\u0003\b\f", "payload_snippet": "\u0000\u0001\u0000\u0001\u0002\u00027net.tcp:\/\/127.0.0.1:4022\/Microsoft\/VisualStudio\/msvsmon\u0003\b", "classification_reason": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 54%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "89ff845def53969accd969cfe87cff4972887d64", "protocol_details": { "payload_preview": "\u0000\u0001\u0000\u0001\u0002\u00027net.tcp:\/\/127.0.0.1:4022\/Microsoft\/VisualStudio\/msvsmon\u0003\b", "port": 4022 }, "evidence_snippet": "7net.tcp:\/\/127.0.0.1:4022\/Microsoft\/VisualStudio\/msvsmon", "attack_vector": "ssrf internal \u00b7 port 4022 \u00b7 (tentative d'exploit)", "target_port_label": "4022", "confidence_reason": "Confiance 54 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 54%", "classification_reason_label_fr": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 54%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 54 %", "confidence_pct": 54, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 15, "risk_score": 46 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 46, "risk_label": "Moyen", "service_name": null, "service_label_fr": null, "dst_port": 4022, "protocol_emulated": null, "tags_summary": [ "CRS-920350" ], "tags_summary_labels_fr": [ "CRS-920350" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\u0000\u0001\u0000\u0001\u0002\u00027net.tcp:\/\/127.0.0.1:4022\/Microsoft\/VisualStudio\/msvsmon\u0003\b", "port": 4022 }, "attack_vector": "ssrf internal \u00b7 port 4022 \u00b7 (tentative d'exploit)", "evidence_snippet": "7net.tcp:\/\/127.0.0.1:4022\/Microsoft\/VisualStudio\/msvsmon", "target_port_label": "4022", "emulator_service": null, "confidence_reason": "Confiance 54 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 54 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "4022" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_monitor", "asn_dc_heuristic": true }
20/06/2026 00:17:45 UTC	TCP	10001 · MEMCACHED ALT	memcached-alt	Sonde Memcached memcached-alt · via MEMCACHED ALT:10001 · (sonde / probe)	Faible	Faible · 1
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur MEMCACHED-ALT WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 10001 Chemin / cible — Service MEMCACHED ALT Payload I20100 Pourquoi cette classification : Type « memcached-alt » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 1 Confiance : Confiance faible (0 %) — classification prudente Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) I20100 Meta JSON brut { "protocol_emulated": true, "emulator_response": "56455253494f4e20312e362e360d0a", "emulator_response_len": 15, "bytes_in": 7, "payload_entropy": 2.128085278891394, "port_category": "registered", "org": "Google LLC", "service": "memcached-alt", "app_proto": "memcached-alt", "asn": 396982, "country": "US", "dst_port": 10001, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0 }, "risk_score": 1, "tag_count": 0, "anomaly_count": 0, "campaign_key": "140e92b59595c15f27661830384dc2811c171835", "event_fingerprint": "774499d61a821a4bd2b4da0dfeb387978087a7bf", "classification_reason": "Type \u00ab memcached-alt \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0, "risk_score": 1 }, "named_classification_skipped": false, "service_name": "memcached-alt", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "afebcfbcdf4c66b1d1eee9adb34349ee", "path_pattern_hash": "927bc142a6309629937cd02fbd617a2e" }, "target_context": { "dst_port": 10001, "service": "memcached-alt", "service_name": "memcached-alt", "risk_score": 1 }, "payload_preview": "\u0001I20100", "request_sample": "\u0001I20100", "payload_snippet": "\u0001I20100", "evidence": { "request_sample": "\u0001I20100", "payload_snippet": "\u0001I20100", "classification_reason": "Type \u00ab memcached-alt \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "19dc96ab87f7f633c9d618d75a92537ba831cba4", "protocol_details": { "payload_preview": "\u0001I20100", "port": 10001, "service": "memcached-alt", "service_label_fr": "MEMCACHED ALT" }, "evidence_snippet": "I20100", "attack_vector": "memcached-alt \u00b7 via MEMCACHED ALT:10001 \u00b7 (sonde \/ probe)", "target_port_label": "10001 \u00b7 MEMCACHED ALT", "emulator_service": "memcached-alt", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "site_display": { "classification": null, "classification_reason": "Type \u00ab memcached-alt \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab memcached-alt \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0, "risk_score": 1 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 1, "risk_label": "Faible", "service_name": "memcached-alt", "service_label_fr": "MEMCACHED ALT", "dst_port": 10001, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-memcached-alt", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\u0001I20100", "port": 10001, "service": "memcached-alt", "service_label_fr": "MEMCACHED ALT" }, "attack_vector": "memcached-alt \u00b7 via MEMCACHED ALT:10001 \u00b7 (sonde \/ probe)", "evidence_snippet": "I20100", "target_port_label": "10001 \u00b7 MEMCACHED ALT", "emulator_service": "memcached-alt", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "memcached_alt", "service_banner": "honeypot-memcached-alt", "service_os": "linux", "dst_port": "10001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "asn_dc_heuristic": true }
