{"ip":"3.19.185.206","exported_at":"2026-06-16T06:17:04+00:00","period_days":7,"metrics":{"events7d":7,"distinct_ports":2,"distinct_classifications":4,"max_severity":8,"last_sensor_id":"paris-1","max_waf_score":16,"max_risk_score":51,"attack_stage":"probe","attack_chain_stage":"discovery","threat_family":["scanner"],"recommended_action":"monitor","confidence":0.08,"risk_breakdown":{"waf":8,"classification":48,"behavior":0,"geo":40,"protocol":0,"novelty":0},"mitre_tactics":["TA0007","TA0001"],"mitre_technique":"TA0007","top_mitre_technique":"TA0007","top_mitre_count":6,"executive_one_liner_fr":"Activit\u00e9 suspecte \u00b7 risque 33\/100","campaign_hint_fr":null,"confidence_breakdown":{"waf":8,"classification":48,"behavior":0,"geo":40,"protocol":0,"novelty":0,"risk_score":33,"correlation_boost":8},"persona_hostname":"mail.sensor-1.internal","correlation_flags":["multi_protocol_correlation"],"correlation_flags_labels_fr":["Multi-protocole corr\u00e9l\u00e9 (5 min)"],"confidence_pct":8,"confidence_hint_fr":"Corr\u00e9lation +8","sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":[],"tags_summary":[],"attack_vector":"Sonde port \u00b7 port 8728 \u00b7 (sonde \/ probe)","protocol_details":{"port":8728},"protocol_summary_fr":null,"evidence_snippet":null,"target_port_label":"8728","emulator_service":null,"confidence_reason":"Confiance faible (0 %) \u2014 classification prudente","classification_reason":"Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%","classification_reason_label_fr":"Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%","confidence_factors_fr":"Confiance 8 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8","payload_preview":null},"events":[{"id":9332497,"ip":"3.19.185.206","ts":"2026-06-16 02:37:02.000000","proto":"tcp","src_port":50944,"dst_port":8728,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 16509, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 8728, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 33, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e98149b7ab98674a01d07fe41cd3896d1e59139a\u0022, \u0022event_fingerprint\u0022: \u00227104ee8aaba85431751da15c485717a052fd7175\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.08, \u0022classification_confidence\u0022: 0.08, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 33, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 16509, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u002249ebffbc8eed300cf9429db1ba4cf66d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8728, \u0022risk_score\u0022: 33}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002209f50e2dcde3c10b851a5492c58cfd40f5689eb7\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 8728}, \u0022attack_vector\u0022: \u0022Sonde port \u00b7 port 8728 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228728\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 33\/100\u0022, \u0022confidence_pct\u0022: 8, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 33, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 33, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 8728, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 8728}, \u0022attack_vector\u0022: \u0022Sonde port \u00b7 port 8728 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00228728\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 8 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228728\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 4, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:8728\u0022, \u0022redis\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":0},{"id":9332469,"ip":"3.19.185.206","ts":"2026-06-16 02:36:36.000000","proto":"tcp","src_port":20778,"dst_port":6379,"service":"redis","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222d4e4f415554482041757468656e7469636174696f6e2072657175697265642e0d0a\u0022, \u0022emulator_response_len\u0022: 34, \u0022bytes_in\u0022: 243, \u0022payload_entropy\u0022: 5.761663568812538, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022service\u0022: \u0022redis\u0022, \u0022app_proto\u0022: \u0022redis\u0022, \u0022asn\u0022: 16509, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6379, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 36.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 36.