19/06/2026 22:05:58 UTC	TCP	2085 · HTTP	http	Scanner web web scanner · via HTTP:2085 · (sonde / probe)	Élevée	Moyen · 47
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET / UA Hello from Palo Alto Networks, find out more about our scans in… Émulateur HTTP WAF 23 Recommandation Surveiller Tags 950318:lfi-14 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2085 Chemin / cible / Service HTTP Pourquoi cette classification : User-Agent scanner commercial déclaré · confiance 100% Confiance classification 100% Risque capteur Moyen · 47 Confiance : Confiance 100 % — 4 tag(s) WAF Signaux Scanner Palo Alto Upstream Waf Score Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) LFI Double-dot bypass UA Palo Alto Networks Ligne de requête `GET / HTTP/1.1` User-Agent Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity Règles WAF lfi-14 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:2085 User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs- Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:2085 User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity Accept-Encoding: gzip Meta JSON brut { "http_header_count": 3, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d", "http_host_hash": "d202884bf63da2cb3762fbb22c32dfe9c0bf880b", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 218, "payload_entropy": 5.104109930709399, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 2085, "risk_waf": 57.5, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 57.5, "classification": 42, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 47, "tag_count": 5, "anomaly_count": 0, "campaign_key": "efb10d43e4e66f7080594a004005608e33e83fd3", "event_fingerprint": "048195c9c50c3190d29ef5a439fb26a7942cab00", "classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "INT-scanner-palo-alto", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-scanner-palo-alto", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0103", "pat-0460" ], "matched_pattern_names": [ "LFI Double-dot bypass", "UA Palo Alto Networks" ], "pattern_ids": [ "pat-0103", "pat-0460" ], "confidence_breakdown": { "waf": 57.5, "classification": 42, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 47 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ce3935d92be5f9290d282e51ab604b41", "payload_hash": "645e0caf6b26fa4e1d307873f78614af", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 2085, "service": "http", "service_name": "http", "risk_score": 47 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2085\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-", "method": "GET", "path": "\/", "user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity", "waf_tags": [ "950318:lfi-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2085\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2085\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-", "evidence": { "method": "GET", "path": "\/", "user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity", "waf_tags": [ "950318:lfi-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2085\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2085\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-", "classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "disclosed_scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "af14fdf4cc2a96a27716c0f54d4c3969cc30d9b3", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpa\u2026", "port": 2085, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2085\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-", "attack_vector": "web scanner \u00b7 via HTTP:2085 \u00b7 (sonde \/ probe)", "target_port_label": "2085 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%", "classification_reason_label_fr": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 47\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 57.5, "classification": 42, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 47 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 47, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2085, "protocol_emulated": null, "tags_summary": [ "INT-scanner-palo-alto", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Scanner Palo Alto", "Upstream", "Waf Score" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpa\u2026", "port": 2085, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "web scanner \u00b7 via HTTP:2085 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2085\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-", "target_port_label": "2085 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 57 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2085" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "950318:lfi-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path", "http_ua_disclosed_scanner" ], "asn_dc_heuristic": true }