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022cc777f011dca1c47dcd5ed00da4418db0ec70ea5\u0022, \u0022event_fingerprint\u0022: \u00229c536ce82edfb6f83700eeb7934e9ac49a41747b\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.57, \u0022classification_confidence\u0022: 0.57, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 36.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022redis\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 16509, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e9d350c6e6eae1a31129288f1e853ece\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja3\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3_hash\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022tls_ja3\u0022: \u0022771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 6379, \u0022service\u0022: \u0022redis\u0022, \u0022service_name\u0022: \u0022redis\u0022, \u0022risk_score\u0022: 40}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd{j\\u0017\\u0014\ufffduy\\u0010\ufffd\u0026\ufffdzcgza\ufffd\\u0016\\u001c\\u001f(\ufffd\ufffd\\f\ufffdu\/\ufffd\ufffd\ufffd\ufffd \ufffd;x6\ufffd[z\ufffd`\ufffd\ufffd[\\u001ad\ufffd\\\\\\u000ex\ufffd\\u000e\ufffd@d\ufffd\\u001c\ufffd\ufffd\\t\u003E_\\u0000I\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd{j\\u0017\\u0014\ufffduy\\u0010\ufffd\u0026\ufffdzcgza\ufffd\\u0016\\u001c\\u001f(\ufffd\ufffd\\f\ufffdu\/\ufffd\ufffd\ufffd\ufffd \ufffd;x6\ufffd[z\ufffd`\ufffd\ufffd[\\u001ad\ufffd\\\\\\u000ex\ufffd\\u000e\ufffd@d\ufffd\\u001c\ufffd\ufffd\\t\u003E_\\u0000I\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 r`\ufffd\\f+\ufffd\\\u0022\ufffd\\u001d\\u0013$\ufffd\\\\\ufffd+P{\ufffd\u06da\ufffdn\ufffd\u0649F\\u0001\ufffd\ufffdUo\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd{j\\u0017\\u0014\ufffduy\\u0010\ufffd\u0026\ufffdzcgza\ufffd\\u0016\\u001c\\u001f(\ufffd\ufffd\\f\ufffdu\/\ufffd\ufffd\ufffd\ufffd \ufffd;x6\ufffd[z\ufffd`\ufffd\ufffd[\\u001ad\ufffd\\\\\\u000ex\ufffd\\u000e\ufffd@d\ufffd\\u001c\ufffd\ufffd\\t\u003E_\\u0000I\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c8b7d84e16b874223d9553042991e6ecfe364a77\u0022, \u0022protocol_details\u0022: {\u0022redis_command_fr\u0022: \u0022Sonde protocole Redis\u0022, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd{j\\u0017\\u0014\ufffduy\\u0010\ufffd\u0026\ufffdzcgza\ufffd\\u0016\\u001c\\u001f(\ufffd\ufffd\\f\ufffdu\/\ufffd\ufffd\ufffd\ufffd \ufffd;x6\ufffd[z\ufffd`\ufffd\ufffd[\\u001ad\ufffd\\\\\\u000ex\ufffd\\u000e\ufffd@d\ufffd\\u001c\ufffd\ufffd\\t\u003E_\\u0000I\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 6379, \u0022service\u0022: \u0022redis\u0022, \u0022service_label_fr\u0022: \u0022REDIS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd{j\ufffduy\ufffd\u0026\ufffdzcgza\ufffd(\ufffd\ufffd\ufffdu\/\ufffd\ufffd\ufffd\ufffd \ufffd;x6\ufffd[z\ufffd`\ufffd\ufffd[d\ufffd\\\\x\ufffd\ufffd@d\ufffd\ufffd\ufffd\\t\u003E_I\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n{\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via REDIS:6379 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226379 \u00b7 REDIS\u0022, \u0022emulator_service\u0022: \u0022redis\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 57, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 36.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022redis\u0022, \u0022service_label_fr\u0022: \u0022REDIS\u0022, \u0022dst_port\u0022: 6379, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022Redis 7.0\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022redis_command_fr\u0022: \u0022Sonde protocole Redis\u0022, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd{j\\u0017\\u0014\ufffduy\\u0010\ufffd\u0026\ufffdzcgza\ufffd\\u0016\\u001c\\u001f(\ufffd\ufffd\\f\ufffdu\/\ufffd\ufffd\ufffd\ufffd \ufffd;x6\ufffd[z\ufffd`\ufffd\ufffd[\\u001ad\ufffd\\\\\\u000ex\ufffd\\u000e\ufffd@d\ufffd\\u001c\ufffd\ufffd\\t\u003E_\\u0000I\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 6379, \u0022service\u0022: \u0022redis\u0022, \u0022service_label_fr\u0022: \u0022REDIS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via REDIS:6379 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd{j\ufffduy\ufffd\u0026\ufffdzcgza\ufffd(\ufffd\ufffd\ufffdu\/\ufffd\ufffd\ufffd\ufffd \ufffd;x6\ufffd[z\ufffd`\ufffd\ufffd[d\ufffd\\\\x\ufffd\ufffd@d\ufffd\ufffd\ufffd\\t\u003E_I\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n{\u0022, \u0022target_port_label\u0022: \u00226379 \u00b7 REDIS\u0022, \u0022emulator_service\u0022: \u0022redis\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022redis\u0022, \u0022service_banner\u0022: \u0022Redis 7.0\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226379\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022redis\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_redis_probe\u0022, \u0022redis_emulated\u0022, \u0022tls_clienthello\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_redis_probe\u0022, \u0022redis_emulated\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":6,"bytes_in":243},{"id":9332468,"ip":"3.19.185.206","ts":"2026-06-16 02:36:34.000000","proto":"tcp","src_port":20776,"dst_port":6379,"service":"redis","classification":"port_6379_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222d4e4f415554482041757468656e7469636174696f6e2072657175697265642e0d0a\u0022, \u0022emulator_response_len\u0022: 34, \u0022bytes_in\u0022: 14, \u0022payload_entropy\u0022: 3.128085278891395, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022service\u0022: \u0022redis\u0022, \u0022app_proto\u0022: \u0022redis\u0022, \u0022asn\u0022: 16509, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6379, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b10303bd0e441f9f60f46376cbc4ca72292b5068\u0022, \u0022event_fingerprint\u0022: \u00229c536ce82edfb6f83700eeb7934e9ac49a41747b\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_6379_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.63, \u0022classification_confidence\u0022: 0.63, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022matched_patterns\u0022: [\u0022pat-0414\u0022], \u0022matched_pattern_names\u0022: [\u0022Redis PING RESP\u0022], \u0022pattern_ids\u0022: [\u0022pat-0414\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022redis_probe\u0022, \u0022service_name\u0022: \u0022redis\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 16509, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a43cb6a3b9d261112714d00e36b33106\u0022, \u0022path_pattern_hash\u0022: \u002242eb67f6877c6439dbde87dd6ec1f324\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6379, \u0022service\u0022: \u0022redis\u0022, \u0022service_name\u0022: \u0022redis\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022*1\\r\\n$4\\r\\nPING\\r\\n\u0022, \u0022request_sample\u0022: \u0022*1\\r\\n$4\\r\\nPING\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022*1\\r\\n$4\\r\\nPING\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022*1\\r\\n$4\\r\\nPING\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022*1\\r\\n$4\\r\\nPING\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_6379_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022bb6c7015c5a55c8ee4d3064ed778f3ffa5d9b456\u0022, \u0022protocol_details\u0022: {\u0022redis_command_fr\u0022: \u0022Commande Redis : *1\u0022, \u0022payload_preview\u0022: \u0022*1\\r\\n$4\\r\\nPING\u0022, \u0022port\u0022: 6379, \u0022service\u0022: \u0022redis\u0022, \u0022service_label_fr\u0022: \u0022REDIS\u0022}, \u0022evidence_snippet\u0022: \u0022*1\\r\\n$4\\r\\nPING\u0022, \u0022attack_vector\u0022: \u0022port 6379 tcp \u00b7 via REDIS:6379 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226379 \u00b7 REDIS\u0022, \u0022emulator_service\u0022: \u0022redis\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_6379_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_6379_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 42\/100\u0022, \u0022confidence_pct\u0022: 63, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022redis\u0022, \u0022service_label_fr\u0022: \u0022REDIS\u0022, \u0022dst_port\u0022: 6379, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022Redis 7.0\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022redis_command_fr\u0022: \u0022Commande Redis : *1\u0022, \u0022payload_preview\u0022: \u0022*1\\r\\n$4\\r\\nPING\u0022, \u0022port\u0022: 6379, \u0022service\u0022: \u0022redis\u0022, \u0022service_label_fr\u0022: \u0022REDIS\u0022}, \u0022attack_vector\u0022: \u0022port 6379 tcp \u00b7 via REDIS:6379 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022*1\\r\\n$4\\r\\nPING\u0022, \u0022target_port_label\u0022: \u00226379 \u00b7 REDIS\u0022, \u0022emulator_service\u0022: \u0022redis\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 63 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022redis\u0022, \u0022service_banner\u0022: \u0022Redis 