15/06/2026 23:55:42 UTC	TCP	1521 · ORACLE	oracle	oracle tns probe oracle tns probe · via ORACLE:1521 · (sonde / probe)	Élevée	Faible · 34
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur ORACLE WAF — Recommandation Surveiller Tags net_oracle_tns_probe oracle_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 1521 Chemin / cible — Service ORACLE Pourquoi cette classification : Type « oracle_tns_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 34 Confiance : Confiance 0 % — 2 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "001f002e0000060000000000280000000c41434345505428444541444245454629", "emulator_response_len": 33, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Google LLC", "service": "oracle", "app_proto": "oracle", "asn": 396982, "country": "US", "dst_port": 1521, "risk_waf": 8, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1, "risk_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0 }, "risk_score": 34, "tag_count": 2, "anomaly_count": 0, "campaign_key": "df9ef210b8fba38a22c3789f02a1df579c017230", "event_fingerprint": "5e232d65a022f2a64f918c38abebffe661d59604", "classification_reason": "Type \u00ab oracle_tns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 34 }, "named_classification_skipped": false, "service_name": "oracle", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "420e91c120535c16728a9791d446fafc" }, "target_context": { "dst_port": 1521, "service": "oracle", "service_name": "oracle", "risk_score": 34 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5209ee4de9fc967a562b168d0f29656f5599802b", "protocol_details": { "port": 1521, "service": "oracle", "service_label_fr": "ORACLE" }, "attack_vector": "oracle tns probe \u00b7 via ORACLE:1521 \u00b7 (sonde \/ probe)", "target_port_label": "1521 \u00b7 ORACLE", "emulator_service": "oracle", "confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab oracle_tns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab oracle_tns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 34\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 34 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 34, "risk_label": "Faible", "service_name": "oracle", "service_label_fr": "ORACLE", "dst_port": 1521, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-oracle", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "port": 1521, "service": "oracle", "service_label_fr": "ORACLE" }, "attack_vector": "oracle tns probe \u00b7 via ORACLE:1521 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "1521 \u00b7 ORACLE", "emulator_service": "oracle", "confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "oracle", "service_banner": "honeypot-oracle", "service_os": "linux", "dst_port": "1521" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_oracle_tns_probe", "oracle_emulated" ], "asn_dc_heuristic": true }
15/06/2026 02:11:47 UTC	TCP	20256	—	Sonde port Sonde port · port 20256 · (sonde / probe)	Faible	Moyen · 44
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 20256 Chemin / cible — Payload SIe/ 1IDDE Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 44 Confiance : Confiance 50 % — Motif catalogue confirmé Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) SIe/ 1IDDE Meta JSON brut { "bytes_in": 14, "payload_entropy": 3.378783493486176, "port_category": "registered", "org": "Google LLC", "service": null, "app_proto": null, "asn": 396982, "country": "US", "dst_port": 20256, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 0 }, "risk_score": 44, "tag_count": 0, "anomaly_count": 0, "campaign_key": "ee5415bf160646f2a7333b36e4123bd316165308", "event_fingerprint": "c2c43719be593f3ab3360773f7c6c167181e64cd", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 0, "risk_score": 44 }, "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "1c8a1508f47370d4fe50ffbeff7b3663", "path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d" }, "target_context": { "dst_port": 20256, "risk_score": 44 }, "payload_preview": "SIe\u0000\b\u0000\/ 1IDDE\r", "request_sample": "SIe\u0000\b\u0000\/ 1IDDE\r", "payload_snippet": "SIe\u0000\b\u0000\/ 1IDDE", "evidence": { "request_sample": "SIe\u0000\b\u0000\/ 