7.0\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226379\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022redis\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_redis_probe\u0022, \u0022redis_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_redis_probe\u0022, \u0022redis_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":14},{"id":9332451,"ip":"3.19.185.206","ts":"2026-06-16 02:36:17.000000","proto":"tcp","src_port":27174,"dst_port":8728,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u00227c1e207beb00684bbbe144f1b0abe1d5\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022tls_alpn\u0022: [\u0022h2\u0022, \u0022http\/1.1\u0022], \u0022bytes_in\u0022: 261, \u0022payload_entropy\u0022: 5.92263769164128, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 16509, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 8728, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022560b7efe274ad7042f8ee52930af1cb26fcc2f60\u0022, \u0022event_fingerprint\u0022: \u0022421949bfd9626ee2a36d74822f4634c16ef80fcd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.57, \u0022classification_confidence\u0022: 0.57, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 16509, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u00227c1e207beb00684bbbe144f1b0abe1d5\u0022, \u0022payload_hash\u0022: \u00221d88104e56514299cb6e7c60e74bb2eb\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8728, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\u0016\ufffd(\\u000bJ\\u0007\ufffd3_#:`\ufffd^\u036a\ufffdw\ufffd\ufffd\u003E\ufffd\ufffd5\\b\u0771y)l\ufffd\\u001a S\ufffd\ufffd\ufffd\ufffdA(\ufffd6\ufffdg`\ufffd\\u0014\ufffd\u07bcQ\ufffd\ufffd\ufffd\u0600Y\ufffd\ufffd\u003C\ufffd\ufffd\\u0019\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\u0016\ufffd(\\u000bJ\\u0007\ufffd3_#:`\ufffd^\u036a\ufffdw\ufffd\ufffd\u003E\ufffd\ufffd5\\b\u0771y)l\ufffd\\u001a S\ufffd\ufffd\ufffd\ufffdA(\ufffd6\ufffdg`\ufffd\\u0014\ufffd\u07bcQ\ufffd\ufffd\ufffd\u0600Y\ufffd\ufffd\u003C\ufffd\ufffd\\u0019\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0010\\u0000\\u000e\\u0000\\f\\u0002h2\\bhttp\/1.1\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \ufffd\ufffd\ufffd(\ufffd\ufffd\u0306g\\u001d\ufffd}D,\u079f^\u0642\ufffd;,+-r;\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\u0016\ufffd(\\u000bJ\\u0007\ufffd3_#:`\ufffd^\u036a\ufffdw\ufffd\ufffd\u003E\ufffd\ufffd5\\b\u0771y)l\ufffd\\u001a S\ufffd\ufffd\ufffd\ufffdA(\ufffd6\ufffdg`\ufffd\\u0014\ufffd\u07bcQ\ufffd\ufffd\ufffd\u0600Y\ufffd\ufffd\u003C\ufffd\ufffd\\u0019\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002233a74a7213578e0b2b700b3740404791dc85577f\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\u0016\ufffd(\\u000bJ\\u0007\ufffd3_#:`\ufffd^\u036a\ufffdw\ufffd\ufffd\u003E\ufffd\ufffd5\\b\u0771y)l\ufffd\\u001a S\ufffd\ufffd\ufffd\ufffdA(\ufffd6\ufffdg`\ufffd\\u0014\ufffd\u07bcQ\ufffd\ufffd\ufffd\u0600Y\ufffd\ufffd\u003C\ufffd\ufffd\\u0019\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u00227c1e207beb00684bbbe144f1b0abe1d5\u0022, \u0022port\u0022: 8728, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd(J\ufffd3_#:`\ufffd^\u036a\ufffdw\ufffd\ufffd\u003E\ufffd\ufffd5\u0771y)l\ufffd S\ufffd\ufffd\ufffd\ufffdA(\ufffd6\ufffdg`\ufffd\ufffd\u07bcQ\ufffd\ufffd\ufffd\u0600Y\ufffd\ufffd\u003C\ufffd\ufffd\ufffd\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n\ufffd\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:8728 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228728 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 57, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 8728, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\u0016\ufffd(\\u000bJ\\u0007\ufffd3_#:`\ufffd^\u036a\ufffdw\ufffd\ufffd\u003E\ufffd\ufffd5\\b\u0771y)l\ufffd\\u001a S\ufffd\ufffd\ufffd\ufffdA(\ufffd6\ufffdg`\ufffd\\u0014\ufffd\u07bcQ\ufffd\ufffd\ufffd\u0600Y\ufffd\ufffd\u003C\ufffd\ufffd\\u0019\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u00227c1e207beb00684bbbe144f1b0abe1d5\u0022, \u0022port\u0022: 8728, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:8728 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd(J\ufffd3_#:`\ufffd^\u036a\ufffdw\ufffd\ufffd\u003E\ufffd\ufffd5\u0771y)l\ufffd S\ufffd\ufffd\ufffd\ufffdA(\ufffd6\ufffdg`\ufffd\ufffd\u07bcQ\ufffd\ufffd\ufffd\u0600Y\ufffd\ufffd\u003C\ufffd\ufffd\ufffd\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n\ufffd\u0022, \u0022target_port_label\u0022: \u00228728 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228728\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022redis\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"7c1e207beb00684bbbe144f1b0abe1d5","tls_ja3":"771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-16-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":261},{"id":9332432,"ip":"3.19.185.206","ts":"2026-06-16 02:35:50.000000","proto":"tcp","src_port":17584,"dst_port":8728,"service":"http","classification":"exploit_attempt","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00226bd3154a88ac556741885ed569cfb89736385db4\u0022, \u0022http_host_hash\u0022: \u0022261a4adf90d8ced3ef11173e26148fe8ecb06636\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 191, \u0022payload_entropy\u0022: 5.295329159959702, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 16509, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 8728, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 72.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 51, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c920204440f41ab9ef786a5de9bcb5131b69e0ed\u0022, \u0022event_fingerprint\u0022: \u00226803d4af34f405f880a6b0f9e5ff7e63d7e4bf16\u0022, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022confidence\u0022: 0.7, \u0022classification_confidence\u0022: 0.7, \u0022precision_score\u0022: 73, \u0022precision_signals\u0022: [\u0022MITRE-T1190\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1190\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 51, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 62.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 16509, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022cb226636f11f4f631f065fb419a8bab8\u0022, \u0022payload_hash\u0022: \u00220a35fd9ba2d9aa3ecc163e0917da678c\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8728, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 51}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8728\\r\\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8728\\r\\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8728\\r\\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8728\\r\\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8728\\r\\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/\u0022, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022443bbb405af73ca771c6290848206263434b695e\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 8728, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8728\\r\\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/\u0022, \u0022attack_vector\u0022: \u0022exploit attempt \u00b7 via HTTP:8728 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228728 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 62 % \u2014 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 70 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 70, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 51, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 51, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8728, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1190\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1190\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 8728, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022exploit attempt \u00b7 via HTTP:8728 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8728\\r\\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/\u0022, \u0022target_port_label\u0022: \u00228728 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 62 % \u2014 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 70 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228728\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022redis\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 96}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8728","http_user_agent":"visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":8,"bytes_in":191},{"id":9332423,"ip":"3.19.185.206","ts":"2026-06-16 02:35:45.000000","proto":"tcp","src_port":25136,"dst_port":6379,"service":"redis","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222d4e4f415554482041757468656e7469636174696f6e2072657175697265642e0d0a\u0022, \u0022emulator_response_len\u0022: 34, \u0022bytes_in\u0022: 261, \u0022payload_entropy\u0022: 5.9706909027278625, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022service\u0022: \u0022redis\u0022, \u0022app_proto\u0022: \u0022redis\u0022, \u0022asn\u0022: 16509, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6379, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 36.