1IDDE\r", "payload_snippet": "SIe\u0000\b\u0000\/ 1IDDE", "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a37448b58404a5b97c5c28d9f20e0ae138f099e9", "protocol_details": { "payload_preview": "SIe\u0000\b\u0000\/ 1IDDE", "port": 20256 }, "evidence_snippet": "SIe\/ 1IDDE", "attack_vector": "Sonde port \u00b7 port 20256 \u00b7 (sonde \/ probe)", "target_port_label": "20256", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 0, "risk_score": 44 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 44, "risk_label": "Moyen", "service_name": null, "service_label_fr": null, "dst_port": 20256, "protocol_emulated": null, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "SIe\u0000\b\u0000\/ 1IDDE", "port": 20256 }, "attack_vector": "Sonde port \u00b7 port 20256 \u00b7 (sonde \/ probe)", "evidence_snippet": "SIe\/ 1IDDE", "target_port_label": "20256", "emulator_service": null, "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "20256" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "asn_dc_heuristic": true }
14/06/2026 23:46:12 UTC	TCP	110 · POP3	pop3	Sonde port 110/TCP port 110 tcp · via POP3:110 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur POP3 WAF — Recommandation Surveiller Tags net_pop3_probe pop3_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 110 Chemin / cible — Preuve honeypot — Sonde port 110/TCP Connexion détectée sur le port 110 (TCP) du capteur simulé. Service POP3 Payload CAPA Pourquoi cette classification : Type « port_110_tcp » (signaux protocolaires) · confiance 62% Confiance classification 62% Risque capteur Faible · 38 Confiance : Confiance 62 % — Motif catalogue confirmé · Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Signaux Email Pop3 User Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) CAPA Meta JSON brut { "protocol_emulated": true, "emulator_response": "2b4f4b20504f503320686f6e6579706f742072656164790d0a", "emulator_response_len": 25, "bytes_in": 6, "payload_entropy": 2.2516291673878226, "port_category": "well_known", "org": "Google LLC", "service": "pop3", "app_proto": "pop3", "asn": 396982, "country": "US", "dst_port": 110, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0 }, "risk_score": 38, "tag_count": 2, "anomaly_count": 0, "campaign_key": "0bc29430209a1501e4a4048f59725d53efecdcd6", "event_fingerprint": "8d5f083aa812a6762c3b48b8375cd32260924478", "classification_reason": "Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 74, "precision_signals": [ "INT-EMAIL-pop3-user" ], "kb_rule_ids": [ "INT-EMAIL-pop3-user" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "pop3_bruteforce", "service_name": "pop3", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "854ee8becc6b669eae08396a2f3bd91d", "path_pattern_hash": "dc4164b66ff59a3b1d171afce3368aeb" }, "target_context": { "dst_port": 110, "service": "pop3", "service_name": "pop3", "risk_score": 38 }, "payload_preview": "CAPA\r\n", "request_sample": "CAPA\r\n", "payload_snippet": "CAPA", "evidence": { "request_sample": "CAPA\r\n", "payload_snippet": "CAPA", "classification_reason": "Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 62%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c851899e888269d121437e389450989888303897", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "CAPA", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "evidence_snippet": "CAPA", "attack_vector": "port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 62 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 62%", "classification_reason_label_fr": "Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 62, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "pop3", "service_label_fr": "POP3", "dst_port": 110, "protocol_emulated": true, "tags_summary": [ "INT-EMAIL-pop3-user" ], "tags_summary_labels_fr": [ "Email Pop3 User" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-pop3", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "CAPA", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "attack_vector": "port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "evidence_snippet": "CAPA", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 62 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "pop3", "service_banner": "honeypot-pop3", "service_os": "linux", "dst_port": "110" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_pop3_probe", "pop3_emulated" ], "asn_dc_heuristic": true }
07/06/2026 22:15:35 UTC	TCP	22 · SSH	ssh	Scan vulnérabilités scanner vuln · via SSH:22 · (sonde / probe)	Élevée	Moyen · 48
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole SSH SSH-2.0-ZGrab ZGrab SSH Survey Émulateur SSH WAF — Recommandation Surveiller Tags net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-ZGrab ZGrab SSH Survey Payload SSH-2.0-ZGrab ZGrab SSH Survey Pourquoi cette classification : Bannière client SSH reçue · confiance 95% Confiance classification 95% Risque capteur Moyen · 48 Confiance : Confiance 95 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0594 pat-0458 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 ET zgrab fingerprint UA zgrab User-Agent — Règles WAF — Payload (extrait) SSH-2.0-ZGrab ZGrab SSH Survey Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a", "emulator_response_len": 41, "bytes_in": 32, "payload_entropy": 3.965018266288633, "port_category": "well_known", "org": "Google LLC", "service": "ssh", "app_proto": "ssh", "asn": 396982, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 52, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0 }, "risk_score": 48, "tag_count": 3, "anomaly_count": 0, "campaign_key": "52aff1c3ab5260ce88a91e156d1e2db6de2ba6df", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 108, "precision_signals": [ "pat-0594", "pat-0458" ], "kb_rule_ids": [ "pat-0594", "pat-0458" ], "matched_patterns": [ "pat-0391", "pat-0594", "pat-0458" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "ET zgrab fingerprint", "UA zgrab" ], "pattern_ids": [ "pat-0391", "pat-0594", "pat-0458" ], "confidence_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0, "risk_score": 48 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "ssh", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "84c6534ee254dde0af32266cdff575dd", "path_pattern_hash": "b71c8aad2b015494f15e7bb035951b05" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 48 }, "payload_preview": "SSH-2.0-ZGrab ZGrab SSH Survey\r\n", "request_sample": "SSH-2.0-ZGrab ZGrab SSH Survey\r\n", "payload_snippet": "SSH-2.0-ZGrab ZGrab SSH Survey", "evidence": { "request_sample": "SSH-2.0-ZGrab ZGrab SSH Survey\r\n", "payload_snippet": "SSH-2.0-ZGrab ZGrab SSH Survey", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "03acb1e7e418fe1714adc534f795cc15e97ef652", "protocol_details": { "ssh_banner": "SSH-2.0-ZGrab ZGrab SSH Survey", "payload_preview": "SSH-2.0-ZGrab ZGrab SSH Survey", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-ZGrab ZGrab SSH Survey", "attack_vector": "scanner vuln \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0, "risk_score": 48 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 48, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "pat-0594", "pat-0458" ], "tags_summary_labels_fr": [ "pat-0594", "pat-0458" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-ZGrab ZGrab SSH Survey", "payload_preview": "SSH-2.0-ZGrab ZGrab SSH Survey", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "scanner vuln \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-ZGrab ZGrab SSH Survey", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_ssh_probe", "ssh_banner", "ssh_emulated" ], "asn_dc_heuristic": true }
05/06/2026 16:45:25 UTC	TCP	2605	—	Sonde port	Faible	Faible · 20
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2605 Chemin / cible — Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "bytes_in": 4, "payload_entropy": 1, "port_category": "registered", "org": "Google LLC", "service": null, "app_proto": null, "asn": 396982, "country": "US", "dst_port": 2605, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 0.2, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 0 }, "risk_score": 20, "tag_count": 0, "anomaly_count": 0, "campaign_key": "01f6d7f042d41a7e067dd1989a009596172b47d8", "event_fingerprint": "16294b3f18d9487ea4e8b121d2b30bbd69272458", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "INT-single-port" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "dba5166ad9db9ba648c1032ebbd34dcd", "path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d" }, "target_context": { "dst_port": 2605 }, "payload_preview": "\r\n\r\n", "request_sample": "\r\n\r\n", "evidence": { "request_sample": "\r\n\r\n", "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8f88b575b77951b87e7b801939000e684d4e35fb", "ban_policy": "advisory_monitor", "asn_dc_heuristic": true }
05/06/2026 16:45:22 UTC	TCP	2605	—	Sonde port	Faible	Faible · 20
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2605 Chemin / cible — Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Google LLC", "service": null, "app_proto": null, "asn": 396982, "country": "US", "dst_port": 2605, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 0.2, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 0 }, "risk_score": 20, "tag_count": 0, "anomaly_count": 0, "campaign_key": "01f6d7f042d41a7e067dd1989a009596172b47d8", "event_fingerprint": "16294b3f18d9487ea4e8b121d2b30bbd69272458", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "INT-single-port" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d" }, "target_context": { "dst_port": 2605 }, "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "76116ca5c9be542df7a90ce866d98ca48b0c0afb", "ban_policy": "advisory_monitor", "asn_dc_heuristic": true }