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 36.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022cc777f011dca1c47dcd5ed00da4418db0ec70ea5\u0022, \u0022event_fingerprint\u0022: \u00229c536ce82edfb6f83700eeb7934e9ac49a41747b\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 36.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022redis\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 16509, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002267bfb76b1723776a951bf4af2e01dc90\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6379, \u0022service\u0022: \u0022redis\u0022, \u0022service_name\u0022: \u0022redis\u0022, \u0022risk_score\u0022: 40}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003pAc}\\u001dQ\u0026@T\ufffdLGI\u07ea\ufffd\u065c+\ufffd\ufffde\ufffd\ufffd\ufffd|\ufffd\ufffdr\ufffd\ufffd\ufffd \ufffd\\u0010\ufffdkf\\u0016\ufffd\\u001e\ufffd\ufffdF\u12bf%1\ufffdi\ufffd-\ufffd\\u0001\\u0002\ufffd\ufffd\ufffd\ufffd\\u0014\ufffd,W\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003pAc}\\u001dQ\u0026@T\ufffdLGI\u07ea\ufffd\u065c+\ufffd\ufffde\ufffd\ufffd\ufffd|\ufffd\ufffdr\ufffd\ufffd\ufffd \ufffd\\u0010\ufffdkf\\u0016\ufffd\\u001e\ufffd\ufffdF\u12bf%1\ufffdi\ufffd-\ufffd\\u0001\\u0002\ufffd\ufffd\ufffd\ufffd\\u0014\ufffd,W\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0010\\u0000\\u000e\\u0000\\f\\u0002h2\\bhttp\/1.1\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \ufffd%E\ufffdL\ufffd\ufffdN0\\\\\\u001e\ufffd\ufffd\ufffd\\u0010@x\ufffd\ufffd\\u0015.\ufffdU\\u0004\ufffd\ufffd\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003pAc}\\u001dQ\u0026@T\ufffdLGI\u07ea\ufffd\u065c+\ufffd\ufffde\ufffd\ufffd\ufffd|\ufffd\ufffdr\ufffd\ufffd\ufffd \ufffd\\u0010\ufffdkf\\u0016\ufffd\\u001e\ufffd\ufffdF\u12bf%1\ufffdi\ufffd-\ufffd\\u0001\\u0002\ufffd\ufffd\ufffd\ufffd\\u0014\ufffd,W\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e5f0a2e676574aa5f06e810ac842d4313c38ef24\u0022, \u0022protocol_details\u0022: {\u0022redis_command_fr\u0022: \u0022Sonde protocole Redis\u0022, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003pAc}\\u001dQ\u0026@T\ufffdLGI\u07ea\ufffd\u065c+\ufffd\ufffde\ufffd\ufffd\ufffd|\ufffd\ufffdr\ufffd\ufffd\ufffd \ufffd\\u0010\ufffdkf\\u0016\ufffd\\u001e\ufffd\ufffdF\u12bf%1\ufffdi\ufffd-\ufffd\\u0001\\u0002\ufffd\ufffd\ufffd\ufffd\\u0014\ufffd,W\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 6379, \u0022service\u0022: \u0022redis\u0022, \u0022service_label_fr\u0022: \u0022REDIS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffdpAc}Q\u0026@T\ufffdLGI\u07ea\ufffd\u065c+\ufffd\ufffde\ufffd\ufffd\ufffd|\ufffd\ufffdr\ufffd\ufffd\ufffd \ufffd\ufffdkf\ufffd\ufffd\ufffdF\u12bf%1\ufffdi\ufffd-\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd,W\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n\ufffd\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via REDIS:6379 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226379 \u00b7 REDIS\u0022, \u0022emulator_service\u0022: \u0022redis\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 36.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022redis\u0022, \u0022service_label_fr\u0022: \u0022REDIS\u0022, \u0022dst_port\u0022: 6379, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022Redis 7.0\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022redis_command_fr\u0022: \u0022Sonde protocole Redis\u0022, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003pAc}\\u001dQ\u0026@T\ufffdLGI\u07ea\ufffd\u065c+\ufffd\ufffde\ufffd\ufffd\ufffd|\ufffd\ufffdr\ufffd\ufffd\ufffd \ufffd\\u0010\ufffdkf\\u0016\ufffd\\u001e\ufffd\ufffdF\u12bf%1\ufffdi\ufffd-\ufffd\\u0001\\u0002\ufffd\ufffd\ufffd\ufffd\\u0014\ufffd,W\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 6379, \u0022service\u0022: \u0022redis\u0022, \u0022service_label_fr\u0022: \u0022REDIS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via REDIS:6379 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffdpAc}Q\u0026@T\ufffdLGI\u07ea\ufffd\u065c+\ufffd\ufffde\ufffd\ufffd\ufffd|\ufffd\ufffdr\ufffd\ufffd\ufffd \ufffd\ufffdkf\ufffd\ufffd\ufffdF\u12bf%1\ufffdi\ufffd-\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd,W\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n\ufffd\u0022, \u0022target_port_label\u0022: \u00226379 \u00b7 REDIS\u0022, \u0022emulator_service\u0022: \u0022redis\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022redis\u0022, \u0022service_banner\u0022: \u0022Redis 7.0\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226379\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_redis_probe\u0022, \u0022redis_emulated\u0022, \u0022tls_clienthello\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_redis_probe\u0022, \u0022redis_emulated\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":6,"bytes_in":261},{"id":9332413,"ip":"3.19.185.206","ts":"2026-06-16 02:35:40.000000","proto":"tcp","src_port":25010,"dst_port":6379,"service":"redis","classification":"port_6379_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222d4e4f415554482041757468656e7469636174696f6e2072657175697265642e0d0a\u0022, \u0022emulator_response_len\u0022: 34, \u0022bytes_in\u0022: 191, \u0022payload_entropy\u0022: 5.282814188621675, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022service\u0022: \u0022redis\u0022, \u0022app_proto\u0022: \u0022redis\u0022, \u0022asn\u0022: 16509, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 6379, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 46.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 46.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00225402c9916180e82dae639eb541e81260d5f1fe65\u0022, \u0022event_fingerprint\u0022: \u00229c536ce82edfb6f83700eeb7934e9ac49a41747b\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_6379_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 46.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022redis_probe\u0022, \u0022service_name\u0022: \u0022redis\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 16509, \u0022org\u0022: \u0022Amazon.com, Inc.\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224720ec2740921243f80c24a05af13e2f\u0022, \u0022path_pattern_hash\u0022: \u002242eb67f6877c6439dbde87dd6ec1f324\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6379, \u0022service\u0022: \u0022redis\u0022, \u0022service_name\u0022: \u0022redis\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:6379\\r\\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:6379\\r\\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:6379\\r\\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:6379\\r\\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:6379\\r\\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_6379_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ddd663adaf91664425b28c99bce1bc3d30addc29\u0022, \u0022protocol_details\u0022: {\u0022redis_command_fr\u0022: \u0022Sonde protocole Redis\u0022, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:6379\\r\\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/\u0022, \u0022port\u0022: 6379, \u0022service\u0022: \u0022redis\u0022, \u0022service_label_fr\u0022: \u0022REDIS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:6379\\r\\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/\u0022, \u0022attack_vector\u0022: \u0022port 6379 tcp \u00b7 via REDIS:6379 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226379 \u00b7 REDIS\u0022, \u0022emulator_service\u0022: \u0022redis\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_6379_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_6379_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 46.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022redis\u0022, \u0022service_label_fr\u0022: \u0022REDIS\u0022, \u0022dst_port\u0022: 6379, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022Redis 7.0\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022redis_command_fr\u0022: \u0022Sonde protocole Redis\u0022, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:6379\\r\\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/\u0022, \u0022port\u0022: 6379, \u0022service\u0022: \u0022redis\u0022, \u0022service_label_fr\u0022: \u0022REDIS\u0022}, \u0022attack_vector\u0022: \u0022port 6379 tcp \u00b7 via REDIS:6379 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:6379\\r\\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/\u0022, \u0022target_port_label\u0022: \u00226379 \u00b7 REDIS\u0022, \u0022emulator_service\u0022: \u0022redis\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022redis\u0022, \u0022service_banner\u0022: \u0022Redis 7.0\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226379\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_redis_probe\u0022, \u0022redis_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_redis_probe\u0022, \u0022redis_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":191}],"total_events":7}