01/06/2026 20:51:35 UTC	TCP	2323	—	port attack	Élevée	Élevé · 72
Étape — WAF — Recommandation — Tags — Cible HTTP — TLS SNI — Capteur paris-1
29/05/2026 07:14:34 UTC	TCP	8888	http	web attack	Élevée	Critique · 100
Étape — WAF 23 Recommandation — Tags 950318:lfi-14 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8888 Chemin / cible / Ligne de requête `GET / HTTP/1.1` User-Agent Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity Règles WAF 950318:lfi-14 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Meta JSON brut { "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d", "http_host_hash": "6eaaf20adeb610d2a555fbd7030d65e644d5a1d1", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 199, "payload_entropy": 4.911003111110767, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "tag_count": 4, "anomaly_count": 0, "risk_score": 100, "campaign_key": "9ee10b1570b49c7911905b9b5b80d64a2868c4ef", "event_fingerprint": "36f19c924c6f466935adb9e91d07b867f7310dd4", "tags_list": [ "950318:lfi-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
29/05/2026 02:07:16 UTC	TCP	30005	http	web attack	Élevée	Critique · 100
Étape — WAF 23 Recommandation — Tags 950318:lfi-14 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 30005 Chemin / cible / Ligne de requête `GET / HTTP/1.1` User-Agent Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity Règles WAF 950318:lfi-14 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Meta JSON brut { "http_header_count": 3, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d", "http_host_hash": "35199aec1f494705c37d247e1616159f8ad2f9f2", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 219, "payload_entropy": 5.089794683324659, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "tag_count": 4, "anomaly_count": 0, "risk_score": 100, "campaign_key": "e291c424b6419d400e3c07958a9faa054c3ee7bb", "event_fingerprint": "c39fcab651edf9ff48e0ed96197416f48b5cf734", "tags_list": [ "950318:lfi-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
28/05/2026 05:05:30 UTC	TCP	4430	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
28/05/2026 05:05:29 UTC	TCP	4430	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
27/05/2026 16:18:58 UTC	TCP	8022	—	Sonde port	Faible	Faible · 0
Étape — WAF — Recommandation — Tags — Cible HTTP — TLS SNI — Capteur paris-1
27/05/2026 09:36:16 UTC	TCP	3690	svn	svn	Faible	Faible · 0
Étape — WAF — Recommandation — Tags — Cible HTTP — TLS SNI — Capteur paris-1
27/05/2026 09:36:13 UTC	TCP	3690	svn	svn	Faible	Faible · 0
Étape — WAF — Recommandation — Tags — Cible HTTP — TLS SNI — Capteur paris-1
27/05/2026 00:38:18 UTC	TCP	25789	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
27/05/2026 00:38:17 UTC	TCP	25789	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
25/05/2026 22:24:22 UTC	TCP	30005	http	web attack	Élevée	Critique · 100
Étape — WAF 23 Recommandation — Tags 950318:lfi-14 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 30005 Chemin / cible / Ligne de requête `GET / HTTP/1.1` User-Agent Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity Règles WAF 950318:lfi-14 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Meta JSON brut { "http_header_count": 3, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d", "http_host_hash": "35199aec1f494705c37d247e1616159f8ad2f9f2", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 219, "payload_entropy": 5.089794683324659, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "tag_count": 4, "anomaly_count": 0, "risk_score": 100, "campaign_key": "e291c424b6419d400e3c07958a9faa054c3ee7bb", "event_fingerprint": "c39fcab651edf9ff48e0ed96197416f48b5cf734", "tags_list": [ "950318:lfi-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
24/05/2026 03:13:39 UTC	TCP	2121	—	Sonde port	Faible	Faible · 0
Étape — WAF — Recommandation — Tags — Cible HTTP — TLS SNI — Capteur paris-1
23/05/2026 10:52:32 UTC	TCP	11911	—	Sonde MongoDB	Élevée	Élevé · 67
Étape — WAF — Recommandation — Tags mongodb_hello_probe Cible HTTP — TLS SNI — Capteur paris-1
23/05/2026 10:52:31 UTC	TCP	11911	—	Sonde port	Faible	Faible · 5
Étape — WAF — Recommandation — Tags — Cible HTTP — TLS SNI — Capteur paris-1
21/05/2026 23:36:11 UTC	TCP	2525	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
21/05/2026 23:36:11 UTC	TCP	2525	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1

Réputation

Sécurité avancée

Offensive / Recon

Sécurité

DNS

Réseau

E-mail

IP

Utilitaires

205.210.31.100

Profil de menace

Pourquoi listée

Comparaison ASN / FAI

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

205.210.31.100

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence